I agree, they must be separate, and delete user script must NOT be called by the auth subsystem; it is too dangerous.
Simo.

On Fri, 2002-05-17 at 15:22, Andrew Bartlett wrote:
> The behavior of the 'add user script' smb.conf option is rather weird:
>
> It is documented as an option to the login parts of the protocol, and
> used to add users dynamically during the logon process, if they don't
> exist locally.
>
> However, it is also used in the SAMR code when an admin explicitly
> creates a user. This is actually the more natural use for the parameter,
> but it is unnaturally shared between the two areas.
>
> This 'dual use' causes problems - unexpected users being created etc.
>
> However, this is nothing compared to its evil twin:
>
> 'delete user script' runs when a user attempts to log in, but the PDC
> says that they don't exist. Firstly: does this really happen? If a
> user has to attempt to log in to trigger it, what exactly is the
> point... This also has rather nasty consequences, when the user does not
> exist on the PDC (normal local user etc), the script can fire. If the
> admin is not careful this can be quite nasty. While this is documented,
> it is still nasty.
>
> What's more, all the PDC documentation refers to these options for their
> SAMR use, so as to create machine accounts on demand...
>
> Now both of these options are *too* easy to misconfigure, and they
> really don't fit well into the HEAD authentication setup anyway.
>
> Could these be killed in the auth context? This would leave them as
> SAMR commands, for when users are really added to the system.
>
> If we still need the capability to add users to the system on a dynamic
> basis (this is really the job of winbind, but I digress) could we at
> least use a different option? Like 'dynamic login user add script'?
> Or keep these but rename the SAMR meanings?
>
> What do you think?
>
> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net

--
Simo Sorce
----------
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it
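
Added example (not part of the original thread and not Samba code): a small audit that reports whether the two options discussed above are set in an smb.conf, so an admin can review them before the script can fire on a logon. The sample configuration, script paths and function names are constructed for illustration; the parser assumes smb.conf's usual rules (parameter names ignore case and whitespace, `#` and `;` start comments, a trailing backslash continues a line).

```python
import re

# The two options the thread calls too easy to misconfigure,
# keyed by their whitespace-free, lower-case form.
RISKY = {"adduserscript": "add user script",
         "deleteuserscript": "delete user script"}

def logical_lines(text):
    """Join physical lines that end in a backslash into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def audit_smb_conf(text):
    """Return (section, option, command) for every risky option that is set."""
    findings, section = [], None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        key = re.sub(r"\s+", "", name).lower()
        command = " ".join(value.split())
        if sep and key in RISKY and command:
            findings.append((section, RISKY[key], command))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = r"""
[global]
   workgroup = EXAMPLE
   security = domain
   ; add user script = /usr/sbin/useradd %u
   Delete User Script = /usr/sbin/userdel \
       -r %u
   adduserscript = /usr/sbin/useradd -m %u
[homes]
   read only = no
"""

if __name__ == "__main__":
    for section, option, command in audit_smb_conf(SAMPLE):
        print(f"[{section}] {option} = {command}")
```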