Creating machine trust account for NT

Andrew Bartlett abartlet at pcug.org.au
Thu Nov 15 05:03:03 GMT 2001


werner maes wrote:
> 
> Hello,
> 
> Just some more questions regarding joining a NT-2000 client to the domain:
> 
> Is it necessary to enable the checkbox "create a computer account in the
> domain" when you want to join the client to the domain?
> ==> This option will create an account on the domain for this computer. You
> must specify a user account with the ability to add workstations to the
> specified domain above.
> 
> Of course, after you have created an entry for the machine in /etc/passwd
> and in smbpasswd. I used to enable this checkbox and, when asked for a user
> name and password, I entered 'root' with the Samba password of root as the
> password. This practically always worked.
> 
> But it seems to work even without enabling this checkbox. Then I asked
> myself: why is it even necessary to create an entry in smbpasswd for root?
> I'm referring to paragraphs 8.4.1 and 8.4.2 of the Samba-HOWTO collection.

OK, this is a basic rundown of how it works:

When you select this option, the NT client logs in to the Samba server,
and issues a 'create account' RPC command, then a 'set password' command
to set a random smb password on the trust account.

This works fine on the Samba side of things, but we have some legacy
issues:  Unfortunately the way samba works internally it requires an
/etc/passwd account before it can create it in smbpasswd.  By default
the 'create user' call only makes the smbpasswd part, you have to do the
unix stuff yourself.  This is what the 'add user script' (and the 'add
machine script' in HEAD) are for, to allow samba to do both parts.

Now, back to your question.  When you did the 'smbpasswd -am' yourself,
you effectively did the same thing as the 'create user' checkbox on the
NT client achieves, except that you set the password to a known value. 
In this case the NT client just changes that password when you join it,
but in the meantime any other machine can use that account - not a good
thing and why only the second method is supported under Win2k.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
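The 'add user script' hook described in the reply, shown as an added example that is not code from the original post or from the Samba project. It is the kind of script Samba runs while handling the NT client's 'create account' RPC so that the Unix side of the trust account exists before the smbpasswd side is written; the familiar form in the Samba HOWTO is 'add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u'. The script path, the UID policy, the group ID and the use of a scratch passwd-format file (so it runs without root) are all assumptions made for this example. It also covers the second point in the reply: the script never sets a password, so the client's random one set during the join is the only one that ever exists, and there is no window in which a pre-created, known password could be used by another machine.

```sh
#!/bin/sh
# Added example (not code from the original post or from the Samba project):
# a minimal "add user script" of the kind the reply describes.  Samba would
# invoke it while handling the NT client's 'create account' RPC, e.g. with this
# (assumed) smb.conf line:
#
#   [global]
#   add user script = /usr/local/sbin/add-machine.sh %u
#
# To keep the example runnable without root it edits a passwd-format file named
# by $PASSWD_FILE (assumed; defaults to a scratch file) instead of /etc/passwd.

: "${PASSWD_FILE:=/tmp/passwd.example}"
MIN_UID=1000     # first UID handed out when the file is empty (assumed policy)
MACHINE_GID=100  # group for trust accounts (assumed; "users" on many systems)

# Trust-account name for a NetBIOS host: lowercased, with the trailing '$'
# that marks it as a machine rather than a user account.
machine_account_name() {
    printf '%s$\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# True if an account with this name is already in $PASSWD_FILE.
account_exists() {
    [ -f "$PASSWD_FILE" ] &&
        awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Next free UID: one above the highest in use, but never below MIN_UID.
next_uid() {
    [ -f "$PASSWD_FILE" ] || { echo "$MIN_UID"; return; }
    awk -F: -v min="$MIN_UID" '
        $3 + 0 > max { max = $3 + 0 }
        END { u = max + 1; if (u < min) u = min; print u }' "$PASSWD_FILE"
}

# Add a locked, shell-less passwd entry for a machine trust account.
# Exit status: 0 added, 1 name is not a machine account, 2 already present.
# The SMB password is deliberately left to Samba: the client sets a random one
# during the join, which is what avoids the known-password window the reply
# warns about when the entry is pre-created with 'smbpasswd -am'.
add_machine_entry() {
    name=$1
    case $name in
        *\$) ;;
        *) echo "refusing '$name': machine accounts end in '\$'" >&2; return 1 ;;
    esac
    if account_exists "$name"; then
        echo "'$name' already exists" >&2
        return 2
    fi
    uid=$(next_uid)
    # Password field 'x' with no shadow entry and /bin/false keep the Unix side
    # unusable for interactive login; only the SMB side will ever authenticate.
    printf '%s:x:%s:%s:Machine trust account:/dev/null:/bin/false\n' \
        "$name" "$uid" "$MACHINE_GID" >> "$PASSWD_FILE"
}

# Samba passes the account name as the first argument (%u); when the file is
# sourced for testing no argument is given and nothing runs.
if [ -n "${1:-}" ]; then
    add_machine_entry "$1"
fi
```

Pointing PASSWD_FILE at a real /etc/passwd would also need locking and a shadow entry, which is why useradd (or the system's equivalent) is the right tool on a production server; the script above only shows the shape of the hook and the checks worth having in it.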