[Samba] machine account with w2k

Heinz Allerberger allerberger at em.uni-frankfurt.de
Fri Sep 10 08:38:53 GMT 2004


Hi Brian,

What you wrote I tried in my first experiment.
I created the user domadmin like this:
# useradd -m -u 500 -G 0 domadmin
# pdbedit -a -U 500 -G 512 domadmin
The Unix user "domadmin" had the uid = 500, the primary group = 500 
(like normal users), and was a member of the root group = 0.

With these settings I was able to join my Samba PDC with 
Windows NT 4.0 workstations fine, when I manually created a 
machine account on the Samba. But when I tried the same with a 
Windows 2000 workstation, I got a login prompt. When I then entered 
the domadmin with the password, the login prompt appeared again. It 
was not possible to join my Samba PDC with Windows 2000 workstations. I 
tried different things until I read in the Samba manual that I should 
join a Samba domain with the user root. This is normally not possible, 
because root does not have an smb account and in my smb.conf I have:  
invalid users = root .
Yes, and because it wasn't successful with the user domadmin as a member 
of group 0, I tried the really not nice thing of giving the user 
domadmin the uid 0, and this was successful.

Please could you tell me what I did wrong? Please see for this the 
documentation in my first mail, where my smb.conf and the 
user profile of the domadmin are.

Bye, Heinz.

Heinz Allerberger
System administrator
Zentrum Neurologie
Universitätsklinikum
Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Pager 18-0455



Brian Krusic wrote:

>>The Domain Admin user "domadmin" must have the root policies in
>>/etc/passwd like this:
>>domadmin:x:0:0:
>
>This is incorrect as you should never have users with identical uids.
>
>You should mod the entry in /etc/group to add your domadmin user to the root
>group.  This gives it root privs.
>
>>In my opinion it is not fine, because it is a security hole,
>
>Incorrect.
>Only someone with root or admin privs should be able to initially join domains,
>for if anyone could, then a potential hacker could do so w/o admin/root privs
>and attain further domain trust by doing so.
>
>Bri-
>
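The disagreement above is about two ways of giving a domain-join account root privileges on the PDC: a second uid 0 entry in /etc/passwd versus membership of the gid 0 group. As an added example (not part of this thread and not Samba project code), the following POSIX shell audit shows how an administrator can detect the first situation and enumerate the second. The passwd and group content below is constructed to mirror the accounts discussed in the mails; it is not a real system file.

```shell
#!/bin/sh
# Added example: audit a passwd/group file for duplicate UIDs (uid 0 in
# particular) and list who sits in the root group. Sample data is constructed
# to resemble the thread; replace the variables with "$(cat /etc/passwd)" and
# "$(cat /etc/group)" to run it against a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
domadmin:x:0:0:Domain Admin:/home/domadmin:/bin/bash
heinz:x:500:500:Heinz:/home/heinz:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash'

SAMPLE_GROUP='root:x:0:domadmin
users:x:100:'

# Print one line "uid user1 user2 ..." for every UID shared by more than one
# account, lowest UID first. Argument: passwd file content.
dup_uids() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 { names[$3] = names[$3] " " $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u names[u] }' | sort -n
}

# Count accounts whose UID is 0. A value above 1 is the "identical uids"
# situation Brian objects to: two names, one identity, no separate audit trail.
count_uid0() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 == 0 { n++ } END { print n + 0 }'
}

# List the supplementary members of the gid 0 group, space separated.
# Argument: group file content.
root_group_members() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 == 0 { print $4 }' | tr ',' ' '
}

# Human-readable summary of both checks.
report() {
    passwd_data=$1
    group_data=$2
    n0=$(count_uid0 "$passwd_data")
    echo "accounts with uid 0: $n0"
    if [ "$n0" -gt 1 ]; then
        echo "WARNING: more than one uid 0 account:"
        dup_uids "$passwd_data" | sed -n '/^0 /p'
    fi
    echo "all duplicated UIDs:"
    dup_uids "$passwd_data"
    echo "root group (gid 0) members: $(root_group_members "$group_data")"
}

report "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On the constructed data the report flags uid 0 as shared by root and domadmin and uid 501 as shared by alice and bob, and shows domadmin as the only supplementary member of the root group. The awk programs key on the third field only, so the same functions work on files where the GECOS field contains colons-free text of any length.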

