[Samba] On the fly Machine accounts

John H Terpstra jht at samba.org
Fri Aug 26 18:06:21 GMT 2005


On Friday 26 August 2005 10:48, Eric Feldhusen wrote:
> John H Terpstra wrote:
> > On Friday 26 August 2005 10:07, Paul Gienger wrote:
> >>Many people on this list.
> >
> > What is your OS platform? Does it implement controls over permitted home
> > directories and shells that can be specified to the useradd command?
> >
> > More than one Linux distro will NOT permit the creation of a user account
> > (that is what a Windows domain member trust account is on the UNIX host)
> > with a shell other than what is defined in /etc/shells, and some will not
> > permit a home directory that consists of /dev/null.
> >
> > If your Linux distro has paranoid controls like that, a work around is
> > necessary. Here is a possible work-around:
> >
> > add machine script = /usr/sbin/useradd -d /var/nodirs -g computers -s /bin/false '%u'
> >
> > Note that the %u is quoted with single quotes.
> >
> > Add to the /etc/shells:  /bin/false
> >
> > Create the directory /var/nodirs with permissions set:
> > 	chown root:root /var/nodirs
> > 	chmod 550 /var/nodirs
> >
> > In other words,  all access to /var/nodirs prevents user ability to write
> > to the directory. It should also have no contents.
> >
> > - John T.
>
> Will this work with Redhat Enterprise 3 & 4? Just curious, and I'm not
> in a position to check at the moment.

Why do you ask? Why do you suspect it will not?

All I suggested is that you need to establish the capabilities of the specific 
implementation of the useradd command on your platform of choice. Samba can 
not solve a limitation that is caused by one of the basic utilities that is 
part of the operating system platform.

Debian and Red Hat have at times had paranoid restrictions in their useradd 
toolsets. I do not remember which versions and releases, but I do know that 
there were some updates that later removed some of the restrictions. The 
right answer is, try running useradd from the command line, like this:

	useradd -d /dev/null -s /bin/false jim

If it works, you are in good shape. If not, find an alternative way to achieve 
the same result.

Each Linux distribution is a little different. Sometimes, just to keep ahead 
of the pack, a distribution vendor will adopt a particular nuance of paranoia 
that breaks the world apart. That's life, and fortunately, with Linux it is 
not terminal - you can always replace the problematic component.

If your platform of choice is limited in any way, and you want automated 
computer account creation to work correctly, you will need to find an 
alternative method. Why will an alternative method not work? I am perplexed 
by the question. Apologies if I have misunderstood you.

- John T.
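The work-around in the quoted message has three moving parts that each depend on the host, not on Samba: the shell given to useradd must be listed in /etc/shells, the group named with -g must exist, and the shared "home" directory must be root-owned, mode 550 and empty so the machine trust accounts cannot write anything there. The pre-flight script below is an added example (not code from the thread or from the Samba project) that checks those three conditions before the "add machine script" is enabled. It assumes GNU coreutils stat and getent (the Linux platforms the thread discusses); file paths and the expected owner are passed as arguments so the checks can also be run against a copied /etc/shells in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the
# "add machine script = /usr/sbin/useradd -d /var/nodirs -g computers -s /bin/false '%u'"
# work-around. Assumes GNU stat(1) and getent(1).

# shell_is_permitted SHELLS_FILE SHELL
# Returns 0 when SHELL appears as a whole line in SHELLS_FILE (e.g. /etc/shells);
# a useradd that enforces /etc/shells will refuse -s /bin/false otherwise.
shell_is_permitted() {
    grep -qx -- "$2" "$1"
}

# group_exists GROUP
# Returns 0 when the group given to useradd -g can be resolved by NSS.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# nodirs_is_safe DIR EXPECTED_OWNER
# Returns 0 only if DIR is a directory owned by EXPECTED_OWNER (root in the
# thread), has mode 550 (no write bit for anyone, no access for "other") and
# contains nothing, so a trust account placed there can neither write nor read files.
nodirs_is_safe() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%U' "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$want_owner" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "550" ] || return 1
    [ -z "$(ls -A "$dir")" ] || return 1
}

# preflight SHELLS_FILE SHELL GROUP DIR EXPECTED_OWNER
# Runs all three checks, prints one line per check and returns the number of
# failures, so it can be used as: preflight /etc/shells /bin/false computers /var/nodirs root
preflight() {
    failures=0
    if shell_is_permitted "$1" "$2"; then
        echo "ok   shell $2 is listed in $1"
    else
        echo "FAIL shell $2 is not listed in $1 (add it, as the thread suggests)"
        failures=$((failures + 1))
    fi
    if group_exists "$3"; then
        echo "ok   group $3 exists"
    else
        echo "FAIL group $3 does not exist (groupadd $3 first)"
        failures=$((failures + 1))
    fi
    if nodirs_is_safe "$4" "$5"; then
        echo "ok   $4 is owned by $5, mode 550 and empty"
    else
        echo "FAIL $4 must be owned by $5, chmod 550 and empty"
        failures=$((failures + 1))
    fi
    return "$failures"
}
```

Running `preflight /etc/shells /bin/false computers /var/nodirs root` as root before touching smb.conf reproduces John's advice of testing useradd's limits on the command line, but without creating a throw-away account; a non-zero return tells you which host-side prerequisite still needs fixing.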
