[Samba] On the fly Machine accounts
Eric Feldhusen
efeldhusen at chartermi.net
Fri Aug 26 18:07:27 GMT 2005
Craig White wrote:
> On Fri, 2005-08-26 at 12:48 -0400, Eric Feldhusen wrote:
>>John H Terpstra wrote:
>>>On Friday 26 August 2005 10:07, Paul Gienger wrote:
>>>What is your OS platform? Does it implement controls over permitted home
>>>directories and shells that can be specified to the useradd command?
>>>
>>>More than one Linux distro will NOT permit the creation of a user account
>>>(that is what a Windows domain member trust account is on the UNIX host) with
>>>a shell other than what is defined in /etc/shells, and some will not permit a
>>>home directory that consists of /dev/null.
>>>
>>>If your Linux distro has paranoid controls like that, a work around is
>>>necessary. Here is a possible work-around:
>>>
>>>add machine script = /usr/sbin/useradd -d /var/nodirs -g computers -s /bin/false '%u'
>>>
>>>Note that the %u is quoted with single quotes.
>>>
>>>Add to the /etc/shells: /bin/false
>>>
>>>Create the directory /var/nodirs with permissions set:
>>> chown root:root /var/nodirs
>>> chmod 550 /var/nodirs
>>>
>>>In other words, all access to /var/nodirs prevents user ability to write to
>>>the directory. It should also have no contents.
>>>
>>>- John T.
>>
>>Will this work with Redhat Enterprise 3 & 4? Just curious, and I'm not
>>in a position to check at the moment.
>
> RHEL 3/4 support invalid shells and home directory of /dev/null so this
> workaround shouldn't be necessary
> Craig
But, from experience, RHEL3/4 doesn't support usernames with a $ at the
end. The reasoning I've heard was it's not POSIX compliant. The fix
I've heard is to replace the shadow-utils rpm in RHEL4 with the
shadow-utils rpm from Fedora Core 3, but I do so hate to mix and match
rpms considering I help manage nearly 100 servers with other people, so
I like to keep them "standard" as much as possible.
--
Eric Feldhusen
System Administrator http://www.remc1.org
PO Box 270 (906) 482-4520 x239
809 Hecla St (906) 482-5031 fax
Hancock, MI 49930 (906) 370 6202 mobile
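
A check for the prerequisites of the workaround quoted above (single-quoted %u, /bin/false listed in /etc/shells, an empty root-owned /var/nodirs with mode 550), as an added example that is not part of the original thread. The function names are hypothetical, the smb.conf location in the closing comment is an assumption, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Files and directories are arguments so the checks can run on copies.

# True if the shell appears as an exact line in the shells file.
shell_is_listed() {            # $1 = shells file, $2 = shell path
    grep -qxF -- "$2" "$1"
}

# True if the directory exists, has mode 550, has the expected numeric
# owner:group (0:0 is root:root) and is empty.
nodirs_is_locked_down() {      # $1 = directory, $2 = uid:gid
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "550" ] || return 1     # GNU stat assumed
    [ "$(stat -c '%u:%g' "$1")" = "$2" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# True if the last "add machine script" line passes %u in single quotes.
# Backslash-continued lines are not joined here.
machine_script_quotes_u() {    # $1 = smb.conf path
    line=$(grep -iE '^[[:space:]]*add machine script[[:space:]]*=' "$1" | tail -n 1)
    case $line in
        *"'%u'"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Run all three checks and report each failure; returns 1 if any failed.
audit_machine_account_setup() { # $1 smb.conf, $2 shells, $3 dir, $4 uid:gid
    rc=0
    machine_script_quotes_u "$1" || { echo "FAIL: %u not single-quoted in $1"; rc=1; }
    shell_is_listed "$2" /bin/false || { echo "FAIL: /bin/false not in $2"; rc=1; }
    nodirs_is_locked_down "$3" "$4" || { echo "FAIL: $3 not $4, mode 550, empty"; rc=1; }
    return $rc
}

# Typical call on the Samba server (smb.conf path is an assumption):
# audit_machine_account_setup /etc/samba/smb.conf /etc/shells /var/nodirs 0:0
```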