win2k joining Samba 2.2.2 PDC problems.

Jeremy Porter jerry at freeside.com
Mon Dec 10 12:08:08 GMT 2001


>Thanks for the reply.  I have re-read the Samba-PDC-HOWTO twice more and cannot find
>any reference to needing root to join a client to a domain!  My copy is that
>supplied with 2.2.2 and is dated Jul 31 2001.  I created the machine trust account
>manually and was logged in as root to do that.
>
>When trying to join the client I used a username which is listed in my "domain admin
>group" list.  Surely the point of this parameter is to provide non-root access in
>just this situation.  The last thing I want to have to do is use my Unix root
>password to join a client to the domain!

Unfortunately, it looks like an implementation issue in the samba server
that is fairly deeply coupled to the unix security model: the unix requirement
of being root to setuid to the user logging in, the smbpasswd being owned by
root, and the need to change the machine trust account password when logging
in for the first time.  If there was a split between the samba file
server and the samba account authorization and authentication server, it
might be possible to address this issue.  (It would also provide a more
"clean" security implementation.)  In theory this could be done via some
type of "pam" system and a non-root daemon.  Although, given the need for
a /etc/passwd entry for a machine trust account, some root access will always
be needed for adding a new machine.

At any rate, we should look at updating the howto to be more clear on
the root requirement.
--- jerry at fc.net
Freeside Orbitial Construction Corps
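A pre-join check for the prerequisites the post lists (a unix account for HOSTNAME$, an smbpasswd entry flagged as a workstation trust account, and an smbpasswd file readable by root only), written as an added example that is not part of this thread or of Samba itself. The account name, file paths and the sample passwd/smbpasswd lines in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Check that a Samba 2.2 machine trust account is ready for a domain join.
# Usage: check_trust_account NETBIOS_NAME PASSWD_FILE SMBPASSWD_FILE
# Constructed sample lines the check expects to find:
#   passwd:    ws01$:x:1001:100:Workstation:/dev/null:/bin/false
#   smbpasswd: ws01$:1001:<32 hex>:<32 hex>:[W          ]:LCT-00000000:
# Returns 0 when every prerequisite is met, 1 otherwise (problems are printed).
check_trust_account() {
    name="$1"; passwd_file="$2"; smbpasswd_file="$3"
    acct="${name}\$"          # machine trust accounts are named HOSTNAME$
    rc=0

    # 1. The trust account needs a unix account (Samba maps the machine to a
    #    uid), and that account must not have a usable login shell.
    entry=$(grep "^${name}\\\$:" "$passwd_file" || true)
    if [ -z "$entry" ]; then
        echo "missing passwd entry for $acct"; rc=1
    else
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        case "$shell" in
            /bin/false|/sbin/nologin) ;;
            *) echo "$acct has login shell $shell; expected /bin/false"; rc=1 ;;
        esac
    fi

    # 2. smbpasswd must carry the account with the W (workstation trust) flag;
    #    a plain U (user) entry will not be accepted as a machine account.
    smb=$(grep "^${name}\\\$:" "$smbpasswd_file" || true)
    if [ -z "$smb" ]; then
        echo "missing smbpasswd entry for $acct (create with: smbpasswd -a -m $name)"; rc=1
    else
        flags=$(printf '%s\n' "$smb" | cut -d: -f5)
        case "$flags" in
            \[*W*\]) ;;
            *) echo "$acct smbpasswd flags $flags lack W (workstation trust)"; rc=1 ;;
        esac
    fi

    # 3. smbpasswd holds password hashes and is rewritten by root on the first
    #    join, so group/other must have no permission bits at all.
    perms=$(ls -ld "$smbpasswd_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$smbpasswd_file is $(ls -ld "$smbpasswd_file" | cut -c1-10); expected -rw-------"; rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then check_trust_account "$@"; fi
```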