Multiple UID-0 accounts in a Samba domain?
neil.hoggarth at physiol.ox.ac.uk
Mon Oct 29 04:10:03 GMT 2001
I have a Solaris 8 machine, running Samba 2.2.2, acting as a domain
Several different people in the Department do administrative work, such
as adding client machines to the network. Rather than a single shared
root password we've historically given each sysadmin a root equivalent
account, so that in addition to the root account there are several other
administrator accounts in the /etc/passwd / /etc/shadow file, with
different usernames but with UID 0. This has the advantage that the
various admins get to choose their own root password, can change it
whenever they feel it is appropriate to do so, etc, without disrupting
their colleagues' access to the system.
Since we started joining Windows 2000 workstations to our Samba
controlled domain we have needed to add the administrator accounts to
our smbpasswd file (previously the admin accounts only existed on the
Unix side, and didn't log into Samba). I've found several odd effects
which I suspect result from the fact that the NT SIDs that are derived
for the various different UID-0 accounts are the same.
In particular, it would seem that only the first UID-0 account that is
listed in the smbpasswd file is able to add Windows workstations to the
Samba controlled domain; if any of the other admins attempt to use their
admin username and password to join a workstation then a machine account
is created in the smbpasswd file, but no password set on it (both
password hash fields set to 'NO PASSWORDXXXXXXXXXXXXXXXXXXXXX',
last-change-time set to 'LCT-00000000'). On the Windows side an error
dialogue with the following message appears:

    The following error occured attempting to join the domain
    The account used is a computer account. Use your global
    user account or local user account to access this server.

Any idea how we might overcome this? Is there any way to assign
different SIDs to domain accounts which share a Unix UID? I've tried
changing the UIDs in the smbpasswd file but this seems not to affect the
SID assigned by the Samba domain controller.
Neil Hoggarth Departmental Computer Officer
<neil.hoggarth at physiol.ox.ac.uk> Laboratory of Physiology
http://www.physiol.ox.ac.uk/~njh/ University of Oxford, UK
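
The two symptoms described in this message can be checked for directly in an smbpasswd file. The following is an added example, not part of the original post: it reports accounts that share a Unix UID and machine accounts left with both hash fields at NO PASSWORD and a last-change-time of LCT-00000000. The usernames, hashes and entries in the sample are constructed, and the field layout name:uid:LM hash:NT hash:[flags]:LCT-time: is assumed.

```python
from collections import defaultdict

NOPW = "NO PASSWORD"  # prefix of the placeholder the post quotes for an unset hash

# Constructed sample (hypothetical names and hashes), assumed smbpasswd layout:
# name:uid:LM hash:NT hash:[flags]:LCT-time:
SAMPLE = """\
root:0:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3BDD1A2B:
alice:0:1111111111111111AAAAAAAAAAAAAAAA:2222222222222222BBBBBBBBBBBBBBBB:[U          ]:LCT-3BDD1A2C:
bob:0:3333333333333333CCCCCCCCCCCCCCCC:4444444444444444DDDDDDDDDDDDDDDD:[U          ]:LCT-3BDD1A2D:
carol:1001:5555555555555555EEEEEEEEEEEEEEEE:6666666666666666FFFFFFFFFFFFFFFF:[U          ]:LCT-3BDD1A2E:
ws01$:2001:7777777777777777AAAAAAAAAAAAAAAA:8888888888888888BBBBBBBBBBBBBBBB:[W          ]:LCT-3BDD2000:
ws02$:2002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
"""

def parse_smbpasswd(text):
    """Return one dict per well-formed entry; skip comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or not fields[1].isdigit():
            continue
        name, uid, lm, nt, flags, lct = fields[:6]
        entries.append({"name": name, "uid": int(uid), "lm": lm,
                        "nt": nt, "flags": flags, "lct": lct})
    return entries

def shared_uids(entries):
    """Map each UID used by more than one entry to the account names using it."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def unset_machine_accounts(entries):
    """Machine accounts (name ends in $) created without a password being set."""
    return [e["name"] for e in entries
            if e["name"].endswith("$")
            and e["lm"].startswith(NOPW) and e["nt"].startswith(NOPW)
            and e["lct"] == "LCT-00000000"]

if __name__ == "__main__":
    parsed = parse_smbpasswd(SAMPLE)
    for uid, names in shared_uids(parsed).items():
        print(f"UID {uid} is shared by: {', '.join(names)}")
    for name in unset_machine_accounts(parsed):
        print(f"machine account with no password set: {name}")
```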