[Samba] root rq'd to join domain

Ryan Novosielski novosirj at umdnj.edu
Thu Jun 12 18:53:59 GMT 2003


I tried this and it did not work. I verified that the /etc/passwd and
/products/samba/private/smbpasswd files contained the right user accounts
(the latter having a W). I am in the domain admin group= portion of the
smb.conf. However, it tells me on the windows end that my password is bad
-- it is not, as I set it right before the second time I tried to make
absolutely certain.

The syslog errors I received were along the lines of:

Unable to unmarshall SAMR_Q_SET_USERINFO

...seeming to relate to the permissions on the smbpasswd file (it also
claimed it could not read the passdb database). I have seen John say that
it was not possible to join the domain without root access, but then
others have said that it is possible. Is it or is it not possible to give
users merely "domain admin group= " status, in Samba 2.2.8a, and still
allow users to join the domain?

The admin users= setting might also help, but again, I open myself up to
having users browse shares as root in this case (unless I use A.J.
Dawson's solution, which I have not yet had the opportunity to try).

Can a developer please set me straight here?

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Tue, 20 May 2003, Thierry Terrier wrote:

> Hi,
> I'm using this script to create a machine account.
> But you *have to* know the machine names and create them beforehand as root
> by #addsmbpdcmachine MACHINE_NAME.
> Then no admin. rights are required to join the domain (do not use "create
> a machine account" on windoze).
> Note: If a machine quits the domain you have to recreate it (just
> overwrite) before joining the domain.
> I hope this helps
> Best regards
>
> Here is my script:
> #!/bin/bash
> # Add a new machine in Primary Domain Controller Samba
> # T.TERRIER 15 feb 2002
> # Note: Replace "staffgroup" by your group domain name
> # Usage: addsmbpdcmachine MACHINE_NAME (must be run as root)
> [ -n "$1" ] || { echo "usage: $0 MACHINE_NAME" >&2; exit 1; }
> # The UNIX account for a machine trust account is the NetBIOS name plus a trailing '$'
> useradd -d /dev/null -g staffgroup -c "$1.staffgroup" -s /bin/false -M "$1\$"
> # Add the matching machine (-m) entry to the smbpasswd file
> smbpasswd -a -m "$1\$"
> #!end of addsmbpdcmachine
>
> Ryan Novosielski wrote:
>
> >I believe it was expected that Samba would allow domain joins by people in
> >the "admin group=" parameter -- I seem to remember reading that
> >somewhere... I also seem to remember (and have discovered) that, no, it is
> >in fact "root", or UID 0 only, who can accomplish this task. My question
> >is, what are the ways around this? There are people in my organization who
> >will be joining machines to the domain (so I don't have to travel over
> >there to do something so trivial), but they are not part of my department
> >and can't officially be trusted with root privileges, beyond domain joins.
> >
> >I know that the creation of additional UID 0 accounts is possible, but
> >most UNIX admins frown upon that sort of thing. However, I don't
> >believe it would be as big of a deal if there were some other way
> >to restrict this user so that it was only good for domain joins,
> >not root access on shares, etc.
> >
> >Another idea -- don't know how feasible this is -- can the "add user
> >script=" and "delete user script=" commands simply be changed to "sudo
> >useradd" or "sudo userdel" instead of just useradd or userdel, or does
> >some other part of the process other than these two commands require root
> >access.
> >
> >There may be something else I'm overlooking... maybe manual machine
> >account creation? Does this not require root access (I know the creation
> >would, but then does the subsequent domain join only require domain admin
> >group access)?
> >
> >This is another one of those things that I bet someone has run into before
> >me, and I'd appreciate hearing about any experience anyone has gained on
> >the subject.
> >
> >---- _  _ _  _ ___  _  _  _
> >|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
> >|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
> >\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>
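Added example, not part of this thread: a checked wrapper around the pre-creation approach Thierry describes, i.e. root creates the machine trust account ahead of time so the later domain join needs no root or domain-admin rights. The group name, the useradd flags and the "NetBIOS name plus trailing $" account convention mirror his script; the name validation, the existing-account check, the use of getent(1) and logger(1), and the exit codes are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the thread): a checked version of the
# "pre-create the machine trust account as root" approach.
# useradd/smbpasswd invocations and the NETBIOSNAME$ convention follow
# Thierry's script; the checks around them are assumptions.
set -eu

MACHINE_GROUP="${MACHINE_GROUP:-staffgroup}"   # assumed group for trust accounts

# Accept only a plausible NetBIOS host name: 1-15 chars of letters, digits or '-'.
# Rejecting anything else keeps shell metacharacters and path tricks out of
# the useradd/smbpasswd command lines built below.
valid_netbios_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Trust account name: the machine name plus a literal trailing '$'.
machine_account_name() {
    printf '%s$\n' "$1"
}

# Create the UNIX and smbpasswd entries. Refuses to touch an existing account
# unless "force" is given (Thierry notes a machine that left the domain must be
# recreated; here that is an explicit choice, not the default).
# Returns 2 for a rejected name, 3 for an existing account without "force".
add_machine_account() {
    name="$1"
    force="${2:-}"
    valid_netbios_name "$name" || { echo "rejected machine name: $name" >&2; return 2; }
    acct="$(machine_account_name "$name")"
    if getent passwd "$acct" >/dev/null 2>&1; then
        if [ "$force" != "force" ]; then
            echo "$acct already exists; pass 'force' to recreate it" >&2
            return 3
        fi
    else
        # -M: no home directory; /bin/false: the trust account never gets a shell
        useradd -d /dev/null -g "$MACHINE_GROUP" -c "$name.$MACHINE_GROUP" \
                -s /bin/false -M "$acct"
    fi
    # smbpasswd -a -m (re)creates the machine entry, overwriting an old one
    smbpasswd -a -m "$acct"
    # leave an audit trail of who pre-created which trust account
    logger -t addsmbpdcmachine "trust account $acct created by $(id -un)"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    add_machine_account "$@"
fi
```

Run it as root with the NetBIOS name as the first argument, and "force" as the second only when a machine that has left the domain has to be re-added; the name check is what stops an untrusted caller of this script (for instance via sudo) from smuggling extra options or characters into the useradd and smbpasswd command lines.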
