[Samba] Unix user rights to join domain

John H Terpstra jht at samba.org
Mon Mar 17 20:32:55 GMT 2003

On Mon, 17 Mar 2003, Olaf Grewe wrote:

> Hi,
> I recently joined a Samba server to a Samba PDC'd domain. It worked rather
> smoothly after I figured out that I had to create a root account with
> smbpasswd on the Samba PDC. Without it, I was stuck with the following
> error:
> > smbpasswd -j WHATEVER -r WHOCARES -Uname%password
> error setting trust account password: NT_STATUS_ACCESS_DENIED
> Unable to join domain WHATEVER
> I'd rather prefer to use my domain_adm account for this kind of tasks but
> it's obviously lacking sufficient rights (whether on directories and/or
> files, I don't know). The domain_adm account is obviously mentioned in the
> domain admin group parameter of smb.conf and the machine account was added
> to the smbpasswd of WHOCARES beforehand.
> My question is: Which rights does an admin account need to be able to join
> other machines into a domain? Joining Samba to a Samba PDC'd domain
> appears to be fairly uncommon, as I didn't find much by searching the
> respective lists and groups.

When you want to make a MS Windows NT/2K/XP client a member of a MS
Windows network Domain, you must provide the name of an account and
password for a user who has full "Domain Administrator" ability. That user
is usually 'Administrator' on the domain controllers.

The user 'root' is the equivalent of the MS Windows NT 'Administrator'.

Obviously, every domain needs an 'Administrator' account. It is thus
logical that 'root' needs to have an smbpasswd account. You can map this
to administrator by setting in smb.conf [globals]:
	username map = /etc/samba/smbusers

And in /etc/samba/smbusers:
	root = Administrator

At the end of the day, just like with MS Windows NT/2K, only Administrator
(by default) has the right to add users/machines to the Domain.

- John T.
John H Terpstra
Email: jht at samba.org
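
An added example, not part of the message above and not Samba's own code: a small Python check that parses a username map file in the format documented in smb.conf(5) and lists which client names end up mapped to root. The sample file contents are constructed; only the `root = Administrator` line comes from the thread, and the function names are hypothetical.

```python
import shlex

# Constructed sample of /etc/samba/smbusers. Only the "root = Administrator"
# line comes from the thread; the other entries are made up for illustration.
SAMPLE_SMBUSERS = """\
# unix name = client name(s)
root = Administrator
; legacy mapping
!olaf = "Olaf Grewe" ogrewe
root = admin
guest = *
"""

def split_names(value):
    """Split the right-hand side on whitespace, honouring double quotes."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'     # only double quotes group words; keep apostrophes
    lex.escape = ""      # keep backslashes such as DOMAIN\user intact
    lex.commenters = ""  # '#' only starts a comment at the start of a line
    return list(lex)

def parse_username_map(text):
    """Return (unix_name, [client_names], stop_flag) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        stop = line.startswith("!")        # '!' = stop processing on a match
        if stop:
            line = line[1:]
        unix_name, sep, clients = line.partition("=")
        if sep:
            entries.append((unix_name.strip(), split_names(clients), stop))
    return entries

def names_mapped_to(text, unix_name="root"):
    """List every client name that the map turns into unix_name."""
    return [client
            for name, clients, _ in parse_username_map(text)
            if name == unix_name
            for client in clients]

if __name__ == "__main__":
    for client in names_mapped_to(SAMPLE_SMBUSERS):
        flag = "  <-- wildcard or group, review" if client[0] in "*@" else ""
        print(f"{client} -> root{flag}")
```

Run against the real map file, the output is the list of client-side names that carry root's rights on the server, which is the set to keep as small as possible.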
