[Samba] Unix user rights to join domain

Olaf Grewe ogrewe at wiwi.hu-berlin.de
Mon Mar 17 21:10:55 GMT 2003


Hi John,

Thanks for your quick reaction. If you don't mind, I'd like to ask you -
or someone from the list for that matter - for a slightly more granular
answer. I was trained to avoid the Administrator or root as much as
possible, not least for accountability reasons. For most tasks on *nix and
Windows it is possible to grant rights more granular than using root. So I
reckon this holds true for Samba also. Most likely, it's a matter of
having the Admin user in the right *nix group? 

Regards
	Olaf


On Mon, 17 Mar 2003, John H Terpstra wrote:

> On Mon, 17 Mar 2003, Olaf Grewe wrote:
> 
> > Hi,
> >
> > I recently joined a Samba server to a Samba PDC'd domain. It worked rather
> > smoothly after I figured out that I had to create a root account with
> > smbpasswd on the Samba PDC. Without it, I was stuck with the following
> > error:
> > > smbpasswd -j WHATEVER -r WHOCARES -Uname%password
> > error setting trust account password: NT_STATUS_ACCESS_DENIED
> > Unable to join domain WHATEVER
> >
> > I'd rather prefer to use my domain_adm account for this kind of tasks but
> > it's obviously lacking sufficient rights (whether on directories and/or
> > files, I don't know). The domain_adm account is obviously mentioned in the
> > domain admin group parameter of smb.conf and the machine account was added
> > to the smbpasswd of WHOCARES beforehand.
> >
> > My question is: Which rights does an admin account need to be able to join
> > other machines into a domain? Joining Samba to a Samba PDC'd domain
> > appears to be fairly uncommon, as I didn't find much by searching the
> > respective lists and groups.
> 
> When you want to make a MS Windows NT/2K/XP client a member of a MS
> Windows network Domain, you must provide the name of an account and
> password for a user who has full "Domain Administrator" ability. That user
> is usually 'Administrator' on the domain controllers.
> 
> The user 'root' is the equivalent of the MS Windows NT 'Administrator'.
> 
> Obviously, every domain needs an 'Administrator' account. It is thus
> logical that 'root' needs to have an smbpasswd account. You can map this
> to administrator by setting in smb.conf [globals]:
> 	username map = /etc/samba/smbusers
> 
> And in /etc/samba/smbusers:
> 	root = Administrator
> 
> At the end of the day, just like with MS Windows NT/2K only Administrator
> (by default) has the right to add users/machines to the Domain.
> 
> - John T.
> -- 
> John H Terpstra
> Email: jht at samba.org
> 


