[Samba] Unix user rights to join domain

John H Terpstra jht at samba.org
Mon Mar 17 21:19:23 GMT 2003


On Mon, 17 Mar 2003, Olaf Grewe wrote:

> Hi John,
>
> Thanks for your quick reaction. If you don't mind, I'd like to ask you -
> or someone from the list for that matter - for a slightly more granular
> answer. I was trained to avoid the Administrator or root as much as
> possible, not least for accountability reasons. For most tasks on *nix and
> Windows it is possible to grant rights more granular than using root. So I
> reckon this holds true for Samba also. Most likely, it's a matter of
> having the Admin user in the right *nix group?

The smbpasswd file is owned by root. It is a little difficult to avoid
Unix system security. In short, whatever user you use, the uid needs to
be '0'.

- John T.

>
> Regards
> 	Olaf
>
>
> On Mon, 17 Mar 2003, John H Terpstra wrote:
>
> > On Mon, 17 Mar 2003, Olaf Grewe wrote:
> >
> > > Hi,
> > >
> > > I recently joined a Samba server to a Samba PDC'd domain. It worked rather
> > > smoothly after I figured out that I had to create a root account with
> > > smbpasswd on the Samba PDC. Without it, I was stuck with the following
> > > error:
> > > > smbpasswd -j WHATEVER -r WHOCARES -Uname%password
> > > error setting trust account password: NT_STATUS_ACCESS_DENIED
> > > Unable to join domain WHATEVER
> > >
> > > I'd rather prefer to use my domain_adm account for this kind of tasks but
> > > it's obviously lacking sufficient rights (whether on directories and/or
> > > files, I don't know). The domain_adm account is obviously mentioned in the
> > > domain admin group parameter of smb.conf and the machine account was added
> > > to the smbpasswd of WHOCARES beforehand.
> > >
> > > My question is: Which rights does an admin account need to be able to join
> > > other machines into a domain? Joining Samba to a Samba PDC'd domain
> > > appears to be fairly uncommon, as I didn't find much by searching the
> > > respective lists and groups.
> >
> > When you want to make a MS Windows NT/2K/XP client a member of a MS
> > Windows network Domain, you must provide the name of an account and
> > password for a user who has full "Domain Administrator" ability. That user
> > is usually 'Administrator' on the domain controllers.
> >
> > The user 'root' is the equivalent of the MS Windows NT 'Administrator'.
> >
> > Obviously, every domain needs an 'Administrator' account. It is thus
> > logical that 'root' needs to have an smbpasswd account. You can map this
> > to administrator by setting in smb.conf [globals]:
> > 	username map = /etc/samba/smbusers
> >
> > And in /etc/samba/smbusers:
> > 	root = Administrator
> >
> > At the end of the day, just like with MS Windows NT/2K only Administrator
> > (by default) has the right to add users/machines to the Domain.
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>

-- 
John H Terpstra
Email: jht at samba.org
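The thread boils down to two mechanisms: the name given to `smbpasswd -U` is first run through the `username map` file (so `Administrator` becomes `root`), and the resulting Unix account must be uid 0 before the trust account password can be set. The script below is an added example, not code from the Samba project or from either poster. It resolves a Windows account name through a constructed `smbusers` sample in the format John shows, looks the Unix name up in a constructed `passwd` sample, and reports whether the join would be attempted as uid 0. The `!` stop entries and `@group` entries that a real `username map` file may contain are not handled.

```shell
#!/bin/sh
# Added example, not from the Samba project: resolve a Windows account
# name through a "username map" file and check whether the Unix account
# it maps to is uid 0, which the thread says a domain-join account needs.

# Constructed sample of /etc/samba/smbusers (format: unixname = winname ...)
SMBUSERS='# sample smbusers, constructed for this example
root = Administrator admin
nobody = guest pcguest smbguest'

# Constructed sample of /etc/passwd
PASSWD='root:x:0:0:root:/root:/bin/sh
domain_adm:x:1001:1001:Domain Admin:/home/domain_adm:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# map_user WINNAME: print the Unix name the map gives WINNAME, or WINNAME
# itself when no entry matches (an unmapped name is passed through unchanged).
# Matching is case-insensitive. "!" and "@group" entries are not handled.
map_user() {
    printf '%s\n' "$SMBUSERS" | awk -v want="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            n = index($0, "="); if (n == 0) next
            unix = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", unix)
            nwin = split(substr($0, n + 1), win, /[[:space:]]+/)
            for (i = 1; i <= nwin; i++)
                if (win[i] != "" && tolower(win[i]) == tolower(want)) {
                    print unix; found = 1; exit
                }
        }
        END { if (!found) print want }'
}

# uid_of UNIXNAME: print the uid from the passwd sample, or nothing if absent
uid_of() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# can_join WINNAME: succeed only when the mapped Unix account is uid 0
can_join() {
    uid=$(uid_of "$(map_user "$1")")
    [ "$uid" = "0" ]
}

for name in Administrator domain_adm root; do
    if can_join "$name"; then
        echo "$name -> $(map_user "$name") (uid 0): trust account password can be set"
    else
        echo "$name -> $(map_user "$name"): expect NT_STATUS_ACCESS_DENIED"
    fi
done
```

Run as-is, it shows `Administrator` and `root` passing and `domain_adm` failing, which is the situation Olaf described: membership in `domain admin group` does not change the Unix uid the PDC acts under, so only a name that maps to uid 0 gets past the access check.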

