[Samba] root rq'd to join domain

Ryan Novosielski novosirj at umdnj.edu
Tue May 20 07:15:59 GMT 2003


I believe it was expected that Samba would allow domain joins by people in
the "admin group=" parameter -- I seem to remember reading that
somewhere... I also seem to remember (and have discovered) that, no, it is
in fact "root", or UID 0 only, who can accomplish this task. My question
is, what are the ways around this? There are people in my organization who
will be joining machines to the domain (so I don't have to travel over
there to do something so trivial), but they are not part of my department
and can't officially be trusted with root privileges, beyond domain joins.

I know that the creation of additional UID 0 accounts is possible, but
most UNIX admins frown upon that sort of thing. However, I don't
believe it would be as big of a deal if there were some other way
to restrict this user so that it was only good for domain joins,
not root access on shares, etc.

Another idea -- don't know how feasible this is -- can the "add user
script=" and "delete user script=" commands simply be changed to "sudo
useradd" or "sudo userdel" instead of just useradd or userdel, or does
some other part of the process other than these two commands require root
access?

There may be something else I'm overlooking... maybe manual machine
account creation? Does this not require root access (I know the creation
would, but then does the subsequent domain join only require domain admin
group access)?

This is another one of those things that I bet someone has run into before
me, and I'd appreciate hearing about any experience anyone has gained on
the subject.

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630


