[Samba] root rq'd to join domain

Thierry Terrier thierry.terrier at atolltech.fr
Tue May 20 14:47:32 GMT 2003


Hi,
I'm using this script to create a machine account.
But you *have to* know the machine names and create them beforehand as root
with #addsmbpdcmachine MACHINE_NAME.
Then no admin rights are required to join the domain (do not use "create
a machine account" on windoze).
Note: If a machine quits the domain you have to recreate it (just
overwrite) before joining the domain.
I hope this helps
Best regards

Here is my script:
#!/bin/bash
# Add a new machine in Primary Domain Controller Samba
# T.TERRIER 15 feb 2002
# Note: Replace "staffgroup" by your group domain name
# Usage (as root): addsmbpdcmachine MACHINE_NAME
if [ $# -ne 1 ]; then echo "usage: $0 MACHINE_NAME" >&2; exit 1; fi
# Unix trust account MACHINE_NAME$ : no home dir, no login shell
useradd -d /dev/null -g staffgroup -c "$1.staffgroup" -s /bin/false -M "$1"$
# Samba machine (trust) account entry
smbpasswd -a -m "$1"$
#!end of addsmbpdcmachine

Ryan Novosielski wrote:

>I believe it was expected that Samba would allow domain joins by people in
>the "admin group=" parameter -- I seem to remember reading that
>somewhere... I also seem to remember (and have discovered) that, no, it is
>in fact "root", or UID 0 only, who can accomplish this task. My question
>is, what are the ways around this? There are people in my organization who
>will be joining machines to the domain (so I don't have to travel over
>there to do something so trivial), but they are not part of my department
>and can't officially be trusted with root privileges, beyond domain joins.
>
>I know that the creation of additional UID 0 accounts is possible, but
>most UNIX admins frown upon that sort of thing. However, I don't
>believe it would be as big of a deal if there were some other way
>to restrict this user so that it was only good for domain joins,
>not root access on shares, etc.
>
>Another idea -- don't know how feasible this is -- can the "add user
>script=" and "delete user script=" commands simply be changed to "sudo
>useradd" or "sudo userdel" instead of just useradd or userdel, or does
>some other part of the process other than these two commands require root
>access?
>
>There may be something else I'm overlooking... maybe manual machine
>account creation? Does this not require root access (I know the creation
>would, but then does the subsequent domain join only require domain admin
>group access)?
>
>This is another one of those things that I bet someone has run into before
>me, and I'd appreciate hearing about any experience anyone has gained on
>the subject.
>
>---- _  _ _  _ ___  _  _  _
>|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
>|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
>\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
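A hardened variant of the pre-creation helper described above, written as an added example (it is not the poster's script or any Samba-shipped tool). It assumes the same model as the post: a Samba PDC where each machine trust account is a Unix account named NAME$ plus an smbpasswd entry added with "smbpasswd -a -m", so that only root pre-creates the account and the join itself needs no admin rights. It adds what the one-liner lacks: a check that the name is a plausible NetBIOS host name, a root check, and an explicit "overwrite" mode for the case the post notes, a machine that has left the domain and must be recreated before it can join again. The group name staffgroup and the assumption that "smbpasswd -m" appends the trailing "$" itself (the poster's version passes NAME$ explicitly) are assumptions to adjust per site and Samba version.

```shell
#!/bin/bash
# addsmbpdcmachine, hardened variant (added example, not the poster's script).
# Assumes: Samba PDC with trust accounts as Unix users "NAME$" plus an
# smbpasswd entry created with "smbpasswd -a -m". Run as root.
set -eu

MACHINE_GROUP="${MACHINE_GROUP:-staffgroup}"   # group for trust accounts (assumed, adjust per site)

# Accept only a plausible NetBIOS host name: 1-15 chars of letters, digits or
# hyphen, no leading hyphen, and no trailing '$' (callers pass the bare name).
# Returns 0 if acceptable, 1 otherwise.
valid_machine_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Unix account name for a machine trust account: upper-cased NAME plus '$',
# the form Windows presents when it joins.
trust_account_name() {
    printf '%s$\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Create the account, or with mode "overwrite" reset an existing one (needed
# after a machine has left the domain). Only this function touches the system.
add_machine() {
    name="$1"; mode="${2:-create}"
    if ! valid_machine_name "$name"; then
        echo "invalid machine name: $name" >&2; return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2; return 3
    fi
    acct="$(trust_account_name "$name")"
    if ! getent passwd "$acct" >/dev/null; then
        # no home directory, no login shell: the account exists only for the join
        useradd -d /dev/null -g "$MACHINE_GROUP" -c "$name.$MACHINE_GROUP" \
            -s /bin/false -M "$acct"
    elif [ "$mode" != overwrite ]; then
        echo "$acct already exists; pass 'overwrite' to reset it" >&2; return 4
    fi
    # Assumed: "-m" marks a machine account and appends the '$' itself.
    # Re-running it resets the entry so a machine that left can join again.
    smbpasswd -a -m "$name"
}

# Usage: addsmbpdcmachine MACHINE_NAME [overwrite]
if [ "$#" -gt 0 ]; then
    add_machine "$@"
fi
```

The validation rejects names with a trailing "$", shell metacharacters or more than 15 characters before anything reaches useradd, which matters because the name arrives from whoever is delegated the pre-creation step; the root check and the explicit overwrite mode keep an accidental re-run from silently resetting a live machine's trust account.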