[Samba] root rq'd to join domain

Brian Wiese bwiese at hms4emc.com
Tue May 20 15:44:09 GMT 2003


Perhaps the 'admin users = ' string can be used in the [global] section to
provide other users/groups samba admin access.

|-----Original Message-----
|From: Thierry Terrier [mailto:thierry.terrier at atolltech.fr]
|Sent: Tuesday, May 20, 2003 9:48 AM
|To: samba at lists.samba.org
|Subject: Re: [Samba] root rq'd to join domain
|
|
|Hi,
|I'm using this script to create a machine account.
|But you *have to* know the machine names and create them
|before, as root, with #addsmbpdcmachine MACHINE_NAME.
|Then no admin rights are required to join the domain (do not
|use "create a machine account" on windoze).
|Note: If a machine quits the domain you have to recreate it (just
|overwrite) before joining the domain.
|I hope this helps.
|Best regards
|
|Here is my script:
|#!/bin/bash
|# Add a new machine in Primary Domain Controller Samba
|# T.TERRIER 15 feb 2002
|# Note: Replace "staffgroup" by your group domain name
|# Unix account NAME$ with no home, no shell, then the Samba machine account
|useradd -d /dev/null -g staffgroup -c "$1.staffgroup" -s /bin/false -M "$1"$
|smbpasswd -a -m "$1"$
|#!end of addsmbpdcmachine
|
|Ryan Novosielski wrote:
|
|>I believe it was expected that Samba would allow domain joins by people in
|>the "admin group=" parameter -- I seem to remember reading that
|>somewhere... I also seem to remember (and have discovered) that, no, it is
|>in fact "root", or UID 0 only, who can accomplish this task. My question
|>is, what are the ways around this? There are people in my organization who
|>will be joining machines to the domain (so I don't have to travel over
|>there to do something so trivial), but they are not part of my department
|>and can't officially be trusted with root privileges, beyond domain joins.
|>
|>I know that the creation of additional UID 0 accounts is possible, but
|>most UNIX admins frown upon that sort of thing. However, I don't
|>believe it would be as big of a deal if there were some other way
|>to restrict this user so that it was only good for domain joins,
|>not root access on shares, etc.
|>
|>Another idea -- don't know how feasible this is -- can the "add user
|>script=" and "delete user script=" commands simply be changed to "sudo
|>useradd" or "sudo userdel" instead of just useradd or userdel, or does
|>some other part of the process other than these two commands require root
|>access?
|>
|>There may be something else I'm overlooking... maybe manual machine
|>account creation? Does this not require root access (I know the creation
|>would, but then does the subsequent domain join only require domain admin
|>group access)?
|>
|>This is another one of those things that I bet someone has run into before
|>me, and I'd appreciate hearing about any experience anyone has gained on
|>the subject.
|>
|>---- _  _ _  _ ___  _  _  _
|>|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
|>|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
|>\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
|>
|>
|
|
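Added example, not code from this thread or from the Samba project: a validating rewrite of the addsmbpdcmachine idea that speaks to Ryan's question about delegating joins without handing out UID 0. It assumes the same smbpasswd-backend PDC and the same "staffgroup" machine-account group as Thierry's script, plus an assumed install path /usr/local/sbin/addsmbpdcmachine and a hypothetical domainjoiners group for the sudoers rule. Two points it shows: the quoted script passes $1 unquoted to useradd, so once the script runs as root through sudo the machine name is the one input a non-root caller controls and it has to be validated; and the smb.conf "admin users" parameter is no substitute, because users listed there perform all file operations on the share as root, which is exactly the share-level root access Ryan wants to avoid.

```shell
#!/bin/bash
# Added example (not T. Terrier's script or Samba's own code): a validating
# variant of addsmbpdcmachine that can be delegated through sudo.
# Assumptions: smbpasswd-backend PDC as in the thread, useradd/smbpasswd on
# PATH, "staffgroup" as the machine-account group (override via MACHINE_GROUP).

MACHINE_GROUP="${MACHINE_GROUP:-staffgroup}"

# Accept only plausible NetBIOS machine names: 1-15 characters, letters,
# digits and hyphens, not starting with a hyphen. Anything else could reach
# useradd/smbpasswd as an option or as a name with shell metacharacters once
# the script runs as root on behalf of a non-root caller.
validate_machine_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9-]* ) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# The exact useradd command line this script would run, as one string, so it
# can be inspected and tested without privileges.
useradd_cmd() {
    printf '%s' "useradd -d /dev/null -g $MACHINE_GROUP -c $1.$MACHINE_GROUP -s /bin/false -M $1\$"
}

# Create the Unix and Samba machine accounts. The trailing "$" follows the
# quoted script's convention for both commands. Refuses bad names and, unlike
# the original, refuses to touch an account that already exists, so a
# delegated caller cannot overwrite an unrelated existing entry.
add_machine_account() {
    name="$1"
    if ! validate_machine_name "$name"; then
        echo "addsmbpdcmachine: refusing machine name '$name'" >&2
        return 2
    fi
    if getent passwd "$name\$" >/dev/null 2>&1; then
        echo "addsmbpdcmachine: $name\$ already exists" >&2
        return 3
    fi
    useradd -d /dev/null -g "$MACHINE_GROUP" -c "$name.$MACHINE_GROUP" \
        -s /bin/false -M "$name\$" || return 4
    smbpasswd -a -m "$name\$"
}

# Delegation: with the script installed as /usr/local/sbin/addsmbpdcmachine
# (assumed path), a sudoers rule such as
#   %domainjoiners ALL=(root) NOPASSWD: /usr/local/sbin/addsmbpdcmachine
# lets members of the hypothetical domainjoiners group create machine accounts
# and nothing else, instead of holding UID 0 or "admin users" rights.

# Act only when invoked directly with one argument; sourcing the file or
# running it without arguments just defines the functions.
if [ "$#" -eq 1 ]; then
    add_machine_account "$1"
fi
```

Run it as root (or through the sudoers rule) with one argument, e.g. `addsmbpdcmachine WS01`; without arguments it only defines the functions, which is what lets the name checks be exercised without privileges.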