[Samba] root rq'd to join domain
A.J.Dawson at Bradford.ac.uk
Tue May 20 15:49:53 GMT 2003
The other option to try is the one that I use - create a Samba 'root' user
with a different password to the root user on the Linux. This allows me
to join machines to the domain but not access any shares (as root is not a
member of the group users on the machine in question). I also made the
Samba root user a member of the group NT_adm, our NT admin group.
I've tried quite hard to access any of our shares using this account - I
*can* log onto a domain controlled machine using the username/password
combination, but I cannot get access to any of the shares I have
On Tue, 20 May 2003, Brian Wiese wrote:
> Perhaps the 'admin users =3D ' string can be used in the [global] section=
> provide other users/groups samba admin access.
> |-----Original Message-----
> |From: Thierry Terrier [mailto:thierry.terrier at atolltech.fr]
> |Sent: Tuesday, May 20, 2003 9:48 AM
> |To: samba at lists.samba.org
> |Subject: Re: [Samba] root rq'd to join domain
> |I'm using this script to create a machine account.
> |But you *have to* known the machine names and create them
> |before as root
> |by #addsmbpdcmachine MACHINE_NAME.
> |Then no admin. rights are required to join the domain (do not
> |use create
> |a machine account.on windoze).
> |Note: If a machine quit the domain you have to recreate it (just
> |overwrite) before joining domain.
> |I hope this help
> |Best regards
> |Here is my script:
> |# Add a new machine in Primary Domain Controller Samba
> |# T.TERRIER 15 feb 2002
> |# Note: Replace "staffgroup" by your group domain name
> |useradd -d /dev/null -g staffgroup -c $1.staffgroup -s
> |/bin/false -M $1$
> |smbpasswd -a -m "$1"$
> |#!end of addsmbpdcmachine
> |Ryan Novosielski a =E9crit:
> |>I believe it was expected that Samba would allow domain joins
> |by people in
> |>the "admin group=3D" parameter -- I seem to remember reading that
> |>somewhere... I also seem to remember (and have discovered)
> |that, no, it is
> |>in fact "root", or UID 0 only, who can accomplish this task.
> |My question
> |>is, what are the ways around this? There are people in my
> |organization who
> |>will be joining machines to the domain (so I don't have to travel over
> |>there to do something so trivial), but they are not part of
> |my department
> |>and can't officially be trusted with root privileges, beyond
> |domain joins.
> |>I know that the creation of additional UID 0 accounts is possible, but
> |>most UNIX admins frown upon that sort of thing. However, I don't
> |>believe it would be as big of a deal if there were some other way
> |>to restrict this user so that it was only good for domain joins,
> |>not root access on shares, etc.
> |>Another idea -- don't know how feasible this is -- can the "add user
> |>script=3D" and "delete user script=3D" commands simply be changed to "s=
> |>useradd" or "sudo userdel" instead of just useradd or
> |userdel, or does
> |>some other part of the process other than these two commands
> |require root
> |>There may be something else I'm overlooking... maybe manual machine
> |>account creation? Does this not require root access (I know
> |the creation
> |>would, but then does the subsequent domain join only require
> |domain admin
> |>group access)?
> |>This is another one of those things that I bet someone has
> |run into before
> |>me, and I'd appreciate hearing about any experience anyone
> |has gained on
> |>the subject.
> |>---- _ _ _ _ ___ _ _ _
> |>|Y#| | | |\/| | \ |\ | | | Ryan Novosielski - Jr. UNIX
> |Systems Admin
> |>|$&| |__| | | |__/ | \| _| | novosirj at umdnj.edu -
> |973/972.0922 (2-0922)
> |>\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science
> |Bldg - C630
> |To unsubscribe from this list go to the following URL and read the
> |instructions: http://lists.samba.org/mailman/listinfo/samba
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
Dr. Andy Dawson
A.J.Dawson at Bradford.ac.uk
Never attribute to malice that which is adequately explained by stupidity.
More information about the samba