[Samba] root rq'd to join domain

John H Terpstra jht at samba.org
Wed May 21 02:54:48 GMT 2003


On Tue, 20 May 2003, Brian Wiese wrote:

> Perhaps the 'admin users = ' string can be used in the [global] section to
> provide other users/groups samba admin access.

No! That will not work. Sorry. You must use the administrator account
(unix root) to effect domain joins.

- John T.

>
> |-----Original Message-----
> |From: Thierry Terrier [mailto:thierry.terrier at atolltech.fr]
> |Sent: Tuesday, May 20, 2003 9:48 AM
> |To: samba at lists.samba.org
> |Subject: Re: [Samba] root rq'd to join domain
> |
> |
> |Hi,
> |I'm using this script to create a machine account.
> |But you *have to* know the machine names and create them beforehand as root
> |with #addsmbpdcmachine MACHINE_NAME.
> |Then no admin rights are required to join the domain (do not use "create
> |a machine account" on windoze).
> |Note: If a machine quits the domain you have to recreate it (just
> |overwrite) before joining the domain.
> |I hope this helps
> |Best regards
> |
> |Here is my script:
> |#!/bin/bash
> |# Add a new machine in Primary Domain Controller Samba
> |# T.TERRIER 15 feb 2002
> |# Note: Replace "staffgroup" by your group domain name
> |# $1 is the machine name; the trailing $ marks a machine trust account
> |useradd -d /dev/null -g staffgroup -c "$1.staffgroup" -s /bin/false -M "$1"$
> |smbpasswd -a -m "$1"$
> |#!end of addsmbpdcmachine
> |
> |Ryan Novosielski wrote:
> |
> |>I believe it was expected that Samba would allow domain joins by people in
> |>the "admin group=" parameter -- I seem to remember reading that
> |>somewhere... I also seem to remember (and have discovered) that, no, it is
> |>in fact "root", or UID 0 only, who can accomplish this task. My question
> |>is, what are the ways around this? There are people in my organization who
> |>will be joining machines to the domain (so I don't have to travel over
> |>there to do something so trivial), but they are not part of my department
> |>and can't officially be trusted with root privileges, beyond domain joins.
> |>
> |>I know that the creation of additional UID 0 accounts is possible, but
> |>most UNIX admins frown upon that sort of thing. However, I don't
> |>believe it would be as big of a deal if there were some other way
> |>to restrict this user so that it was only good for domain joins,
> |>not root access on shares, etc.
> |>
> |>Another idea -- don't know how feasible this is -- can the "add user
> |>script=" and "delete user script=" commands simply be changed to "sudo
> |>useradd" or "sudo userdel" instead of just useradd or userdel, or does
> |>some other part of the process other than these two commands require root
> |>access.
> |>
> |>There may be something else I'm overlooking... maybe manual machine
> |>account creation? Does this not require root access (I know the creation
> |>would, but then does the subsequent domain join only require domain admin
> |>group access)?
> |>
> |>This is another one of those things that I bet someone has run into before
> |>me, and I'd appreciate hearing about any experience anyone has gained on
> |>the subject.
> |>
> |>---- _  _ _  _ ___  _  _  _
> |>|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
> |>|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
> |>\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
> |>
> |>
> |
> |
> |--
> |To unsubscribe from this list go to the following URL and read the
> |instructions:  http://lists.samba.org/mailman/listinfo/samba
> |

-- 
John H Terpstra
Email: jht at samba.org
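The addsmbpdcmachine script quoted in the thread takes the machine name straight from $1 and runs useradd as root on it. Below is an added, hardened variant (my own example, not Thierry's script or anything shipped with Samba): it checks the name against the NetBIOS rules before any privileged command runs, quotes every expansion, and refuses to proceed unless run as root. It assumes an smbpasswd-backed PDC and a group named "machines" for the trust accounts (the poster used "staffgroup").

```shell
#!/bin/sh
# Added example: hardened machine-trust-account creation for a Samba PDC.
# Assumptions: smbpasswd backend, group "machines" exists, run as root.
set -eu

MACHINE_GROUP="machines"   # assumption: group that holds machine accounts

# validate_machine_name NAME -> 0 if NAME is an acceptable NetBIOS host name
# (1-15 chars, letters/digits/hyphen, no leading '-', no trailing '$' since
# that is appended here), 1 otherwise. Keeps shell- or useradd-hostile
# input away from the privileged commands below.
validate_machine_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;   # anything outside the safe set
        -*) return 1 ;;                # would be parsed as an option
    esac
    return 0
}

# account_name NAME -> prints the trust-account name, i.e. NAME with '$'
account_name() {
    printf '%s$\n' "$1"
}

# add_machine_account NAME: create the Unix account and the Samba machine
# trust account, refusing bad names, non-root callers and a missing group.
add_machine_account() {
    validate_machine_name "$1" || { echo "invalid machine name: $1" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    getent group "$MACHINE_GROUP" >/dev/null || { echo "no group $MACHINE_GROUP" >&2; return 1; }
    acct=$(account_name "$1")
    # -M: no home directory; /bin/false: the account can never log in
    useradd -d /dev/null -g "$MACHINE_GROUP" -c "$1 machine account" \
            -s /bin/false -M "$acct"
    # -m: this is a machine trust account, as in the quoted script
    smbpasswd -a -m "$acct"
}

if [ "$#" -gt 0 ]; then
    add_machine_account "$1"
fi
```

Only validate_machine_name and account_name run without privileges; add_machine_account still needs root, which is exactly the point John makes above.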