[Samba] Re: How do you create an account that can ONLY add workstations to the domain
Michael Lueck
mlueck at lueckdatasystems.com
Wed Jul 21 17:29:54 GMT 2004
Paul Gienger wrote:
> The criteria that defines whether or not you can join machines is
> usually whether or not you can add system users in UNIX.
I guess I should have explained a bit more of what I have tried and chatted with John Terpstra about.
/etc/group
domadmin:x:2000:mradmin
# initGrps.sh
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
(These two allow Win2K ifmember.exe /list to see that the logged-in user is a domain admin, but the ID cannot add workstations to the domain...)
# /etc/samba/smb.conf
[global]
admin users = @domadmin
And then the account may finally add workstations.
So that's all fine and dandy, except that now I have a utility ID, with its password in script files, that has way too many permissions on the domain.
On a side note, if I remove the account from /etc/group yet leave it in the admin users = list, ifmember.exe /list no longer sees the domain admin membership, but joining workstations to the domain still works. So admin users = seems to be the key for now, but it is unclear which share needs it, as admin users is a share-level setting per the docs.
Some shares are created automatically if you do not specify / override the default settings. I'm thinking that if I knew which share was critical, I could add a section of that name, put admin users = under it, and lock this ID to being an admin only for that one required share... IPC$ maybe? I am not turning up anyone defining an [IPC$] share, but I just might try it...
--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
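Added example, not part of this thread or of Samba's own documentation: on Samba 3.0.11 and later (released after this message), the least-privilege way to let one account join machines is to grant it the SeMachineAccountPrivilege right rather than listing it under admin users. The domain name EXAMPLE, the account name joiner and the useradd path below are placeholders; adjust them to your system.

```ini
# /etc/samba/smb.conf (added example; EXAMPLE, joiner and paths are placeholders)
[global]
   workgroup = EXAMPLE
   domain logons = yes
   # Samba 3.0.11-era releases need this for granted rights to be honoured;
   # current releases have privileges enabled unconditionally.
   enable privileges = yes
   # Runs as root when a machine account is created during a domain join, so
   # the joining user no longer needs to be root or appear in "admin users".
   add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %u

# No "admin users" entry is needed anywhere for the join to work; the join
# right is granted to the account instead, with:
#   net rpc rights grant 'EXAMPLE\joiner' SeMachineAccountPrivilege -U root
# and checked with:
#   net rpc rights list accounts -U root
```

With this in place the joiner account can create machine accounts but has no administrative rights on any share, so its password sitting in a script file exposes only the ability to join workstations, not the whole domain.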