[Samba] Win2k joining a Samba domain

John H Terpstra jht at samba.org
Wed Mar 10 07:11:48 GMT 2004

On Tue, 9 Mar 2004, Jim C. wrote:

> Hash: SHA1
> Mr. Terpstra,
> Are you saying that if I have a user account in ldap which is
> responsible for admin, that it must be uid=root or that it must be
> uidNumber=0? What about gid=root/gidNumber=0 for a group?  I have the
> setup below and somethings do get done. Machines accounts are added
> automatically and both Admin and root can authorize the joining of the
> domain.  On a Mandrake system like mine the smbldap scripts belong to a
> group named "adm" and uid=root belongs to this group also as well as to
> the group "Domain Admins".

Joining a domain involves adding a user account to your UNIX system.
Normally only root can add/delete accounts. How secure do you think your
UNIX system will be if anyone can add/delete accounts? How secure a world
do we want?

In short, the account that you use to create a domain member trust account
for machines must have full administrative privilidge on the UNIX system.

- John T.

> getent group shows:
> netusers:x:502:njim,Admin,root
> njim:x:503:njim
> adm:x:4:ldap,Admin,adm,root
> machines:x:1001:
> nogroup:x:65534:
> root:x:0:root,Admin
> [LDAP entries end here]
> [root at enigma root]# net3 groupmap list
> Domain Users (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513) -> netusers
> Domain Computers (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-515) -> machines
> Domain Guests (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-514) -> nogroup
> Domain Admins (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512) -> root
> I do have your book "The Official Samba 3 HOWTO and Reference Guide",
> BTW.  Definitely worth the money but I sure wish I had more money. ;-)
> The problem I am having though is that I cannot use the Windows Server
> Manager or User Manager for Domains.  I can browse the information but I
> cannot change it.  Any tips or references to relevant portions of the
> book would help.
> Thanks,
> Jim C.
> |>Having managed to get far enough with the config to get a win2k box to
> |>connect to a Samba v3.0 share where the Samba machine's backend is based
> |>in LDAP, I cannot now add this win2k machine to the domain.
> |>
> |>Can anyone give me an example of how to set up an account within the
> |>LDAP server that has sufficient rights to allow the machine to join my
> |>Samba domain?
> |
> - --
> - -----------------------------------------------------------------
> | I can be reached on the following messenger services:		|
> |---------------------------------------------------------------|
> | MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
> |---------------------------------------------------------------|
> | Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz	|
> - -----------------------------------------------------------------
> Version: GnuPG v1.2.3-nr1 (Windows XP)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFATpSa57L0B7uXm9oRAh9BAJ9cKdoO+IM6rxA/K8T90NDsg88HdwCfZqof
> eOFZ16/I07+e1t3arClBB4Y=
> =vMn6

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list