[Samba] Win2k joining a Samba domain
John H Terpstra
jht at samba.org
Wed Mar 10 07:11:48 GMT 2004
On Tue, 9 Mar 2004, Jim C. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mr. Terpstra,
> Are you saying that if I have a user account in ldap which is
> responsible for admin, that it must be uid=root or that it must be
> uidNumber=0? What about gid=root/gidNumber=0 for a group? I have the
> setup below and somethings do get done. Machines accounts are added
> automatically and both Admin and root can authorize the joining of the
> domain. On a Mandrake system like mine the smbldap scripts belong to a
> group named "adm" and uid=root belongs to this group also as well as to
> the group "Domain Admins".
Joining a domain involves adding a user account to your UNIX system.
Normally only root can add/delete accounts. How secure do you think your
UNIX system will be if anyone can add/delete accounts? How secure a world
do we want?
In short, the account that you use to create a domain member trust account
for machines must have full administrative privilidge on the UNIX system.
- John T.
>
> getent group shows:
>
> netusers:x:502:njim,Admin,root
> njim:x:503:njim
> adm:x:4:ldap,Admin,adm,root
> machines:x:1001:
> nogroup:x:65534:
> root:x:0:root,Admin
> [LDAP entries end here]
>
> [root at enigma root]# net3 groupmap list
> Domain Users (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513) -> netusers
> Domain Computers (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-515) -> machines
> Domain Guests (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-514) -> nogroup
> Domain Admins (S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512) -> root
>
> I do have your book "The Official Samba 3 HOWTO and Reference Guide",
> BTW. Definitely worth the money but I sure wish I had more money. ;-)
>
> The problem I am having though is that I cannot use the Windows Server
> Manager or User Manager for Domains. I can browse the information but I
> cannot change it. Any tips or references to relevant portions of the
> book would help.
>
>
> Thanks,
> Jim C.
>
> |>Having managed to get far enough with the config to get a win2k box to
> |>connect to a Samba v3.0 share where the Samba machine's backend is based
> |>in LDAP, I cannot now add this win2k machine to the domain.
> |>
> |>Can anyone give me an example of how to set up an account within the
> |>LDAP server that has sufficient rights to allow the machine to join my
> |>Samba domain?
> |
>
> - --
>
> - -----------------------------------------------------------------
> | I can be reached on the following messenger services: |
> |---------------------------------------------------------------|
> | MSN: j_c_llings at hotmail.com AIM: WyteLi0n ICQ: 123291844 |
> |---------------------------------------------------------------|
> | Y!: j_c_llings Jabber: jcllings at njs.netlab.cz |
> - -----------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3-nr1 (Windows XP)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFATpSa57L0B7uXm9oRAh9BAJ9cKdoO+IM6rxA/K8T90NDsg88HdwCfZqof
> eOFZ16/I07+e1t3arClBB4Y=
> =vMn6
> -----END PGP SIGNATURE-----
>
>
--
John H Terpstra
Email: jht at samba.org
More information about the samba
mailing list