[Samba] Win2k joining a Samba domain

Jim C. jcllings at javahop.com
Wed Mar 10 15:53:37 GMT 2004

|> Joining a domain involves adding a user account to your UNIX system.
|> Normally only root can add/delete accounts. How secure do you think your
|> UNIX system will be if anyone can add/delete accounts? How secure a world
|> do we want?

The trust accounts add just fine on my system through the use of the adm
group as mentioned earlier.  I can't find an explanation of what it is
that User Manager for Domains does exactly.  If it simply edits an LDAP
database then my problems regarding it are strictly with LDAP and the
first place I should look is probably /etc/ldap/slapd.access.conf.
mmmm... OH! Duh, I didn't watch the ldap logs when I was trying to run
that.  I'll give this a try.  Should be insightful.   I found that
"tail -f /var/log/ldap/ldap.log | grep filter" works OK for finding out
what samba is looking for.

|> In short, the account that you use to create a domain member trust
|> for machines must have full administrative privilege on the UNIX system.

OK, so that means that uid=root should be uidNumber=0 *AND* I should
probably put ldap first in nss_switch.conf so that this is the one that
gets found by the system.  Does this account need to be a
sambaSamAccount or can it possibly be POSIX only?  I would wish to
minimize the number of admin accounts, of course.

BTW, if I can figure this out I will be very happy to draw a diagram
that shows a viable LDAP structure for inclusion in the docs. I am one
of those unfortunates who learns visually.  As many others have
discovered, it is really difficult to teach some of us using a text
based medium. :-/

Thank you for your patience in the meantime.

Jim C.

--

-----------------------------------------------------------------
| I can be reached on the following messenger services:         |
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz |
-----------------------------------------------------------------