[Samba] How do you handle this right now? Joining workstations to a samba domain.
Paul Gienger
pgienger at ae-solutions.com
Sat May 1 14:28:26 GMT 2004
What I did on my setup was that I had an 'Administrator' account with a
uid of 0. I'm not sure if this was made by the smbldap-tools populate
script or if I hand created it, but it was uid 0 and had the proper sid
to be the domain administrator as far as Windows was concerned. The UID
0 part made sure that it was able to add user accounts under UNIX, and
being a separate account I could lock it down more so it couldn't log in
on unix, which is what I'm most worried about at my shop. I did things
like give it shell = /bin/nosuchshell, didn't give it any hosts (which
means it can't log in when using check_host_attr if I remember the param
right) and other fun stuff like that.
Robert wrote:
> Currently, we have a few Windows NT4 domains and we are looking to
> upgrade to samba. I have played with samba on my own and am very
> comfortable with it. I have implemented pdc and bdc on both samba 2.x
> and 3.x with an LDAP backend.
>
>
> How do you currently handle adding workstations to the domain? I have
> done it on my test domain with the root user and by assigning a
> different password for the samba password from the actual root login.
> I noticed that in 2.2.8a, I was able to join the domain as a non root
> user with an LDAP backend as long as I added the user to the domain
> admin = parameter. This was, however, not doable on the smbpasswd
> backend. With 3.0, I was not able to add the user unless it was done
> with the root user. For security reasons, I added "invalid users =
> root" to the global section, but added "invalid users = " to the IPC$
> share so that root was able to join the workstations, but access no
> files or printers on the server.
>
> The problem with my situation is that there are multiple groups of
> administrators who needed to add machines to "their" respective
> domains. One group handles management of faculty workstations,
> another handles student lab machines, and there are a few groups
> around the place. For ease of management, we are going to use a
> single domain.
>
> How would you handle this? Should I just share the smb root password
> with ALL administrators, or would this cause problems?
>
> Thanks in advance.
>
>
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgienger at ae-solutions.com
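
A check for the lockdown described in the reply above, as an added example that is not part of the original post: it lists uid-0 accounts other than root and reports any that still have a usable login shell or a host attribute. The entries, the `joinadmin` account, the shell list and the rule that an empty host attribute blocks login (host checking enabled in the PAM LDAP setup) are assumptions made for illustration.

```python
# Added example: audit uid-0 accounts for the lockdown described in the post.
# All entries below are constructed sample data, not from a real directory.

VALID_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh"}  # stand-in for /etc/shells

# posixAccount-style entries as a directory search might return them (constructed)
SAMPLE_ENTRIES = [
    {"uid": "root", "uidNumber": 0, "loginShell": "/bin/bash", "host": ["pdc1"]},
    {"uid": "Administrator", "uidNumber": 0,
     "loginShell": "/bin/nosuchshell", "host": []},
    {"uid": "joinadmin", "uidNumber": 0,          # hypothetical second uid-0 account
     "loginShell": "/bin/bash", "host": ["pdc1"]},
    {"uid": "robert", "uidNumber": 1001, "loginShell": "/bin/bash", "host": ["pdc1"]},
]


def audit_uid0(entries, valid_shells=VALID_SHELLS, allowed=("root",)):
    """Return {account: [findings]} for uid-0 accounts other than `allowed`.

    An empty findings list means the account is locked down in both ways the
    post mentions: no usable shell and no host attribute.
    """
    report = {}
    for entry in entries:
        if int(entry["uidNumber"]) != 0 or entry["uid"] in allowed:
            continue
        findings = []
        shell = entry.get("loginShell")
        if shell in valid_shells:
            findings.append("usable login shell: " + shell)
        # Assumption: host checking is enforced, so any host value permits login there.
        if entry.get("host"):
            findings.append("host attribute set: " + ",".join(entry["host"]))
        report[entry["uid"]] = findings
    return report


def unlocked(report):
    """Names of uid-0 accounts that can still log in on UNIX."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    for name, findings in audit_uid0(SAMPLE_ENTRIES).items():
        print(name, "->", findings or "locked down")
```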