[Samba] How do you handle this right now? Joining workstations to a samba domain.

Paul Gienger pgienger at ae-solutions.com
Sat May 1 14:28:26 GMT 2004

What I did on my setup was that I had an 'Administrator' account with a 
uid of 0.  I'm not sure if this was made by the smbldap-tools populate 
script or if I hand created it, but it was uid 0 and had the proper sid 
to be the domain administrator as far as windows was concerned.  The UID 
0 part made sure that it was able to add user accounts under UNIX, and 
being a seperate account I could lock it down more so it couldn't log in 
on unix, which is what I'm most worried about at my shop.  I did things 
like give it shell = /bin/nosuchshell, didn't give it any hosts (which 
means it can't log in when using check_host_attr if I remember the param 
right)  and other fun stuff like that.

Robert wrote:

> Currently, we have a few windows NT4 domains and we are looking to 
> upgrade to samba.  I have played with samba on my own and am very 
> comfortable with it.  I have implemented pdc and bdc on both samba 2.x 
> and 3.x with an LDAP backend.
> How do you currently handle adding workstations to the domain.  I have 
> done it on my test domain with the root user and by assigning a 
> different password for the samba password from the actual root login.  
> I noticed that in 2.2.8a, I was able to join the domain as a non root 
> user with an LDAP backend as long as I added the user to the domain 
> admin = parameter.  This was however, not doable on the smbpasswd 
> backend.  With 3.0, I was not able to add the user unless it was done 
> with the root user.  For security reasons, I added "invalid users = 
> root" to the global section, but added "invalid users = " to the IPC$ 
> share so that root was able to join the workstations, but access no 
> files or printers on the server.
> The problem with my situation is that there are multiple groups of 
> administrators who needed to add machines to "their" respective 
> domains.  One group handles management of faculty workstations, 
> another handles student lab machines, and there are a few groups 
> around the place.  For ease of management, we are going to use a 
> single domain.
> How would you handle this?  Should I just share the smb root password 
> with ALL administrators, or would this cause problems?
> Thanks in advance.

Paul Gienger                     Office:		701-281-1884
Applied Engineering Inc.         Cell:			701-306-6254
Information Systems Consultant   Fax:			701-281-1322
URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com

More information about the samba mailing list