[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP
Rauno Tuul
rauno.tuul at haigekassa.ee
Tue May 11 14:29:33 GMT 2004
Hi,
I want to achieve that the IT staff can add machines (2000/XP) to samba-3
(LDAP backend) on the fly.
Creating a new machine account in LDAP requires special access to samba
(uid=0).
In samba-2.2.x there was a great parameter called "domain admin group". So
everyone who belonged to the specified group, and root (uid=0), could modify
LDAP.
Others got the message "cannot access LDAP when not root".
In samba-3 this parameter was removed (I don't get it, why?!?!).
Until 3.0.2a I could pass the LDAP access check by specifying in the smb.conf
global section
admin users = @domain_admins
So for users who were in the domain_admins group, their uid was forced to 0 and
they passed the LDAP check.
(I wrote about it:
http://lists.samba.org/archive/samba/2003-September/073997.html )
After upgrading to 3.0.4 that trick doesn't work either.
So at the moment using root account (uid=0) is the one and ONLY way to add
machines to LDAP.
All this LDAP access has nothing to do with groupmap.
I created an administrator account (uid=0) (basically a fake root):
# smbldap-usershow.pl administrator
dn: uid=root,ou=Users,dc=company,dc=lan
objectClass: posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
sambaDomainName: DOMAIN
uidNumber: 0
gidNumber: 0
sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
displayName: administrator
cn: administrator
uid: administrator
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514
The specified user does not belong to any group and has got no access rights
on the domain.
RID -514 is "domain guest".
On the XP box I log in as local admin. No machine account exists on the PDC.
On joining the domain I enter "administrator/password"; samba successfully
creates a new LDAP entry and returns the error "Access denied" to the client.
When entering the same "administrator/password" again (second time), XP
successfully joins the domain.
When the machine is in the domain and I log into that box as
DOMAIN\administrator, I get no privileged access on that box.
The entire join was done without any relevance to group mapping (the domain
admins groupmap is not needed for the join in this case).
In this case I have an administrator account which hasn't got any admin
rights.
Why can't there be a parameter with which I could specify additional access
to LDAP, like there was in 2.2.x...
I discussed it earlier:
http://lists.samba.org/archive/samba/2003-September/073608.html
"Because you now have something much more powerful that
provides real NT Groups to your NT/200x/XP clients."
Well, where is the power, when I can't modify LDAP!?!?!
Giving each IT staff member the password of the "administrator" account is a
very bad option.
Basically the "administrator" account is meant to be an account of power.
Restricting this isn't polite... but sharing the power with each member is also
bad and could have very bad consequences.
What would be the solution?
Best regards,
Rauno Tuul
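As an added example (not code from the post or from Samba): a small Python audit that parses entries in the format quoted above and flags the two patterns the post describes, a non-root account carrying POSIX uid 0, and an Administrator-RID (500) account whose primary group is Domain Guests (514). The second entry and the folded objectClass line are constructed; the first entry is the one shown in the post, abridged.

```python
# Constructed sample: entry 1 is the smbldap-usershow.pl output quoted in the post
# (abridged, with objectClass folded as LDIF does), entry 2 an ordinary user for contrast.
SAMPLE_LDIF = """\
dn: uid=root,ou=Users,dc=company,dc=lan
objectClass: posixAccount,shadowAccount,sambaSamAccount,
 inetOrgPerson
uidNumber: 0
sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
uid: administrator
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514

dn: uid=jdoe,ou=Users,dc=company,dc=lan
uidNumber: 1001
uid: jdoe
sambaSID: S-1-5-21-1347305728-752463190-2852647101-3001
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-513
"""
# Well-known Windows RIDs (last SID component) that the post refers to.
RID_ADMINISTRATOR, RID_DOMAIN_GUESTS = 500, 514

def parse_ldif(text):
    # Blank-line separated entries -> list of {attr: [values]}; folds continuation lines.
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # LDIF continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def rid(sid):
    return int(sid.rsplit("-", 1)[1])   # relative identifier: last SID component

def audit(entries):
    # Return (dn, finding) pairs for the two risky patterns described in the post.
    first = lambda e, a: e.get(a, [""])[0]
    findings = []
    for e in entries:
        dn, uid = first(e, "dn"), first(e, "uid")
        if first(e, "uidNumber") == "0" and uid != "root":   # "fake root" account
            findings.append((dn, "uidNumber 0 on non-root account '%s'" % uid))
        sid, pgsid = first(e, "sambaSID"), first(e, "sambaPrimaryGroupSID")
        if sid and pgsid and rid(sid) == RID_ADMINISTRATOR and rid(pgsid) == RID_DOMAIN_GUESTS:
            findings.append((dn, "RID 500 (Administrator) with Domain Guests (514) as primary group"))
    return findings
```

Run against a real LDIF export from the directory instead of SAMPLE_LDIF to list every account that would pass Samba's uid=0 check.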