[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP

Rauno Tuul rauno.tuul at haigekassa.ee
Tue May 11 14:29:33 GMT 2004


I want to achieve that the IT staff can add machines (2000/XP) to samba-3
(LDAP backend) on the fly.

Creating a new machine account in LDAP requires special access to samba.

In samba-2.2.x there was a great parameter called "domain admin group". So
everyone who belonged to the specified group, and root (uid=0), could modify
LDAP. Others got the message "cannot access LDAP when not root".

In samba-3 this parameter was removed (I don't get why?!?!).
Until 3.0.2a I could pass the LDAP access check by specifying in smb.conf
	admin users = @domain_admins
So for users who were in the domain_admins group, their uid was forced to 0 and
they passed the LDAP check.
(I wrote about it:
http://lists.samba.org/archive/samba/2003-September/073997.html )

After upgrading to 3.0.4 that trick doesn't work either.
So at the moment using the root account (uid=0) is the one and ONLY way to add
machines to LDAP.

All this LDAP access has nothing to do with groupmap.

I created an administrator account (uid=0) (basically a fake root):
# smbldap-usershow.pl administrator
	dn: uid=root,ou=Users,dc=company,dc=lan
	sambaDomainName: DOMAIN
	uidNumber: 0
	gidNumber: 0
	sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
	displayName: administrator
	cn: administrator
	uid: administrator
	sambaAcctFlags: [U          ]
	sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514

The specified user does not belong to any group and has no access rights
on the domain.
RID 514 is "domain guest".

On the XP box I log in as local admin. No machine account exists on the PDC.
On joining the domain I enter "administrator/password" and samba successfully
creates a new LDAP entry and returns the error "Access denied" to the client.
When entering the same "administrator/password" again (a second time), XP
successfully joins the domain.

When the machine is in the domain and I log into that box as
DOMAIN\administrator, I get no privileged access on that box.
The entire join was done without any relevance to group mapping (the domain
admins groupmap is not needed for the join in this case).
In this case I have an administrator account, which hasn't got any admin

Why can't there be a parameter with which I could specify additional access
to LDAP, like there was in 2.2.x?
I discussed it earlier:
	"Because you now have something much more powerful that 
	provides real NT Groups to your NT/200x/XP clients."
Well, where is the power, when I can't modify LDAP!?!?!

Giving each IT staff member the password of the "administrator" account is a
very bad option.
Basically the "administrator" account is meant to be an account of power.
Restricting this isn't polite... but sharing the power with each member is also
bad and could have very bad consequences.

What would be the solution?

Best regards,

 Rauno Tuul
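As an added audit example (not code from this post or from Samba), the following Python script parses smbldap-usershow.pl-style LDIF dumps like the one above and flags "fake root" entries: accounts whose uidNumber is 0 or whose SID ends in RID 500 under a uid other than root, also noting when such an account's primary group is RID 514 as in the post. The sample entries and the names parse_ldif, rid and find_fake_roots are constructed for this example.

```python
import re

# Constructed sample: the post's administrator entry next to an ordinary user.
SAMPLE_LDIF = """\
dn: uid=root,ou=Users,dc=company,dc=lan
uidNumber: 0
sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
uid: administrator
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514

dn: uid=jdoe,ou=Users,dc=company,dc=lan
uidNumber: 1001
sambaSID: S-1-5-21-1347305728-752463190-2852647101-3002
uid: jdoe
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-513
"""

def parse_ldif(text):
    """Split LDIF-style text into one dict per entry; first value of an attribute wins."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = line.strip()                  # tolerate the tab-indented dump format
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), value.strip())
    return entries

def rid(sid):
    """Trailing RID of a SID as an int, or None if the value is missing."""
    m = re.search(r"-(\d+)$", sid or "")
    return int(m.group(1)) if m else None

def find_fake_roots(text):
    """Return (uid, reasons) for entries holding root power under a uid other than 'root'."""
    findings = []
    for e in parse_ldif(text):
        uid, reasons = e.get("uid", ""), []
        if uid != "root" and e.get("uidNumber") == "0":
            reasons.append("uidNumber 0 (passes Samba's root-only LDAP write check)")
        if uid != "root" and rid(e.get("sambaSID")) == 500:
            reasons.append("RID 500 (built-in Administrator)")
        if reasons and rid(e.get("sambaPrimaryGroupSID")) == 514:
            reasons.append("primary group RID 514 (Domain Guests)")
        if reasons:
            findings.append((uid, reasons))
    return findings
```

Running find_fake_roots over a full export of ou=Users lists every account that would pass the uid=0 check described in the post, which is the set of credentials that effectively grant LDAP write access.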

