[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP

RRuegner robert at ruegner.org
Wed May 12 00:08:37 GMT 2004 

Rauno Tuul schrieb:

> Hi,
> 
> I want to achieve, that the IT staff could add machines (2000/XP) to samba-3
> (LDAP backend) on the fly.
> 
> Creating a new machine account to LDAP requires special access to samba
> (uid=0).
> 
> In samba-2.2.x was a great parameter called "domain admin group". So
> everyone, who belonged to the specified group and root (uid=0) could modify
> LDAP.
> Others got message - "cannot access LDAP when not root".
> 
> In samba-3 this parameter was removed (I don't get it, why?!?!).
> Until 3.0.2a I could pass the LDAP access check by specifying in smb.conf
> global
> 	admin users = @domain_admins
> So users, who where in domain_admins group, their uid was forced to 0 and
> they passed the LDAP check.
> (wrote about it:
> http://lists.samba.org/archive/samba/2003-September/073997.html )
> 
> After upgrading to 3.0.4 that trick also doesn't work.
> So at the moment using root account (uid=0) is the one and ONLY way to add
> machines to LDAP.
> 
> All this LDAP access has nothing to do with groupmap.
> 
> I created an administrator account (uid=0)(basically fake root)
> # smbldap-usershow.pl administrator
> 	dn: uid=root,ou=Users,dc=company,dc=lan
> 	objectClass:
> posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
> 	sambaDomainName: DOMAIN
> 	uidNumber: 0
> 	gidNumber: 0
> 	sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
> 	displayName: administrator
> 	cn: administrator
> 	uid: administrator
> 	sambaAcctFlags: [U          ]
> 	sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514
> 
> The specified user does not belong to any group and has got no access rights
> on domain.
> RID -514 is "domain guest".
> 
> On XP box ja log in as local admin. No machine account exists on PDC.
> On joining domain I enter "administrator/password" and samba creates
> successfully a new LDAP entry and returns error to client "Access denied".
> When entering the same "administrator/password" again (second time), XP
> successfully joins domain.
> 
> When the machine is in domain and I log into that box as
> DOMAIN\administrator, I get no privileged access on that box.
> Entire joining was done without any relevance to group mapping (domain
> admins groupmap is not needed for join at this case).
> In this case I've an administrator account, which hasn't got any admin
> rights.
> 
> 
> Why can't there be a parameter, with what I could specify additional access
> to LDAP? like in 2.2.x was...
> I discussed about it earlier:
> http://lists.samba.org/archive/samba/2003-September/073608.html
> 	"Because you now have something much more powerful that 
> 	provides real NT Groups to your NT/200x/XP clients."
> Well, where is the power, when I can't modify LDAP!?!?!
> 
> Giving to each IT staff member a password on "administrator" account is a
> very bad option.
> Basically "administrator" account is meant to be a account of power.
> Restricting this isnt polite... but sharing the power to each membes is also
> bad and could have very bad consequences.
> 
> What would be the solution?
> 
> Best regards,
> 
>  Rauno Tuul
Hi, you should have a group match in your ldap for the Group Domain 
Admins then it will work as you want
Regards

More information about the samba mailing list