[Samba] machine account with w2k
allerberger at em.uni-frankfurt.de
Fri Sep 10 08:38:53 GMT 2004
what you wrote I tried in my first experiment.
I created the user domamdin like this:
# useradd -m -u 500 -G 0 domadmin
# pdbedit -a -U 500 -G 512 domadmin
The Unix-user "domadmin" had the uid = 500, the primary-group = 500
(like normal users), and was a member of the root-group = 0.
Whit this settings I was able to join my Samba-PDC with
Windows-NT4.0-Workstations well, when I manually created a
machine-account on the Samba. But when I tried to the same with a
Windows2000-Workstation, then I got a login prompt. Then I tried to give
in the domadmin with the password, the login-promt appeared again. It
was not possible to join my Samba-PDC with Windows2000-Workstations. I
tried different things until I read in the Samba-manual, that I should
join a Samba-Domain with the user Root. This is normally not possible,
because Root does not have an smb-account and im my smb.conf I have:
invalid users = root .
Yes, and because it was'nt successful with the user domadmin as member
of group 0, I tried the really not nice thing, that I gave the user
domadmin the uid 0, and this was successful.
Please could you tell me, what I did wrong? Please see for this the
documentation in my first mail, there are my smb.conf and the
user-profile from the domadmin.
Frankfurt am Main
Brian Krusic wrote:
>>The Domain Admin user "domadmin" must have the root-policies on the
>>/etc/passwd like this:
>This is incorrect as you should never have users with identical uids.
>You should mod the entry in etc/group to add your domadmin user to the root
>group. This gives it root privs.
>>In my opinion it is not fine, because it is a security-hole,
>Only someone of root or admin privs should be able to initially join domains
>for if any one could, then a potential hacker to do so w/o admin/root privs
>and attain further domain trust by doing so.
More information about the samba