[Samba] Securing "machine auth account"
info
info at QueensKnight.com
Tue Mar 29 06:12:40 GMT 2005
Please give me a sanity check here...
The docs all call out requiring root access to allow machines to join a
Domain.
I do not want to give out the root password. For adding machines to the
domain, I just want my users to be able to type "let me in". I could
not find a solution on Google, so I ran truss on the daemon during an
add machine operation in combination with snoop, and came up with a
solution.
The following is working in testing (Solaris 2.9, samba 3.0.10, PDC,
NIS), anyone see any "gotchas" with this? (besides NIS ;-) )
In /etc/passwd:
samba:x:0:1:Dummy Account for Adding Machines to Domain:/dev/null:/bin/false
Corresponding entry in /etc/shadow, with an easy "public" password.
I can not log in via telnet, I can not even su to it as root on the
console. There is no home directory, and no shell, just an account with
root permissions and a password.
I can add it to smbpasswd. I can add machines to the domain using it.
The real root account is not in smbpasswd. I am just using it for
authentication.
This just seems too easy to not have been thought of before, so I am
worried that I am missing something stupid... Or does everyone already
know this, and I just missed it in the docs...
I am aware that between the time that a machine trust account is created
and the time it is activated, anyone could "steal" it. This is a
student network (K-5), and I want every system to join, so that is not
an issue.
TIA,
Artie Efemok
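As an added example, not part of the original post or of Samba itself: a small audit script that lists every UID-0 entry in a passwd file and reports whether the same name also appears in smbpasswd, since a UID-0 account is root-equivalent no matter which shell or home directory it carries. The passwd and smbpasswd samples (with placeholder hashes) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd file for
# UID-0 accounts and report whether each one also has an smbpasswd entry,
# i.e. is reachable over SMB with its own password. Samples are constructed.

# Constructed /etc/passwd sample, mirroring the post's "samba" entry.
PASSWD_SAMPLE='root:x:0:1:Super-User:/:/sbin/sh
samba:x:0:1:Dummy Account for Adding Machines to Domain:/dev/null:/bin/false
daemon:x:1:1::/:
artie:x:1001:10:Artie Efemok:/home/artie:/bin/ksh'

# Constructed smbpasswd sample; the LM/NT hash fields are placeholders.
SMBPASSWD_SAMPLE='samba:0:PLACEHOLDERLMHASH0000000000000000:PLACEHOLDERNTHASH0000000000000000:[U          ]:LCT-00000000:
artie:1001:PLACEHOLDERLMHASH0000000000000000:PLACEHOLDERNTHASH0000000000000000:[U          ]:LCT-00000000:'

# audit_uid0 PASSWD_FILE SMBPASSWD_FILE
# Prints one line per UID-0 account: "<name> shell=<shell> home=<home> smb=<yes|no>".
audit_uid0() {
    passwd_file=$1
    smbpasswd_file=$2
    awk -F: -v smbfile="$smbpasswd_file" '
        BEGIN {
            # Index the account names present in smbpasswd (field 1).
            while ((getline line < smbfile) > 0) {
                split(line, f, ":"); smb[f[1]] = 1
            }
            close(smbfile)
        }
        $3 == 0 {
            # Any UID-0 account is root-equivalent regardless of its shell.
            printf "%s shell=%s home=%s smb=%s\n", $1, $7, $6,
                   ($1 in smb) ? "yes" : "no"
        }' "$passwd_file"
}

# count_extra_uid0 PASSWD_FILE: number of UID-0 accounts besides root.
count_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1"
}

# Write the samples out and run the audit against them.
tmpdir=$(mktemp -d)
printf '%s\n' "$PASSWD_SAMPLE" > "$tmpdir/passwd"
printf '%s\n' "$SMBPASSWD_SAMPLE" > "$tmpdir/smbpasswd"
audit_uid0 "$tmpdir/passwd" "$tmpdir/smbpasswd"
```

Point the two functions at the real /etc/passwd and smbpasswd paths to run the same check on a live PDC.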