[Samba] Securing "machine auth account"

info info at QueensKnight.com
Tue Mar 29 06:12:40 GMT 2005

Please give me a sanity check here...

The docs all call out requiring root access to allow machines to join a 

I do not want to give out the root password.  For adding machines to the 
domain, I just want my users to be able to type "let me in".  I could 
not find a solution on google, so I ran truss on the daemon during an 
add machine operation in combination with snoop, and came up with a 

The following is working in testing (Solaris 2.9, samba 3.0.10, PDC, 
NIS), anyone see any "gotchas" with this? (besides NIS ;-) )

In /etc/passwd:
samba:x:0:1:Dummy Account for Adding Machines to Domain:/dev/null:/bin/false

Corresponding entry in /etc/shadow, with an easy "public" password.

I can not log in via telnet, I can not even su to it as root on the 
console.  There is no home directory, and no shell, just an account with 
root permissions and a password.

I can add it to smbpasswd.  I can add machines to the domain using it.
The real root account is not in smbpasswd.  I am just using it for 

This just seems to easy to not have been thought of before, so I am 
worried that I am missing something stupid...  Or does everyone already 
know this, and I just missed it in the docs...

I am aware that between the time that a machine trust account is created 
and the time it is activated, anyone could "steal" it.  This is a 
student network (K-5), and I want every system to join, so that is not 
an issue.

Artie Efemok

More information about the samba mailing list