[Samba] Securing "machine auth account"

John H Terpstra jht at samba.org
Tue Mar 29 06:35:34 GMT 2005


On Monday 28 March 2005 23:12, info wrote:
> Please give me a sanity check here...

OK. So please check the chapter on "Rights and Privileges" in the 
Samba-HOWTO-Collection. You can obtain the latest build from:

http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

If this does not solve your problem in a more sane manner please drop me a 
line.

Cheers,
John T.

>
> The docs all call out requiring root access to allow machines to join a
> Domain.
>
> I do not want to give out the root password.  For adding machines to the
> domain, I just want my users to be able to type "let me in".  I could
> not find a solution on google, so I ran truss on the daemon during an
> add machine operation in combination with snoop, and came up with a
> solution.
>
> The following is working in testing (Solaris 2.9, samba 3.0.10, PDC,
> NIS), anyone see any "gotchas" with this? (besides NIS ;-) )
>
> In /etc/passwd:
> samba:x:0:1:Dummy Account for Adding Machines to
> Domain:/dev/null:/bin/false

This is a 'root' account because UID=0 means the account has 'root' level 
privilege on UNIX.

>
> Corresponding entry in /etc/shadow, with an easy "public" password.
>
> I cannot log in via telnet, I cannot even su to it as root on the
> console.  There is no home directory, and no shell, just an account with
> root permissions and a password.
>
> I can add it to smbpasswd.  I can add machines to the domain using it.
> The real root account is not in smbpasswd.  I am just using it for
> authentication.
>
> This just seems too easy to not have been thought of before, so I am
> worried that I am missing something stupid...  Or does everyone already
> know this, and I just missed it in the docs...
>
> I am aware that between the time that a machine trust account is created
> and the time it is activated, anyone could "steal" it.  This is a
> student network (K-5), and I want every system to join, so that is not
> an issue.
>
> TIA,
> Artie Efemok

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
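The "gotcha" John points at is that the dummy account is UID 0, so any SMB logon as it is a root-level logon with a deliberately public password, regardless of its /dev/null home or /bin/false shell. The following audit check is added here and is not part of the thread or of Samba; it parses passwd- and smbpasswd-format text and reports every non-root UID-0 account that also holds an enabled SMB password. The two sample files are constructed to mirror the post, and the hash fields are placeholders, not real credentials.

```python
from typing import Dict, List

# Constructed passwd sample mirroring the post (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
samba:x:0:1:Dummy Account for Adding Machines to Domain:/dev/null:/bin/false
artie:x:1001:10:Artie Efemok:/home/artie:/bin/sh
"""

# Constructed smbpasswd sample; the 32-hex hash fields are placeholders.
SAMPLE_SMBPASSWD = """\
samba:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[U          ]:LCT-42450000:
artie:1001:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:[U          ]:LCT-42450000:
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> numeric UID from passwd(4)-format text."""
    uids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed line: skip rather than guess
        uids[fields[0]] = int(fields[2])
    return uids


def parse_smbpasswd(text: str) -> Dict[str, str]:
    """Map account name -> account-flags field ([U...], [D...] etc.)."""
    flags: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 5 and fields[0]:
            flags[fields[0]] = fields[4]
    return flags


def find_uid0_smb_accounts(passwd_text: str, smbpasswd_text: str) -> List[str]:
    """Non-root UID-0 accounts that also have an enabled smbpasswd entry.
    Such accounts are root-equivalent logons reachable over SMB, whatever
    their shell or home directory says."""
    uids = parse_passwd(passwd_text)
    smb = parse_smbpasswd(smbpasswd_text)
    findings = []
    for name, uid in uids.items():
        if uid != 0 or name == "root":
            continue
        if name in smb and "D" not in smb[name]:  # 'D' marks a disabled entry
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(find_uid0_smb_accounts(SAMPLE_PASSWD, SAMPLE_SMBPASSWD))  # ['samba']
```

On a live host the same functions can be fed the contents of /etc/passwd and the smbpasswd file (or the output of `pdbedit -L -w`); an empty result means no shared-UID-0 SMB logon exists.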

