[Samba] Non-root accounts cannot join the Samba PDC:s domain

Gerald (Jerry) Carter jerry at samba.org
Tue Aug 29 14:38:09 GMT 2006



Björn Lindqvist wrote:
>> > to turn permissions on in samba.conf, then
>> > the net rpc rights grant syntax seem to be
>> > "unstable." This doesn't work:
>> >
>> > net rpc rights grant username SeMachineAccountPrivilege
>>
>> You have to fully qualify names.  That's not an unstable
>> syntax....
> 
> It is inconsistent with other "net" commands. I.e:
> 
> net rpc user info someuser
> 
> where the name does not have to be fully qualified

The net command is a kitchen sink that needs to be
broken into multiple commands.  You don't have to qualify
the name in your example because it is implicitly
qualified by the domain of the server you are connecting to.

>> > Instead of username you are supposed to use
>> > some DOMAIN/username syntax I haven't figured out.
>> > However, I was able to allow everyone
>> > to join the domain with:
>> >
>> > net rpc rights grant Everybody SeMachineAccountPrivilege
>>
>> This is a security hole.  I really would recommend
>> against this.  It's about the same as 'guest account = root'.
> 
> Why? If it is, then how else do you enable computers to
> join your domain?

It's the same as saying 'admin users = +users'.

I suggest creating a group mapping (let's call it "Unix Admins")
and then running

net rpc rights grant "DOMAIN\Unix Admins"  SeMachineAccountPrivilege \
   -U root





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
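An audit for the situation discussed in the message above, added here as an example and not part of the original post or of Samba: it reads the text of "net rpc rights list accounts" and reports catch-all principals that hold a given privilege such as SeMachineAccountPrivilege. The listing layout, the BROAD list, the EXAMPLE domain and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit which accounts hold a privilege and are overly broad.
# Real use: net rpc rights list accounts -U root | broad_holders SeMachineAccountPrivilege
# Assumed listing layout: account name line, one privilege per line, blank
# line between accounts.

# Assumed list of principals that cover (nearly) every user; adjust per site.
BROAD='Everyone|Everybody|Authenticated Users|Domain Users|Domain Guests|Guests|Users'

broad_holders() {
    awk -v priv="$1" -v broad="$BROAD" '
        BEGIN {
            n = split(broad, b, "|")
            for (i = 1; i <= n; i++) wide[tolower(b[i])] = 1
        }
        /^[ \t]*$/ { acct = ""; next }        # blank line ends a record
        acct == "" { acct = $0; next }         # first line is the account
        {
            gsub(/^[ \t]+|[ \t]+$/, "")        # trim the privilege line
            if ($0 != priv) next
            name = acct
            sub(/^.*\\/, "", name)             # drop the DOMAIN\ prefix
            if (tolower(name) in wide) print acct
        }
    '
}

# Constructed sample listing (not captured from a real server).
sample_rights() {
    cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege

Everyone
SeMachineAccountPrivilege

EXAMPLE\Unix Admins
SeMachineAccountPrivilege

EXAMPLE\Domain Users
SePrintOperatorPrivilege
EOF
}

sample_rights | broad_holders SeMachineAccountPrivilege
```

Any name it prints is a candidate for "net rpc rights revoke", with the right granted to a dedicated group instead.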

