[Samba] Non-root accounts cannot join the Samba PDC:s domain

BJörn Lindqvist bjourne at gmail.com
Tue Sep 5 11:28:42 GMT 2006


> BJörn Lindqvist wrote:
> > It is inconsistent with other "net" commands. I.e:
> >
> > net rpc user info someuser
> >
> > where the name does not have to be fully qualified
>
> The net command is a kitchen sink that needs to be
> broken into multiple commands.  You don't have to qualify
> the name in your example because it is implicitly
> qualified by the domain of the server you are connecting to.

I see, thanks.

> >> > net rpc rights grant Everybody SeMachineAccountPrivilege
> >>
> >> This is a security hole.  I really would recommend
> >> against this.  It's about the same as 'guest account = root'.
> >
> > > Why? If it is, then how else do you enable computers to
> > > join your domain?
>
> It's the same as saying 'admin users = +users'.
>
> I suggest creating a group mapping (let's call it "Unix Admins")
> and then running

I still don't understand why this is a security hole. And even if
there is, I see no other way to solve my problem. There are a few
hundred computers all connected to a Windows Active Directory. They
all need to join the Samba domain. The only feasible way I know of
making the transition is to give all users the
SeMachineAccountPrivilege and then have each user migrate his or her
own computer.

-- 
mvh Björn

