[Samba] Non-root accounts cannot join the Samba PDC's domain

BJörn Lindqvist bjourne at gmail.com
Tue Sep 5 11:28:42 GMT 2006

> BJörn Lindqvist wrote:
> > It is inconsistent with other "net" commands. I.e:
> >
> > net rpc user info someuser
> >
> > where the name does not have to be fully qualified
> The net command is a kitchen sink that needs to be
> broken into multiple commands.  You don't have to qualify
> the name in your example because it is implicitly
> qualified by the domain of the server you are connecting to.

I see, thanks.

> >> > net rpc rights grant Everybody SeMachineAccountPrivilege
> >>
> >> This is a security hole.  I really would recommend
> >> against this.  It's about the same as 'guest account = root'.
> >
> > Why? If it is, then how else do you enable computers to
> > join your domain?
> It's the same as saying 'admin users = +users'.
> I suggest creating a group mapping (let's call it "Unix Admins")
> and then running

I still don't understand why this is a security hole. And even if
it is, I see no other way to solve my problem. There are a few
hundred computers all connected to a Windows Active Directory. They
all need to join the Samba domain. The only feasible way I know of
making the transition is to give all users the
SeMachineAccountPrivilege and then have each user migrate his or her
own computer.

mvh Björn
