[Samba] enable client to join domain with no or any password?

David Mathog mathog at caltech.edu
Mon Aug 30 11:50:21 MDT 2010


Jean-Jacques Moulis wrote:
> On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu> wrote:
> 
> DM> I am trying to automate W7 joining to our Samba domain. It works fine
> DM> through the Windows GUI from the W7 workstations. However, for a script
> DM> one would have to store the password used for domain access, and since that
> DM> is the server's root password, I really don't want to hard code that
> DM> into a file.
> 
> Grant the right to put a machine in the domain to a special user with
> no other privileges on the PDC or on the clients.

That worked as you said for the server side.  The /etc/passwd entry ends
in /sbin/nologin, and as far as I can tell, that locks it out from both
su and ssh.

Thanks.

This is a cloning application, trying it without sysprep.  It turns out
that to do this one must:

#the first two, below, can be done on the master manually
unjoin (using the Samba server account listed above)
reboot
#after cloning...
change the computer name (using a local account)
reboot
(re)join (using the samba server account listed above)
reboot

The first and third actions are now "safe" in that even though the
password is exposed, the only thing that account can do is join/unjoin
a domain.

However, for the local computer name change as far as I can tell that
must be an Administrator account, so it isn't very safe to write it into
a file.  The only other way I can see to get around that is to do some
sort of binary hack in linux to overwrite the machine name in the
registry.  Presumably if one hits every single copy that will do the
same thing as the "change computer name" operation in the System control
panel, or the equivalent Powershell:

$CI = Get-WmiObject Win32_ComputerSystem -Authentication 6
$CI.Rename("Newname","<admin password>","<admin account>")

where the admin password/account are the local ones, not the domain ones.

Hmm.  I suppose on the master one could create a local admin account,
use those credentials to change the machine name and then in the join
script delete that admin account.  Not very elegant...

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
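
The unjoin / rename / rejoin sequence from the post above, written out as one phase-per-boot PowerShell script. This is an added example, not code from the original message or from Samba; it uses only the Win32_ComputerSystem WMI methods (UnjoinDomainOrWorkgroup, Rename, JoinDomainOrWorkgroup) that exist on Windows 7's PowerShell 2.0. The domain name SAMBADOM, the low-privilege join account "joiner", the local helper admin "clonemgr" and the password files under C:\clone\ are all assumed placeholders. It also carries out the idea at the end of the post: the helper admin account is deleted once the join has succeeded, so the only credential left on the clone is the one that can do nothing but join or unjoin.

```powershell
# Added example (not from the original post): clone rename/rejoin, one phase per
# run, with a reboot between phases. All names and paths below are assumptions.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('unjoin','rename','join')]
    [string]$Phase,
    [string]$NewName            # only used by the 'rename' phase
)

$Domain     = 'SAMBADOM'                          # assumed Samba domain name
$JoinUser   = "$Domain\joiner"                    # account that may only join/unjoin
$JoinPass   = Get-Content 'C:\clone\joiner.pw'    # assumed location; exposure is tolerable
$LocalAdmin = '.\clonemgr'                        # assumed helper admin created on the master
$LocalPass  = Get-Content 'C:\clone\clonemgr.pw'  # assumed location; removed after the join

# Authentication level 6 = PacketPrivacy: the credentials handed to these WMI
# methods are encrypted on the DCOM channel rather than sent in the clear.
$cs = Get-WmiObject Win32_ComputerSystem -Authentication 6

function Check-Result($r, $what) {
    # 0 = success; 2691 = already joined; 2692 = not joined to any domain.
    # The two "skipped" cases make the script safe to re-run after a half-done phase.
    switch ($r.ReturnValue) {
        0       { Write-Host "$what succeeded";            return $true }
        2691    { Write-Host "$what skipped: already joined"; return $true }
        2692    { Write-Host "$what skipped: not joined";     return $true }
        default { Write-Error "$what failed, code $($r.ReturnValue)"; return $false }
    }
}

switch ($Phase) {
    'unjoin' {
        # Step 1, run on the master before cloning. FUnjoinOptions 0 just leaves;
        # 4 (NETSETUP_ACCT_DELETE) would also delete the machine account on the PDC.
        $r = $cs.UnjoinDomainOrWorkgroup($JoinPass, $JoinUser, 0)
        if (-not (Check-Result $r 'unjoin')) { exit 1 }
    }
    'rename' {
        # Step 2, run on each clone while it is still in a workgroup. Rename needs a
        # local administrator, which is why the helper admin's password is on disk now.
        # If this script already runs elevated as a local admin, both credential
        # arguments may be $null instead.
        if (-not $NewName) { throw "the rename phase needs -NewName" }
        $r = $cs.Rename($NewName, $LocalPass, $LocalAdmin)
        if (-not (Check-Result $r 'rename')) { exit 1 }
    }
    'join' {
        # Step 3. FJoinOptions 3 = NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2);
        # $null for AccountOU lets the server pick the default container.
        $r = $cs.JoinDomainOrWorkgroup($Domain, $JoinPass, $JoinUser, $null, 3)
        if (-not (Check-Result $r 'join')) { exit 1 }

        # The local admin password has done its job: remove the helper account and
        # its password file so that credential no longer lives on the clone.
        & net user clonemgr /delete | Out-Null
        Remove-Item 'C:\clone\clonemgr.pw' -Force -ErrorAction SilentlyContinue
    }
}

Write-Host "Phase '$Phase' done; reboot before running the next phase."
```

Run as `.\clone-join.ps1 -Phase unjoin` on the master, then `-Phase rename -NewName <host>` and `-Phase join` on each clone, rebooting after each. Deleting the helper admin only in the join phase means the rename phase can be retried on a clone whose first rename failed, while a fully joined clone ends up with no local admin credential on disk at all.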

