[Samba] enable client to join domain with no or any password?

David Mathog mathog at caltech.edu
Thu Sep 2 16:27:40 MDT 2010

David Mathog wrote:
> Jean-Jacques Moulis wrote:
> > On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu>
> wrote:
> > 
> > DM> I am trying to automate W7 joining to our Samba domain. It works
> > DM> through the Windows GUI from the W7 workstations. However, for a
> script
> > DM> one would have to store password used for domain access, and since
> that
> > DM> is the server's root password, I really don't want to hard code that
> > DM> into a file.
> > 
> > Grant the right to put a machine in the domain to a special user with
> > no other privileges on the PDC or on the clients.
> That worked as you said for the server side.  The /etc/passwd entry ends
> in /sbin/nologon, and as far as I can tell, that locks it out from both
> su and ssh.

I spoke too soon.  

This special account works fine for the UnjoinDomainOrWorkgroup method.
 However, it fails every single time for the JoinDomainOrWorkgroup
method, in every case resulting in a 1326
status.  It didn't matter if the machine account existed, existed and
was unchanged (unjoin, reboot, join), or didn't exist. All of the same
JoinDomainOrWorkgroup operations succeed if I use root with the password
for root that is in smbpasswd.

Details about the special account:

% net rpc rights list sjacct
Enter root's password:
% grep sjacct /etc/passwd
sjacct:x:82:13:SMB JOIN account:/var/empty:/sbin/nologin
% grep 13 /etc/group

This is as buttoned down security wise on the linux side as I could make
it. Seems like samba really needs this account to do something on the
server, and it cannot.

Samba is 3.4.7-0.2mdv2008.1

Any suggestions?


David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech

More information about the samba mailing list