[Samba] enable client to join domain with no or any password?

David Mathog mathog at caltech.edu
Thu Sep 2 16:27:40 MDT 2010


David Mathog wrote:
> Jean-Jacques Moulis wrote:
> > On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu> wrote:
> > 
> > DM> I am trying to automate W7 joining to our Samba domain. It works fine
> > DM> through the Windows GUI from the W7 workstations. However, for a script
> > DM> one would have to store the password used for domain access, and since that
> > DM> is the server's root password, I really don't want to hard code that
> > DM> into a file.
> > 
> > Grant the right to put a machine in the domain to a special user with
> > no other privileges on the PDC or on the clients.
> 
> That worked as you said for the server side.  The /etc/passwd entry ends
> in /sbin/nologin, and as far as I can tell, that locks it out from both
> su and ssh.

I spoke too soon.  

This special account works fine for the UnjoinDomainOrWorkgroup method.
However, it fails every single time for the JoinDomainOrWorkgroup
method, in every case resulting in a 1326 status.  It didn't matter if
the machine account existed, existed and was unchanged (unjoin, reboot,
join), or didn't exist.  All of the same JoinDomainOrWorkgroup operations
succeed if I use root with the password for root that is in smbpasswd.

Details about the special account:

% net rpc rights list sjacct
Enter root's password:
SeMachineAccountPrivilege
% grep sjacct /etc/passwd
sjacct:x:82:13:SMB JOIN account:/var/empty:/sbin/nologin
% grep 13 /etc/group
news:x:13:

This is as buttoned down, security-wise, on the Linux side as I could make
it.  It seems like Samba really needs this account to do something on the
server, and it cannot.

Samba is 3.4.7-0.2mdv2008.1

Any suggestions?

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
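As an added example that is not part of this thread or of Samba, the script below shows the client-side half of the setup being discussed: calling the Win32_ComputerSystem JoinDomainOrWorkgroup WMI method from PowerShell with a dedicated join-only account, prompting for the password at run time instead of storing it, and decoding the returned Win32 status (1326 is ERROR_LOGON_FAILURE). The domain name and account name are placeholders.

```powershell
# Added example, not code from the original post.  Joins this Windows 7 host
# to a Samba domain through WMI using a dedicated account that holds only
# SeMachineAccountPrivilege, and reports the JoinDomainOrWorkgroup status.
$Domain        = 'EXAMPLE'   # placeholder: the Samba domain (workgroup) name
$JoinAccount   = 'sjacct'    # placeholder: the join-only account on the PDC
$CreateAccount = $true       # $false if the machine account already exists

# Prompt for the credential so no password is written into the script.
# Positional Get-Credential works on the PowerShell 2.0 that ships with W7.
$cred          = Get-Credential "$Domain\$JoinAccount"
$plainPassword = $cred.GetNetworkCredential().Password

# fJoinOptions flags: NETSETUP_JOIN_DOMAIN = 1, NETSETUP_ACCT_CREATE = 2
$options = 1
if ($CreateAccount) { $options = $options -bor 2 }

$cs     = Get-WmiObject -Class Win32_ComputerSystem
$result = $cs.JoinDomainOrWorkgroup($Domain, $plainPassword, $cred.UserName, $null, $options)

# Win32 status codes most often seen from a join attempt.
$known = @{
    0    = 'Success (reboot required)'
    5    = 'ERROR_ACCESS_DENIED: account lacks the right to add machine accounts'
    1326 = 'ERROR_LOGON_FAILURE: user name or password not accepted by the domain controller'
    2224 = 'NERR_UserExists: machine account already exists but ACCT_CREATE was requested'
}
$code = [int]$result.ReturnValue
$text = if ($known.ContainsKey($code)) { $known[$code] } else { "status $code not in table" }
Write-Output "JoinDomainOrWorkgroup returned $code : $text"
exit $code
```

Run it from an elevated PowerShell on the workstation; the exit code is the raw Win32 status, so a scheduled task or wrapper script can distinguish a credential problem (1326) from a rights problem (5) on the Samba side.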

