Dan Peterson
2003-Jan-08 15:58 UTC
[Samba] Removing requirement for local machine accounts
I'm looking for a way to not have to worry about machine accounts on the server. My organization is looking to move thousands of machines and many locations to XP and, if possible, we'd like to avoid the headache of managing more system and Samba accounts. Basically, I'd like a way to say "I don't care who joins my domain, just do whatever is necessary to make them think they have." I'd be willing to pay for such a feature (please contact me via email).

It would also be nice if there was a way to alias all the system machine accounts into one system account (and, for that matter, the Samba machine accounts into one Samba account) and have Samba do magic to keep what it needs separated out somewhere I don't have to worry about (is this kind of stuff in secrets.tdb?).

Any help to reach my goal is appreciated. Thanks!

-- 
Dan Peterson <danp@danp.net> http://danp.net
"A bunch of programs like this adds complexity, which is a security problem itself." --Jim Reid, http://groups.google.com/groups?selm=aklouh$8t1$1@isrv4.isc.org
Bruno Gimenes Pereti
2003-Jan-08 16:25 UTC
[Samba] Removing requirement for local machine accounts
Hi Dan,

To allow everyone to join your domain you can use this in your smb.conf (got this idea from Art):

    add user script = sudo /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$

With this you will give rights to everyone to create users. I think it's a little dangerous, and you'll still have to manage the machine accounts created by the users.

Hope it helps.

Bruno.

Dan Peterson wrote:
> I'm looking for a way to not have to worry about machine accounts on the
> server. My organization is looking to move thousands of machines and many
> locations to XP and, if possible, we'd like to avoid the headache of
> managing more system and samba accounts. Basically, I'd like a way to say "I
> don't care who joins my domain, just do whatever is necessary to make them
> think they have." I'd be willing to pay for such a feature (please contact
> me via email).
>
> It would also be nice if there was a way to alias all the system machine
> accounts into one system account (and, for that matter, the samba machine
> accounts into one samba account) and have samba do magic to keep what it
> needs seperated out somewhere I don't have to worry about (Is this kind of
> stuff in secrets.tdb?).
>
> Any help to reach my goal is appreciated. Thanks!
Bradley W. Langhorst
2003-Jan-08 17:00 UTC
[Samba] Removing requirement for local machine accounts
On Wed, 2003-01-08 at 10:57, Dan Peterson wrote:
> I'm looking for a way to not have to worry about machine accounts on the
> server. My organization is looking to move thousands of machines and many
> locations to XP and, if possible, we'd like to avoid the headache of
> managing more system and samba accounts. Basically, I'd like a way to say "I
> don't care who joins my domain, just do whatever is necessary to make them
> think they have." I'd be willing to pay for such a feature (please contact
> me via email).

Lucky for you, this is already in place... As machines join a domain you can configure things so that the machine account is "auto-created" - see the HOWTO collection.

You may want to commission an automatic machine account deletion when machines leave the domain... As far as I know that doesn't happen yet.

> It would also be nice if there was a way to alias all the system machine
> accounts into one system account (and, for that matter, the samba machine
> accounts into one samba account) and have samba do magic to keep what it
> needs seperated out somewhere I don't have to worry about (Is this kind of
> stuff in secrets.tdb?).

The aliasing idea can't work because each machine must have its own password (it's updated automatically every x days).

brad
-- 
Bradley W. Langhorst <brad@langhorst.com>
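Both Bruno's `add user script` line and Brad's "auto-created" machine accounts hand the account name that a joining client supplies straight to a shell command, and Bruno's caveat is the security-relevant one: whoever can start a domain join gets to run that command on the server. The wrapper below is an added example, not code from this thread or from the Samba project, written for Samba 3's `add machine script` hook (where `%u` expands to the account name being created, trailing `$` included; Bruno's `add user script ... %m$` variant works the same way). It validates the name against NetBIOS rules before calling `useradd`, and passes it as a separate argv element so it is never re-parsed by a shell. Assumed: Linux `useradd(8)` at `/usr/sbin/useradd`, a pre-created `machines` group, smbd running as root (so no `sudo`), and the script installed as `/usr/local/sbin/samba-add-machine` with `add machine script = /usr/local/sbin/samba-add-machine %u` in `[global]`. It does not rely on smbd's own macro sanitizing, and the `DRY_RUN` switch is there only to let you see the command before trusting it.

```shell
#!/bin/sh
# samba-add-machine: guarded "add machine script" for smbd.
# Added example (not from the thread or from Samba). Assumes:
#   [global]
#   add machine script = /usr/local/sbin/samba-add-machine %u
# Linux useradd(8), an existing "machines" group, smbd running as root.

# A NetBIOS machine name is 1-15 characters; Samba appends '$' to form
# the account name. Accept only [A-Za-z0-9-] in the name part so nothing
# a client chose can turn into shell syntax or a useradd option.
valid_machine_name() {
    case "$1" in
        *'$') ;;                      # must end with a trailing '$'
        *) return 1 ;;
    esac
    _name=${1%?}                      # strip that trailing '$'
    [ -n "$_name" ] || return 1
    [ "${#_name}" -le 15 ] || return 1
    case "$_name" in
        -*) return 1 ;;               # would be parsed as an option
        *[!A-Za-z0-9-]*) return 1 ;;  # reject '; ' '`' '$' '/' etc.
    esac
    return 0
}

# Create the system account for one validated machine name.
# With DRY_RUN set, print the exact argv instead of executing it.
add_machine_account() {
    if ! valid_machine_name "$1"; then
        printf 'samba-add-machine: rejected account name %s\n' "$1" >&2
        return 1
    fi
    # Idempotent: a machine re-joining must not make the script fail.
    if command -v getent >/dev/null 2>&1 && getent passwd "$1" >/dev/null 2>&1; then
        return 0
    fi
    # Build argv, never a command string: the name stays one argument.
    set -- /usr/sbin/useradd -g machines -c Machine \
           -d /dev/null -s /bin/false "$1"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# smbd invokes the script with the account name as its only argument.
if [ -n "${1:-}" ]; then
    add_machine_account "$1"
fi
```

Test it as a non-root user first with `DRY_RUN=1 ./samba-add-machine 'WS01$'`, and with a hostile name such as `'WS01;id$'` to confirm it is rejected; only then point `add machine script` at it. Bruno's second point still stands: this automates creation, not lifecycle, so stale accounts from machines that left the domain still need pruning by hand.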
Buchan Milne
2003-Jan-09 12:00 UTC
[Samba] Removing requirement for local machine accounts
> Message: 7
> Date: Wed, 8 Jan 2003 09:32:22 -0700
> From: Dan Peterson <danp@danp.net>
> To: samba@lists.samba.org
> Subject: Re: [Samba] Removing requirement for local machine accounts
>
> Bruno Gimenes Pereti <pereti@ump.edu.br> wrote:
>
>>> add user script = sudo /usr/sbin/adduser -n -g machines -c Machine -d
>>> /dev/null -s /bin/false %m$
>
> Unfortunately, this is where the headache comes from. We rsync necessary
> password files (both system and samba) to many FreeBSD and Linux machines
> every few minutes.

You may want to consider using LDAP instead?

> These are generated from a PostgreSQL database which we'd
> rather not clutter with extra accounts if possible. So, that's why I'd like
> each samba instance to just do whatever it needs to do to let machines think
> they've joined the domain without caring about system and samba accounts.

Well, I don't know about making the machines think they have joined the domain (they have a password, which they need to access the domain), but you may want to look into using one of the _nua (no user account) backends in samba3. But then you would need to sync whatever files contain the machine accounts.

You may rather just want to implement LDAP (there may even be a postgres backend for ldap, which will probably only allow you to migrate to LDAP) instead; it will simplify your whole setup and provide more features.

Buchan
-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7
2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7