Robert
2004-May-01 11:18 UTC
[Samba] How do you handle this right now? Joining workstations to a samba domain.
Currently, we have a few Windows NT4 domains and we are looking to upgrade to Samba. I have played with Samba on my own and am very comfortable with it. I have implemented PDC and BDC on both Samba 2.x and 3.x with an LDAP backend.

How do you currently handle adding workstations to the domain? I have done it on my test domain with the root user and by assigning a different password for the Samba password from the actual root login. I noticed that in 2.2.8a, I was able to join the domain as a non-root user with an LDAP backend as long as I added the user to the "domain admin =" parameter. This was, however, not doable on the smbpasswd backend. With 3.0, I was not able to add the user unless it was done with the root user. For security reasons, I added "invalid users = root" to the global section, but added "invalid users = " to the IPC$ share so that root was able to join the workstations but access no files or printers on the server.

The problem with my situation is that there are multiple groups of administrators who need to add machines to "their" respective domains. One group handles management of faculty workstations, another handles student lab machines, and there are a few groups around the place. For ease of management, we are going to use a single domain.

How would you handle this? Should I just share the smb root password with ALL administrators, or would this cause problems?

Thanks in advance.
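As an added illustration (not configuration from the original post or from the Samba project), this smb.conf fragment shows the arrangement Robert describes: root is denied on every share through the global "invalid users", and the IPC$ share overrides that with an empty list so the domain join (which only needs IPC$) still works while root can reach no files or printers. The workgroup name, the LDAP URL, the homes share and the "add machine script" line are assumptions added to make the fragment complete; the smbldap-useradd invocation is one common way to create machine trust accounts with an LDAP backend and is likewise an assumption.

```ini
# Added example, not from the thread. Hostnames, domain name and the
# machine-account helper are assumed; adapt them to the site.
[global]
    workgroup = EXAMPLEDOM
    domain logons = yes
    passdb backend = ldapsam:ldap://ldap.example.internal

    # Global deny: root cannot open any share on this server ...
    invalid users = root

    # Samba 3 creates the machine trust account (MACHINE$) through this
    # script when an authorised user joins a workstation; %u is the
    # machine account name. Assumed helper from smbldap-tools.
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

[IPC$]
    # ... except IPC$, where an empty list overrides the global setting so
    # the "join domain" dialog can still authenticate as root.
    invalid users =

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
```

The Samba password for root (set with "smbpasswd -a root" and stored in the passdb, separate from the UNIX password in /etc/shadow) is what the join dialog uses, so the UNIX root password itself is never handed out; this is the "different password for the Samba password" arrangement Robert mentions. Run "testparm" after editing to confirm the per-share override parses as intended.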
Paul Gienger
2004-May-01 14:28 UTC
[Samba] How do you handle this right now? Joining workstations to a samba domain.
What I did on my setup was that I had an 'Administrator' account with a uid of 0. I'm not sure if this was made by the smbldap-tools populate script or if I hand created it, but it was uid 0 and had the proper SID to be the domain administrator as far as Windows was concerned. The UID 0 part made sure that it was able to add user accounts under UNIX, and being a separate account I could lock it down more so it couldn't log in on UNIX, which is what I'm most worried about at my shop. I did things like give it shell = /bin/nosuchshell, didn't give it any hosts (which means it can't log in when using check_host_attr, if I remember the param right) and other fun stuff like that.

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.        Cell: 701-306-6254
Information Systems Consultant  Fax: 701-281-1322
URL: www.ae-solutions.com
mailto:pgienger@ae-solutions.com