___cliff rayman___
2002-Dec-24 02:21 UTC
[Samba] Method for joining machines to PDC without using root
currently, in order to join a win XP machine to a samba PDC, you have to use the root account (although you can use an smbpasswd and not the linux password). is there any way to set up another account to do this one particular task (one without uid=0)? if we have users in remote places, i do not want to have to go over to their work station just to log them on to the domain. also i don't want to give them a login and password that could compromise the system the samba is running on (linux).

i think the answer is no from some of the information i found by googling, but i wanted to verify the answer here.

my only other option would be to issue a:
smbpasswd root

make a temporary password, talk someone into joining a domain on the phone, immediately change the password back so it is secure.

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
John H Terpstra
2002-Dec-24 02:53 UTC
[Samba] Method for joining machines to PDC without using root
On Mon, 23 Dec 2002, ___cliff rayman___ wrote:

> currently, in order to join a win XP machine to a samba PDC, you
> have to use the root account (although you can use an smbpasswd
> and not the linux password). is there any way to set up another
> account to do this one particular task (one without uid=0)?

No. It has to be done as a 'root' privileged account from samba's perspective, i.e. NT Administrator (which maps to root). As you noted, the smb password for root does not need to be the same as the system root password.

> if we have users in remote places, i do not want to have to go over
> to their work station just to log them on to the domain. also i don't
> want to give them a login and password that could compromise the system
> the samba is running on (linux).
>
> i think the answer is no from some of the information i found
> by googling, but i wanted to verify the answer here.

You have your verification. Got a better suggestion? Send us your patches and we will look at them.

> my only other option would be to issue a:
> smbpasswd root
>
> make a temporary password, talk someone into joining
> a domain on the phone, immediately change the password
> back so it is secure.

No different from NT/2K really.

- John T.
--
John H Terpstra
Email: jht@samba.org
___cliff rayman___
2002-Dec-24 05:09 UTC
[Samba] Method for joining machines to PDC without using root
John H Terpstra wrote:

> On Mon, 23 Dec 2002, ___cliff rayman___ wrote:
>
> You have your verification. Got a better suggestion? Send us your patches
> and we will look at them.

i know, suggestions are cheap, good patches are like diamonds :-)

if the problem is smbpasswd permissions, perhaps it can be set to mode 660 instead of 600, and with a group something like domainadd. any user with domainadd group can add a windows box to the domain. users can be created in this special group that could do nothing else but add windows boxes to the domain. no logins, no share permissions etc.

i did look at the code, but it is way over my head without several hundred hours of study. :-)

>> my only other option would be to issue a:
>> smbpasswd root
>>
>> make a temporary password, talk someone into joining
>> a domain on the phone, immediately change the password
>> back so it is secure.
>
> No different from NT/2K really.

i assumed that this was a samba requirement and not a windows requirement.

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
Markus Schabel
2002-Dec-26 21:47 UTC
[Samba] Method for joining machines to PDC without using root
___cliff rayman___ wrote:

> currently, in order to join a win XP machine to a samba PDC, you
> have to use the root account (although you can use an smbpasswd
> and not the linux password). is there any way to set up another
> account to do this one particular task (one without uid=0)?
> if we have users in remote places, i do not want to have to go over
> to their work station just to log them on to the domain. also i don't
> want to give them a login and password that could compromise the system
> the samba is running on (linux).

AFAICT it works with a non-root user if you use LDAP instead of smbpasswd.

<snip/>

--
Markus Schabel
+--------------------------------------------+
| TGM - Die Schule der Technik               |
| IT-Service                                 |
| A-1200 Wien, Wexstrasse 19-23              |
| Tel.: +43(1)33126/316 Fax: +43(1)33126/154 |
| eMail: markus.schabel@tgm.ac.at            |
+--------------------------------------------+
Markus Schabel
2002-Dec-26 22:48 UTC
[Samba] Method for joining machines to PDC without using root
Alan Woodland wrote:

> Markus Schabel wrote:
>
>> ___cliff rayman___ wrote:
>>
>>> currently, in order to join a win XP machine to a samba PDC, you
>>> have to use the root account (although you can use an smbpasswd
>>> and not the linux password). is there any way to set up another
>>> account to do this one particular task (one without uid=0)?
>>> if we have users in remote places, i do not want to have to go over
>>> to their work station just to log them on to the domain. also i
>>> don't want to give them a login and password that could compromise
>>> the system the samba is running on (linux).
>>
>> AFAICT it works with a non-root user if you use LDAP instead of
>> smbpasswd.
>>
>> <snip/>
>
> I'm currently doing that with the new samba from cvs using smbgroupedit,
> but it is possible with older sambas using (IIRC) domain admin group =
> @groupname and having the users you want to be able to add machines to
> the domain in that group. It does however make the user super user
> equivalent when logged in through samba that way, but not super user on
> the actual unix boxes.
>
> Alan

I'm doing it with samba 2.2.7a. But I'd like something like "add computer group = valid-user", so that everybody with a user-account can add his workstation to the domain (if the workstation's ip is logged as active by the dhcp). Probably it's possible to add computer-accounts via dhcp-logs (but I think the problem here is that the DHCP-hostname could be different from the NetBIOS-name).

--
Markus Schabel
+--------------------------------------------+
| TGM - Die Schule der Technik               |
| IT-Service                                 |
| A-1200 Wien, Wexstrasse 19-23              |
| Tel.: +43(1)33126/316 Fax: +43(1)33126/154 |
| eMail: markus.schabel@tgm.ac.at            |
+--------------------------------------------+