I believe it was expected that Samba would allow domain joins by people in the "admin group=" parameter -- I seem to remember reading that somewhere... I also seem to remember (and have discovered) that, no, it is in fact "root", or UID 0 only, who can accomplish this task. My question is, what are the ways around this? There are people in my organization who will be joining machines to the domain (so I don't have to travel over there to do something so trivial), but they are not part of my department and can't officially be trusted with root privileges, beyond domain joins.

I know that the creation of additional UID 0 accounts is possible, but most UNIX admins frown upon that sort of thing. However, I don't believe it would be as big of a deal if there were some other way to restrict this user so that it was only good for domain joins, not root access on shares, etc.

Another idea -- don't know how feasible this is -- can the "add user script=" and "delete user script=" commands simply be changed to "sudo useradd" or "sudo userdel" instead of just useradd or userdel, or does some other part of the process other than these two commands require root access?

There may be something else I'm overlooking... maybe manual machine account creation? Does this not require root access (I know the creation would, but then does the subsequent domain join only require domain admin group access)?

This is another one of those things that I bet someone has run into before me, and I'd appreciate hearing about any experience anyone has gained on the subject.

----
Ryan Novosielski - Jr. UNIX Systems Admin
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
Hi,

I'm using this script to create a machine account. But you *have to* know the machine names and create them beforehand as root with "# addsmbpdcmachine MACHINE_NAME". Then no admin rights are required to join the domain (do not use "create a machine account" on windoze).

Note: If a machine quits the domain you have to recreate it (just overwrite) before joining the domain again.

I hope this helps.
Best regards

Here is my script:

    #!/bin/bash
    # Add a new machine in Primary Domain Controller Samba
    # T.TERRIER 15 feb 2002
    # Note: Replace "staffgroup" by your group domain name
    # Usage: addsmbpdcmachine MACHINE_NAME   (run as root)
    if [ -z "$1" ]; then
        echo "usage: $0 MACHINE_NAME" >&2
        exit 1
    fi
    # Unix side: trust account "MACHINE_NAME$" with no home directory and no shell
    useradd -d /dev/null -g staffgroup -c "$1.staffgroup" -s /bin/false -M "$1\$"
    # Samba side: add the same name to the smbpasswd file as a machine (-m) account
    smbpasswd -a -m "$1\$"
    #!end of addsmbpdcmachine
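Thierry's script and Ryan's question about a helper who may create machine accounts but must not get root elsewhere fit together as one delegation setup: a machine-account script that validates its input and refuses to run unprivileged, installed as the only command a group is allowed to run through sudo. The script below is an added example written for this thread, not Thierry's script and not anything from the Samba project. It keeps the original's two commands (useradd, then smbpasswd -a -m with the trailing $ passed exactly as the original does) and assumes the Unix group "staffgroup" from the original, a sudo group called "domainjoiners", and the install path /usr/local/sbin/addsmbpdcmachine; all three names are assumptions.

```shell
#!/bin/sh
# addsmbpdcmachine (added example, not Thierry Terrier's original script):
# create one Samba machine trust account with the same two steps as the
# original (useradd + smbpasswd -a -m), with the machine name validated and
# the privileged part isolated so the script can be delegated through one
# sudoers rule. Assumed names: Unix group "staffgroup" (as in the original),
# sudo group "domainjoiners", install path /usr/local/sbin/addsmbpdcmachine.

MACHINE_GROUP="${MACHINE_GROUP:-staffgroup}"   # group owning trust accounts (assumed)

# NetBIOS-style check: 1-15 characters, letters/digits/hyphen, no leading hyphen.
# This is what keeps a delegated caller from passing extra words or options
# into useradd through the machine name.
valid_machine_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Trust account name as it appears in /etc/passwd and the smbpasswd file: NAME$
trust_account_name() {
    printf '%s$\n' "$1"
}

# Print the exact commands that would run, one per line (dry runs, and a
# record of what the delegated script is able to do).
plan_machine_account() {
    acct=$(trust_account_name "$1")
    printf 'useradd -d /dev/null -g %s -c %s.%s -s /bin/false -M %s\n' \
        "$MACHINE_GROUP" "$1" "$MACHINE_GROUP" "$acct"
    printf 'smbpasswd -a -m %s\n' "$acct"
}

# Create the account. Return codes: 2 bad name, 3 not root, 1 a command failed.
add_machine() {
    name="$1"
    if ! valid_machine_name "$name"; then
        echo "addsmbpdcmachine: invalid machine name '$name'" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "addsmbpdcmachine: must run as root (use sudo)" >&2
        return 3
    fi
    acct=$(trust_account_name "$name")
    useradd -d /dev/null -g "$MACHINE_GROUP" -c "$name.$MACHINE_GROUP" \
        -s /bin/false -M "$acct" || return 1
    smbpasswd -a -m "$acct" || return 1
}

# The sudoers line that lets the delegated group run only this script
# (assumed group name and install path).
sudoers_rule() {
    printf '%%domainjoiners ALL=(root) NOPASSWD: /usr/local/sbin/addsmbpdcmachine\n'
}

# Run only when invoked as the installed script, so sourcing it has no side effects.
case "$0" in
    */addsmbpdcmachine|addsmbpdcmachine)
        if [ "$2" = "--dry-run" ]; then
            valid_machine_name "$1" && plan_machine_account "$1"
        else
            add_machine "$1"
        fi ;;
esac
```

With the script installed at the assumed path, owned and writable by root only, the line printed by sudoers_rule gives members of domainjoiners exactly one privileged command; sudo lets them pass any arguments to it, which is why the name validation lives inside the script rather than in sudoers. "addsmbpdcmachine PC01 --dry-run" prints the two commands without running them. The trailing $ on the smbpasswd argument is kept as in the original script, which the author reports works; check smbpasswd(8) for the Samba version you run.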
Perhaps the 'admin users = ' string can be used in the [global] section to provide other users/groups samba admin access.

-----Original Message-----
From: Thierry Terrier [mailto:thierry.terrier@atolltech.fr]
Sent: Tuesday, May 20, 2003 9:48 AM
To: samba@lists.samba.org
Subject: Re: [Samba] root rq'd to join domain