Michael Lueck
2004-Jul-21 17:03 UTC
[Samba] How do you create an account that can ONLY add workstations to the domain
Is there some way to configure a special account which is able to only join workstations to the domain? I believe the operation talks over IPC$ - such as the NETDOM.EXE command. Can one set admin users for IPC$ and thus join the domain without allowing that special account too much access to Samba?

Maybe one extension of this would be allowing it to join workstations to the domain plus read-only access to a share to draw files down from while preparing the computer.

TIA!

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
Paul Gienger
2004-Jul-21 17:10 UTC
[Samba] How do you create an account that can ONLY add workstations to the domain
Michael Lueck wrote:
> Is there some way to configure a special account which is able to only
> join workstations to the domain? I believe the operation talks over
> IPC$ - such as the NETDOM.EXE command. Can one set admin users for
> IPC$ and thus join the domain without allowing that special account
> too much access to Samba.

The criterion that defines whether or not you can join machines is usually whether or not you can add system users in UNIX. Traditionally this has meant that you need root (or uid=0) access. With LDAP (as I think you are using, no?) I believe this requirement may have been blurred since you can define an ACL for adding things in the LDAP store.

You could maybe define an smb.conf include based on the user and/or group (there have been examples of this) and then only have the create script defined in that .conf file. This is just a thought off the top of my head, not that I've tried it or anything. I may have to look at this myself though since sometimes our remote admin-less office needs to add a new machine.

--
Paul Gienger                          Office: 701-281-1884
Applied Engineering Inc.              Fax:    701-281-1322
Information Systems Consultant        URL:    www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Michael Lueck
2004-Jul-21 17:37 UTC
[Samba] Oh Yea! Re: How do you create an account that can ONLY add workstations to the domain
I just added...

[IPC$]
admin users = installer

to the end of my smb.conf and the installer ID is able to join workstations to the domain. I get an entry in the smbd log that no path was specified so it is using /tmp... where does IPC$ usually point? If not /tmp then I should make it the same as what it was with no [IPC$] specified. Any ideas what other default settings I have now destroyed by doing this [IPC$] share specification?

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
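The two approaches discussed in this thread, Paul's per-user include idea and Michael's explicit [IPC$] block, side by side in one smb.conf fragment. This is an added example, not configuration from either poster; the workgroup name, the include file name, the "machines" group, the useradd invocation and the hosts allow subnet are all assumptions made for illustration.

```ini
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes

   ; Approach A (Paul's suggestion): pull in a per-user file, so that an
   ; "add machine script" exists only for the session user "installer".
   ; %U is the session username; /etc/samba/smb.conf.installer is assumed
   ; to be the only such file, so every other user includes nothing.
   include = /etc/samba/smb.conf.%U

; Approach B (what Michael did): re-declare IPC$ and list the join account
; as an admin user. Note the scope: per the smb.conf manual, admin users do
; all operations on that share as root, and on IPC$ that covers every RPC
; the account issues, not only the machine-account creation. Narrowing the
; source addresses limits where that root-equivalent access can be used from.
[IPC$]
   comment = IPC Service
   admin users = installer
   hosts allow = 192.0.2.0/24   ; constructed example subnet, adjust to the build VLAN

; ----- contents of /etc/samba/smb.conf.installer (separate file, assumed name) -----
; [global]
;    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
```

Approach A still depends on smbd's own access checks permitting that user to create the account; Paul notes he has not tried it. On Michael's /tmp question: Samba's built-in IPC$ definition also uses the temporary directory for its path, so the value the log reports is the same one the implicit share had before the explicit [IPC$] block was added; setting path = /tmp makes that choice visible rather than changing it.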