Hunter Rognstad
2005-Jan-11 19:49 UTC
[Samba] Joining a samba domain on WinXP without a root login?
I've been able to successfully join XP boxes to the samba domain on samba 2.2.3a (yes, I know it's old), registering the machine name and so forth, as many guides and so forth have shown online. However, it requires entering root's smbpasswd when joining the domain -- and I'd rather not have a Windows machine with any sort of remotely related root access to our servers, especially having the capability of a root login.

I'm curious, since SAMBA is its own project and should be able to work around it, if it's possible to join the domain without allowing the user root to log into it. I've tried having invalid users = root, and experimented with the domain admin group and admin users settings to work around it, but to no avail. I've googled for a solution, and found no suggestions.

If it's only possible to join the domain with root logins enabled, how insecure is it, exactly, and what are the best methods of working around that? Is there a best equivalent way to Win9x logins for WinXP, so I don't have to create matching accounts on every machine?

Thanks.
Michael Lueck
2005-Jan-11 20:38 UTC
[Samba] Re: Joining a samba domain on WinXP without a root login?
At least with Samba 3 you can specify an account or group allowed to be root within Samba's mind. For example...

[global]
########## NT Domain Related ##########
admin users = @domadmin

Sets the Linux domadmin group as allowed to join boxes to the domain.

Do not set root as an invalid user as it has bad resulting behavior. Even though you would never log in at a Windows client with a domain account of root... still don't set it as an invalid user.

Of course working with current Samba code is highly suggested.

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
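An added example, not part of the original post and not Samba project code: a small audit of smb.conf text for the two settings discussed above, flagging `invalid users` entries that include root and listing every account or group that `admin users` maps to root-level access. The function names `parse_smb_conf` and `audit` and the sample configuration are hypothetical and constructed for illustration.

```python
# Added example (not Samba project code); SAMPLE_CONF below is constructed.
import re

SAMPLE_CONF = """\
[global]
   ; joining machines is delegated to a Unix group
   admin users = @domadmin, \\
                 backupop
   Invalid Users = root nobody

[public]
   admin users = alice
"""

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # backslash continues the value
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(text):
    """Return (section, finding) tuples for root-related settings."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        if "root" in re.split(r"[,\s]+", params.get("invalidusers", "")):
            findings.append((section, "invalid users lists root"))
        admins = [a for a in re.split(r"[,\s]+", params.get("adminusers", "")) if a]
        for name in admins:
            kind = "group" if name[0] in "@+&" else "user"
            findings.append((section, f"admin users grants root-level access to {kind} {name}"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

Members of `admin users` perform file operations on the affected shares as root, so each reported entry is worth reviewing against who actually needs to join machines.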
Gerald (Jerry) Carter
2005-Jan-11 20:55 UTC
[Samba] Joining a samba domain on WinXP without a root login?
Hunter Rognstad wrote:

| I've been able to successfully join XP boxes to the samba domain on samba
| 2.2.3a (yes, I know it's old), registering the machine name and so
| forth, as many guides and so forth have shown online. However, it
| requires entering root's smbpasswd when joining the domain -- and I'd
| rather not have a Windows machine with any sort of remotely related root
| access to our servers, especially having the capability of a root login.
|
| I'm curious, since SAMBA is its own project and should be able to work
| around it, if it's possible to join the domain without allowing the user
| root to log into it. I've tried having invalid users = root, and
| experimented with the domain admin group and admin users settings to
| work around it, but to no avail. I've googled for a solution, and found
| no suggestions.

I posted an experimental patch last week that allows domain admins (defined by the group mapping) to join machines to the domain. It's at http://samba.org/~jerry/patches/post-3.0.10/

I'm reworking things now to use a privilege based model (based on code by Simo Sorce) so it will change before 3.0.11 I'm sure.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca