samba - Mar 2005 - Securing "machine auth account"

Please give me a sanity check here...

The docs all call out requiring root access to allow machines to join a 
Domain.

I do not want to give out the root password.  For adding machines to the 
domain, I just want my users to be able to type "let me in".  I could 
not find a solution on google, so I ran truss on the daemon during an 
add machine operation in combination with snoop, and came up with a 
solution.

The following is working in testing (Solaris 2.9, samba 3.0.10, PDC, 
NIS), anyone see any "gotchas" with this? (besides NIS ;-) )

In /etc/passwd:
samba:x:0:1:Dummy Account for Adding Machines to Domain:/dev/null:/bin/false

Corresponding entry in /etc/shadow, with an easy "public" password.

I can not log in via telnet, I can not even su to it as root on the 
console.  There is no home directory, and no shell, just an account with 
root permissions and a password.

I can add it to smbpasswd.  I can add machines to the domain using it.
The real root account is not in smbpasswd.  I am just using it for 
authentication.

This just seems to easy to not have been thought of before, so I am 
worried that I am missing something stupid...  Or does everyone already 
know this, and I just missed it in the docs...

I am aware that between the time that a machine trust account is created 
and the time it is activated, anyone could "steal" it.  This is a 
student network (K-5), and I want every system to join, so that is not 
an issue.

TIA,
Artie Efemok

On Monday 28 March 2005 23:12, info wrote:
> Please give me a sanity check here...
OK. So please check the chapter on "Rights and Privileges" in the 
Samba-HOWTO-Collection. You can obtain the latest build from:

http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

If this does not solve your problem in a more sane manner please drop me a 
line.

Cheers,
John T.
>
> The docs all call out requiring root access to allow machines to join a
> Domain.
>
> I do not want to give out the root password.  For adding machines to the
> domain, I just want my users to be able to type "let me in".  I
could
> not find a solution on google, so I ran truss on the daemon during an
> add machine operation in combination with snoop, and came up with a
> solution.
>
> The following is working in testing (Solaris 2.9, samba 3.0.10, PDC,
> NIS), anyone see any "gotchas" with this? (besides NIS ;-) )
>
> In /etc/passwd:
> samba:x:0:1:Dummy Account for Adding Machines to
> Domain:/dev/null:/bin/false
This is a 'root' account because UID=0 means the account has
'root' level
privilege on UNIX.
>
> Corresponding entry in /etc/shadow, with an easy "public"
password.
>
> I can not log in via telnet, I can not even su to it as root on the
> console.  There is no home directory, and no shell, just an account with
> root permissions and a password.
>
> I can add it to smbpasswd.  I can add machines to the domain using it.
> The real root account is not in smbpasswd.  I am just using it for
> authentication.
>
> This just seems to easy to not have been thought of before, so I am
> worried that I am missing something stupid...  Or does everyone already
> know this, and I just missed it in the docs...
>
> I am aware that between the time that a machine trust account is created
> and the time it is activated, anyone could "steal" it.  This is a
> student network (K-5), and I want every system to join, so that is not
> an issue.
>
> TIA,
> Artie Efemok
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

>
>
>On Monday 28 March 2005 23:12, info wrote:
>> Please give me a sanity check here...
>
>OK. So please check the chapter on "Rights and Privileges" in the 
>Samba-HOWTO-Collection. You can obtain the latest build from:
>
>http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
>
>If this does not solve your problem in a more sane manner please drop me a 
>line.
>
Ahhh:
"Samba 3.0.11 introduces support for the Windows privilege model. This 
model allows certain rights to be assigned to a user or group SID."

So I missed it by a .01 release...

Thanks
(snip)
<https://lists.samba.org/mailman/listinfo/samba>