David Mathog wrote:
> Jean-Jacques Moulis wrote:
> > On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <[email protected]> wrote:
> >
> > DM> I am trying to automate W7 joining to our Samba domain. It works fine
> > DM> through the Windows GUI from the W7 workstations. However, for a script
> > DM> one would have to store password used for domain access, and since that
> > DM> is the server's root password, I really don't want to hard code that
> > DM> into a file.
> >
> > Grant the right to put a machine in the domain to a special user with
> > no other privileges on the PDC or on the clients.
>
> That worked as you said for the server side. The /etc/passwd entry ends
> in /sbin/nologon, and as far as I can tell, that locks it out from both
> su and ssh.

I spoke too soon. This special account works fine for the
UnjoinDomainOrWorkgroup method. However, it fails every single time for
the JoinDomainOrWorkgroup method, in every case resulting in a 1326
status. It didn't matter if the machine account existed, existed and was
unchanged (unjoin, reboot, join), or didn't exist. All of the same
JoinDomainOrWorkgroup operations succeed if I use root with the password
for root that is in smbpasswd.

Details about the special account:

% net rpc rights list sjacct
Enter root's password:
SeMachineAccountPrivilege
% grep sjacct /etc/passwd
sjacct:x:82:13:SMB JOIN account:/var/empty:/sbin/nologin
% grep 13 /etc/group
news:x:13:

This is as buttoned down security wise on the linux side as I could make
it. Seems like samba really needs this account to do something on the
server, and it cannot.

Samba is 3.4.7-0.2mdv2008.1

Any suggestions?

Thanks,

David Mathog
[email protected]
Manager, Sequence Analysis Facility, Biology Division, Caltech
