On Mon, 17 Mar 2003, Olaf Grewe wrote: > Hi John, > > Thanks for your quick reaction. If you don't mind, I'd like to ask you - > or someone from the list for that matter - for a slightly more granular > answer. I was trained to avoid the Administrator or root as much as > possible, not least for accountability reasons. For most tasks on *nix and > Windows it is possible to grant rights more granular than using root. So I > reckon this holds true for Samba also. Most likely, it's a matter of > having the Admin user in the right *nix group?
The smbpasswd file is owned by root. It is a little difficult to avoid Unix system security. In short, what ever user you use, the uid needs to be '0'. - John T. > > Regards > Olaf > > > On Mon, 17 Mar 2003, John H Terpstra wrote: > > > On Mon, 17 Mar 2003, Olaf Grewe wrote: > > > > > Hi, > > > > > > I recently joined a Samba server to a Samba PDC'd domain. It worked rather > > > smoothly after I figured out that I had to create a root account with > > > smbpasswd on the Samba PDC. Without it, I was stuck with the following > > > error: > > > > smbpasswd -j WHATEVER -r WHOCARES -Uname%password > > > error setting trust account password: NT_STATUS_ACCESS_DENIED > > > Unable to join domain WHATEVER > > > > > > I'd rather prefer to use my domain_adm account for this kind of tasks but > > > it's obviously lacking sufficient rights (whether on directories and/or > > > files, I don't know). The domain_adm account is obviously mentioned in the > > > domain admin group parameter of smb.conf and the machine account was added > > > to the smbpasswd of WHOCARES beforehand. > > > > > > My question is: Which rights does an admin account need to be able to join > > > other machines into a domain? Joining Samba to a Samba PDC'd domain > > > appears to be faily uncommon, as I didn't find much by searching the > > > respective lists and groups. > > > > When you want to make a MS Windows NT/2K/XP client a member of a MS > > Windwos network Domain, you must provide the name of an account and > > password for a user who has full "Domain Administrator" ability. That user > > is usually 'Administrator' on the domain controllers. > > > > The user 'root' is the equivalent of the MS Windows NT 'Administrator'. > > > > Obviously, every domain needs an 'Administrator' account. It is thus > > logical that 'root' needs to have an smbpasswd account. You can map this > > to administrator by setting in smb.conf [globals]: > > username map = /etc/samba/smbusers > > > > And in /etc/samba/smbusers: > > root = Administrator > > > > Att he end of the day, just like with MS Windows NT/2K only Adminsitrator > > (by default) has the right to add users/machines to the Domain. > > > > - John T. > > -- > > John H Terpstra > > Email: [EMAIL PROTECTED] > > > -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
