Ok lemme get this straight. You're saying that there needs to be a samba account with posix uid of 0 in order to join the domain? That doesn't make sense. If you're a domain admin, you're a domain admin. If this is the case, the samba team is forcing a huge security problem upon us as all domain admins would now need to have a posix id of 0....making them all effectively root. While domain admins are only superusers to samba, giving them all uid 0 would make them superusers globally. Not the brightest of ideas.
If you're saying that I need to be root *locally* to join with a domain admin account, then that's not an issue. I'm doing that. I ssh in as my normal user, run `sudo su -` to become full root, then execute `net join -U travis DOMAIN`. If this seems ok I'm going to start digging around the source code I guess.

--Travis

On Wed, 2004-04-07 at 03:15, Clint Sharp wrote:
> On Tue, 2004-04-06 at 15:24, Travis Groth wrote:
> > Uh...yes? root doesn't have a samba account. 'travis' is in the domain
> > admins group though, which is all you need to join a domain afaik. Take
> > a look at the ldap chunks and 'net groupmap list' output. It's either
> > something really stupid or I've uncovered a bug...according to all the
> > documentation I've seen and examples I've followed, I haven't missed
> > anything.
> >
> > --Travis
> >
>
> This may have been beaten to death on the list, but AFAIK you cannot
> join a samba domain, even with a tdb or ldap backend w/o using the root
> account. It's the only reason I've kept a root account around (that and
> modifying ACLs, which is a separate problem I haven't gotten around to
> seeing if I can fix). In fact, my root account isn't even in the domain
> admins group at this point. Without having to modify the smbpasswd file
> and /etc/passwd file, I couldn't see a reason for having to be root to
> join the domain anymore. I saw a patch (it's still in my inbox) for
> 2.2.8 that would allow domain admins to join the domain by assuming root
> privileges during the join, and I've considered attempting to adapt this
> patch for Samba 3 but I haven't had the time to even look at (if I had a
> Linux environment on my laptop I could work on this tomorrow on the
> plane, but alas spending is frozen and no one's gotten around to buying
> me vmware yet).
>
> Maybe someone else can shed some light as to why this restriction still
> seems to exist in Samba 3 with an LDAP backend?
>
> Clint
