Adding Computer Accounts

To participate in a domain, a Windows NT/2000/XP system must be a member of the domain. Domain membership is implemented using computer accounts, which are similar to user accounts and allow a domain controller to keep information with which to authenticate computers on the network. That is, the domain controller must be able to tell whether requests arriving from a computer come from one that it “knows” as being part of the domain. Each Windows NT/2000/XP system in the domain has a computer account in the domain controllers’ database, which on a Windows NT/2000 hosted domain is the SAM database. Although Samba uses a different method (involving the smbpasswd file), it also treats computer accounts similarly to user accounts.

To create a computer account, an administrator configures a Windows NT/2000/XP system to be part of the domain. For Samba 2.2, the “domain administrator” is the root account on the Samba server, and you will need to run the command:

# smbpasswd -a root

to add the root user to Samba’s password database. In this case, do not provide smbpasswd with the same password as the actual root account on the server. Create a different password to be used solely for creating computer accounts. This will reduce the possibility of compromising the root password.

When the computer account is created, two things must happen on the Samba server. An entry is added to the smbpasswd file, with a “username” that is the NetBIOS name of the computer with a dollar sign ($) appended to it. This part is handled by the smbpasswd command, and you do not need to perform any additional action to implement it.

With Samba 2.2, an entry is also required in the /etc/passwd file[22] to give the computer account a user ID (UID) on the Samba server.

This account will never be used to log in to the Unix system, so it should not be given a valid home directory or login shell. To make this part work, you must set the add user script parameter in your Samba configuration file, using a command that adds the entry in the proper manner. On our Red Hat Linux system, we set add user script to:

/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

This command adds an entry in /etc/passwd similar to the following:

aztec$:x:505:100::/dev/null:/bin/false

Again, notice that the username ends in a dollar sign. The user account shown has a “home directory” of /dev/null, a group ID (GID) of 100, and a “login shell” of /bin/false. The -M flag in our useradd command prevents it from creating the home directory. Samba replaces the %u variable in the useradd command with the NetBIOS name of the computer, including the trailing dollar sign. The basic idea here is to create an entry with a valid username and UID. These are the only parts that Samba uses. It is important that the UID be unique, not also used for other accounts—especially ones that are associated with Samba users.

If you are using some other variety of Unix, you will need to replace our useradd command with a command that performs the same function on your system. If a command such as useradd does not come with your system, you can write a shell script yourself that performs the same function. In any case, the command should add a password hash that does not correspond to any valid password. For example, in the /etc/shadow file of our Linux server, we find the following two lines:

jay:$1$zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
zapotec$:!!:11625:0:99999:7:::

The first line is for jay’s user account. The second field is the password hash—the long string between the first and second colons. The second line is for the computer account of zapotec, a domain member server. Its “username” ends with a dollar sign ($), and the second field in this case has been set to “!!”, which is an arbitrary string not produced from any password. Therefore, there is no valid password for this account on the Linux host. Just about any ASCII string can be used instead of “!!”. For example, you could use “DISABLED” instead.
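For systems without a suitable useradd, the following is an added example (not from the book) of a shell script that can serve as the add user script: it accepts only a name ending in the dollar sign, picks a UID not already in use, and writes the passwd and shadow entries in the form shown above. It assumes the PASSWD_FILE and SHADOW_FILE environment variables may override the system files (so it can be tried against scratch copies), and that GID 100 and a UID floor of 500 are site choices.

```shell
#!/bin/sh
# Added example, not from the book: a portable "add user script" for
# Samba computer accounts on systems without a suitable useradd.
# Assumptions: PASSWD_FILE and SHADOW_FILE may be overridden from the
# environment; GID 100 and the UID floor are site choices.
# smb.conf:  add user script = /usr/local/sbin/addmachine.sh %u
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
MACHINE_GID=100
MIN_UID=500

# Accept only a NetBIOS-style name with the trailing dollar sign, so the
# script cannot be used to create an ordinary login account.
valid_machine_name() {
    case "$1" in *'$') ;; *) return 1 ;; esac
    name=${1%'$'}
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Exact match on the first field; the "$" in the name is literal here.
account_exists() {
    awk -F: -v a="$1" '$1 == a { f = 1 } END { exit !f }' "$PASSWD_FILE"
}

# Lowest UID >= MIN_UID not already taken: Samba identifies the account
# by UID, so it must not collide with any other entry.
next_free_uid() {
    awk -F: -v min="$MIN_UID" \
        '{ used[$3] = 1 } END { u = min; while (u in used) u++; print u }' \
        "$PASSWD_FILE"
}

add_machine_account() {
    acct=$1
    valid_machine_name "$acct" || { echo "bad account name: $acct" >&2; return 1; }
    if account_exists "$acct"; then echo "already exists: $acct" >&2; return 1; fi
    uid=$(next_free_uid)
    # No home, no shell, and a shadow field ("!!") that matches no password.
    printf '%s:x:%s:%s::/dev/null:/bin/false\n' "$acct" "$uid" "$MACHINE_GID" >> "$PASSWD_FILE"
    printf '%s:!!:%s:0:99999:7:::\n' "$acct" "$(( $(date +%s) / 86400 ))" >> "$SHADOW_FILE"
}

if [ -n "${1:-}" ]; then add_machine_account "$1"; fi
```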

Tip

It is possible to create the entries for /etc/passwd and smbpasswd manually; however, we suggest this method be used very carefully, and only for initial testing, or as a last resort. The reason for this is to maintain security. After the computer account has been created on the server, the next Windows NT/2000/XP system on the network with a matching NetBIOS name to log on to the domain will be associated with this account. This allows crackers a window of opportunity to take over computer accounts for their own purposes.

[22] The entry in /etc/passwd might not be required in future Samba versions.
