
Thursday, December 15, 2011

How To Add Workstations To Your Samba Domain (SAMBA) - PART11


Adding workstations to a Samba domain is a two-step process: first create workstation trust accounts on the Samba server, then log into each workstation and add it to the domain.

Create Samba Trust Accounts For Each Workstation

A PDC will accept user logins only from trusted PCs that have been placed in its PC client database. Samba can create these machine trusts in two ways, either manually or automatically.

Manual Creation Of Machine Trust Accounts (NT Only)

The commands in this example create a special Linux group for Samba clients and then add a special machine user that is a member of that group. The user's password is then disabled, and the machine is added to the smbpasswd file to help keep track of which devices are members of the domain. In summary, a machine trust account needs entries in both the /etc/passwd and /etc/smbpasswd files. Pay careful attention to the dollar sign ($) at the end of the account name, and replace machine_name with the name of the Windows client machine.
[root@bigboy tmp]# groupadd samba-clients
[root@bigboy tmp]# /usr/sbin/useradd -g samba-clients \
-d /dev/null -s /bin/false machine_name$
[root@bigboy tmp]# passwd -l machine_name$
[root@bigboy tmp]# smbpasswd -a -m machine_name
This is the only way to configure machine trusts using Windows NT.

Dynamic Creation of Machine Trust Accounts

Although you can use the manual method, the recommended way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the Windows clients join the domain, which is known as making a machine account on the fly. You can set this up by editing the /etc/samba/smb.conf file to automatically add the required users.
The easiest way to do this is to use SWAT's Global menu to modify the add machine script parameter.
[global]
# <...remainder of parameters...>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
When you have completed the modifications, you'll need to create the samba-clients Linux group that will be used to help identify all the domain's Windows clients listed in the /etc/passwd file.
[root@bigboy tmp]# groupadd samba-clients
In Samba version 2, you also need to add the client to the smbpasswd file:
[root@bigboy tmp]# smbpasswd -a -m machine_name
Samba version 3 adds it automatically.
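
A check on the result of either method, as an added example that is not part of the original post: the function below reads passwd- and group-format files and reports every machine account (name ending in $) whose primary group, home directory or shell differs from the useradd options shown above. The function name and the sample entries (ws01$ and so on) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit machine trust accounts.
# Expected values mirror the useradd options shown on this page.
EXPECTED_GROUP="samba-clients"
EXPECTED_HOME="/dev/null"
EXPECTED_SHELL="/bin/false"

# audit_machine_accounts PASSWD_FILE GROUP_FILE   (hypothetical helper name)
# Prints one line per deviation found on accounts whose name ends in "$".
audit_machine_accounts() {
    # Look up the numeric GID of the expected group in the group file.
    gid=$(awk -F: -v g="$EXPECTED_GROUP" '$1 == g { print $3; exit }' "$2")
    if [ -z "$gid" ]; then
        echo "group $EXPECTED_GROUP is missing"
        return 1
    fi
    awk -F: -v gid="$gid" -v grp="$EXPECTED_GROUP" \
        -v home="$EXPECTED_HOME" -v shell="$EXPECTED_SHELL" '
        substr($1, length($1)) != "$" { next }   # not a machine account
        $3 == 0     { print $1 ": UID is 0" }
        $4 != gid   { print $1 ": primary GID " $4 " is not " grp " (" gid ")" }
        $6 != home  { print $1 ": home is " $6 ", expected " home }
        $7 != shell { print $1 ": shell is " $7 ", expected " shell }
    ' "$1"
}

# Constructed sample data in passwd(5) and group(5) format, not real accounts.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
users:x:100:
samba-clients:x:600:
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:100::/home/alice:/bin/bash
ws01$:x:601:600::/dev/null:/bin/false
ws02$:x:602:600::/home/ws02:/bin/bash
ws03$:x:603:100::/dev/null:/bin/false
EOF

# ws01$ matches the expected settings; ws02$ and ws03$ are reported.
audit_machine_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

On the Samba server itself, the same function can be pointed at /etc/passwd and /etc/group.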