Paul Gienger wrote:
The criterion that defines whether or not you can join machines is usually whether or not you can add system users in UNIX.
I guess I should have explained a bit more of what I have tried and chatted with John Terpstra about.
/etc/group:
domadmin:x:2000:mradmin

# initGrps.sh
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin

(These two allow Win2K ifmember.exe /list to see that the logged in user is a domain admin, but the ID can not add workstations to the domain...)

# /etc/samba/smb.conf
[global]
admin users = @domadmin
And then the account may finally add workstations.
So that's all fine and dandy except now I have a utility ID in script files with passwords that has way too many permissions to the domain.
On a side note, if I remove the account from /etc/group yet leave it in the admin users = list, ifmember.exe /list no longer sees the domain admin membership, but joining the workstations to the domain still works. So, admin users = seems to be key for now, but it is unclear which share needs it, as admin users is a share level setting per the docs.
Some shares are created automatically if you do not specify / override the default settings. I'm thinking if I knew what share was critical I could add a section of that name, admin users = under it, and lock this ID to being an admin only for that one required share... IPC$ maybe? I am not turning up anyone doing an [IPC$] share, but I just might try it...
-- Michael Lueck Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
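The post turns on where admin users = is set: in [global] it is inherited by every share, which is the over-privilege being complained about, whereas under a single share section it is scoped to that share alone. The script below is an added example, not code from the post or from the Samba project: it reads an smb.conf and reports each section that sets admin users, flagging the [global] case. The smb.conf text embedded in it is constructed to mirror the configuration described above and is not the author's file.

```sh
#!/bin/sh
# Constructed sample smb.conf (not the author's real file): admin users is set
# both in [global], where it applies to every share, and under one share.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   security = user
   admin users = @domadmin

[homes]
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   admin users = @domadmin
'

# Print the name of every section that sets "admin users", one per line.
# Section headers are "[name]"; the parameter match is case-insensitive,
# as Samba itself treats parameter names.
admin_users_sections() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\][[:space:]]*$/, "", sec)
            next
        }
        tolower($0) ~ /^[[:space:]]*admin[[:space:]]*users[[:space:]]*=/ { print sec }
    '
}

# Return 0 and warn when admin users is set in [global], i.e. inherited by
# every share (including the automatic ones such as IPC$); return 1 otherwise.
global_admin_users() {
    if admin_users_sections "$1" | grep -qx 'global'; then
        echo "WARNING: admin users is set in [global] and applies to every share" >&2
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample.
echo "sections setting admin users:"
admin_users_sections "$SAMPLE_CONF"
global_admin_users "$SAMPLE_CONF" || echo "admin users is share-scoped only"
```

To check a live configuration rather than the embedded sample, feed it the output of `testparm -s smb.conf`, which prints the configuration Samba actually loads with include files resolved, and then narrow admin users = to the one share section that turns out to need it.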