Samba - adding Win2K/XP machines and users to a domain


Topic: 
System Administration

1. Win2k machine accounts:

To allow domain login from machines running Windows NT or Windows 2000, you need to create both a Unix account and a Samba account for every machine.

Machine accounts are specially named accounts with a '$' character at the end, i.e. machine$.

To add a machine account, use your system's add-user script, most likely adduser. If your system does not support user names with a '$' character, you can edit your password database and add the entry manually, for example with vipw.

The system accounts for machines need neither a login shell nor a home directory, so use false as the login shell and /dev/null as the home directory.

 

Example /etc/passwd:

mycomputer$:x:1040:202:MYCOMPUTER:/dev/null:/bin/false

 

Example /etc/shadow:

mycomputer$:!:12734:0:99999:7:::

 

Creating machine account with smbpasswd:

After adding the system accounts, you must use smbpasswd to add the Samba machine account. smbpasswd accepts $ in user names, so a typical command looks like:

smbpasswd -a -m <machine-name>$
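
A check for the machine-account layout described above, as an added example that is not part of the original page: it reports machine accounts (names ending in '$') that have a real home directory, a login shell, or an unlocked shadow password. The function names, messages and sample entries are assumptions made for illustration; reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# Added example: audit machine trust accounts (names ending in '$').
# Function names and messages are illustrative, not part of Samba.

# audit_machine_accounts PASSWD_FILE SHADOW_FILE
# Prints one "name: problem" line per finding; returns 1 if any, else 0.
audit_machine_accounts() {
    awk -F: '
        function report(msg) { print $1 ": " msg; bad = 1 }
        # Shadow file (first operand): record whether each entry is locked.
        FILENAME == ARGV[1] { have[$1] = 1; locked[$1] = ($2 ~ /^[!*]/); next }
        # passwd file: skip everything that is not a machine account.
        $1 !~ /\$$/ { next }
        $6 != "/dev/null" { report("home directory is " $6 ", expected /dev/null") }
        $7 !~ /\/false$/  { report("login shell is " $7 ", expected false") }
        !($1 in have)     { report("no shadow entry") }
        ($1 in have) && !locked[$1] { report("shadow password field is not locked") }
        END { exit (bad ? 1 : 0) }
    ' "$2" "$1"
}

# Constructed sample data (not from a real system): the compliant entry
# shown above plus one deliberately misconfigured machine account.
write_sample() {
    cat > "$1/passwd" <<'EOF'
mycomputer$:x:1040:202:MYCOMPUTER:/dev/null:/bin/false
labpc$:x:1041:202:LABPC:/home/labpc:/bin/bash
jsmith:x:1001:100:John Smith:/home/jsmith:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
mycomputer$:!:12734:0:99999:7:::
labpc$::12734:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_machine_accounts "$tmp/passwd" "$tmp/shadow" || echo "findings listed above"
rm -rf "$tmp"
```

On a live system, call it as root with /etc/passwd and /etc/shadow as the two arguments.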

 

 

2. User accounts

To add a user account, simply repeat the above steps for user names. Create the Unix account as normal with adduser or vipw.

Normally user names contain no special characters, so you can simply run adduser. Again, use false as the shell and /dev/null as the user's home directory.

 

Example /etc/passwd:

jsmith:x:1001:100:John Smith:/home/jsmith:/bin/false

 

Example /etc/shadow:

lydian:$1$exUAjwqe$D.XAz7811x2xRVPxEH/:12428:0:99999:7:::-1173746168

 

Creating user account with smbpasswd:

After creating the Unix accounts, add the users to Samba with smbpasswd:

smbpasswd -a <user-name>

 

3. Final Setup

Now you need to log on to the Windows machine as a user with admin rights.

You will need to know the domain control password for multiple steps.

Join the domain.

Reboot the computer.

Log in as *local* admin again.

Add domain users to the power-users and administrator groups.

Log out.

Log in as a domain user to test.
