6.2 MS Windows Workstation/Server Machine Trust Accounts

A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to the Domain Controller server. In Windows terminology, this is known as a "Computer Account." The purpose of the machine account is to prevent a rogue user and Domain Controller from colluding to gain access to a domain member workstation. The password of a Machine Trust Account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group accounts.

Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a Domain because it does not possess a Machine Trust Account, and thus has no shared secret with the Domain Controller.

A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for Machine Trust Accounts. A Samba PDC, however, stores each Machine Trust Account in two parts: a Samba account held in the Samba password backend, and a corresponding UNIX account, typically stored in /etc/passwd.
There are three ways to create Machine Trust Accounts:
6.2.1 Manual Creation of Machine Trust Accounts

The first step in manually creating a Machine Trust Account is to manually create the corresponding UNIX account in /etc/passwd. This can be done using vipw or another "add user" command that is normally used to create new UNIX accounts. The following is an example for a Linux-based Samba server:

    root# /usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" \
          -s /bin/false machine_name$
    root# passwd -l machine_name$

In the above example there is an existing system group "machines" which is used as the primary group for all machine accounts. In the following examples the "machines" group has numeric GID equal to 100.

On *BSD systems, this can be done using the chpass utility:

    root# chpass -a \
          'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin'

The /etc/passwd entry will list the machine name with a "$" appended, will not have a password, will have a null shell and no home directory. For example, a machine named "doppy" would have an /etc/passwd entry like this:

    doppy$:x:505:100:machine_nickname:/dev/null:/bin/false

Above, machine_nickname can be any descriptive name for the client, e.g., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a Machine Trust Account.

Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the smbpasswd command as shown here:

    root# smbpasswd -a -m machine_name

where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding UNIX account.
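As an added example (not from the HOWTO), the following POSIX shell script checks /etc/passwd-style entries against the properties of a Machine Trust Account entry just described: trailing "$", no usable password field, /dev/null home and a null shell. The sample entries, the function names and the set of accepted null shells are assumptions of the example.

```shell
# Added example (not from the Samba HOWTO): audit /etc/passwd entries whose name
# ends in "$" against the properties above: no usable password field (x =
# shadowed, * or ! = locked), /dev/null as home directory and a null shell.
set -f   # the entries contain "$" and "*"; never let them glob
# Constructed sample: "doppy$" is correct, "lab7$" and "hr3$" are deliberately wrong.
SAMPLE_PASSWD='doppy$:x:505:100:machine_nickname:/dev/null:/bin/false
lab7$:x:506:100:lab machine:/home/lab7$:/bin/bash
hr3$::507:100:hr workstation:/dev/null:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash'
# check_machine_entry LINE -> prints "ok" (status 0) or the problems found (status 1)
check_machine_entry() {
    oldifs=$IFS; IFS=:
    set -- $1                      # split the entry on ":" only
    IFS=$oldifs
    name=$1; pw=$2; home=$6; shell=$7; problems=""
    case $name in
        *'$') ;;
        *) problems="$problems no-trailing-dollar";;
    esac
    case $pw in
        x|'*'|'!'|'!!') ;;
        '') problems="$problems empty-password-field";;
        *) problems="$problems password-hash-in-passwd";;
    esac
    [ "$home" = /dev/null ] || problems="$problems home-not-devnull"
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) problems="$problems login-shell";;
    esac
    [ -z "$problems" ] && { echo ok; return 0; }
    echo "${problems# }"; return 1
}

# audit_machine_accounts -> one "name: status" line per "$" account in
# SAMPLE_PASSWD; its return status is the number of accounts that failed
audit_machine_accounts() {
    bad=0
    while IFS= read -r entry; do
        case ${entry%%:*} in *'$') ;; *) continue;; esac
        if result=$(check_machine_entry "$entry"); then
            echo "${entry%%:*}: ok"
        else
            echo "${entry%%:*}: $result"; bad=$((bad + 1))
        fi
    done <<EOF
$SAMPLE_PASSWD
EOF
    return $bad
}
```

To run it against a real system, feed the output of `getent passwd` into the loop instead of SAMPLE_PASSWD.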
6.2.2 Managing Domain Machine Accounts using NT4 Server Manager

A working add machine script is essential for machine trust accounts to be automatically created. This applies no matter whether one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager.

If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation or MS Windows 200x/XP Professional, the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory it will unpack SrvMgr.exe and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation).

If your workstation is a Microsoft Windows 9x/Me family product you should download the Nexus.exe package from the Microsoft web site. When executed from the target directory this will unpack the same tools but for use on this platform.

Further information about these tools may be obtained from the following locations:

http://support.microsoft.com/default.aspx?scid=kb;en-us;173673
http://support.microsoft.com/default.aspx?scid=kb;en-us;172540

Launch srvmgr.exe (Server Manager for Domains) and follow these steps:

Server Manager Account Machine Account Management
6.2.3 On-the-Fly Creation of Machine Trust Accounts

The second (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain. Since each Samba Machine Trust Account requires a corresponding UNIX account, a method for automatically creating the UNIX account is usually supplied; this requires configuration of the add machine script option in smb.conf. This method is not required, however; the corresponding UNIX accounts may also be created manually.

Here is an example for a Red Hat Linux system:

    add machine script = /usr/sbin/useradd -d /dev/null -g 100 \
                         -s /bin/false -M %u

6.2.4 Making an MS Windows Workstation or Server a Domain Member

The procedure for making an MS Windows workstation or server a member of the domain varies with the version of Windows.

6.2.4.1 Windows 200x/XP Professional Client

When the user elects to make the client a Domain Member, Windows 200x prompts for an account and password that has privileges to create machine accounts in the domain. A Samba Administrator Account (i.e., a Samba account that has root privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given. For security reasons, the password for this Administrator Account should be set to a password other than that used for the root user in /etc/passwd.

The name of the account that is used to create Domain Member machine accounts can be anything the network administrator may choose. If it is other than root, then this is easily mapped to root in the file named in the smb.conf parameter username map = /etc/samba/smbusers.

The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.
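Returning to the add machine script of Section 6.2.3: Samba runs that command as root with the client-supplied name substituted for %u, so an added example (not part of the HOWTO) of a wrapper script that validates the name before calling the same useradd command follows. The script path, the function names and the ADD_MACHINE_DRY_RUN variable are assumptions of the example.

```shell
# Added example (not from the Samba HOWTO): a wrapper intended to be named in
# smb.conf as   add machine script = /usr/local/sbin/add_machine.sh %u
# Samba runs it as root with %u replaced by the name the joining client asked
# for, so the name is checked before useradd runs with the same options as the
# Red Hat example above (GID 100 is the assumed "machines" group).
set -eu

# validate_machine_name NAME -> 0 if NAME is a plausible Machine Trust Account
# name: 1-15 characters from [A-Za-z0-9-] followed by the trailing "$"
validate_machine_name() {
    case $1 in
        *'$') ;;
        *) return 1;;                 # Samba would not treat it as a machine account
    esac
    base=${1%\$}
    [ ${#base} -ge 1 ] && [ ${#base} -le 15 ] || return 1
    case $base in
        *[!A-Za-z0-9-]*) return 1;;   # rejects "/", ":", whitespace, ...
        -*) return 1;;                # useradd would parse it as an option
    esac
    return 0
}

# add_machine_account NAME -> creates the UNIX account; with ADD_MACHINE_DRY_RUN
# set (an assumption of this example) it only prints the useradd command line
add_machine_account() {
    validate_machine_name "$1" || { echo "refusing machine name: $1" >&2; return 1; }
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "account already exists: $1" >&2; return 1
    fi
    cmd="/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M $1"
    if [ -n "${ADD_MACHINE_DRY_RUN:-}" ]; then
        echo "$cmd"; return 0
    fi
    $cmd
}

# Samba invokes the script with exactly one argument, the expanded %u.
if [ $# -eq 1 ]; then
    add_machine_account "$1"
fi
```

A non-zero exit from the wrapper makes the domain join fail, which is the intended outcome for a name that does not look like a NetBIOS machine account.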
6.2.4.2 Windows NT4 Client

If the Machine Trust Account was created manually, on the Identification Changes menu enter the domain name, but do not check the box Create a Computer Account in the Domain. In this case, the existing Machine Trust Account is used to join the machine to the domain.

If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain name and check the box Create a Computer Account in the Domain. In this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when prompted).

6.2.4.3 Samba Client

Joining a Samba client to a domain is documented in Section 6.3.