6.2 MS Windows Workstation/Server Machine Trust Accounts

A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to the Domain Controller server. In Windows terminology, this is known as a "Computer Account." The purpose of the machine account is to prevent a rogue user and Domain Controller from colluding to gain access to a domain member workstation.

The password of a Machine Trust Account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group accounts. Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a Domain because it does not possess a Machine Trust Account and, thus, has no shared secret with the Domain Controller.

A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. MS Windows 2000 introduced Active Directory, which became the repository for Machine Trust Accounts. A Samba PDC, however, stores each Machine Trust Account in two parts, as follows:

  • A Domain Security Account (stored in the passdb backend that has been configured in the smb.conf file). The precise nature of the account information that is stored depends on the type of backend database that has been chosen.

    The older format of this data is the smbpasswd database that contains the UNIX login ID, the UNIX user identifier (UID), and the LanMan and NT encrypted passwords. There is also some other information in this file that we do not need to concern ourselves with here.

    The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older smbpasswd file did. The extra information enables new user account controls to be implemented.

  • A corresponding UNIX account, typically stored in /etc/passwd. Work is in progress to allow a simplified mode of operation that does not require UNIX user accounts, but this may not be a feature of the early releases of Samba-3.

There are three ways to create Machine Trust Accounts:

  • Manual creation from the UNIX/Linux command line. Here, both the Samba and corresponding UNIX account are created by hand.

  • Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member server, or using the Nexus toolkit available from the Microsoft Web site. This tool can be run from any MS Windows machine as long as the user is logged on as the administrator account.

  • "On-the-fly" creation. The Samba Machine Trust Account is automatically created by Samba at the time the client is joined to the domain. (For security, this is the recommended method.) The corresponding UNIX account may be created automatically or manually.

6.2.1 Manual Creation of Machine Trust Accounts

The first step in manually creating a Machine Trust Account is to manually create the corresponding UNIX account in /etc/passwd. This can be done using vipw or another "add user" command that is normally used to create new UNIX accounts. The following is an example for a Linux-based Samba server:

 
 root# /usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" \
       -s /bin/false machine_name$
 root# passwd -l machine_name$

In this example there is an existing system group "machines" which is used as the primary group for all machine accounts. The passwd -l step locks the UNIX password of the new account; Samba never uses it, and locking it prevents the account from being used for an ordinary UNIX login. In the following examples the "machines" group has GID 100.

On *BSD systems, this can be done using the chpass utility:

 
 root# chpass -a \
       'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin'

The /etc/passwd entry will list the machine name with a "$" appended, will have no password, a null shell and no home directory. For example, a machine named "doppy" would have an /etc/passwd entry like this:

 
 doppy$:x:505:100:machine_nickname:/dev/null:/bin/false 

Above, machine_nickname can be any descriptive name for the client, e.g., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a Machine Trust Account.

Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the smbpasswd command as shown here:

 
 root# smbpasswd -a -m machine_name 

where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding UNIX account.

Join the Client to the Domain Immediately

Manually creating a Machine Trust Account using this method is the equivalent of creating a Machine Trust Account on a Windows NT PDC using the Server Manager. From the time at which the account is created to the time the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name, because the initial machine password is well known. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned!


6.2.2 Managing Domain Machine Accounts using NT4 Server Manager

A working add machine script is essential for Machine Trust Accounts to be created automatically. This applies whether the trigger is an on-the-fly domain join or the NT4 Server Manager.

If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation or MS Windows 200x/XP Professional, the tool of choice is the package called SRVTOOLS.EXE . When executed in the target directory it will unpack SrvMgr.exe and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation).

If your workstation is a Microsoft Windows 9x/Me family product you should download the Nexus.exe package from the Microsoft web site. When executed from the target directory this will unpack the same tools but for use on this platform.

Further information about these tools may be obtained from the following locations:

 
 http://support.microsoft.com/default.aspx?scid=kb;en-us;173673
 http://support.microsoft.com/default.aspx?scid=kb;en-us;172540

Launch the srvmgr.exe (Server Manager for Domains) and follow these steps:

Server Manager Machine Account Management

  1. From the menu select Computer .

  2. Click Select Domain .

  3. Click the name of the domain you wish to administer in the Select Domain panel and then click OK .

  4. Again from the menu select Computer .

  5. Select Add to Domain .

  6. In the dialog box, click the radio button to Add NT Workstation or Server, then enter the machine name in the field provided, and click the Add button.

6.2.3 On-the-Fly Creation of Machine Trust Accounts

The recommended way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain.

Since each Samba Machine Trust Account requires a corresponding UNIX account, a method for automatically creating the UNIX account is usually supplied; this requires configuration of the add machine script option in smb.conf. This automation is not mandatory, however: the corresponding UNIX accounts may also be created manually, in which case the join simply finds the existing account.

Here is an example for a Red Hat Linux system.

 
  add machine script = /usr/sbin/useradd -d /dev/null -g 100 \
                       -s /bin/false -M %u
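The script below is an added example written for this edit; it is not code from the Samba HOWTO or from the Samba project. It ties together the manual procedure of Section 6.2.1 and the add machine script of Section 6.2.3 in one place. Invoked as mkmachine.sh NAME [NICKNAME] it performs the manual steps shown above (useradd, passwd -l, then smbpasswd -a -m); invoked as mkmachine.sh --samba 'NAME$' it acts as the add machine script, assuming, as the smb.conf fragment above implies, that Samba hands it %u with the trailing "$" already attached. The script name, the --samba flag, the "machines" group, and the availability of useradd, passwd, getent and smbpasswd to a root caller are assumptions of the example, not facts stated on the page. Beyond what the page shows, it checks the NetBIOS name (at most 15 characters, and, as a deliberately conservative rule chosen here, only letters, digits and hyphens) before anything reaches useradd, so a join request cannot cause an arbitrary UNIX account name to be created.

```shell
#!/bin/sh
# Added example for Sections 6.2.1 and 6.2.3; not code from the Samba HOWTO
# or the Samba project. Assumptions (not stated on the page): a "machines"
# group exists, useradd/passwd/getent/smbpasswd are on PATH, and the caller
# is root.
#
#   mkmachine.sh NAME [NICKNAME]   manual creation (6.2.1): UNIX half + smbpasswd -m
#   mkmachine.sh --samba 'NAME$'   as "add machine script" (6.2.3); Samba supplies %u

# Validate a NetBIOS name: at most 15 characters and, as a conservative rule
# chosen for this example, only letters, digits and '-'.
valid_netbios_name() {
    case $1 in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
    [ ${#1} -le 15 ]
}

# UNIX account name for a machine: the NetBIOS name with '$' appended.
machine_account_name() {
    valid_netbios_name "$1" || { echo "invalid NetBIOS name: '$1'" >&2; return 1; }
    printf '%s$\n' "$1"
}

# The /etc/passwd line shown in 6.2.1: '$' suffix, no password, null shell,
# no home directory. Arguments: account, UID, GID, nickname.
passwd_entry() {
    printf '%s:x:%s:%s:%s:/dev/null:/bin/false\n' "$1" "$2" "$3" "$4"
}

# Create the UNIX half only; shared by both modes. $1 = 'NAME$', $2 = comment.
add_unix_account() {
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "UNIX account '$1' already exists" >&2
        return 1
    fi
    /usr/sbin/useradd -g machines -d /dev/null -c "$2" -s /bin/false -M "$1" || return 1
    passwd -l "$1"   # lock the UNIX password; Samba never uses it
}

# 6.2.1, manual creation. Order matters: the UNIX account must exist before
# smbpasswd -m, which derives the machine RID from the UID.
create_machine_account() {
    acct=$(machine_account_name "$1") || return 1
    add_unix_account "$acct" "${2:-Windows machine $1}" || return 1
    smbpasswd -a -m "$1" || return 1   # Samba half, with the well-known initial password
    echo "created $acct with the predictable initial password; join the client now" >&2
}

# 6.2.3, add machine script mode. %u arrives with the trailing '$'; refuse
# anything that does not look like a machine account before touching useradd.
add_machine_script() {
    case $1 in *\$) ;; *) echo "refusing non-machine name '$1'" >&2; return 1 ;; esac
    valid_netbios_name "${1%\$}" || { echo "refusing '$1'" >&2; return 1; }
    add_unix_account "$1" "Windows machine ${1%\$}"
}

case ${1:-} in
    '')      ;;                                 # no arguments: nothing to do
    --samba) add_machine_script "$2" ;;
    *)       create_machine_account "$@" ;;
esac
```

To use it for on-the-fly creation, point smb.conf at it, for example add machine script = /usr/local/sbin/mkmachine.sh --samba %u (path chosen for this example). The name check is defence in depth on top of Samba's own handling of %u, not a replacement for it, and the warning in Section 6.2.1 still applies to the manual mode: the account carries the well-known initial password until the client joins and changes it.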

6.2.4 Making an MS Windows Workstation or Server a Domain Member

The procedure for making an MS Windows workstation or server a member of the domain varies with the version of Windows.

6.2.4.1 Windows 200x/XP Professional Client

When the user elects to make the client a Domain Member, Windows 200x prompts for an account and password that has privileges to create machine accounts in the domain. A Samba Administrator Account (i.e., a Samba account that has root privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given.

For security reasons, the password for this Administrator Account should be set to a password other than that used for the root user in /etc/passwd. The LanMan and NT hashes that Samba keeps in its passdb backend are unsalted and far weaker than the UNIX password hash, so sharing one value would hand root's UNIX password to anyone who obtains the Samba backend.

The name of the account that is used to create Domain Member machine accounts can be anything the network administrator chooses. If it is other than root, it is easily mapped to root in the file named by the smb.conf parameter username map = /etc/samba/smbusers.

The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.

6.2.4.2 Windows NT4 Client

If the Machine Trust Account was created manually, on the Identification Changes menu enter the domain name, but do not check the box Create a Computer Account in the Domain . In this case, the existing Machine Trust Account is used to join the machine to the domain.

If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain name and check the box Create a Computer Account in the Domain . In this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when prompted).

6.2.4.3 Samba Client

Joining a Samba client to a domain is documented in Section 6.3.



The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
Year: 2005