Samba HowTo Guide

Machine Trust Accounts

The net command looks in the smb.conf file to obtain its own configuration settings. Thus, the following command 'knows' which domain to join from the smb.conf file.

A Samba server domain trust account can be validated as shown in this example:

root#  net rpc testjoin
Join to 'MIDEARTH' is OK

Where there is no domain membership account, or when the account credentials are not valid, the following results will be observed:

root#  net rpc testjoin -S DOLPHIN
Join to domain 'WORLDOCEAN' is not valid

The equivalent check for a Samba server joined to a Windows ADS domain is shown here:

root#  net ads testjoin
Using short domain name -- TAKEAWAY
Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ'

In the event that the ADS trust was not established, or is broken for one reason or another, the following error message may be obtained:

root#  net ads testjoin -UAdministrator%secret
Join to domain is not valid

The following demonstrates the process of creating a machine trust account in the target domain for the Samba server from which the command is executed:

root#  net rpc join -S FRODO -Uroot%not24get
Joined domain MIDEARTH.

The joining of a Samba server to a Samba domain results in the creation of a machine account. An example of this is shown here:

root#  pdbedit -Lw merlin\$
176D8C554E99914BDF3407DEA2231D80:[S          ]:LCT-42891919:

The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The following command can be used to effect this:

root#  net rpc join member -S FRODO -Uroot%not24get
Joined domain MIDEARTH.

Note that the command-line parameter member makes this join specific. By default the type is deduced from the smb.conf file configuration. To specifically join as a PDC or BDC, the command-line parameter will be [PDC | BDC]. For example:

root#  net rpc join bdc -S FRODO -Uroot%not24get
Joined domain MIDEARTH.

It is best to let Samba figure out the domain join type from the settings in the smb.conf file.

The command to join a Samba server to a Windows ADS domain is shown here:

root#  net ads join -UAdministrator%not24get
Using short domain name -- GDANSK

There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a Windows machine is withdrawn from the domain, the domain membership account is not automatically removed either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the machine account can be removed using the following net command:

root#  net rpc user delete HERRING\$ -Uroot%not24get
Deleted user account.

The removal is made possible because machine accounts are just like user accounts with a trailing $ character. The account management operations treat user and machine accounts in like manner.
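
The trailing $ and the S/W flag described above are enough to audit machine trust accounts for inactivity. The script below is an added example, not part of the Samba documentation: it assumes full smbpasswd-format records (name:uid:LM:NT:[flags]:LCT-hex:) as printed by pdbedit -Lw, and treats an old LCT (last change time) as a sign of an inactive account. The function names, sample records and 30-day threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit machine trust accounts in smbpasswd-format output.
# Assumed record layout: name:uid:LMhash:NThash:[flags]:LCT-hexseconds:

# Constructed sample records (hashes are placeholders, not real values).
sample_dump() {
cat <<'EOF'
merlin$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00000000000000000000000000000000:[S          ]:LCT-42891919:
herring$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00000000000000000000000000000000:[W          ]:LCT-42000000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00000000000000000000000000000000:[U          ]:LCT-42891919:
EOF
}

# audit_machine_accounts NOW_EPOCH MAX_AGE_DAYS  (records on stdin)
# Prints "name kind age_days status" for every account ending in $.
audit_machine_accounts() {
    now=$1
    max_days=$2
    while IFS=: read -r name uid lm nt flags lct rest; do
        case $name in
            *\$) ;;                 # machine accounts carry a trailing $
            *) continue ;;          # skip ordinary user accounts
        esac
        case $flags in
            \[*S*\]) kind=server ;;        # PDC/BDC trust account
            \[*W*\]) kind=workstation ;;   # domain member account
            *) kind=unknown ;;
        esac
        case $lct in
            LCT-*) hex=${lct#LCT-} ;;
            *) hex= ;;
        esac
        case $hex in
            ''|*[!0-9A-Fa-f]*)      # missing or malformed timestamp
                printf '%s %s - unparsed\n' "$name" "$kind"
                continue ;;
        esac
        age=$(( (now - 0x$hex) / 86400 ))   # whole days since last change
        if [ "$age" -gt "$max_days" ]; then status=stale; else status=ok; fi
        printf '%s %s %s %s\n' "$name" "$kind" "$age" "$status"
    done
}

# Fixed "now" so the result is reproducible: ten days after the merlin$ LCT.
sample_dump | audit_machine_accounts 1117145113 30
```

On a live server the input would be the output of pdbedit -Lw, with $(date +%s) as the first argument; accounts reported as stale are candidates for review before removal with net rpc user delete.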

A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the domain:

root#  net ads leave

Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the following:

root#  net ads status

The volume of information is extensive. Please refer to the book “Samba-3 by Example”, Chapter 7 for more information regarding its use. The book is available both in print and online.


Published under the terms of the GNU General Public License