On a Microsoft Windows NT PDC, machine trust accounts are user accounts owned by a single computer. The password of a Machine Trust Account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group accounts. Hence, a Windows 9x/Me/XP Home client is never a true member of a Domain because it does not possess a Machine Trust Account, and, thus, has no shared secret with the Domain Controller.
A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. With MS Windows 2000, Active Directory became the new repository for Machine Trust Accounts.
You can create trusted machine accounts on your Samba PDC in two ways:
First method – manually creating the password
To manually add a trusted machine account, you must first create an entry in your /etc/passwd file. This can be done using vipw or another "add user" command that is normally used to create new UNIX accounts. The following is an example for a Linux-based Samba server:
root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$
root# passwd -l machine_name$
The /etc/passwd entry will list the machine name with a "$" appended, will not have a password, will have a null shell and no home directory. For example, a machine named "doppy" would have an /etc/passwd entry like this:
doppy$:x:505:501:machine_nickname:/dev/null:/bin/false
Above, machine_nickname can be any descriptive name for the client, e.g., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a Machine Trust Account.
Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the smbpasswd command as shown here:
root# smbpasswd -a -m machine_name
where machine_name is the machine's NetBIOS name.
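The requirements above (name ending in "$", /dev/null home, non-login shell, no usable UNIX password) are easy to get wrong when accounts are added by hand. The following audit is an added example, not part of the original HOWTO: it reads passwd-format lines and reports every machine trust account that deviates from those rules. The sample entries, and the function names audit_machine_accounts and count_bad_machine_accounts, are constructed for this example.

```shell
#!/bin/sh
# Constructed /etc/passwd excerpt (not from the page): two well-formed
# machine trust accounts, one with a real login shell, plus ordinary users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
doppy$:x:505:501:BasementComputer:/dev/null:/bin/false
ws01$:x:506:501:Lab workstation:/dev/null:/sbin/nologin
ws02$:x:507:501:Bad shell:/dev/null:/bin/bash
ws03:x:508:501:Missing dollar:/dev/null:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# audit_machine_accounts: read passwd-format lines on stdin and print one
# line per machine trust account (login name ending in "$"):
#   "<name> OK"  or  "<name> <problem> [<problem> ...]"
# Checks: home must be /dev/null, shell must be a non-login shell, and the
# password field must be shadowed or locked (x, *, or a leading "!"); an empty
# field would allow a UNIX login with no password at all.
audit_machine_accounts() {
    awk -F: '
        $1 ~ /\$$/ {
            problems = ""
            if ($6 != "/dev/null")
                problems = problems " home=" $6
            if ($7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin")
                problems = problems " shell=" $7
            if ($2 != "x" && $2 != "*" && $2 !~ /^!/)
                problems = problems " password-field=[" $2 "]"
            if (problems == "")
                print $1 " OK"
            else
                print $1 problems
        }'
}

# count_bad_machine_accounts: number of machine trust accounts with problems.
count_bad_machine_accounts() {
    audit_machine_accounts | grep -vc ' OK$'
}

# Demonstration on the constructed sample; on a real PDC pipe in /etc/passwd.
printf '%s\n' "$SAMPLE_PASSWD" | audit_machine_accounts
```

On a live Samba PDC run `audit_machine_accounts < /etc/passwd`; a non-zero count from count_bad_machine_accounts means at least one machine account has a login shell, a home directory, or an unlocked password field.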
Join the client to the domain immediately
Manually creating a Machine Trust Account using this method is the equivalent of creating a Machine Trust Account on a Windows NT PDC using the Server Manager. From the time at which the account is created to the time the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned!
On-the-Fly Creation of Machine Trust Accounts
The second (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain; this requires configuration of the add user script option in smb.conf. Here is an example for a Red Hat 6.2 Linux system.
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
In Samba 2.2.1, only the root account can be used to create machine accounts like this. Therefore, it is required to create an entry in smbpasswd for root. For security reasons, this password SHOULD be different from the one in the associated /etc/passwd entry.