Using Samba, as a domain controller, I need to add Windows machines as users (in /etc/passwd), and to the Samba database as a machine. In the /etc/passwd file, I noticed about half the machines have a shell of /bin/sh, the other half have /bin/false.

I would prefer them all to be /bin/false, but only if that's acceptable, and the recommended way. Are there any security or functional restrictions to the machine account having /bin/false instead of /bin/sh? Currently, we are using Samba 3 on Debian Wheezy.

An example set of entries below:

cla-teach-54$:x:1367:1386::/home/cla-teach-54$:/bin/sh
cla-teach-55$:x:1369:1388::/home/cla-teach-55$:/bin/sh
cla-teach-56$:x:1562:1583::/home/cla-teach-56$:/bin/sh
cla-teach-57$:x:1846:1864::/home/cla-teach-57$:/bin/false
cla-teach-58$:x:1948:1960::/home/cla-teach-58$:/bin/false
cla-teach-59$:x:1949:1961::/home/cla-teach-59$:/bin/false

(note: none of the home folders exist)

1 Answer

It's not only acceptable, but also preferable to have them have /bin/false as a login shell, else someone could actually log on to the system and get shell access.

Remember to pass -s /bin/false to useradd to set the login shell to /bin/false.

Jan
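An added example, not part of the original question or answer: a shell script that lists the machine accounts (login names ending in `$`) in a passwd-format file that still have a usable login shell, and prints the `usermod -s /bin/false` command for each without running it. The function names, the `<empty>` marker, and the choice to also accept the common nologin paths as non-login shells are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit machine accounts for login-capable shells.

# Print "name shell" for every account whose name ends in "$" and whose
# shell is not a non-login shell. An empty shell field is reported as
# "<empty>", because login then falls back to /bin/sh.
machine_accounts_with_login_shell() {
    passwd_file=${1:-/etc/passwd}
    awk -F: '
        $1 ~ /\$$/ &&
        $7 != "/bin/false" &&
        $7 != "/usr/sbin/nologin" &&
        $7 != "/sbin/nologin" {
            shell = ($7 == "" ? "<empty>" : $7)
            print $1, shell
        }' "$passwd_file"
}

# Print (do not execute) the command that sets /bin/false on each account
# found above. The name is single-quoted so that the trailing "$" reaches
# usermod literally when the line is pasted into a shell.
print_fix_commands() {
    machine_accounts_with_login_shell "$1" | while read -r name _shell; do
        printf "usermod -s /bin/false '%s'\n" "$name"
    done
}
```

Source the file and call `print_fix_commands /etc/passwd` to review the proposed changes before applying them as root.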