Manual Creation of Machine Trust Accounts
The first step in manually creating a Machine Trust Account is to manually
create the corresponding UNIX account in /etc/passwd .
This can be done using
vipw
or another “adduser” command
that is normally used to create new UNIX accounts. The following is an example for
a Linux-based Samba server:
root# /usr/sbin/useradd -g machines -d /var/lib/nobody \
        -c "machine nickname" -s /bin/false machine_name$
root# passwd -l machine_name$
In the example above there is an existing system group “machines” which is used
as the primary group for all machine accounts. In the following examples the “machines” group
numeric GID is 100.
On *BSD systems, this can be done using the
chpass
utility:
root# chpass -a \
        'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin'
The /etc/passwd entry will list the machine name with a “$” appended, will have
no usable password (the account is locked), a null shell such as /bin/false or
/sbin/nologin, and no real home directory. For example, a machine named “doppy”
would have an /etc/passwd entry like this:
doppy$:x:505:100:machine_nickname:/dev/null:/bin/false
in which
machine_nickname
can be any
descriptive name for the client, such as BasementComputer.
machine_name
absolutely must be the NetBIOS
name of the client to be joined to the domain. The “$” must be
appended to the NetBIOS name of the client or Samba will not recognize
this as a Machine Trust Account.
Now that the corresponding UNIX account has been created, the next step is to create
the Samba account for the client containing the well-known initial
Machine Trust Account password (the client's NetBIOS name in lowercase; the
client replaces it with a random password when it joins the domain, so the
account should be joined promptly after it is created). This can be done using the
smbpasswd command as shown here:
root# smbpasswd -a -m machine_name
where machine_name is the machine's NetBIOS name (smbpasswd appends the trailing
“$” itself when -m is given). The RID of the new machine account is generated from
the UID of the corresponding UNIX account, which is why the UNIX account must
exist before this step.
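The whole procedure above, as an added example that is not part of the Samba HOWTO: POSIX shell functions that build and check the UNIX side of a Machine Trust Account before anything touches /etc/passwd. Assumptions not stated on the page: the “machines” group has GID 100 (as in the page's own examples), the UID is chosen by the caller, the mta_* function names are ours, and the RID helper assumes Samba's default algorithmic mapping (rid = 2 * uid + “algorithmic rid base”, default 1000). The useradd, passwd and smbpasswd calls are only printed, because running them needs root on a real Samba server.

```shell
#!/bin/sh
# Added example (not Samba's code): validate a NetBIOS name, generate the
# /etc/passwd entry the page describes, check an existing entry, and print
# the commands to run. Assumes GID 100 for the "machines" group.

MTA_GID=100

# A NetBIOS name is at most 15 characters; reject empty names, colons and
# whitespace (they would corrupt the passwd entry) and a caller-supplied "$",
# because the functions below append the "$" themselves.
mta_valid_name() {
    case $1 in
        ''|*'$'*|*:*|*[[:space:]]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print the /etc/passwd entry for <netbios_name> <uid> <nickname>, e.g.
# doppy$:x:505:100:machine_nickname:/dev/null:/bin/false
mta_passwd_entry() {
    mta_valid_name "$1" || return 1
    printf '%s$:x:%s:%s:%s:/dev/null:/bin/false\n' "$1" "$2" "$MTA_GID" "$3"
}

# RID Samba derives from a UID with its default algorithmic mapping
# (assumption: "algorithmic rid base" left at its default of 1000).
mta_rid() {
    echo $(( 2 * $1 + 1000 ))
}

# Check that a passwd-style line has the shape Samba expects for a Machine
# Trust Account: trailing "$" on the name, no usable password, and a
# non-interactive shell. Prints the first problem found; returns 0 when clean.
mta_check_entry() {
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$1
EOF
    case $user in
        *'$') ;;
        *) echo "name '$user' lacks the trailing \$; Samba will not treat it as a machine account"
           return 1 ;;
    esac
    case $pw in
        x|'*'|'!'*) ;;
        *) echo "password field '$pw' is not locked"; return 1 ;;
    esac
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "shell '$shell' allows interactive login"; return 1 ;;
    esac
    echo "$user: uid=$uid gid=$gid rid=$(mta_rid "$uid")"
}

# Print (do not run) the three commands from the page for one client.
# smbpasswd -m is given the name without "$"; it appends the "$" itself.
mta_commands() {
    mta_valid_name "$1" || return 1
    printf '/usr/sbin/useradd -g machines -d /var/lib/nobody -c "%s" -s /bin/false %s$\n' "$2" "$1"
    printf 'passwd -l %s$\n' "$1"
    printf 'smbpasswd -a -m %s\n' "$1"
}

# Usage with the page's "doppy" client (uid 505 is the page's example value).
mta_commands doppy BasementComputer
mta_passwd_entry doppy 505 BasementComputer
mta_check_entry "$(mta_passwd_entry doppy 505 BasementComputer)"
```

Run mta_check_entry over the lines of /etc/passwd whose user ends in “$” to audit an existing server: an entry without the trailing “$”, with an unlocked password field, or with a real shell is the misconfiguration the page warns about.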