1

Using Samba, as a domain controller, I need to add Windows machines as users (in /etc/passwd), and to the Samba database as a machine. In the /etc/passwd file, I noticed about half the machines have a shell of /bin/sh, the other half have /bin/false.

I would prefer them all to be /bin/false, but only if that's acceptable, and the recommended way. Are there any security or functional restrictions to the machine account having /bin/false instead of /bin/sh? Currently, we are using Samba 3 on Debian Wheezy.

An example set of entries below:

cla-teach-54$:x:1367:1386::/home/cla-teach-54$:/bin/sh
cla-teach-55$:x:1369:1388::/home/cla-teach-55$:/bin/sh
cla-teach-56$:x:1562:1583::/home/cla-teach-56$:/bin/sh
cla-teach-57$:x:1846:1864::/home/cla-teach-57$:/bin/false
cla-teach-58$:x:1948:1960::/home/cla-teach-58$:/bin/false
cla-teach-59$:x:1949:1961::/home/cla-teach-59$:/bin/false

(note: none of the home folders exist)

Canadian Luke
  • Related: [Does /usr/sbin/nologin as a login shell serve a security purpose?](http://unix.stackexchange.com/questions/155139/does-usr-sbin-nologin-as-a-login-shell-serve-a-security-purpose/155140#155140) – slm Oct 07 '14 at 17:23

1 Answer

1

It's not only acceptable, but also preferable to have them have /bin/false as a login shell, else someone could actually log onto the system and get shell access.

Remember to pass -s /bin/false to useradd to set the login shell to /bin/false.

Jan
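An added example, not part of the question or the answer above: a shell audit that lists machine accounts (names ending in `$`) in a passwd-format file whose shell still allows a login, and prints the `usermod -s /bin/false` commands that would correct them without running anything. The function names, the `root` line in the sample and the set of shells treated as non-interactive (`/bin/false`, `/usr/sbin/nologin`, `/sbin/nologin`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Samba machine accounts in a passwd-format file.

# Print "name shell" for every machine account (name ends in "$") whose
# shell is not one of the non-interactive shells assumed by this example.
# An empty shell field is reported too, because login treats it as /bin/sh.
machine_accounts_with_shell() {
    awk -F: '
        substr($1, length($1)) == "$" &&
        $7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" {
            print $1, $7
        }' "$1"
}

# Dry run: print (never execute) the commands that would set /bin/false.
# Names are single-quoted so the trailing "$" is not expanded when pasted.
print_fix_commands() {
    machine_accounts_with_shell "$1" | while read -r name _shell; do
        printf "usermod -s /bin/false -- '%s'\n" "$name"
    done
}

# Sample input: the six entries from the question plus a constructed root line.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
cla-teach-54$:x:1367:1386::/home/cla-teach-54$:/bin/sh
cla-teach-55$:x:1369:1388::/home/cla-teach-55$:/bin/sh
cla-teach-56$:x:1562:1583::/home/cla-teach-56$:/bin/sh
cla-teach-57$:x:1846:1864::/home/cla-teach-57$:/bin/false
cla-teach-58$:x:1948:1960::/home/cla-teach-58$:/bin/false
cla-teach-59$:x:1949:1961::/home/cla-teach-59$:/bin/false
EOF
}

# Run the audit against the sample; point the functions at /etc/passwd instead
# to check a real system.
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "Machine accounts with a login-capable shell:"
machine_accounts_with_shell "$tmp"
echo "Suggested commands (review before running as root):"
print_fix_commands "$tmp"
rm -f "$tmp"
```
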