Re: [Samba] machine account with w2k
Hi Brian,

what you wrote I tried in my first experiment. I created the user domadmin like this:

    # useradd -m -u 500 -G 0 domadmin
    # pdbedit -a -U 500 -G 512 domadmin

The Unix user domadmin had uid = 500, primary group = 500 (like normal users), and was a member of the root group = 0. With these settings I was able to join my Samba PDC with Windows NT 4.0 workstations when I manually created a machine account on the Samba. But when I tried the same with a Windows 2000 workstation, I got a login prompt. Then I tried to enter domadmin with the password; the login prompt appeared again. It was not possible to join my Samba PDC with Windows 2000 workstations.

I tried different things until I read in the Samba manual that I should join a Samba domain with the user root. This is normally not possible, because root does not have an smb account, and in my smb.conf I have: invalid users = root.

Yes, and because it wasn't successful with the user domadmin as a member of group 0, I tried the really not nice thing: I gave the user domadmin the uid 0, and this was successful.

Please could you tell me what I did wrong? Please see for this the documentation in my first mail; there are my smb.conf and the user profile of domadmin.

Bye, Heinz.

Heinz Allerberger
System Administrator
Zentrum Neurologie
Universitätsklinikum Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Pager 18-0455

Brian Krusic wrote:
>> The Domain Admin user domadmin must have the root policies in /etc/passwd like this: domadmin:x:0:0:
>
> This is incorrect as you should never have users with identical uids. You should mod the entry in etc/group to add your domadmin user to the root group. This gives it root privs.
>
>> In my opinion it is not fine, because it is a security hole,
>
> Incorrect.
> Only someone of root or admin privs should be able to initially join domains, for if anyone could, then a potential hacker could do so w/o admin/root privs and attain further domain trust by doing so.
>
> Bri-

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] machine account with w2k
Hi, I found out where the problem was:

The Domain Admin user domadmin must have the root policies in /etc/passwd like this:

    domadmin:x:0:0:

The user domadmin gets the same rights as root has; then it works properly. Then I am able to join a Windows 2000 workstation with the user domadmin.

In my opinion it is not fine, because it is a security hole, but it works.

Heinz Allerberger

Heinz Allerberger wrote:
> Dear Samba Friends,
>
> I have a problem joining a Samba PDC with Windows 2000 clients. When I join the Samba PDC with a WinNT 4.0 client it is no problem; first I create a machine account for the machine:
>
> 1. in /etc/group exists the group: machines:x:515:
> 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
> 3. pdbedit -a -m -u neuch205
>
> In this way it isn't a problem to join the PDC with WinNT 4.0 clients; I only log in as Administrator on the Windows machine and enter the domain name, then the client answers, without asking for a password, that I should reboot, and the client joined successfully. When I try to do the same, I get asked for a password. OK, for that I created the user domadmin on the Samba as a member of the Domain Administrators, but this user is not accepted by the W2K client. I cannot understand why not. Normally it should work.
> Please have a look at my documentation about this:
> [...]
Re: [Samba] machine account with w2k
> The Domain Admin user domadmin must have the root policies in /etc/passwd like this: domadmin:x:0:0:

This is incorrect as you should never have users with identical uids. You should mod the entry in etc/group to add your domadmin user to the root group. This gives it root privs.

> In my opinion it is not fine, because it is a security hole,

Incorrect.

Only someone of root or admin privs should be able to initially join domains, for if anyone could, then a potential hacker could do so w/o admin/root privs and attain further domain trust by doing so.

Bri-
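An audit added here (not from the thread or from the Samba project) for the point above about identical uids: it parses data in /etc/passwd and /etc/group format and reports every uid shared by more than one account, plus every account that holds root-group privilege either as primary gid 0 or via the root group's member list. The sample data is constructed to mirror the domadmin:x:0:0: entry discussed in the thread; the other names and paths are placeholders.

```python
from collections import defaultdict

# Constructed sample /etc/passwd: domadmin given uid 0 (as in the thread),
# plus a machine account in the "machines" group (gid 515).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
domadmin:x:0:0:Domain Admin:/home/domadmin:/bin/bash
heinz:x:1000:1000:Heinz:/home/heinz:/bin/bash
neuch205$:x:1001:515:nickname:/dev/null:/bin/false
"""

# Constructed sample /etc/group: domadmin is also a member of the root group.
SAMPLE_GROUP = """\
root:x:0:domadmin
machines:x:515:
"""

def parse_passwd(text):
    """Return (name, uid, gid) tuples; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 4:
            continue
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries

def duplicate_uids(entries):
    """uid -> sorted account names, for every uid shared by more than one account."""
    by_uid = defaultdict(list)
    for name, uid, _gid in entries:
        by_uid[uid].append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}

def root_group_members(group_text, entries):
    """Accounts with gid 0 as primary group or listed in the root group's member field."""
    members = {name for name, _uid, gid in entries if gid == 0}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] == "0" and fields[3]:
            members.update(fields[3].split(","))
    return sorted(members)

def audit(passwd_text, group_text):
    """Run both checks; a uid-0 entry under a second name shows up in the first result."""
    entries = parse_passwd(passwd_text)
    return {"duplicate_uids": duplicate_uids(entries),
            "root_group_members": root_group_members(group_text, entries)}
```

On a live system, pass the contents of /etc/passwd and /etc/group to audit() and review any uid listed under duplicate_uids, uid 0 first.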
[Samba] machine account with w2k
Dear Samba Friends,

I have a problem joining a Samba PDC with Windows 2000 clients. When I join the Samba PDC with a WinNT 4.0 client it is no problem; first I create a machine account for the machine:

1. in /etc/group exists the group: machines:x:515:
2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
3. pdbedit -a -m -u neuch205

In this way it isn't a problem to join the PDC with WinNT 4.0 clients; I only log in as Administrator on the Windows machine and enter the domain name, then the client answers, without asking for a password, that I should reboot, and the client joined successfully. When I try to do the same, I get asked for a password. OK, for that I created the user domadmin on the Samba as a member of the Domain Administrators, but this user is not accepted by the W2K client. I cannot understand why not. Normally it should work.

Please have a look at my documentation about this:

--
Heinz Allerberger

# Samba config file
# [EMAIL PROTECTED]
# Date: 2004/09/03

# Global parameters
[global]
    unix charset = ISO8859-1
    workgroup = NEUROCH
    server string = %h server (Samba %v)
    preferred master = Yes
    domain master = Yes
    local master = yes
    os level = 33
    # corresponds to NT Server
    dns proxy = No
    ldap ssl = no
    security = user
    encrypt passwords = yes
    update encrypted = Yes
    obey pam restrictions = Yes
    passdb backend = tdbsam, guest
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    invalid users = root
    domain logons = Yes
    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\neuch240\%U\.winprofile
    logon script = logon.cmd
    add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
    add user script = /usr/sbin/useradd %u
    delete user script = /usr/sbin/userdel %u
    add group script = /usr/local/bin/smbgrpadd.sh %g
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/bin/gpasswd -a %u %g
    delete user from group script = /usr/bin/gpasswd -d %u %g
    set primary group script = /usr/sbin/usermod -g %g %u
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No

[homes]
    comment = Home Directories
    read only = No
    create mask = 0755
    browseable = No

[shared]
    comment = shared Directory
    path = /home/shared
    read only = No
    create mask = 0777
    browseable = no

[printers]
    comment = All Printers
    path = /tmp
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Unix username:        neuch205$
NT username:
Account Flags:        [W ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-4006
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-515
Full Name:            neuch205$
Home Directory:       \\neuch240\neuch205_\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\neuch205_
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Wed, 08 Sep 2004 10:26:17 GMT
Password can change:  Wed, 08 Sep 2004 10:26:17 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

Unix username:        domadmin
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-2000
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
Full Name:
Home Directory:       \\neuch240\domadmin\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\domadmin
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Fri, 03 Sep 2004 11:18:37 GMT
Password can change:  Fri, 03 Sep 2004 11:18:37 GMT
Password must change: Fri, 13 Dec 1901