Re: [Samba] machine account with w2k

2004-09-10 Thread Heinz Allerberger
Hi Brian,
What you wrote, I tried in my first experiment.
I created the user domadmin like this:
# useradd -m -u 500 -G 0 domadmin
# pdbedit -a -U 500 -G 512 domadmin
The Unix user domadmin had the uid = 500, the primary group = 500
(like normal users), and was a member of the root group = 0.

With these settings I was able to join my Samba PDC with
Windows NT 4.0 workstations fine, when I manually created a
machine account on the Samba. But when I tried to do the same with a
Windows 2000 workstation, I got a login prompt. When I entered
the domadmin with the password, the login prompt appeared again. It
was not possible to join my Samba PDC with Windows 2000 workstations. I
tried different things until I read in the Samba manual that I should
join a Samba domain with the user root. This is normally not possible,
because root does not have an smb account and in my smb.conf I have:
invalid users = root
Yes, and because it wasn't successful with the user domadmin as a member
of group 0, I tried the really not nice thing of giving the user
domadmin the uid 0, and this was successful.

Please could you tell me what I did wrong? Please see for this the
documentation in my first mail; there are my smb.conf and the
user profile of domadmin.

Bye, Heinz.
Heinz Allerberger
Systemadministrator
Zentrum Neurologie
Universitätsklinikum
Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Piepser 18-0455

Brian Krusic wrote:
>> The Domain Admin user domadmin must have the root-policies on the
>> /etc/passwd like this:
>> domadmin:x:0:0:
>
> This is incorrect as you should never have users with identical uids.
> You should mod the entry in /etc/group to add your domadmin user to the root
> group.  This gives it root privs.
>
>> In my opinion it is not fine, because it is a security-hole,
>
> Incorrect.
> Only someone with root or admin privs should be able to initially join domains,
> for if anyone could, then a potential hacker could do so w/o admin/root privs
> and attain further domain trust by doing so.
> Bri-

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
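The two points argued in this exchange (no second uid-0 account, membership of the gid 0 group instead, and "invalid users = root" keeping root off SMB) can be checked on a host with a small audit script. This is an added example, not code from the thread or from Samba: the passwd, group and smb.conf contents are constructed to mirror the thread, the account name opadmin is an assumption, and smbconf_global is a simplified parser that does not resolve Samba's parameter synonyms.

```shell
#!/bin/sh
# Added audit example (not from the thread): flags the uid-0 workaround
# Heinz described, lists who is in the gid 0 group (the alternative Brian
# recommended), and reads "invalid users" from smb.conf, which is why root
# itself cannot authenticate over SMB on this PDC. Sample files below are
# constructed; the account name "opadmin" is an assumption for the demo.

# Print the login names of every uid-0 entry in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print uid-0 entries that are not "root": the duplicate-uid accounts
# that should never exist, one name per line (empty output means clean).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the supplementary member list of the gid 0 group.
root_group_members() {
    awk -F: '$3 == 0 { print $4 }' "$1"
}

# Succeed (exit 0) if NAME ($1) is a supplementary member of gid 0 in $2.
in_root_group() {
    root_group_members "$2" | tr ',' '\n' | grep -qx "$1"
}

# Look up one parameter in the [global] section of an smb.conf.
# Simplified: comment lines are skipped and names are compared
# case-insensitively, but Samba's parameter synonyms are not resolved.
smbconf_global() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { insec = ($0 ~ /^[[:space:]]*\[global]/); next }
        insec && NF >= 2 {
            key = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Run the checks on a directory holding passwd, group and smb.conf.
# Returns 1 when some account other than root has uid 0, else 0.
audit_dir() {
    dir=$1; rc=0
    dupes=$(extra_uid0 "$dir/passwd")
    if [ -n "$dupes" ]; then
        echo "FAIL: accounts sharing uid 0 with root: $(echo "$dupes" | tr '\n' ' ')"
        rc=1
    else
        echo "OK: root is the only uid-0 account"
    fi
    echo "gid 0 supplementary members: $(root_group_members "$dir/group")"
    echo "smb.conf invalid users: $(smbconf_global "$dir/smb.conf" 'invalid users')"
    return $rc
}

# Constructed sample files mirroring the thread: domadmin given uid 0
# (the workaround), opadmin kept at a normal uid but added to gid 0.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'domadmin:x:0:0::/home/domadmin:/bin/sh' \
        'opadmin:x:500:500::/home/opadmin:/bin/sh' \
        'neuch205$:x:1001:515:nickname:/dev/null:/bin/false' > "$dir/passwd"
    printf '%s\n' 'root:x:0:opadmin' 'machines:x:515:' > "$dir/group"
    printf '%s\n' '# constructed smb.conf fragment' '[global]' \
        '   workgroup = NEUROCH' '   Invalid Users = root' \
        '[netlogon]' '   path = /var/lib/samba/netlogon' > "$dir/smb.conf"
    echo "$dir"
}

# Usage: sh audit.sh demo   (runs the checks on the constructed samples;
# the exit status is the audit result, so the demo exits 1)
case "${1:-}" in
    demo) d=$(make_samples); audit_dir "$d"; rc=$?; rm -rf "$d"; exit $rc ;;
esac
```

To audit a real PDC, copy its /etc/passwd, /etc/group and smb.conf into one directory and call audit_dir on that directory; nothing in the script needs to run as root, since it only reads the copies.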


Re: [Samba] machine account with w2k

2004-09-09 Thread Heinz Allerberger
Hi,
I found out where the problem was:
The Domain Admin user domadmin must have the root policies in
/etc/passwd like this:
domadmin:x:0:0:
The user domadmin gets the same rights as root has; then it works
properly. Then I am able to join a Windows 2000 workstation with the user
domadmin.

In my opinion it is not fine, because it is a security hole, but it works.

Heinz Allerberger wrote:
> Dear Samba Friends,
> I have a problem joining Windows 2000 clients to a Samba PDC.
> When I join the Samba PDC with a WinNT 4.0 client it is no problem;
> first I create a machine account for the machine:
> 1. in /etc/group the group exists: machines:x:515:
> 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
> 3. pdbedit -a -m -u neuch205
>
> In this way, it isn't a problem to join the PDC with WinNT 4.0 clients;
> I only log in as Administrator on the Windows machine and enter
> the domain name,
> then the client answers, without asking for a password, that I should
> reboot, and the client joined successfully.
>
> When I try to do the same, I get asked for a password. OK, for
> that I created the user domadmin on the Samba as a member of the
> Domain Administrators, but this user is not accepted by the
> W2K client. I cannot understand why not. Normally it should work.
>
> Please have a look at my documentation about this:


Re: [Samba] machine account with w2k

2004-09-09 Thread Brian Krusic

> The Domain Admin user domadmin must have the root-policies on the
> /etc/passwd like this:
> domadmin:x:0:0:

This is incorrect as you should never have users with identical uids.

You should mod the entry in /etc/group to add your domadmin user to the root
group.  This gives it root privs.

> In my opinion it is not fine, because it is a security-hole,

Incorrect.
Only someone with root or admin privs should be able to initially join domains,
for if anyone could, then a potential hacker could do so w/o admin/root privs
and attain further domain trust by doing so.

Bri-




[Samba] machine account with w2k

2004-09-08 Thread Heinz Allerberger
Dear Samba Friends,
I have a problem joining Windows 2000 clients to a Samba PDC.
When I join the Samba PDC with a WinNT 4.0 client it is no problem; first
I create a machine account for the machine:
1. in /etc/group the group exists: machines:x:515:
2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
3. pdbedit -a -m -u neuch205

In this way, it isn't a problem to join the PDC with WinNT 4.0 clients;
I only log in as Administrator on the Windows machine and enter
the domain name,
then the client answers, without asking for a password, that I should
reboot, and the client joined successfully.

When I try to do the same, I get asked for a password. OK, for that
I created the user domadmin on the Samba as a member of the Domain
Administrators, but this user is not accepted by the W2K client. I
cannot understand why not. Normally it should work.

Please have a look at my documentation about this:
# Samba config file
# [EMAIL PROTECTED]
# Date: 2004/09/03

# Global parameters
[global]
unix charset = ISO8859-1
workgroup = NEUROCH
server string = %h server (Samba %v)

preferred master = Yes
domain master = Yes
local master = yes
# corresponds to NT Server
os level = 33

dns proxy = No
ldap ssl = no

security = user
encrypt passwords = yes
update encrypted = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

invalid users = root

domain logons = Yes
logon path = \\%N\profiles\%U
logon drive = H:
logon home = \\neuch240\%U\.winprofile
logon script = logon.cmd

add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
add user script = /usr/sbin/useradd %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/local/bin/smbgrpadd.sh %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g %g %u

syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000

panic action = /usr/share/samba/panic-action %d

[netlogon]
path = /var/lib/samba/netlogon
read only = yes
browseable = no

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No

[homes]
comment = Home Directories
read only = No
create mask = 0755
browseable = No

[shared]
comment = shared Directory
path = /home/shared
read only = No
create mask = 0777
browseable = no

[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

Unix username:neuch205$
NT username:
Account Flags:[W  ]
User SID: S-1-5-21-1656000120-2433418590-619812953-4006
Primary Group SID:S-1-5-21-1656000120-2433418590-619812953-515
Full Name:neuch205$
Home Directory:   \\neuch240\neuch205_\.winprofile
HomeDir Drive:H:
Logon Script: logon.cmd
Profile Path: \\neuch240\profiles\neuch205_
Domain:   NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT
Password last set:Wed, 08 Sep 2004 10:26:17 GMT
Password can change:  Wed, 08 Sep 2004 10:26:17 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

Unix username:domadmin
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-1656000120-2433418590-619812953-2000
Primary Group SID:S-1-5-21-1656000120-2433418590-619812953-512
Full Name:
Home Directory:   \\neuch240\domadmin\.winprofile
HomeDir Drive:H:
Logon Script: logon.cmd
Profile Path: \\neuch240\profiles\domadmin
Domain:   NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT
Password last set:Fri, 03 Sep 2004 11:18:37 GMT
Password can change:  Fri, 03 Sep 2004 11:18:37 GMT
Password must change: Fri, 13 Dec 1901