Re: [Samba] enable client to join domain with no or any password?

2010-09-02 Thread David Mathog
David Mathog wrote:
 Jean-Jacques Moulis wrote:
  On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog mat...@caltech.edu wrote:
  
  DM I am trying to automate W7 joining to our Samba domain. It works fine
  DM through the Windows GUI from the W7 workstations. However, for a script
  DM one would have to store password used for domain access, and since that
  DM is the server's root password, I really don't want to hard code that
  DM into a file.
  
  Grant the right to put a machine in the domain to a special user with
  no other privileges on the PDC or on the clients.
 
 That worked as you said for the server side.  The /etc/passwd entry ends
 in /sbin/nologin, and as far as I can tell, that locks it out from both
 su and ssh.

I spoke too soon.  

This special account works fine for the UnjoinDomainOrWorkgroup method.
However, it fails every single time for the JoinDomainOrWorkgroup method,
in every case resulting in a 1326 status.  It didn't matter if the machine
account existed, existed and was unchanged (unjoin, reboot, join), or didn't
exist.  All of the same JoinDomainOrWorkgroup operations succeed if I use
root with the password for root that is in smbpasswd.

Details about the special account:

% net rpc rights list sjacct
Enter root's password:
SeMachineAccountPrivilege
% grep sjacct /etc/passwd
sjacct:x:82:13:SMB JOIN account:/var/empty:/sbin/nologin
% grep 13 /etc/group
news:x:13:

This is as buttoned down security-wise on the Linux side as I could make
it.  Seems like Samba really needs this account to do something on the
server, and it cannot.

Samba is 3.4.7-0.2mdv2008.1

Any suggestions?

Thanks,

David Mathog
mat...@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] enable client to join domain with no or any password?

2010-09-02 Thread David Mathog
More information.

For the restricted access sjacct of the preceding post, it WILL
join/unjoin correctly using the System control panel (this is on XP). 
It just doesn't join using those credentials in Powershell.  Here are
the two commands:

$CI = Get-WmiObject Win32_ComputerSystem -Authentication 6
$CI.JoinDomainOrWorkgroup("SAF","password","sjacct","",35)

The second always comes back with 1326.  It does so if the last
parameter is 1, 3, 33, or 35 and if the third is sjacct or SAF\sjacct.
But it will unjoin from within PowerShell, as this works:

$CI.UnjoinDomainOrWorkgroup("password","sjacct")

Conversely both Unjoin and JoinDomainOrWorkgroup work correctly for
user root.

Very frustrating!

Thanks,

David Mathog
mat...@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech


Re: [Samba] enable client to join domain with no or any password?

2010-08-30 Thread David Mathog
Jean-Jacques Moulis wrote:
 On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog mat...@caltech.edu wrote:
 
 DM I am trying to automate W7 joining to our Samba domain. It works fine
 DM through the Windows GUI from the W7 workstations. However, for a script
 DM one would have to store password used for domain access, and since that
 DM is the server's root password, I really don't want to hard code that
 DM into a file.
 
 Grant the right to put a machine in the domain to a special user with
 no other privileges on the PDC or on the clients.

That worked as you said for the server side.  The /etc/passwd entry ends
in /sbin/nologin, and as far as I can tell, that locks it out from both
su and ssh.

Thanks.

This is a cloning application, trying it without sysprep.  It turns out
that to do this one must:

# the first two, below, can be done on the master manually
unjoin (using the Samba server account listed above)
reboot
# after cloning...
change the computer name (using a local account)
reboot
(re)join (using the samba server account listed above)
reboot

The first and third actions are now safe in that even though the
password is exposed, the only thing that account can do is join/unjoin
a domain.

However, for the local computer name change as far as I can tell that
must be an Administrator account, so it isn't very safe to write it into
a file.  The only other way I can see to get around that is to do some
sort of binary hack in linux to overwrite the machine name in the
registry.  Presumably if one hits every single copy that will do the
same thing as the change computer name operation in the System control
panel, or the equivalent Powershell:

$CI = Get-WmiObject Win32_ComputerSystem -Authentication 6
$CI.Rename("Newname","admin password","admin account")

where the admin password/account are the local ones, not the domain ones.

Hmm.  I suppose on the master one could create a local admin account,
use those credentials to change the machine name and then in the join
script delete that admin account.  Not very elegant...

Thanks,

David Mathog
mat...@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
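The rename-then-join steps of the cloning procedure above, and the JoinDomainOrWorkgroup call with its 1326 result from the later post, as one added example written for this thread (not David's own script): it prompts for both credentials with Get-Credential instead of writing them into a file, spells out the FJoinOptions bits behind the 35 used in the posts (the documented JOIN_DOMAIN, ACCT_CREATE and DOMAIN_JOIN_IF_JOINED flags), and decodes the return value, 1326 being ERROR_LOGON_FAILURE in the Win32 error table. The domain, account and host names are assumptions taken from the posts.

```powershell
# Added example, not from the thread: the rename-then-join steps of the
# cloning procedure as one script.  Domain, account and host names are
# assumptions taken from the posts; passwords are prompted for, never stored.
param(
    [string]$Domain     = 'SAF',
    [string]$JoinUser   = 'SAF\sjacct',   # holds only SeMachineAccountPrivilege
    [string]$NewName,                     # give a name to rename (step 1) instead of joining
    [string]$LocalAdmin = "$env:COMPUTERNAME\Administrator"
)

# FJoinOptions bits of Win32_ComputerSystem.JoinDomainOrWorkgroup
# (the NETSETUP_* flags of NetJoinDomain); 1+2+32 = 35 as used in the thread.
$JOIN_DOMAIN           = 1    # join a domain, not a workgroup
$ACCT_CREATE           = 2    # create the machine account on the PDC if missing
$DOMAIN_JOIN_IF_JOINED = 32   # allow the join even if already a member elsewhere

# Map the DWORD the WMI methods return (Win32 system error codes) to text.
function Describe-Result([uint32]$Code) {
    switch ($Code) {
        0    { 'success' }
        5    { 'ERROR_ACCESS_DENIED: caller may not create/modify the machine account' }
        1326 { 'ERROR_LOGON_FAILURE: the PDC rejected this user name or password' }
        1355 { 'ERROR_NO_SUCH_DOMAIN: the domain could not be contacted' }
        2691 { 'ERROR_SETUP_ALREADY_JOINED: this machine is already a member' }
        default { "error $Code (see winerror.h)" }
    }
}

$cs = Get-WmiObject Win32_ComputerSystem -Authentication 6   # 6 = PacketPrivacy
if ($NewName) {
    # Rename needs a LOCAL administrator; prompt for it instead of writing
    # it into a file, and reboot before the join is attempted.
    $adm = Get-Credential $LocalAdmin
    $r = $cs.Rename($NewName, $adm.GetNetworkCredential().Password, $adm.UserName)
    Write-Host "Rename: $(Describe-Result $r.ReturnValue)"
    if ($r.ReturnValue -eq 0) { Restart-Computer -Force }
    exit $r.ReturnValue
}

# Join with the restricted account.  The empty fourth argument is AccountOU,
# which an NT4-style Samba 3 domain does not use.
$cred = Get-Credential $JoinUser
$r = $cs.JoinDomainOrWorkgroup($Domain, $cred.GetNetworkCredential().Password,
        $cred.UserName, '',
        ($JOIN_DOMAIN -bor $ACCT_CREATE -bor $DOMAIN_JOIN_IF_JOINED))
Write-Host "Join: $(Describe-Result $r.ReturnValue)"
if ($r.ReturnValue -eq 0) { Restart-Computer -Force }
exit $r.ReturnValue
```

Run it once with -NewName on the freshly cloned machine (rename, reboot), then once without it (join, reboot); a non-zero exit code is the raw WMI return value so a wrapper can tell 1326 from 1355.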


Re: [Samba] enable client to join domain with no or any password?

2010-08-18 Thread David Mathog
 It looks like I am getting a little ahead of myself.
Make that WAY ahead of myself.

I _really_ do not understand the transaction between the client and the
server when it joins or removes itself from a domain.  I monitored this
with log level set to 31 and wireshark running with host (server
address).  Then tried to remove a client from the domain first with
powershell's remove-computer and then with 
  start-control panels-system
and change the name.

(on client)

powershell
remove-computer -cred root
(enter password)
(enter Y)

triggers on server, with logging at 31

[2010/08/18 14:04:38,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/08/18 14:04:38,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1283(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): search by name: root

(runs through a zillion users like this one)

[2010/08/18 14:04:38,  5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user auser, uid 2288

(until it gets to this)

[2010/08/18 14:04:38,  5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user root, uid 0
[2010/08/18 14:04:38,  7] passdb/pdb_smbpasswd.c:346(endsmbfilepwent)
  endsmbfilepwent_internal: closed password file.
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1305(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): found by name: root
[2010/08/18 14:04:38,  5] lib/username.c:133(Get_Pwnam_alloc)
  Finding user root
[2010/08/18 14:04:38,  5] lib/username.c:77(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is root
[2010/08/18 14:04:38,  5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:607(pdb_set_username)
  pdb_set_username: setting username root, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 12 - now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:676(pdb_set_fullname)
  pdb_set_full_name: setting full name root, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 13 - now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:630(pdb_set_domain)
  pdb_set_domain: setting domain SAF, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 14 - now DEFAULT
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 20 - now DEFAULT
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:722(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path
\\safserver\profiles\root\UNKNOWN, was 

(it is trying to do a normal login, but this isn't a normal account, in
particular it does NOT have a home directory or an existing profile)

Meanwhile wireshark on the client shows

5   12:05:15.585593000  131.215.12.46   131.215.12.42   SMB_NETLOGON  SAM LOGON request from client
6   12:05:15.586523000  131.215.12.42   131.215.12.46   SMB_NETLOGON  SAM Response - user unknown
7   12:05:15.68510      131.215.12.46   131.215.12.42   SMB_NETLOGON  Query for PDC from SAF04
8   12:05:15.68579      131.215.12.42   131.215.12.46   SMB_NETLOGON  Response from PDC: host SAFSERVER, domain SAF

(this disconnect fails)

(On client use 
  start- control panel - SYSTEM
to change SAF (Domain) - NOTSAF (workgroup)

Wireshark shows the same 4 records as above, of course with a different
time stamp, but BEFORE the client prompts for an account to use.  Enter
the account info (root/password for root in smbpasswd) and hit return
and nothing new shows up in wireshark!  Huh?  How can the client
remove itself from the server without telling the server?  Perhaps that
actually happens at the mandatory reboot, where, inconveniently,
wireshark is not running on the client.)


FINALLY, just to make life really strange, this machine has no default
suffix ("").  That isn't the strange part: there is a SearchList
registry entry (bio.caltech.edu,caltech.edu) and since the machine
answers to both machine.bio.caltech.edu and machine.caltech.edu
everything works fine.  When the machine is added back to the Samba
domain with

   start - control panel - system

W7 pops up an error message about the default suffix, and changes the
suffix to the domain name at the mandatory reboot.  Yes, it was told NOT
to do this (under more options).  This is a problem as the Domain name
is not a proper DNS suffix, so that screws up the network.  It can be
set back to "" from a command prompt with:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d "" /f

but at the next boot the value is once again filled in with the Samba
domain.  In a command prompt

ping thismachine
(shows thismachine.SAF)

but

ping anothermachine
(shows anothermachine.bio.caltech.edu)

W7 seems hell bent on filling in the 

Re: [Samba] enable client to join domain with no or any password?

2010-08-17 Thread David Mathog
It looks like I am getting a little ahead of myself.  While it is
possible to join/leave a domain from W7 clients via 
  start-control panel - system
so far I have not been able to do it from powershell (as administrator).

For instance

remove-computer -cred root

prompts for the password, type it in, and it (eventually) says:

... the specified domain does not exist or cannot be contacted.

Similar problems for add-computer.

Anybody have this working with powershell?

Thanks,

David Mathog
mat...@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech


Re: [Samba] enable client to join domain with no or any password?

2010-08-17 Thread Jean-Jacques Moulis
On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog mat...@caltech.edu wrote:

DM I am trying to automate W7 joining to our Samba domain. It works fine
DM through the Windows GUI from the W7 workstations. However, for a script
DM one would have to store password used for domain access, and since that
DM is the server's root password, I really don't want to hard code that
DM into a file.

Grant the right to put a machine in the domain to a special user with
no other privileges on the PDC or on the clients.
It doesn't need to be able to log in on the PDC or the clients, so
the storage of the password of such an account is a lesser problem.

SeMachineAccountPrivilege 
This right controls whether or not the user can join client machines to a 
Samba-controlled domain

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html


-- 
Jean-Jacques Moulis     Tel:    (013) 281684
ISY                     Fax:    (013) 139282
Linköping University    E-mail: j...@isy.liu.se
581 83 Linköping