From: Gaiseric Vandal on 7 Jul 2010 23:00

On the Windows machines, have you tried setting up an additional share? Maybe the issue is not specific to Administrative shares?

FYI I did verify from an XP machine (not in the domain) that "net use \\server\ipc$ /user:mydom\administrator" does work. I do get prompted for the pw because the XP client is not in the domain, but at least it shows that the domain administrator can authenticate to a hidden share.

Can you verify that MYDOM/Domain Admins is really in the local admins group on the Win machines? Can you login to the Win machine as a domain admin? And if so, can you do "Admin" type things like add local users? I had some group mapping issue once that meant that the domain admin group wasn't recognized by the Windows machines.

-----Original Message-----
From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Jason Voorhees
Sent: Wednesday, July 07, 2010 8:08 PM
To: samba(a)lists.samba.org
Subject: [Samba] Access to administrative shares on Windows

Hi people:

I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different installations) under CentOS Linux 5.5. My Samba server is configured as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.

I understand this:

1. Every Windows machine has a local Administrators group.

2. When a Windows machine joins my Samba domain (named MYDOM), the group "MYDOM\Domain Admins" is added to the local Administrators group of the Windows machine.

3. According to (2), the root account is a member of the "MYDOM\Domain Admins" group. I can verify this as follows:

   # net rpc group members "Domain Admins"
   MYDOM\root

4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as administrative shares, and they grant access to the local Administrators group of the machine, and so to "MYDOM\Domain Admins" as a consequence of being previously joined to the domain.

Are these four assumptions right?

If yes, I think it should be true that:

- I would be able to access the C$ share of a machine joined to the domain using the credentials of the MYDOM\root account

Am I right? If yes, could someone tell me why this assumption isn't working in my scenario? Every time I try to access the C$ share with MYDOM\root credentials I just get the login window again and again (similar to when someone puts a wrong password). I tried to find some logging at Samba but I didn't find anything obvious; I even enabled all security policy audits at Windows but its log doesn't show anything useful.

My smb.conf looks like:

[global]
        workgroup = MYDOM
        netbios name = SAMBAPDC
        server string = Samba PDC Server
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        log file = /var/log/samba/log
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/bin/smbldap-useradd -m "%u"
        delete user script = /usr/bin/smbldap-userdel "%u"
        add group script = /usr/bin/smbldap-groupadd -p "%g"
        delete group script = /usr/bin/smbldap-groupdel "%g"
        add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon path =
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=mydom,dc=com
        ldap ssl = no
        ldap user suffix = ou=users
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Ok, I know my configuration isn't perfect; surely there are some directives that aren't necessary, but I hope someone can help me with this.

Thanks

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
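The group mapping issue Gaiseric mentions is checkable on the PDC side: "Domain Admins" must be mapped to the well-known RID 512 and tied to a Unix group, otherwise Windows clients will not recognize the SID they placed in their local Administrators group at join time. The following script is an added example, not code from the thread or from the Samba project; it parses `net groupmap list` output (the "<NT group> (<SID>) -> <unix group>" line layout is assumed from Samba 3) and the sample lines are constructed.

```python
import re
import sys

# Well-known domain RIDs; these are fixed for every NT-style domain.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Assumed Samba 3 'net groupmap list' layout: "<NT group> (<SID>) -> <unix group>"
LINE_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+))\) -> (?P<unix>\S+)$"
)

# Constructed sample output; not taken from a real server.
SAMPLE = """\
Domain Admins (S-1-5-21-111-222-333-512) -> domadmins
Domain Users (S-1-5-21-111-222-333-513) -> domusers
Domain Guests (S-1-5-21-111-222-333-514) -> domguests
"""


def parse_groupmap(text):
    """Map NT group name -> (RID, unix group) for every line that matches the layout."""
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mappings[m.group("name")] = (int(m.group("rid")), m.group("unix"))
    return mappings


def check_mappings(mappings):
    """Return a list of problems; an empty list means the well-known groups look sane."""
    problems = []
    for name, expected_rid in WELL_KNOWN_RIDS.items():
        if name not in mappings:
            problems.append(f"{name}: no group mapping at all")
            continue
        rid, unix = mappings[name]
        if rid != expected_rid:
            problems.append(f"{name}: mapped to RID {rid}, expected {expected_rid}")
        if unix in ("", "-1"):
            problems.append(f"{name}: not tied to a Unix group")
    return problems


if __name__ == "__main__":
    # Pipe real output in ('net groupmap list | python3 check_groupmap.py'); otherwise use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for problem in check_mappings(parse_groupmap(text)) or ["group mappings OK"]:
        print(problem)
```

A missing or mis-numbered "Domain Admins" entry here is the PDC-side symptom of the mapping problem described above; it would show up before any Windows-side audit log does.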