Prev: SMB Trans2 Response and STATUS_OBJECT_NAME_NOT_FOUND
Next: [Samba] security = SHARE
From: Jason Voorhees on 7 Jul 2010 20:10
Hi people:

I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different
installations) under CentOS Linux 5.5. My Samba server is configured
as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.

I understand this:

1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the
group "MYDOM\Domain Admins" is addedd to the local Administrators
group of the Windows machine.
3. According to (2), root account is a member of "MYDOM\Domain Admins"
group, I can verify this as follows:

# net rpc group members "Domain Admins"
MYDOM\root

4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as
administratives shares and they grant access to local Administrators
group of the machine, and so to "MYDOM\Domain Admins" as a consequence
of being previously joined to the domain.

Are these four assumptions right? If yes I think it should be true that:

- I would we able to access to C$ share of a machined joined to the
domain using the credentials of MYDOM\root account

Am I right? If yes, could someone tell me why these assumption isn't
working in my scenario? Every time I try to access C$ share with
MYDOM\root credentials I just get the login window again and again
(similar when someone puts a wrong password).

I tried to find some logging at Samba but I didn't find anything
obvious, I even enabled all security policies audit at Windows but its
log doesn't show anything useful. My smb.conf looks like:

[global]
workgroup = MYDOM
netbios name = SAMBAPDC
server string = Samba PDC Server
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 3
log file = /var/log/samba/log
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/bin/smbldap-useradd -m "%u"
delete user script = /usr/bin/smbldap-userdel "%u"
add group script = /usr/bin/smbldap-groupadd -p "%g"
delete group script = /usr/bin/smbldap-groupdel "%g"
add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w %u
logon path =
domain logons = Yes
preferred master = Yes
domain master = Yes
ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=mydom,dc=com
ldap ssl = no
ldap user suffix = ou=users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000

Ok I know my configuration isn't perfect, surely there are some
directives that aren't necessary but I hope someone can help me with
this.

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
 | 
Pages: 1
Prev: SMB Trans2 Response and STATUS_OBJECT_NAME_NOT_FOUND
Next: [Samba] security = SHARE