Hello! I installed samba-3.0.11 and configured it properly to work with LDAP. It works fine for me, but I have small problems with security and management of users!

Important parameters of my samba config:

[global]
        log level = 10
        security = user
        domain master = yes
        domain logons = yes
        enable privileges = Yes
        workgroup = HOME
        netbios name = A
        delete user script = /opt/IDEALX/sbin/smbldap-userdel -k -r "%u"
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -a -p "%g"
        delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"

To explain my problems, I have the following setup:

Machine "A" is the PDC of domain "HOME"
Machine "B" is not a member of domain "HOME", it is a member of workgroup "REMOTE"
Machine "C" is a member of domain "HOME"
Account: Administrator, member of "Domain Admins"
Account: nobody, member of "Domain Guests"

net rpc says:

linux:/etc/samba # net -U Administrator rpc rights list 'HOME\Administrator'
Password:
SeMachineAccountPrivilege
SeAddUsersPrivilege
linux:/etc/samba #
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\nobody'
Password:
linux:/etc/samba #

User Administrator UID: 512 (I read a post before, and "Samba members" say "You don't need to have uid 0 any more ... use privileges" ;) )
User nobody UID:

I use the tools usrmgr.exe and srvmgr.exe.
Enter from "C" into domain "HOME" ... OK
Create user in default group "Domain Users" ... OK
Add machine to domain ........ OK

Problem 1.
From machine "B" launch the tool srvmgr.exe and select domain "HOME". Domain "HOME" does not trust workgroup "REMOTE", and I enter domain "HOME" as nobody. Try to add machine "INTRUDER" to domain "HOME" and get the message "Access denied". I parsed the debug messages ...... and found the problems ...
Step 1: samba added machine "INTRUDER" to ldap through "add machine script", but did not set samba attributes on this machine account
Step 2: Samba checked the privileges of user nobody and sent the message access denied to the remote host
Why ????? Any user who is not a member of my domain "HOME" creates any "machine account" in my ldap server and .... o my god !!!! my database is big, very big : )))

Problem 2.
Launch the tool usrmgr.exe. Try to create a user. Username: "John". Select the group button. By default the user is a member of "Domain Users". Add group "Domain Admins", press OK and next OK ... the user is created ..... it's great!
Select properties of user "John" and press the group button again. Select group "Domain Admins" and press "set primary group", next remove membership in "Domain Users" and press OK.
Devil :( I have the error "Access denied". Why ???
Again parse the debug messages:
1) Samba sets for user "john" the primary group "Domain Admins"
2) Samba tries to remove user "john" from group "Domain Users", but samba says "User 'John' has primary group 'Domain Users'" and generates the message "Access denied"
The IDEALX script has incorrect code in "smbldap-usermod -g". We MUST set the primary group, but before that the user MUST be a member of the "old primary group" ... the IDEALX script does not do this..

Problem 3.
User Administrator has the privilege 'SeAddUsersPrivilege'.... look up :)
Try to create a group ...
Group name: "Internet Access"
Members: Administrator, John
Press button OK
Devil again :( I get the message "Access Denied"
1) Samba calls the script "add group script"; the group is created
2) Samba tries to append samba parameters to group "Internet Access" and says
"_samr_set_groupinfo: access check ((granted: 0000000000; required: 0x00000002)
_samr_set_groupinfo: ACCESS DENIED (granted: 0000000000; required: 0x00000002)"
Please fix samba-3.0.11 or explain what is wrong ???
Analysis of the 3.0.11 code tells me ... it is bad, very bad ....

Best regards,
Senior engineer of network department MTCES the Magadan.
Loskutov Sergey
mailto:cyrat@tts.magadan.su
phone. +7 90250 82016, +7 41322 27150
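The two "_samr_set_groupinfo" lines quoted under Problem 3 are the access-check trace Samba writes at log level 10: a granted mask, a required mask, and a verdict. When triaging such a denial it helps to compute which required bit was not granted rather than reading the masks by eye. The following Python is an added example for this thread, not code from the post or from Samba; it parses lines of that shape (the sample lines are constructed to match the ones quoted above) and names the missing bit using Samba's SAMR group access names (SAMR_GROUP_ACCESS_*), where 0x00000002 is the set-info right that the samr set-groupinfo call requires. The bit table is my reading of Samba's samr definitions and is an assumption here.

```python
import re

# Constructed sample, in the shape of the log-level-10 lines quoted in the post.
SAMPLE_LOG = """\
_samr_set_groupinfo: access check ((granted: 0000000000; required: 0x00000002)
_samr_set_groupinfo: ACCESS DENIED (granted: 0000000000; required: 0x00000002)
"""

# SAMR group-object access bits, named after Samba's SAMR_GROUP_ACCESS_* values
# (assumed mapping; 0x2 is the right that set-groupinfo asks for).
GROUP_ACCESS_BITS = {
    0x00000001: "SAMR_GROUP_ACCESS_LOOKUP_INFO",
    0x00000002: "SAMR_GROUP_ACCESS_SET_INFO",
    0x00000004: "SAMR_GROUP_ACCESS_ADD_MEMBER",
    0x00000008: "SAMR_GROUP_ACCESS_REMOVE_MEMBER",
    0x00000010: "SAMR_GROUP_ACCESS_GET_MEMBERS",
}

# Matches both the "access check" trace line and the "ACCESS DENIED" verdict line.
# Samba prints the trace with a doubled "((", so one or more "(" are accepted.
ACCESS_LINE_RE = re.compile(
    r"(?P<func>\w+): (?P<event>ACCESS DENIED|access check) \(+"
    r"granted: (?P<granted>[0-9A-Fa-fx]+); required: (?P<required>[0-9A-Fa-fx]+)\)"
)


def parse_mask(text):
    """Parse a mask as Samba prints it: bare hex digits or 0x-prefixed hex."""
    return int(text, 16)


def bit_names(mask, table=GROUP_ACCESS_BITS):
    """Name every set bit of a mask; bits not in the table are reported as hex."""
    names = []
    for bit in range(32):
        value = 1 << bit
        if mask & value:
            names.append(table.get(value, hex(value)))
    return names


def parse_access_checks(log_text):
    """Return one record per access-check line: the function that checked,
    the granted and required masks, and the required bits that were not granted."""
    records = []
    for line in log_text.splitlines():
        m = ACCESS_LINE_RE.search(line)
        if not m:
            continue
        granted = parse_mask(m.group("granted"))
        required = parse_mask(m.group("required"))
        missing = required & ~granted
        records.append({
            "function": m.group("func"),
            "denied": m.group("event") == "ACCESS DENIED",
            "granted": granted,
            "required": required,
            "missing": missing,
            "missing_names": bit_names(missing),
        })
    return records


def summarize(log_text):
    """One human-readable line per denial verdict found in the log text."""
    return [
        f"{r['function']} denied: missing {', '.join(r['missing_names'])} "
        f"(granted {hex(r['granted'])}, required {hex(r['required'])})"
        for r in parse_access_checks(log_text)
        if r["denied"]
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real log.smbd captured at log level 10, the summary line for the Problem 3 case reads "_samr_set_groupinfo denied: missing SAMR_GROUP_ACCESS_SET_INFO (granted 0x0, required 0x2)", which states directly that the connected account was granted nothing on the group object and needed the set-info right.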
Gerald (Jerry) Carter
2005-Feb-17 17:43 UTC
[Samba] usermgr.exe vs. 3.0.11 [was Re: Problems to samba 3.0.11]
Sergey Loskutov wrote:

| Step1
| samba added machine "INTRUDER" added to ldap
| through "add machine script", but not set samba
| attributes to this machine account
| Step2
| Samba check privileges to user nobody and send
| message access denied to remote host
|
| Any users not member in my domain "HOME", in
| my ldap server creates any "machine account" and ....
| o my god !!!! my database is big very big : )))

This is by design. Your smbldap scripts are allowing normal users to add posixAccount entries. This is the way it has always been. So this begs the question, would you be upset if we changed the behavior so that we immediately bail out if you are not either connected as root or have the necessary privilege? I would be inclined to think this is the correct approach, but it would not be backwards compatible.

| Problem 2. ...
| Please fixed samba-3.0.11 or explain what is wrong ???
|
| Analysis code 3.0.11 say me ... is bad very bad ....

I think I can probably reproduce these last 2 errors easily enough. We'll try to get this corrected in the first 3.0.12preX release sometime next week.

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca