RA Cohen
2005-Feb-24 15:12 UTC
[Samba] Samba Upgrade Yields Undesired Domain-Wide IE High Security
Forgive the repost, but I've changed the subject line since I haven't seen a reply yet...please help, I don't have much hair left!

Hello All,

I had been successfully running Samba 2.2.8a on a FreeBSD 4.7 box for a couple years using roaming profiles. The box was functioning as PDC. The hardware was getting old; I needed to migrate to a new server. So, I built a FreeBSD 5.3-RELEASE box on some relatively modern hardware and installed Samba 2.2.12. I copied the master.passwd file to the new box, did the pwd_mkdb, also copied the group file. Then I tarred all the home directories on the old server, and untarred them on the new server. Same with all the shares. Also used the same smb.conf file.

As far as the users go, I am having them re-initialize their passwords thru Usermin so their Samba passwords are now synched with their FreeBSD/Unix passwords. I also manually joined each machine to the domain, first on the server by smbpasswd -a -m MACHINENAME, then actually went around to each (thank goodness only 65 machines) machine, unjoined it from the domain by putting them back into a workgroup, then joined the domain again. No problem. Users can log into the domain from any machine, get their roaming profiles, use their shares, etc. In short, everything seems to work BUT here's the "gotcha":

Somehow, the security settings for Internet Explorer have been set to medium for the entire domain. I have not a clue how this has happened, but it means the users have to click thru numerous "When you send information to the internet, it might be possible for others to see that information. Do you want to continue?" This pops up anytime a form is submitted. Also, file downloads are now not possible.

I fail to understand how this has happened. And, the IE settings cannot be changed, they simply revert back to the medium setting. It is this behavior that makes me conclude this is a domain-wide situation. When I log in to any of the machines as a local administrator, the IE settings are at a custom level that does permit more unrestricted browsing. I never created any policies for this, so I assume they were the defaults for Win2K with pretty much the latest patches, etc. I've also compared file permissions and ownerships with those on the old server, they seem to be the same.

Any help would be greatly appreciated...Thank you in advance.

Roy

PS Here's the relevant parts of smb.conf:

    [global]
        workgroup = XXXX
        netbios name = YYYYYYYY
        server string = Samba PDC running %v
        encrypt passwords = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts hosts bcast
        time server = Yes
        lpq cache time = 20
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        total print jobs = 100
        logon drive = Q:
        logon home = \\%L\%U\.profile
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        logon script = %u.bat
        domain admin group = netadmins

    [netlogon]
        path = /usr/local/samba/lib/netlogon
        browseable = No
        root preexec = perl /usr/local/samba/lib/netlogon/genlogon.pl %u %g %m
        root postexec = perl /usr/local/samba/lib/netlogon/genlogoff.pl %u
William Jojo
2005-Feb-24 15:37 UTC
[Samba] Samba Upgrade Yields Undesired Domain-Wide IE High Security
Roy,

Have you verified that you are using the same SID after the migration? If the SID has changed, you cannot simply change it back as that will break your machine trusts.

I imagine you have not received a response since you are running 2.2.12, which is a deprecated code path. You should really consider upgrading to 3.0.11.

At any rate, if you do a smbpasswd -X on the two servers you'll find the two SIDs are different. I venture this guess based on the fact you omit information on secrets.tdb being copied over (and the smbpasswd file). The ntuser.dat files in your user workspaces are not owned by the user since the internal permissions reflect the old SID.

There are several choices:

1) Use smbpasswd -W to set the old SID on the new server and rejoin everything. Or just copy the secrets.tdb from the old server to the new, assuming the servername and domain are the same.

2) Clean all the profiles and start over (not your best option).

3) Upgrade to 3.0.11 and use the profiles command in the bin dir of the distro to modify the internal ACLs of the ntuser.dat.

Any way you slice it, there's some work to be done. Personally I'd choose #1 to get your users happy and plan an upgrade to 3.0.11 as soon as you can muster the time, and be mindful of secrets.tdb in the future since that is your server's identity (so to speak). You can save yourself much work next time by migrating the smbpasswd file in the private folder as well as the secrets.tdb.

Bill

On Thu, 24 Feb 2005, RA Cohen wrote:

> Forgive the repost, but I've changed the subject line since I haven't seen a reply yet...please help, I don't have much hair left!
>
> Hello All,
>
> I had been successfully running Samba 2.2.8a on a FreeBSD 4.7 box for a couple years using roaming profiles. The box was functioning as PDC. The hardware was getting old; I needed to migrate to a new server. So, I built a FreeBSD 5.3-RELEASE box on some relatively modern hardware and installed Samba 2.2.12.
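As an added illustration of Bill's SID check (this script is not part of the thread), a small POSIX sh helper that pulls the domain SID out of smbpasswd -X output captured on each server and reports whether the migrated PDC still carries the old identity. It assumes smbpasswd -X prints a line of the form "SID for domain NAME is: S-1-5-21-..."; the two SID values below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Samba list thread: compare the domain SID of
# the old and new PDC before trusting roaming profiles and machine accounts.
# Assumed output format of `smbpasswd -X` (Samba 2.2): "SID for domain X is: S-1-5-21-...".

# Extract the first S-1-5-21-... SID from smbpasswd -X output given on stdin.
extract_sid() {
    sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Return 0 when both captures contain the same non-empty SID, 1 otherwise.
sids_match() {
    old_sid=$(printf '%s\n' "$1" | extract_sid)
    new_sid=$(printf '%s\n' "$2" | extract_sid)
    [ -n "$old_sid" ] && [ "$old_sid" = "$new_sid" ]
}

# Constructed sample captures (on real servers: `smbpasswd -X > sid.txt` on each box).
OLD_OUT="SID for domain XXXX is: S-1-5-21-1234567890-1111111111-2222222222"
NEW_OUT="SID for domain XXXX is: S-1-5-21-9876543210-3333333333-4444444444"

if sids_match "$OLD_OUT" "$NEW_OUT"; then
    echo "domain SID unchanged: existing profile ACLs and machine trusts stay valid"
else
    echo "domain SID differs: restore it (smbpasswd -W <old SID>, or copy the old secrets.tdb)"
    echo "then rejoin the workstations, as option #1 above describes"
fi
```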