Patrick Goetz
2022-Feb-12 13:57 UTC
[Samba] Ongoing internal DNS discrepancies: !root = SAMDOM\Administrator
I just noticed another DNS discrepancy involving the use of

/etc/samba/smb.conf:
-------------------
[global]
username map = /etc/samba/user.map


archives at data2:/$ cat /etc/samba/user.map
!root = SAMDOM\Administrator


When this is set, the root user can just do stuff:

  root at samba-dc:~# samba-tool computer list
  IBS100$
  DATA2$
  SAMBA-DC$
  ERAP-GNOME$

  root at samba-dc:~# samba-tool computer delete erap-gnome
  Deleted computer erap-gnome

  root at samba-dc:~# samba-tool computer list
  IBS100$
  DATA2$
  SAMBA-DC$

unless it involves DNS, in which case not even a query can be executed without explicit administrator authentication:

  root at samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A
  Password for [EA\root]:
  Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.1.80[49153,sign,target_hostname=samba-dc,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.1.80] NT_STATUS_LOGON_FAILURE
  ERROR: Connecting to DNS RPC server samba-dc failed with (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')

  root at samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A -U administrator
  Password for [EA\administrator]:
    Name=, Records=1, Children=0
      A: 192.168.1.81 (flags=f0, serial=110, ttl=3600)

Since this is an Ubuntu system, root logins are disabled by default; presumably this would work if I had root login enabled, but the issue is why is it prompting me for authentication in the first place?
Rowland Penny
2022-Feb-12 14:05 UTC
[Samba] Ongoing internal DNS discrepancies: !root = SAMDOM\Administrator
On Sat, 2022-02-12 at 07:57 -0600, Patrick Goetz via samba wrote:
> I just noticed another DNS discrepancy involving the use of
>
> /etc/samba/smb.conf:
> -------------------
> [global]
> username map = /etc/samba/user.map
>
>
> archives at data2:/$ cat /etc/samba/user.map
> !root = SAMDOM\Administrator
>
>
> When this is set, the root user can just do stuff:

root can do stuff without the user.map, what the user.map does is to map Administrator to the root user, this allows Administrator to do things from Windows on Unix.

If you do not have a root user (and Ubuntu does have a root user, it isn't readily active), you can always use sudo.

Rowland
Michael Tokarev
2022-Feb-12 14:07 UTC
[Samba] Ongoing internal DNS discrepancies: !root = SAMDOM\Administrator
12.02.2022 16:57, Patrick Goetz via samba wrote:
>
> I just noticed another DNS discrepancy involving the use of
>
> /etc/samba/smb.conf:
> -------------------
> [global]
> username map = /etc/samba/user.map
>
>
> archives at data2:/$ cat /etc/samba/user.map
> !root = SAMDOM\Administrator
>
> When this is set, the root user can just do stuff:
>
>   root at samba-dc:~# samba-tool computer list
>   IBS100$

I think you're mixing things here. root can do many samba-tool commands on the DC just fine without any username.map. But some commands are implemented by logging in to services over the network instead of doing stuff directly against files in /var/lib/samba/. This has nothing to do with username.map.

Also, username.map works the other way around, - to map someone logged in as EA\Administrator to root, not to map root to EA\Administrator.

..
> root at samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A
> Password for [EA\root]:

Give it the -U Administrator option. username.map works the other way around.

/mjt
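The mapping direction Michael describes, as an added example that is not part of this thread or of Samba's own code: a small Python model of how a "username map" file is consumed, following the smb.conf(5) description of the format (unix name on the left, client names on the right, "*" wildcard, "@group", leading "!" stops processing after a match). Case-insensitive comparison, the group-membership table and the choice to match later lines against the already-mapped name are assumptions of this model.

```python
# Added example (not Samba's code): model the direction of "username map".
# A line "unixname = winname1 winname2 ..." maps the name a client logged in
# WITH (right side) onto the UNIX account Samba will use (left side).
# Assumptions: names compare case-insensitively, "@group" is resolved from a
# caller-supplied dict, and later lines see the already-mapped name.
from typing import Dict, List, Tuple

Rule = Tuple[bool, str, List[str]]  # (stop_on_match, unix_name, client_names)


def parse_username_map(text: str) -> List[Rule]:
    """Parse the map file; '#'/';' lines are comments, '!' means stop on match."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix, sep, wins = line.partition("=")
        if not sep:
            continue                      # malformed line, ignored
        rules.append((stop, unix.strip(), wins.split()))
    return rules


def map_username(client_name: str, rules: List[Rule],
                 groups: Dict[str, List[str]]) -> str:
    """Return the UNIX account for the name the client authenticated with."""
    name = client_name
    for stop, unix, wins in rules:
        matched = False
        for w in wins:
            if w == "*":
                matched = True
            elif w.startswith("@"):
                members = (m.lower() for m in groups.get(w[1:], []))
                matched = name.lower() in members
            else:
                matched = w.lower() == name.lower()
            if matched:
                break
        if matched:
            name = unix                   # right side -> left side, never reverse
            if stop:
                break
    return name


# Constructed sample: the map quoted in the thread.
USER_MAP = "!root = SAMDOM\\Administrator\n"
RULES = parse_username_map(USER_MAP)
```

Feeding "SAMDOM\Administrator" into the model yields "root", while feeding "root" in comes back unchanged, which is why the map does not turn a local root shell into a domain Administrator logon for the DNS RPC bind.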