samba - Nov 2002 - \System32\GroupPolicy named pipe?

Hi -

I'm using samba to connect some windows boxen to a distributed set of
unix machines.  I'm trying to unify some of the administrative
interfaces via mmc, specifically the group policy stuff.  When I try
to use the Group Policy snap-in to connect to my samba 2.2.1 servers,
I see the windows box do a Tree Connect Andx to
ADMIN$\System32\GroupPolicy, and then the samba box responds with
0x0004, permission denied.  Then the windows box goes and tries to
create ADMIN$\System32, which also fails.  I have sniffer dumps of
the exchange here (libpcap format, use Ethereal to open): 

http://lightconsulting.com/~thalakan/gpdump.cap

Poking around in the samba source code, it looks like ADMIN$ is
aliased to IPC$, but the System32 named pipe isn't created anywhere.
Does anyone have any thoughts on implementing this and whatever
associated protocol is necessary to modify server-side group policies
over it?

-- 
 - Jason                      Currently at: Home (Fremont, CA) (Partly Cloudy)

Everything journalists write is true, except when they write about
something you know.
		-- Dag-Erling Smorgrav,
		   June 1999, FreeBSD-Stable Mailing List

On Sun, 2002-12-01 at 08:08, Jason Spence wrote:
> Hi -
> 
> I'm using samba to connect some windows boxen to a distributed set of
> unix machines.  I'm trying to unify some of the administrative
> interfaces via mmc, specifically the group policy stuff.  When I try
> to use the Group Policy snap-in to connect to my samba 2.2.1 servers,
> I see the windows box do a Tree Connect Andx to
> ADMIN$\System32\GroupPolicy, and then the samba box responds with
> 0x0004, permission denied.  Then the windows box goes and tries to
> create ADMIN$\System32, which also fails.  I have sniffer dumps of
> the exchange here (libpcap format, use Ethereal to open): 
> 
> http://lightconsulting.com/~thalakan/gpdump.cap
A comparitive capture of what Win2k does could be useful here.
> Poking around in the samba source code, it looks like ADMIN$ is
> aliased to IPC$, but the System32 named pipe isn't created anywhere.
> Does anyone have any thoughts on implementing this and whatever
> associated protocol is necessary to modify server-side group policies
> over it?
ADMIN$ is actually a disk share under NT - so it's not a system32 pipe,
but actually c:\winnt\system32.   (admin$ is an alias for
%systempath%).  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20021201/65d35ee8/attachment.bin

On Sun, 01 Dec 2002 11:48:34 +1100, Andrew Bartlett wrote:
>> http://lightconsulting.com/~thalakan/gpdump.cap
> 
> A comparitive capture of what Win2k does could be useful here.
Yes - maybe the MMC program tries to do all its operations by bashing away
at a file over SMB.  I think Access works like this as well.


Tim.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 30 Nov 2002, Jason Spence wrote:
> Hi -
> 
> I'm using samba to connect some windows boxen to a distributed set of
> unix machines.  I'm trying to unify some of the administrative
> interfaces via mmc, specifically the group policy stuff.  When I try
> to use the Group Policy snap-in to connect to my samba 2.2.1 servers,
> I see the windows box do a Tree Connect Andx to
> ADMIN$\System32\GroupPolicy, and then the samba box responds with
> 0x0004, permission denied.  Then the windows box goes and tries to
> create ADMIN$\System32, which also fails.  I have sniffer dumps of
> the exchange here (libpcap format, use Ethereal to open): 
The ADMIN$ share is hard coded in Samba to deal with some ASU
strangeness.  The snap-in is probably trying to open a file
which we won't allow on an IPC share IIRC.

This would take some work to fix.  



cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2         "SAMS Teach Yourself Samba in 24 Hours"
2ed
 "You can never go home again, Oatman, but I guess you can shop
there."
                            --John Cusack - "Grosse Point Blank"
(1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE96/X8IR7qMdg1EfYRAvgmAJ41LYAcXGSaLY+9jqwftV0KHAxr0ACgwfF1
BnYnUOHR6katID/LFWlhemI=ajHh
-----END PGP SIGNATURE-----