Benjamin Adler
2003-Jan-18 00:10 UTC
[Samba] secretly replacing a windows domain client with samba
Hello!

I have a problem: I work in a company which is strictly windows-only, and I really need to replace a windows-xp machine - which is a member of the company's domain - with a linux machine (using samba).

This new linux machine will have to upload backups of its data to a share within the domain. Thus, it needs to be a member of the domain (correct?).

Obviously, I need to join the linux-box to the domain without the domain-admins knowing, and that's where my problems start.

If I understood correctly, every machine in the domain has a machine trust account (MTA) on the PDC. The MTA's username is the client's NETBIOS machine name with a "$" appended, and the password is set to a random value by the client when first joining the domain.

That way, one cannot just replace a machine that's a member of the domain with another machine. The domain-admins would have to reset the MTA's password, so that the new machine can join.

Since I cannot ask the domain-admins to do just that, I'm looking for a way to extract this machine password - which, to my understanding, is still stored on the old winxp-client - and use it in samba (samba stores that in the secrets.tdb, right?).

Now my question: Have I understood the problem correctly? If yes, what can I do, is there a way to extract the machine password? Has anyone ever done this?

I *think* that the PDC is a windows NT 4 machine, but I'm not sure. I DO have a valid user account for the domain, but it doesn't have any special privileges (like being domain admin :)

Thanks a lot for your help!

Ben Adler

P.S: Please CC to my address, too!
Joerg Lenneis
2003-Jan-19 18:14 UTC
[Samba] Re: secretly replacing a windows domain client with samba
Benjamin Adler:

> Hello!
>
> I have a problem: I work in a company which is strictly windows-only, and
> I really need to replace a windows-xp machine - which is a member of the
> company's domain - with a linux machine (using samba).
>
> This new linux machine will have to upload backups of its data to a share
> within the domain. Thus, it needs to be a member of the domain (correct?).
>
> Obviously, I need to join the linux-box to the domain without the
> domain-admins knowing, and that's where my problems start.
>
> If I understood correctly, every machine in the domain has a machine trust
> account (MTA) on the PDC. The MTA's username is the client's NETBIOS
> machine name with a "$" appended, and the password is set to a random
> value by the client when first joining the domain.
>
> That way, one cannot just replace a machine that's a member of the domain
> with another machine. The domain-admins would have to reset the MTA's
> password, so that the new machine can join.
>
> Since I cannot ask the domain-admins to do just that, I'm looking for a
> way to extract this machine password - which, to my understanding, is
> still stored on the old winxp-client - and use it in samba (samba stores
> that in the secrets.tdb, right?).
>
> Now my question: Have I understood the problem correctly? If yes, what can
> I do, is there a way to extract the machine password? Has anyone ever done
> this?
>
> I *think* that the PDC is a windows NT 4 machine, but I'm not sure. I DO
> have a valid user account for the domain, but it doesn't have any special
> privileges (like being domain admin :)

[...]

You have it slightly backwards: Samba is an SMB/CIFS file *server*, not a client, so all deliberations about secrets.tdb do not apply. There is a Linux client filesystem implementation available (smbfs) but that will not allow you to join a domain.

best regards,

--
Joerg Lenneis
email: lenneis@wu-wien.ac.at
Simo Sorce
2003-Jan-22 18:28 UTC
[Samba] secretly replacing a windows domain client with samba
On Sat, 2003-01-18 at 01:09, Benjamin Adler wrote:

> Hello!
>
> I have a problem: I work in a company which is strictly windows-only, and
> I really need to replace a windows-xp machine - which is a member of the
> company's domain - with a linux machine (using samba).
>
> This new linux machine will have to upload backups of its data to a share
> within the domain. Thus, it needs to be a member of the domain (correct?).

wrong
to upload data, you only need a username and a password (normally)

Simo.

--
Simo Sorce - simo.sorce@xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399