Hi,

I've joined my new SAMBA-3 to an NT4 PDC using the administrator user. The winbindd daemon is started, but when I try:

wbinfo -g

I see in the log file:

could not enumerate domain groups! Error:NT_STATUS_ACCESS_DENIED

What could be the reasons for this error?

Thank you,
Raphaël
Raphael,

I would guess that your NT4 domain has RestrictAnonymous set. Check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous. If that is set to 1, you need to run wbinfo --set-auth-user=administrator%administratorspw, and then restart winbindd.

-Marc

> -----Original Message-----
> From: Raphaël Berghmans [mailto:rberghmans@arafox.com]
> Sent: Monday, October 27, 2003 2:44 AM
> To: samba-technical@lists.samba.org
> Cc: samba@lists.samba.org
> Subject: winbindd - NT_STATUS_ACCESS_DENIED
>
> Hi,
>
> I've joined my new SAMBA-3 in a NT4 PDC using the administrator user.
> The winbindd daemon is started but when I try :
> wbinfo -g, I see in the log file :
> could not enumerate domain groups! Error:NT_STATUS_ACCESS_DENIED
> Which could be the reasons of this error ?
> Thank you,
> Raphaël
Andrew,

> NO, NO, NO!!!
>
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
>
> You should *never* put an administrative user into this. You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
>
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
>
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account. In AD, we use our machine account and kerberos, to
> avoid this mess.

Ok, then why not an administrative user? What problems does it cause, and why is it bad?

-Marc

> -----Original Message-----
> From: Andrew Bartlett
> Sent: Monday, October 27, 2003 2:36 PM
> To: Marc Kaplan
> Cc: 'Raphaël Berghmans'; samba-technical@lists.samba.org; samba@lists.samba.org
> Subject: RE: winbindd - NT_STATUS_ACCESS_DENIED
>
> On Tue, 2003-10-28 at 04:06, Marc Kaplan wrote:
> > Raphael,
> >
> > I would guess that your NT4 domain has RestrictAnonymous set. Check
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous.
> > If that is set to 1, you need to run wbinfo
> > --set-auth-user=administrator%administratorspw, and then restart winbindd.
>
> NO, NO, NO!!!
>
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
>
> You should *never* put an administrative user into this. You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
>
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
>
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account. In AD, we use our machine account and kerberos, to
> avoid this mess.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system.

Thanks Andrew, I'm glad I know why this is bad. Since many people don't use their Administrator account, and instead use a different user account for administration, I think it would be useful to make this a generic note in the --help and the man page for wbinfo. I would say though, that there is nothing wrong with storing their administrative user and password in a .tdb, so long as the user is aware of it.

-Marc

> -----Original Message-----
> From: Andrew Bartlett
> Sent: Monday, October 27, 2003 3:36 PM
> To: Marc Kaplan
> Cc: Andrew Bartlett; samba@lists.samba.org; samba-technical@lists.samba.org
> Subject: Re: [Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED
>
> On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> > Andrew,
> > > NO, NO, NO!!!
> > >
> > > That should be
> > > '--set-auth-user=NONadministrator%not-cared-about-password'
> > >
> > > You should *never* put an administrative user into this. You should put
> > > a user you don't care about, preferably one that you created just for
> > > the purpose.
> > >
> > > If I see this 'advice' one more time, I'll put a special, load debug
> > > watch in wbinfo on the string 'Administrator'...
> > >
> > > We only do this to get around the fact that we cannot do NTLM logins as
> > > our machine account. In AD, we use our machine account and kerberos, to
> > > avoid this mess.
> >
> > Ok, then why not an administrative user? What problems does it cause, and
> > why is it bad?
>
> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system. Firstly, because administrative passwords
> should be changed regularly, but more importantly, there is simply no
> reason to open up such a gaping security hole. It isn't hard to simply
> pull that password back out of the secrets.tdb...
>
> Winbindd only needs to be 'not anonymous', it doesn't need any powers
> beyond that.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
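An added shell example, not code from the thread or from Samba, that wraps the fix discussed above: it refuses to hand a privileged account to wbinfo --set-auth-user, checks that secrets.tdb (where the password is stored retrievably) is not group- or world-readable, and only then runs the set/restart/verify steps. The secrets.tdb path and the winbind init script name are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example (not from the thread): guard the wbinfo --set-auth-user step.
# Assumed: secrets.tdb lives at /var/lib/samba/private/secrets.tdb and
# winbindd is restarted by /etc/init.d/winbind.

# Returns 0 when the credential names an unprivileged user and carries a password.
check_auth_user() {
    cred="$1"                                        # DOMAIN\user%password or user%password
    user=$(printf '%s' "$cred" | cut -d'%' -f1)      # part before the first %
    user=$(printf '%s' "$user" | sed 's/.*\\//')     # drop a DOMAIN\ prefix
    case "$(printf '%s' "$user" | tr 'A-Z' 'a-z')" in
        administrator|admin|root|"")
            echo "refusing: '$user' is a privileged or empty account name" >&2
            return 1 ;;
    esac
    case "$cred" in
        *%?*) return 0 ;;                            # non-empty password present
        *) echo "refusing: credential carries no password" >&2; return 1 ;;
    esac
}

# Returns 0 when the file exists and is mode 600 or 400 (owner-only access).
check_secrets_perms() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode is group- or world-readable" >&2; return 1 ;;
    esac
}

# The procedure from the thread, to be run as root once the checks pass.
# The password on the command line is briefly visible to other users via ps,
# so prefer a dedicated account whose password you do not mind exposing.
apply_auth_user() {
    check_auth_user "$1" || return 1
    wbinfo --set-auth-user="$1" || return 1
    /etc/init.d/winbind restart || return 1                       # assumed init script
    check_secrets_perms /var/lib/samba/private/secrets.tdb || return 1
    wbinfo -g >/dev/null                                          # should succeed now
}
```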