I appreciate your help on this. I am still having problems. Attached are
some of the pertinent configuration files.
I can log in with any account, so the connection and password used to access the
ldap server work; I just can't join the domain. I get an error message: bad
password or unknown user. I added the username map but root administrator still
doesn't work.
# Administrator, Users, tow.net
dn: uid=Administrator,ou=Users,dc=tow,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /accounts/Administrator
sambaPwdLastSet: 1068814077
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068814077
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\whs1\profiles\
sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios Domain Administrator
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ=
smb.conf:
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = netlogon.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
# delete user script = /usr/local/sbin/smbldap-useradd.pl
# add group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
# add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
logon script = netlogon.bat
logon path = \\%N\profiles\%g
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = No
admin users = @domain_admins
# wins support = Yes
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
username map = /usr/local/samba/private/smbusers
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S
hide files = /.*/
[profiles]
path = /accounts/profiles
read only = no
create mask = 0600
directory mask = 0700
[netlogon]
comment = Netlogon share
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
write list = @domain_admins
[staff]
comment = Staff common
path = /accounts/staff
read list = @staff @techstaff
write list = @staff @techstaff
[programs]
comment = Programs
path = /accounts/programs
[adm-pgms$]
comment = Admin Programs
path = /accounts/adm_pgms
read list = @techstaff
write list = @techstaff
[images$]
comment = Ghost image files
path = /accounts/images
write list = kent
read list = @techstaff
[printers]
comment = All Printers
path = /var/spool/samba
read only = Yes
printable = Yes
browseable = No
slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
database ldbm
suffix "dc=tow,dc=net"
rootdn "cn=admin,dc=tow,dc=net"
#rootpw {SSHA}WhTBLrgNGnKeZYgS0bT6TfIL2jKBbOnr
#password-hash {crypt}
directory /usr/local/var/openldap-data/wareham
schemacheck on
lastmod on
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
#index cn,mail,surname,givenname eq,subinitial
index cn,sn,st pres,eq,sub
#access to dn=".*dc=tow,dc=net"
# by self write
# by * read
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
# by self write
# by anonymous auth
# by * none
#access to *
# by * read
output of net groupmap list:
[root@whs1 root]# net groupmap list
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
administrators (S-1-5-32-544) -> 544
users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users
guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> 546
power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547
account_operators (S-1-5-32-548) -> 548
server_operators (S-1-5-32-549) -> sys
print_operators (S-1-5-32-550) -> lp
backup_operators (S-1-5-32-551) -> bin
replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519
students (S-1-5-21-1129281578-1295143107-3311307472-2011) -> students
staff (S-1-5-21-1129281578-1295143107-3311307472-2007) -> staff
techstaff (S-1-5-21-1129281578-1295143107-3311307472-2009) -> techstaff
[root@whs1 root]#
On Fri, 2003-11-14 at 11:18, manuel.piessnegger@straumann.com wrote:
>
> Hello,
>
> first the ldap admin dn should be the same as the rootdn for the OpenLdap
> Server but must not be root.
>
> Important for joining machines into a domain is that you have already
> created a user in ldap for root (uid=0), that means posix and samba.
> After that you have to join the machine with user root and the samba
> password (not the posix password).
>
> This works when your samba server runs over the root account (root starts
> my samba daemon). If your samba server runs over a different user I think
> you have to choose this other samba admin account.
>
> Regards
>
> Manuel
>
> "Kent L. Nasveschuk" <kent@wareham.k12.ma.us>
> To: manuel.piessnegger@straumann.com
> 13.11.2003 19:07
> Subject: Re: [Samba] Join Machine to Domain
>
> I read your post today and was wondering if you were able to get your
> W2K machines to join your domain?
>
> I'm having the same problem. I can't get the machines to join the
> domain. I keep getting login failure: unknown username or bad password. My
> administrator account in LDAP is uidNumber=0 but it still fails. I know
> that the passwords work cause I can log in as administrator and see the
> home directory and other shared directories. Makes me think the
> administrative (root) account is not setup correctly between samba and
> ldap.
>
> Well, if you did get yours to work, let me know how.
>
>
> --
> Kent L. Nasveschuk <kent@wareham.k12.ma.us>
>
--
Kent L. Nasveschuk <kent@wareham.k12.ma.us>
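As an added example (not from this thread and not Samba's own code), the following Python script applies the lookup order smbd uses when a client joins a domain, the username map first and then a passdb search by the mapped Unix name, to a constructed LDIF export and smbusers file. It reports why a join authenticated as a given client name would fail before the Windows client says "unknown username or bad password": no sambaSamAccount under the name that is actually looked up, a uidNumber other than 0 (Manuel's point that the joining account must be root), no NT hash, or a disabled account. The entries, hashes and map lines are constructed for the example; the "@group" and wildcard forms of the map file are assumed not to be used and are skipped.

```python
import base64
import re

# Constructed sample data (not the poster's real files): two accounts under
# ou=Users and a username map, with dummy password hashes.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=Users,dc=tow,dc=net
uid: Administrator
uidNumber: 0
gidNumber: 0
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]
userPassword:: e1NNRDV9Zm9vYmFy

dn: uid=kent,ou=Users,dc=tow,dc=net
uid: kent
uidNumber: 1001
gidNumber: 100
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaNTPassword: 11111111111111111111111111111111
sambaAcctFlags: [U          ]
"""

SAMPLE_SMBUSERS = """\
# unix name = windows names (the format of Samba's 'username map' file)
root = Administrator admin
nobody = guest pcguest smbguest
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each mapping lower-cased attribute
    names to lists of values. Handles 'attr:: base64value' and folded lines
    (a line beginning with one space continues the previous line)."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def map_username(smbusers_text, client_name):
    """Apply 'username map' rules: each line is 'unixname = name1 name2 ...';
    the first line whose right-hand side lists the client-supplied name wins
    and yields the Unix name (case-insensitive, as Samba compares them). A
    leading '!' only stops further matching, which a first-match loop already
    does. '@group' entries would need NSS and are skipped (assumption: the
    map uses plain names only). An unmapped name is returned unchanged."""
    for raw in smbusers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        unix_name, _, win_names = line.partition("=")
        unix_name = unix_name.strip().lstrip("!")
        for name in win_names.split():
            if not name.startswith("@") and name.lower() == client_name.lower():
                return unix_name
    return client_name


def join_account_problems(entries, smbusers_text, client_name):
    """Return the reasons a domain join authenticated as client_name would be
    refused, in smbd's order: map the name, then look the mapped Unix name
    up in the passdb (here: the entries carrying sambaSamAccount). An empty
    list means the account looks usable for the join."""
    unix_name = map_username(smbusers_text, client_name)
    account = None
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        uids = [u.lower() for u in entry.get("uid", [])]
        if "sambasamaccount" in classes and unix_name.lower() in uids:
            account = entry
            break
    if account is None:
        via = "" if unix_name == client_name else (
            " (client name %r mapped to it by the username map)" % client_name)
        return ["no sambaSamAccount with uid=%s%s" % (unix_name, via)]
    problems = []
    uid_number = account.get("uidnumber", ["<missing>"])[0]
    if uid_number != "0":
        problems.append("uidNumber is %s, not 0: Samba 3.0 without privilege "
                        "support only lets root add machine accounts" % uid_number)
    if "posixaccount" not in {c.lower() for c in account.get("objectclass", [])}:
        problems.append("entry lacks posixAccount, so NSS cannot resolve it")
    if not account.get("sambantpassword"):
        problems.append("no sambaNTPassword: the join authenticates against the "
                        "Samba (NT) hash, not userPassword")
    flags = account.get("sambaacctflags", ["[]"])[0]
    if "D" in flags:
        problems.append("sambaAcctFlags %s marks the account disabled" % flags)
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for map_text, name in [("", "Administrator"),
                           (SAMPLE_SMBUSERS, "Administrator"),
                           ("", "kent")]:
        found = join_account_problems(entries, map_text, name)
        print(name, "with" if map_text else "without", "map:", found or "ok")
```

The point the script makes concrete: with a map line such as `root = Administrator`, the name typed at the Windows client is replaced by `root` before the passdb is consulted, so a `uid=Administrator` entry with uidNumber 0 is never looked at. Either the map entry has to go so the lookup hits `uid=Administrator`, or a `uid=root` sambaSamAccount (posix and samba attributes, NT hash set) has to exist under the user suffix; run the same checks against a real `ldapsearch -LLL` export and your smbusers file before joining.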