Rauno Tuul
2004-May-11 14:29 UTC
[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP
Hi,

I want to achieve that the IT staff could add machines (2000/XP) to samba-3 (LDAP backend) on the fly.

Creating a new machine account in LDAP requires special access to samba (uid=0).

In samba-2.2.x there was a great parameter called "domain admin group". So everyone who belonged to the specified group, and root (uid=0), could modify LDAP. Others got the message "cannot access LDAP when not root".

In samba-3 this parameter was removed (I don't get it, why?!?!). Until 3.0.2a I could pass the LDAP access check by specifying in smb.conf [global]:

admin users = @domain_admins

So for users who were in the domain_admins group, their uid was forced to 0 and they passed the LDAP check. (I wrote about it: http://lists.samba.org/archive/samba/2003-September/073997.html )

After upgrading to 3.0.4 that trick also doesn't work. So at the moment using the root account (uid=0) is the one and ONLY way to add machines to LDAP.

All this LDAP access has nothing to do with groupmap.

I created an administrator account (uid=0) (basically a fake root):

# smbldap-usershow.pl administrator
dn: uid=root,ou=Users,dc=company,dc=lan
objectClass: posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
sambaDomainName: DOMAIN
uidNumber: 0
gidNumber: 0
sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
displayName: administrator
cn: administrator
uid: administrator
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514

The specified user does not belong to any group and has got no access rights on the domain. RID -514 is "domain guest".

On the XP box I log in as local admin. No machine account exists on the PDC. On joining the domain I enter "administrator/password" and samba successfully creates a new LDAP entry and returns the error "Access denied" to the client. When entering the same "administrator/password" again (second time), XP successfully joins the domain.

When the machine is in the domain and I log into that box as DOMAIN\administrator, I get no privileged access on that box.

The entire join was done without any relevance to group mapping (the domain admins groupmap is not needed for the join in this case). In this case I have an administrator account which hasn't got any admin rights.

Why can't there be a parameter with which I could specify additional access to LDAP, like there was in 2.2.x? I discussed it earlier: http://lists.samba.org/archive/samba/2003-September/073608.html

"Because you now have something much more powerful that provides real NT Groups to your NT/200x/XP clients."

Well, where is the power, when I can't modify LDAP!?!?!

Giving each IT staff member the password of the "administrator" account is a very bad option. Basically the "administrator" account is meant to be an account of power. Restricting this isn't polite... but sharing the power with each member is also bad and could have very bad consequences.

What would be the solution?

Best regards,

Rauno Tuul
RRuegner
2004-May-12 00:08 UTC
[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP
Rauno Tuul wrote:
> Hi,
>
> I want to achieve that the IT staff could add machines (2000/XP) to samba-3
> (LDAP backend) on the fly.
>
> Creating a new machine account in LDAP requires special access to samba
> (uid=0).
>
> In samba-2.2.x there was a great parameter called "domain admin group". So
> everyone who belonged to the specified group, and root (uid=0), could modify
> LDAP.
> Others got the message "cannot access LDAP when not root".
>
> In samba-3 this parameter was removed (I don't get it, why?!?!).
> Until 3.0.2a I could pass the LDAP access check by specifying in smb.conf
> [global]:
> admin users = @domain_admins
> So for users who were in the domain_admins group, their uid was forced to 0 and
> they passed the LDAP check.
> (I wrote about it:
> http://lists.samba.org/archive/samba/2003-September/073997.html )
>
> After upgrading to 3.0.4 that trick also doesn't work.
> So at the moment using the root account (uid=0) is the one and ONLY way to add
> machines to LDAP.
>
> All this LDAP access has nothing to do with groupmap.
>
> I created an administrator account (uid=0) (basically a fake root):
> # smbldap-usershow.pl administrator
> dn: uid=root,ou=Users,dc=company,dc=lan
> objectClass: posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
> sambaDomainName: DOMAIN
> uidNumber: 0
> gidNumber: 0
> sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
> displayName: administrator
> cn: administrator
> uid: administrator
> sambaAcctFlags: [U ]
> sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514
>
> The specified user does not belong to any group and has got no access rights
> on the domain.
> RID -514 is "domain guest".
>
> On the XP box I log in as local admin. No machine account exists on the PDC.
> On joining the domain I enter "administrator/password" and samba successfully
> creates a new LDAP entry and returns the error "Access denied" to the client.
> When entering the same "administrator/password" again (second time), XP
> successfully joins the domain.
>
> When the machine is in the domain and I log into that box as
> DOMAIN\administrator, I get no privileged access on that box.
> The entire join was done without any relevance to group mapping (the domain
> admins groupmap is not needed for the join in this case).
> In this case I have an administrator account which hasn't got any admin
> rights.
>
> Why can't there be a parameter with which I could specify additional access
> to LDAP, like there was in 2.2.x?
> I discussed it earlier:
> http://lists.samba.org/archive/samba/2003-September/073608.html
> "Because you now have something much more powerful that
> provides real NT Groups to your NT/200x/XP clients."
> Well, where is the power, when I can't modify LDAP!?!?!
>
> Giving each IT staff member the password of the "administrator" account is a
> very bad option.
> Basically the "administrator" account is meant to be an account of power.
> Restricting this isn't polite... but sharing the power with each member is also
> bad and could have very bad consequences.
>
> What would be the solution?
>
> Best regards,
>
> Rauno Tuul

Hi,

you should have a group match in your LDAP for the group Domain Admins; then it will work as you want.

Regards
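As an added check (not code from this thread or from Samba), a small Python script that audits the account entry shown in the first post against a groupmap listing: it flags the uid-0 fake root, the Domain Guests primary group (RID 514), and the missing Domain Admins mapping (RID 512) that the reply points to. The `net groupmap list` line format and the sample listing are assumptions; the LDIF is the entry from the post.

```python
import re

# Well-known domain RIDs; the post itself notes that -514 is "domain guest".
RID_DOMAIN_ADMINS = 512
RID_DOMAIN_GUESTS = 514

# The account entry from the original post (smbldap-usershow.pl output).
ADMIN_LDIF = """\
dn: uid=root,ou=Users,dc=company,dc=lan
objectClass: posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
uidNumber: 0
sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
uid: administrator
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514
"""

# Constructed sample of `net groupmap list` output; the line format
# "<NT group> (<SID>) -> <unix group>" is assumed. Domain Admins is missing.
GROUPMAP_LIST = """\
Domain Users (S-1-5-21-1347305728-752463190-2852647101-513) -> users
Domain Guests (S-1-5-21-1347305728-752463190-2852647101-514) -> nobody
"""

def parse_ldif(text):
    """Return {attribute: value} for a single-entry LDIF dump."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entry[key.strip()] = value.strip()
    return entry

def rid(sid):
    """Last sub-authority of a SID: 514 for ...-514."""
    return int(sid.rsplit("-", 1)[1])

def mapped_rids(groupmap_output):
    """RIDs that currently have a unix group mapping."""
    return {rid(m.group(1)) for m in re.finditer(r"\((S-1-5-21-[\d-]+)\)", groupmap_output)}

def audit(ldif_text, groupmap_output):
    """Explain why an account like this one cannot act as a delegated domain admin."""
    entry = parse_ldif(ldif_text)
    findings = []
    if entry.get("uidNumber") == "0":
        findings.append("uidNumber 0: this is a second root, not a delegated admin")
    if rid(entry["sambaPrimaryGroupSID"]) == RID_DOMAIN_GUESTS:
        findings.append("primary group is Domain Guests (RID 514), not Domain Admins (RID 512)")
    if RID_DOMAIN_ADMINS not in mapped_rids(groupmap_output):
        findings.append("Domain Admins (RID 512) has no group mapping; add one with net groupmap")
    return findings
```

Once a Domain Admins mapping line is present in the listing, the third finding disappears; the first two describe the account itself.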