Dear Samba Friends, I've a problem to join with Windows2000-Clients a Samba-PDC. When I join the samba-pdc with a WinNT4.0-Client it is no problem, first I create a machine-account for the machine: 1. in /etc/group exists the group: machines:x:515: 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$ 3. pdbedit -a -m -u neuch205 In this way, it isn't a problem to join the PDC with WinNT4.0-Clients, only that I log in as Administrator into the Windows-machine and give in the domainname an, then the client answers, without password-asking, I should reboot and the client joined successfully. When I try to do the same, I get an asking for an password. Ok, for that I created the user "domadmin" on the Samba as a member of the "Domain Adminstrators", but this user is not accepted from the W2K-Client. I can not understand why not. Normally it should going on. Please have a look of my documentation about this: -- Heinz Allerberger Systemadministrator Zentrum Neurologie Universit?tsklinikum Frankfurt am Main Tel: 069/6301-4274 Fax: 069/6301-6842 Piepser 18-0455 -------------- next part -------------- # Samba config file # allerberger@em.uni-frankfurt.de # Date: 2004/09/03 # Global parameters [global] unix charset = ISO8859-1 workgroup = NEUROCH server string = %h server (Samba %v) preferred master = Yes domain master = Yes local master = yes os level = 33 # entspricht NT Server dns proxy = No ldap ssl = no security = user encrypt passwords = yes update encrypted = Yes obey pam restrictions = Yes passdb backend = tdbsam, guest passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . invalid users = root domain logons = Yes logon path = \\%N\profiles\%U logon drive = H: logon home = \\neuch240\%U\.winprofile logon script = logon.cmd add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u add user script = /usr/sbin/useradd "%u" delete user script = /usr/sbin/userdel "%u" add group script = /usr/local/bin/smbgrpadd.sh "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/bin/gpasswd -a "%u" "%g" delete user from group script = /usr/bin/gpasswd -d "%u" "%g" set primary group script = /usr/sbin/usermod -g "%g" "%u" syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 panic action = /usr/share/samba/panic-action %d [netlogon] path = /var/lib/samba/netlogon read only = yes browseable = no [profiles] path = /var/lib/samba/profiles read only = no create mask = 0600 directory mask = 0700 browseable = No [homes] comment = Home Directories read only = No create mask = 0755 browseable = No [shared] comment = shared Directory path = /home/shared read only = No create mask = 0777 browseable = no [printers] comment = All Printers path = /tmp create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers -------------- next part -------------- Unix username: neuch205$ NT username: Account Flags: [W ] User SID: S-1-5-21-1656000120-2433418590-619812953-4006 Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-515 Full Name: neuch205$ Home Directory: \\neuch240\neuch205_\.winprofile HomeDir Drive: H: Logon Script: logon.cmd Profile Path: \\neuch240\profiles\neuch205_ Domain: NEUROCH Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Fri, 13 Dec 1901 21:45:51 GMT Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT Password last set: Wed, 08 Sep 2004 10:26:17 GMT Password can change: Wed, 08 Sep 2004 10:26:17 GMT Password must change: Fri, 13 Dec 1901 21:45:51 GMT Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -------------- next part -------------- Unix username: domadmin NT username: Account Flags: [U ] User SID: S-1-5-21-1656000120-2433418590-619812953-2000 Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-512 Full Name: Home Directory: \\neuch240\domadmin\.winprofile HomeDir Drive: H: Logon Script: logon.cmd Profile Path: \\neuch240\profiles\domadmin Domain: NEUROCH Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Fri, 13 Dec 1901 21:45:51 GMT Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT Password last set: Fri, 03 Sep 2004 11:18:37 GMT Password can change: Fri, 03 Sep 2004 11:18:37 GMT Password must change: Fri, 13 Dec 1901 21:45:51 GMT Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
High, I found out, where the problem was: The Domain Admin user "domadmin" must have the root-policies on the /etc/passwd like this: domadmin:x:0:0: The user domadmin get the same rights as Root has, then it works properly. Then I am able to join a Windows2000-workstation with the user "domadmin". In my opinion it is not fine, because it is a security-hole, but it works. Heinz Allerberger Systemadministrator Zentrum Neurologie Universit?tsklinikum Frankfurt am Main Tel: 069/6301-4274 Fax: 069/6301-6842 Piepser 18-0455 Heinz Allerberger wrote:> Dear Samba Friends, > > I've a problem to join with Windows2000-Clients a Samba-PDC. > When I join the samba-pdc with a WinNT4.0-Client it is no problem, > first I create a machine-account for the machine: > 1. in /etc/group exists the group: machines:x:515: > 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$ > 3. pdbedit -a -m -u neuch205 > > In this way, it isn't a problem to join the PDC with WinNT4.0-Clients, > only that I log in as Administrator into the Windows-machine and give > in the domainname an, > then the client answers, without password-asking, I should reboot and > the client joined successfully. > > When I try to do the same, I get an asking for an password. Ok, for > that I created the user "domadmin" on the Samba as a member of the > "Domain Adminstrators", but this user is not accepted from the > W2K-Client. I can not understand why not. Normally it should going on. > > Please have a look of my documentation about this: > >------------------------------------------------------------------------ > ># Samba config file ># allerberger@em.uni-frankfurt.de ># Date: 2004/09/03 > ># Global parameters >[global] > unix charset = ISO8859-1 > workgroup = NEUROCH > server string = %h server (Samba %v) > > preferred master = Yes > domain master = Yes > local master = yes > os level = 33 # entspricht NT Server > > dns proxy = No > ldap ssl = no > > security = user > encrypt passwords = yes > update encrypted = Yes > obey pam restrictions = Yes > passdb backend = tdbsam, guest > passwd program = /usr/bin/passwd %u > passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . > > invalid users = root > > domain logons = Yes > logon path = \\%N\profiles\%U > logon drive = H: > logon home = \\neuch240\%U\.winprofile > logon script = logon.cmd > > add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u > add user script = /usr/sbin/useradd "%u" > delete user script = /usr/sbin/userdel "%u" > add group script = /usr/local/bin/smbgrpadd.sh "%g" > delete group script = /usr/sbin/groupdel "%g" > add user to group script = /usr/bin/gpasswd -a "%u" "%g" > delete user from group script = /usr/bin/gpasswd -d "%u" "%g" > set primary group script = /usr/sbin/usermod -g "%g" "%u" > > syslog = 0 > log file = /var/log/samba/log.%m > max log size = 1000 > > panic action = /usr/share/samba/panic-action %d > >[netlogon] > path = /var/lib/samba/netlogon > read only = yes > browseable = no > >[profiles] > path = /var/lib/samba/profiles > read only = no > create mask = 0600 > directory mask = 0700 > browseable = No > >[homes] > comment = Home Directories > read only = No > create mask = 0755 > browseable = No > >[shared] > comment = shared Directory > path = /home/shared > read only = No > create mask = 0777 > browseable = no > >[printers] > comment = All Printers > path = /tmp > create mask = 0700 > printable = Yes > browseable = No > >[print$] > comment = Printer Drivers > path = /var/lib/samba/printers > > >------------------------------------------------------------------------ > >Unix username: neuch205$ >NT username: >Account Flags: [W ] >User SID: S-1-5-21-1656000120-2433418590-619812953-4006 >Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-515 >Full Name: neuch205$ >Home Directory: \\neuch240\neuch205_\.winprofile >HomeDir Drive: H: >Logon Script: logon.cmd >Profile Path: \\neuch240\profiles\neuch205_ >Domain: NEUROCH >Account desc: >Workstations: >Munged dial: >Logon time: 0 >Logoff time: Fri, 13 Dec 1901 21:45:51 GMT >Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT >Password last set: Wed, 08 Sep 2004 10:26:17 GMT >Password can change: Wed, 08 Sep 2004 10:26:17 GMT >Password must change: Fri, 13 Dec 1901 21:45:51 GMT >Last bad password : 0 >Bad password count : 0 >Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > > > >------------------------------------------------------------------------ > >Unix username: domadmin >NT username: >Account Flags: [U ] >User SID: S-1-5-21-1656000120-2433418590-619812953-2000 >Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-512 >Full Name: >Home Directory: \\neuch240\domadmin\.winprofile >HomeDir Drive: H: >Logon Script: logon.cmd >Profile Path: \\neuch240\profiles\domadmin >Domain: NEUROCH >Account desc: >Workstations: >Munged dial: >Logon time: 0 >Logoff time: Fri, 13 Dec 1901 21:45:51 GMT >Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT >Password last set: Fri, 03 Sep 2004 11:18:37 GMT >Password can change: Fri, 03 Sep 2004 11:18:37 GMT >Password must change: Fri, 13 Dec 1901 21:45:51 GMT >Last bad password : 0 >Bad password count : 0 >Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > > >
> The Domain Admin user "domadmin" must have the root-policies on the > /etc/passwd like this: > domadmin:x:0:0:This is incorrect as you should never have users with identical uids. You should mod the entry in etc/group to add your domadmin user to the root group. This gives it root privs.> In my opinion it is not fine, because it is a security-hole,Incorrect. Only someone of root or admin privs should be able to initially join domains for if any one could, then a potential hacker to do so w/o admin/root privs and attain further domain trust by doing so. Bri-
I have a problem with password in win2k clients Samba run in a HP-UX version 11.11 I connect to a server, map the drive, and give to me to put a login and a password, but when i reboot the client machine, give me again the login and password. I would like to stop the give to me a login and a password when i reboot the client machine. smb.conf: #======================= Global Settings ====================================[global] netbios name = l1000 workgroup = micromidia server string = Samba Server log file = /var/opt/samba/log.%m max log size = 1000 security = share password server encrypt passwords = no socket options = TCP_NODELAY local master = no preserve case = yes short preserve case = no dos filetime resolution = yes read only = no syslog = 0 #============================ Share Definitions =============================[tmp] comment = teste do samba share path = /tmp browseable = yes writeable = yes
Fernando wrote:>I have a problem with password in win2k clients >Samba run in a HP-UX version 11.11 > >I connect to a server, map the drive, and give to me to put a login and a >password, >but when i reboot the client machine, give me again the login and password. > >I would like to stop the give to me a login and a password when i reboot the >client machine. > > >smb.conf: > >#======================= Global Settings >====================================>[global] > netbios name = l1000 > workgroup = micromidia > server string = Samba Server > log file = /var/opt/samba/log.%m > max log size = 1000 > security = share > password server > encrypt passwords = no > socket options = TCP_NODELAY > local master = no > preserve case = yes > short preserve case = no > dos filetime resolution = yes > read only = no > syslog = 0 > >#============================ Share Definitions >=============================>[tmp] > comment = teste do samba share > path = /tmp > browseable = yes > writeable = yes > > > >hmmmm does adding "guest ok = Yes" in the [tmp] share help at all? Christian