Dear Samba Friends,

I have a problem joining a Samba PDC with Windows 2000 clients.
When I join the Samba PDC with a Windows NT 4.0 client it is no problem; first I create a machine account for the machine:
1. in /etc/group exists the group: machines:x:515:
2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
3. pdbedit -a -m -u neuch205

In this way it is no problem to join the PDC with Windows NT 4.0 clients: I only log in as Administrator on the Windows machine and enter the domain name, then the client answers, without asking for a password, that I should reboot, and the client has joined successfully.

When I try to do the same, I am asked for a password. OK, for that I created the user "domadmin" on the Samba server as a member of the "Domain Administrators", but this user is not accepted by the W2K client. I cannot understand why not. Normally it should work.

Please have a look at my documentation about this:

--
Heinz Allerberger
Systemadministrator
Zentrum Neurologie
Universitätsklinikum Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Piepser 18-0455

-------------- next part --------------
# Samba config file
# allerberger@em.uni-frankfurt.de
# Date: 2004/09/03

# Global parameters
[global]
        unix charset = ISO8859-1
        workgroup = NEUROCH
        server string = %h server (Samba %v)

        preferred master = Yes
        domain master = Yes
        local master = yes
        os level = 33   # corresponds to NT Server

        dns proxy = No
        ldap ssl = no

        security = user
        encrypt passwords = yes
        update encrypted = Yes
        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

        invalid users = root

        domain logons = Yes
        logon path = \\%N\profiles\%U
        logon drive = H:
        logon home = \\neuch240\%U\.winprofile
        logon script = logon.cmd

        add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
        add user script = /usr/sbin/useradd "%u"
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/local/bin/smbgrpadd.sh "%g"
        delete group script = /usr/sbin/groupdel "%g"
        add user to group script = /usr/bin/gpasswd -a "%u" "%g"
        delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
        set primary group script = /usr/sbin/usermod -g "%g" "%u"

        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000

        panic action = /usr/share/samba/panic-action %d

[netlogon]
        path = /var/lib/samba/netlogon
        read only = yes
        browseable = no

[profiles]
        path = /var/lib/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No

[homes]
        comment = Home Directories
        read only = No
        create mask = 0755
        browseable = No

[shared]
        comment = shared Directory
        path = /home/shared
        read only = No
        create mask = 0777
        browseable = no

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

-------------- next part --------------
Unix username:        neuch205$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-4006
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-515
Full Name:            neuch205$
Home Directory:       \\neuch240\neuch205_\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\neuch205_
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Wed, 08 Sep 2004 10:26:17 GMT
Password can change:  Wed, 08 Sep 2004 10:26:17 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-------------- next part --------------
Unix username:        domadmin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-2000
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
Full Name:
Home Directory:       \\neuch240\domadmin\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\domadmin
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Fri, 03 Sep 2004 11:18:37 GMT
Password can change:  Fri, 03 Sep 2004 11:18:37 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hi,

I found out where the problem was: the Domain Admin user "domadmin" must have the root policies in /etc/passwd, like this:

domadmin:x:0:0:

The user domadmin gets the same rights as root has; then it works properly. Then I am able to join a Windows 2000 workstation with the user "domadmin".
In my opinion it is not fine, because it is a security hole, but it works.

Heinz Allerberger
Systemadministrator
Zentrum Neurologie
Universitätsklinikum Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Piepser 18-0455

Heinz Allerberger wrote:
> Dear Samba Friends,
>
> I've a problem to join with Windows2000-Clients a Samba-PDC.
> When I join the samba-pdc with a WinNT4.0-Client it is no problem,
> first I create a machine-account for the machine:
> 1. in /etc/group exists the group: machines:x:515:
> 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
> 3. pdbedit -a -m -u neuch205
> [...]
> The Domain Admin user "domadmin" must have the root-policies on the
> /etc/passwd like this:
> domadmin:x:0:0:

This is incorrect, as you should never have users with identical uids. You should modify the entry in /etc/group to add your domadmin user to the root group. This gives it root privs.

> In my opinion it is not fine, because it is a security-hole,

Incorrect. Only someone with root or admin privs should be able to initially join domains, for if anyone could, then a potential hacker could do so w/o admin/root privs and attain further domain trust by doing so.

Bri-
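The objection raised above, a second account sharing uid 0, is easy to audit for. This is an added example, not from the thread: a POSIX shell check over a constructed passwd file that mirrors the "domadmin:x:0:0:" workaround and flags any account that shares a uid with another.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file for the
# "second root" pattern and for any uid shared by more than one account.

# Constructed sample passwd file; the domadmin line is the thread's workaround.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
domadmin:x:0:0::/home/domadmin:/bin/false
neuch205$:x:1005:515:nickname:/dev/null:/bin/false
heinz:x:1001:100:Heinz:/home/heinz:/bin/bash
EOF

# Print every account with uid 0 that is not named root (one per line).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "uid name1 name2 ..." for every uid that more than one account uses.
shared_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u names[u] }' "$1" | sort -n
}

# Verdict for the whole file: exit status 0 = clean, 1 = findings printed.
audit_passwd() {
    rc=0
    extra=$(extra_uid0_accounts "$1")
    if [ -n "$extra" ]; then
        echo "uid 0 is shared with: $(echo "$extra" | tr '\n' ' ')"
        rc=1
    fi
    dups=$(shared_uids "$1")
    if [ -n "$dups" ]; then
        echo "duplicate uids (uid followed by account names):"
        echo "$dups"
        rc=1
    fi
    return $rc
}

# Wrapped in "if" so a finding does not abort the script under "set -e".
if audit_passwd "$SAMPLE_PASSWD"; then
    echo "passwd file is clean"
else
    echo "passwd file needs attention"
fi
```

Run it against the real file with `audit_passwd /etc/passwd`; any output means two accounts resolve to the same identity on the filesystem and in every permission check.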
I have a problem with passwords on Win2k clients.
Samba runs on HP-UX version 11.11.

I connect to a server, map the drive, and it asks me to enter a login and a password, but when I reboot the client machine it asks me for the login and password again.

I would like to stop it asking me for a login and a password when I reboot the client machine.

smb.conf:

#======================= Global Settings =====================================
[global]
   netbios name = l1000
   workgroup = micromidia
   server string = Samba Server
   log file = /var/opt/samba/log.%m
   max log size = 1000
   security = share
   password server
   encrypt passwords = no
   socket options = TCP_NODELAY
   local master = no
   preserve case = yes
   short preserve case = no
   dos filetime resolution = yes
   read only = no
   syslog = 0

#============================ Share Definitions ==============================
[tmp]
   comment = teste do samba share
   path = /tmp
   browseable = yes
   writeable = yes
Fernando wrote:
> I have a problem with password in win2k clients
> Samba run in a HP-UX version 11.11
>
> I connect to a server, map the drive, and give to me to put a login and a
> password,
> but when i reboot the client machine, give me again the login and password.
> [...]
>    security = share
>    password server
>    encrypt passwords = no
> [...]
> [tmp]
>    comment = teste do samba share
>    path = /tmp
>    browseable = yes
>    writeable = yes

hmmmm, does adding "guest ok = Yes" in the [tmp] share help at all?

Christian