Hi everyone. Could anyone tell me what would be the repercussion of adding all users to "Domain Admins" in a samba environment. The reason I am asking is because we are getting a picker object error when trying to add "Domain Users" to the Local Administrator group. Domain Admin gets added ok during join. Thanks. -- Dominique
Craig White
2005-Dec-01 20:29 UTC
[Samba] Security risk to adding users to "Domain Admin" group
On Thu, 2005-12-01 at 15:10 -0500, Samba wrote:
> Hi everyone.
>
> Could anyone tell me what would be the repercussion of adding all users to "Domain Admins" in a samba environment. The
> reason I am asking is because we are getting a picker object error when trying to add "Domain Users" to the Local
> Administrator group. Domain Admin gets added ok during join.
----
file security at all levels (local files/server based files).
device security at all levels (local/server).
password security at local level

Seems to me that you should fix whatever isn't properly configured to
solve your problem instead.

from command line on samba server, what do you get when you run...

net groupmap list # ?
testparm -s # any errors?
pdbedit -Lv Administrator # ?

Craig
Craig White <craigwhite@azapple.com> on Thursday, December 1, 2005 at 3:28 PM -0500 wrote:
>On Thu, 2005-12-01 at 15:10 -0500, Samba wrote:
>> Hi everyone.
>>
>> Could anyone tell me what would be the repercussion of adding all users to "Domain Admins" in a samba environment. The
>> reason I am asking is because we are getting a picker object error when trying to add "Domain Users" to the Local
>> Administrator group. Domain Admin gets added ok during join.
>----
>file security at all levels (local files/server based files).
>device security at all levels (local/server).
>password security at local level
>
>Seems to me that you should fix whatever isn't properly configured to
>solve your problem instead.
>
>from command line on samba server, what do you get when you run...
>
>net groupmap list # ?
>testparm -s # any errors?
>pdbedit -Lv Administrator # ?
>
>Craig

Here's the output of the following commands. Samba is currently running on Mac OS X (10.4.3), Samba version 3.0.10.

You will notice that "Domain Admins" and "Domain Users" are missing a space between the names. That is due to us getting a picker error with the space on our test server, which was verified by Apple.

Thanks.
-- Dominique

--------
osx-webbwood:~ root# net groupmap list #
[2005/12/01 15:40:02, 0] /SourceCache/samba/samba-92.9/samba/source/param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: "domain admins"
[2005/12/01 15:40:02, 0] /SourceCache/samba/samba-92.9/samba/source/param/loadparm.c:lp_do_parameter(3155)
  Ignoring unknown parameter "domain admins"
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_setgrpwent(2734)
  odssam_setgrpwent: update(0)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
  odssam_getgrpwent: entriesAvailable(0) contextData(0x0)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2766)
  odssam_getgrpwent: entriesAvailable Take 2(33) contextData(0x321f50)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
  odssam_getgrpwent: entriesAvailable(33) contextData(0x321f50)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2766)
  odssam_getgrpwent: entriesAvailable Take 2(15) contextData(0x312e30)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
  odssam_getgrpwent: entriesAvailable(15) contextData(0x312e30)
[2005/12/01 15:40:03, 0] pdb_ods.c:odssam_getgrpwent(2766)
  odssam_getgrpwent: entriesAvailable Take 2(8) contextData(0x0)
[2005/12/01 15:40:03, 0] pdb_ods.c:odssam_getgrpwent(2754)
  odssam_getgrpwent: entriesAvailable(8) contextData(0x0)
Nobody (S-1-0-0) -> nobody
Domain Guests (S-1-5-21-871659489-3572045746-3147238601-514) -> nogroup
System Group (S-1-5-21-100) -> wheel
Local System (S-1-5-18) -> daemon
Kernel Memory (S-1-5-21-102) -> kmem
System (S-1-5-21-103) -> sys
Terminal (S-1-5-21-104) -> tty
System Operators (S-1-5-21-105) -> operator
SMTP Mail (S-1-5-21-106) -> mail
Binary (S-1-5-21-107) -> bin
domainadmins (S-1-5-21-871659489-3572045746-3147238601-512) -> staff
smmsp (S-1-5-21-125) -> smmsp
Print Operators (S-1-5-32-550) -> lp
SMTP Mail Access (S-1-5-21-127) -> postfix
SMTP Mail Posting (S-1-5-21-128) -> postdrop
guest (S-1-5-21-871659489-3572045746-3147238601-1063) -> guest
utmp (S-1-5-21-145) -> utmp
uucp (S-1-5-21-166) -> uucp
Dialup (S-1-5-1) -> dialer
Network Config Users (S-1-5-21-169) -> network
HTTP Users (S-1-5-21-170) -> www
MySQL Users (S-1-5-21-174) -> mysql
SSH Users (S-1-5-21-175) -> sshd
QuickTime Streaming (S-1-5-21-176) -> qtss
Mailing List (S-1-5-21-178) -> mailman
Application Server (S-1-5-21-179) -> appserverusr
Administrators (S-1-5-32-544) -> admin
App Server Admins (S-1-5-21-181) -> appserveradm
Guests (S-1-5-32-546) -> unknown
SPAM Assassin Group 2 (S-1-5-21-183) -> amavisd
appowner (S-1-5-21-871659489-3572045746-3147238601-1175) -> appowner
SPAM Assassin Group 1 (S-1-5-21-183) -> clamav
Chat Server Group (S-1-5-21-184) -> jabber
securityagent (S-1-5-21-871659489-3572045746-3147238601-1185) -> securityagent
tokend (S-1-5-21-871659489-3572045746-3147238601-1183) -> tokend
windowserver (S-1-5-21-871659489-3572045746-3147238601-1177) -> windowserver
xgridagent (S-1-5-21-871659489-3572045746-3147238601-1173) -> xgridagent
xgridcontroller (S-1-5-21-871659489-3572045746-3147238601-1171) -> xgridcontroller
Everyone (S-1-1-0) -> everyone
Authenticated Users (S-1-5-11) -> authedusers
Interactive (S-1-5-4) -> interactusers
Network (S-1-5-2) -> netusers
Terminal Server User (S-1-5-13) -> consoleusers
Creator Owner (S-1-3-0) -> owner
Creator Group (S-1-3-1) -> group
Accessibility Group (S-1-5-21-190) -> accessibility
administrator (S-1-5-21-871659489-3572045746-3147238601-2003) -> administrator
certusers (S-1-5-21-871659489-3572045746-3147238601-1059) -> certusers
admin (S-1-5-21-871659489-3572045746-3147238601-1161) -> admin
staff (S-1-5-21-871659489-3572045746-3147238601-1041) -> staff
Teachers (S-1-5-21-871659489-3572045746-3147238601-3061) -> teachers
Teacher Administrators (S-1-5-21-871659489-3572045746-3147238601-3063) -> teacheradministrators
Students (S-1-5-21-871659489-3572045746-3147238601-3065) -> students
School Administrators (S-1-5-21-871659489-3572045746-3147238601-3067) -> schooladministrators
DomainUsers (S-1-5-21-871659489-3572045746-3147238601-513) -> domainusers
DomainAdmins (S-1-5-21-871659489-3572045746-3147238601-512) -> domainadmins
osx-webbwood:~ root#

----------------
osx-webbwood:~ root# testparm -s #
Load smb config files from /private/etc/smb.conf
Unknown parameter encountered: "domain admins"
Ignoring unknown parameter "domain admins"
Processing section "[Hand_In]"
Processing section "[Hand_Out]"
Processing section "[Teacher-Homes]"
Processing section "[Work_Folder]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[Student_Files]"
Processing section "[Student-Homes]"
Processing section "[netlogon]"
Processing section "[Users]"
Processing section "[Programs]"
Processing section "[Teacher_Files]"
Processing section "[Utility]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Invalid combination of parameters for service Hand_In. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Hand_Out. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Teacher-Homes. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Work_Folder. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service homes. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service printers. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Student_Files. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Student-Homes. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Users. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Programs. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Teacher_Files. Level II oplocks can only be set if oplocks are also set.
Invalid combination of parameters for service Utility. Level II oplocks can only be set if oplocks are also set.
# Global parameters
[global]
	dos charset = CP437
	unix charset = UTF-8-MAC
	display charset = UTF-8-MAC
	workgroup = WEBBWOOD
	netbios name = WEBBWOODOSX
	server string = osx.webbwood
	auth methods = guest, opendirectory
	allow trusted domains = No
	map to guest = Bad User
	passdb backend = opendirectorysam, guest
	guest account = unknown
	log level = 2
	defer sharing violations = No
	deadtime = 5
	add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n "/LDAPv3/127.0.0.1"
	add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n "/LDAPv3/127.0.0.1"
	logon path = \\%N\profiles\%u
	logon drive = H:
	domain logons = Yes
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	lock directory = /var/db/samba
	brlm = Yes
	printer admin = @admin, @staff
	vfs objects = darwin_acls

[Hand_In]
	comment = macosx
	path = /Shared Items/Hand_In
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Hand_Out]
	comment = macosx
	path = /Shared Items/Hand_Out
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Teacher-Homes]
	comment = macosx
	path = /Volumes/Homes/Teacher-Homes
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Work_Folder]
	comment = macosx
	path = /Shared Items/Work_Folder
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[homes]
	comment = User Home Directories
	read only = No
	create mask = 0750
	browseable = No
	root preexec = /usr/sbin/inituser %U

[profiles]
	path = /Users/Profiles
	read only = No
	browseable = No
	oplocks = Yes
	strict locking = No

[printers]
	path = /tmp
	printable = Yes
	browseable = No

[Student_Files]
	comment = macosx
	path = /Shared Items/Student_Files
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Student-Homes]
	comment = macosx
	path = /Volumes/Homes/Student-Homes
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[netlogon]
	path = /etc/netlogon
	write list = @admin
	browseable = No
	oplocks = Yes
	strict locking = No

[Users]
	comment = macosx
	path = /Users
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Programs]
	comment = macosx
	path = /Shared Items/Programs
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Teacher_Files]
	comment = macosx
	path = /Shared Items/Teacher_Files
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No

[Utility]
	comment = macosx
	path = /Shared Items/Utility
	read only = No
	create mask = 0644
	guest ok = Yes
	map archive = No
osx-webbwood:~ root#

-------------------
osx-webbwood:~ root# pdbedit -Lv Administrator #
Unknown parameter encountered: "domain admins"
Ignoring unknown parameter "domain admins"
No builtin backend found, trying to load plugin
Module '/usr/lib/samba/pdb/opendirectorysam.so' loaded
Unix username:        administrator
NT username:          Administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-871659489-3572045746-3147238601-2002
Primary Group SID:    S-1-5-21-871659489-3572045746-3147238601-513
Full Name:            Administrator
Home Directory:       \\webbwoodosx\administrator
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\webbwoodosx\profiles\administrator
Domain:               WEBBWOOD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 UTC
Kickoff time:         Mon, 18 Jan 2038 22:14:07 UTC
Password last set:    0
Password can change:  0
Password must change: Mon, 18 Jan 2038 22:14:07 UTC
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
osx-webbwood:~ root#
--------
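A small audit of the `net groupmap list` output, added here as an example and not something posted in the thread: it parses mapping lines of the form `Name (SID) -> unixgroup`, flags any SID mapped to more than one Unix group (the listing above maps RID 512 to both staff and domainadmins), and flags any Unix group that receives both a privileged SID (Domain Admins RID 512, BUILTIN\Administrators S-1-5-32-544) and Domain Users (RID 513), which is what "everyone is a Domain Admin" looks like at the file-permission layer Craig describes. The SAMPLE text is constructed from lines of the listing above; the COLLAPSED variant is an assumption for illustration.

```python
import re
from collections import defaultdict

# Mapping lines as printed by `net groupmap list`:  Name (SID) -> unixgroup
MAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
# Domain SIDs: S-1-5-21-<three subauthorities>-<RID>; local OS X groups (S-1-5-21-100) do not match
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")
DOMAIN_ADMINS_RID, DOMAIN_USERS_RID = 512, 513
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed sample, modelled on the listing in the thread (log noise included on purpose)
SAMPLE = """\
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754) odssam_getgrpwent: entriesAvailable(8) contextData(0x0)
Domain Guests (S-1-5-21-871659489-3572045746-3147238601-514) -> nogroup
domainadmins (S-1-5-21-871659489-3572045746-3147238601-512) -> staff
Administrators (S-1-5-32-544) -> admin
staff (S-1-5-21-871659489-3572045746-3147238601-1041) -> staff
DomainUsers (S-1-5-21-871659489-3572045746-3147238601-513) -> domainusers
DomainAdmins (S-1-5-21-871659489-3572045746-3147238601-512) -> domainadmins
"""
# Constructed variant: Domain Users also pushed into the Unix group that holds the admin SID
COLLAPSED = SAMPLE + "DomainUsers (S-1-5-21-871659489-3572045746-3147238601-513) -> staff\n"

def parse_groupmap(text):
    """Return (name, sid, unixgroup) tuples; lines that are not mappings (log output) are skipped."""
    return [(m["name"], m["sid"], m["unix"])
            for m in (MAP_RE.match(line.strip()) for line in text.splitlines()) if m]

def domain_rid(sid):
    m = DOMAIN_SID_RE.match(sid)
    return int(m.group(1)) if m else None

def audit_groupmap(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    rows = parse_groupmap(text)
    findings = []
    by_sid = defaultdict(set)
    for _, sid, unix in rows:
        by_sid[sid].add(unix)
    # 1. One SID mapped to several Unix groups: it is ambiguous which group carries admin rights on disk
    for sid, groups in sorted(by_sid.items()):
        if len(groups) > 1:
            findings.append(f"SID {sid} mapped to multiple Unix groups: {sorted(groups)}")
    # 2. Privileged SID and Domain Users sharing a Unix group: every user is admin-equivalent
    #    for any file, device or ACL check that is evaluated against that Unix group
    priv_unix = {unix for _, sid, unix in rows
                 if domain_rid(sid) == DOMAIN_ADMINS_RID or sid == BUILTIN_ADMINISTRATORS}
    users_unix = {unix for _, sid, unix in rows if domain_rid(sid) == DOMAIN_USERS_RID}
    for g in sorted(priv_unix & users_unix):
        findings.append(f"Unix group '{g}' receives both a privileged SID and Domain Users (RID 513)")
    return findings
```

Feed it the real listing with `audit_groupmap(open("groupmap.txt").read())` after saving the command output to a file.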