David Mathog
2010-Aug-17 20:33 UTC
[Samba] enable client to join domain with no or any password?
I am trying to automate W7 joining to our Samba domain. It works fine through the Windows GUI from the W7 workstations. However, for a script one would have to store the password used for domain access, and since that is the server's root password, I really don't want to hard code that into a file.

Is there a way to set (temporarily) a Samba server so that it will accept (admin/anything) as valid credentials for joining a domain, where "anything" is any string, not just the password? That is, something like this:

server: set client_machine accept_only_password (THIS IS THE DEFAULT)

client: (powershell)
$myCred = New-Object System.Management.Automation.PSCredential \
    admin,a_string_which_is_NOT_the_password
Add-Computer SAMBA_domain -cred $myCred
(FAILURE, wrong password)

server: set client_machine accept_any_password

client: (powershell)
Add-Computer SAMBA_domain -cred $myCred
(SUCCESS, wrong password, does not matter)

server: set client_machine accept_only_password (CLOSE THE HOLE)

That way the password would never be stored on the client. It should be safe enough since the security hole is only opened for a single machine, and then only for a limited time.

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
Jean-Jacques Moulis
2010-Aug-17 21:51 UTC
[Samba] enable client to join domain with no or any password?
On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu> wrote:

DM> I am trying to automate W7 joining to our Samba domain. It works fine
DM> through the Windows GUI from the W7 workstations. However, for a script
DM> one would have to store password used for domain access, and since that
DM> is the server's root password, I really don't want to hard code that
DM> into a file.

Grant the right to put a machine in the domain to a special user with no other privileges on the PDC or on the clients. It doesn't need to be able to log in on the PDC or the clients; the storage of the password of such an account is a lesser problem.

SeMachineAccountPrivilege
This right controls whether or not the user can join client machines to a Samba-controlled domain.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

--
Jean-Jacques Moulis            Tel: (013) 281684
ISY                            Fax: (013) 139282
Linköping University           E-mail: jj at isy.liu.se
581 83 Linköping
David Mathog
2010-Aug-17 21:52 UTC
[Samba] enable client to join domain with no or any password?
It looks like I am getting a little ahead of myself. While it is possible to join/leave a domain from W7 clients via start -> control panel -> system, so far I have not been able to do it from powershell (as administrator). For instance

remove-computer -cred root

prompts for the password; type it in, and it (eventually) says:

... the specified domain does not exist or cannot be contacted.

Similar problems for add-computer. Anybody have this working with powershell?

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
David Mathog
2010-Aug-18 21:58 UTC
[Samba] enable client to join domain with no or any password?
> It looks like I am getting a little ahead of myself.

Make that WAY ahead of myself. I _really_ do not understand the transaction between the client and the server when it joins or removes itself from a domain. I monitored this with log level set to 31 and wireshark running with "host (server address)". Then tried to remove a client from the domain, first with powershell's "remove-computer" and then with start -> control panel -> system and change the name.

(on client)
powershell
remove-computer -cred root
(enter password)
(enter Y)

triggers on server, with logging at 31:

[2010/08/18 14:04:38, 5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/08/18 14:04:38, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1283(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): search by name: root

(runs through a zillion users like this one)

[2010/08/18 14:04:38, 5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user auser, uid 2288

(until it gets to this)

[2010/08/18 14:04:38, 5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user root, uid 0
[2010/08/18 14:04:38, 7] passdb/pdb_smbpasswd.c:346(endsmbfilepwent)
  endsmbfilepwent_internal: closed password file.
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1305(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): found by name: root
[2010/08/18 14:04:38, 5] lib/username.c:133(Get_Pwnam_alloc)
  Finding user root
[2010/08/18 14:04:38, 5] lib/username.c:77(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is root
[2010/08/18 14:04:38, 5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:607(pdb_set_username)
  pdb_set_username: setting username root, was
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 12 -> now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:676(pdb_set_fullname)
  pdb_set_full_name: setting full name root, was
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 13 -> now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:630(pdb_set_domain)
  pdb_set_domain: setting domain SAF, was
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 14 -> now DEFAULT
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 20 -> now DEFAULT
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:722(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path \\safserver\profiles\root\UNKNOWN, was

(it is trying to do a normal login, but this isn't a normal account, in particular it does NOT have a home directory or an existing profile)

Meanwhile wireshark on the client shows

5 12:05:15.585593000 131.215.12.46 131.215.12.42 SMB_NETLOGON SAM LOGON request from client
6 12:05:15.586523000 131.215.12.42 131.215.12.46 SMB_NETLOGON SAM Response - user unknown
7 12:05:15.685100000 131.215.12.46 131.215.12.42 SMB_NETLOGON Query for PDC from SAF04
8 12:05:15.685790000 131.215.12.42 131.215.12.46 SMB_NETLOGON Response from PDC: host SAFSERVER, domain SAF

(this disconnect fails)

(On client use start -> control panel -> SYSTEM to change SAF (Domain) -> NOTSAF (workgroup)

Wireshark shows the same 4 records as above, of course with a different time stamp, but BEFORE the client prompts for an account to use. Enter the account info (root/password for root in smbpasswd) and hit return and nothing new shows up in wireshark! Huh???? How can the client remove itself from the server without telling the server? Perhaps that actually happens at the mandatory reboot, where, inconveniently, wireshark is not running on the client.)

FINALLY, just to make life really strange, this machine has no default suffix (""). That isn't the strange part; there is a SearchList registry entry ("bio.caltech.edu,caltech.edu") and since the machine answers to both machine.bio.caltech.edu and machine.caltech.edu everything works fine. When the machine is added back to the Samba domain with start -> control panel -> system, W7 pops up an error message about the default suffix, and changes the suffix to the domain name at the mandatory reboot. Yes, it was told NOT to do this (under more options). This is a problem as the Domain name is not a proper DNS suffix, so that screws up the network. It can be set back to "" from a command prompt with:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d "" /f

but at the next boot the value is once again filled in with the Samba domain. In a command prompt

ping thismachine

(shows thismachine.SAF) but

ping anothermachine

(shows anothermachine.bio.caltech.edu)

W7 seems hell bent on filling in the Primary DNS Suffix with the controller's domain. WHY?

Can somebody please shed some light on (any of) this?

Thank you,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
David Mathog
2010-Aug-30 17:50 UTC
[Samba] enable client to join domain with no or any password?
Jean-Jacques Moulis wrote:
> On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu> wrote:
>
> DM> I am trying to automate W7 joining to our Samba domain. It works fine
> DM> through the Windows GUI from the W7 workstations. However, for a script
> DM> one would have to store password used for domain access, and since that
> DM> is the server's root password, I really don't want to hard code that
> DM> into a file.
>
> Grant the right to put a machine in the domain to a special user with
> no other privileges on the PDC or on the clients.

That worked as you said for the server side. The /etc/passwd entry ends in /sbin/nologin, and as far as I can tell, that locks it out from both su and ssh. Thanks.

This is a cloning application, trying it without sysprep. It turns out that to do this one must:

#the first two, below, can be done on the master manually
unjoin (using the Samba server account listed above)
reboot
#after cloning...
change the computer name (using a local account)
reboot
(re)join (using the samba server account listed above)
reboot

The first and third actions are now "safe" in that even though the password is exposed, the only thing that account can do is join/unjoin a domain. However, for the local computer name change, as far as I can tell that must be an Administrator account, so it isn't very safe to write it into a file. The only other way I can see to get around that is to do some sort of binary hack in linux to overwrite the machine name in the registry. Presumably if one hits every single copy that will do the same thing as the "change computer name" operation in the System control panel, or the equivalent Powershell:

$CI = Get-WmiObject Win32_ComputerSystem -Authentication 6
$CI.Rename("Newname","<admin password>","<admin account>")

where the admin password/account are the local ones, not the domain ones. Hmm.

I suppose on the master one could create a local admin account, use those credentials to change the machine name and then in the join script delete that admin account. Not very elegant...

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
David Mathog
2010-Sep-02 22:27 UTC
[Samba] enable client to join domain with no or any password?
David Mathog wrote:
> Jean-Jacques Moulis wrote:
> > On Tue, 17 Aug 2010 13:33:25 -0700 David Mathog <mathog at caltech.edu> wrote:
> >
> > DM> I am trying to automate W7 joining to our Samba domain. It works fine
> > DM> through the Windows GUI from the W7 workstations. However, for a script
> > DM> one would have to store password used for domain access, and since that
> > DM> is the server's root password, I really don't want to hard code that
> > DM> into a file.
> >
> > Grant the right to put a machine in the domain to a special user with
> > no other privileges on the PDC or on the clients.
>
> That worked as you said for the server side. The /etc/passwd entry ends
> in /sbin/nologin, and as far as I can tell, that locks it out from both
> su and ssh.

I spoke too soon. This special account works fine for the UnjoinDomainOrWorkgroup method. However, it fails every single time for the JoinDomainOrWorkgroup method, in every case resulting in a 1326 status. It didn't matter if the machine account existed, existed and was unchanged (unjoin, reboot, join), or didn't exist. All of the same JoinDomainOrWorkgroup operations succeed if I use root with the password for root that is in smbpasswd.

Details about the special account:

% net rpc rights list sjacct
Enter root's password:
SeMachineAccountPrivilege
% grep sjacct /etc/passwd
sjacct:x:82:13:SMB JOIN account:/var/empty:/sbin/nologin
% grep 13 /etc/group
news:x:13:

This is as buttoned down security wise on the linux side as I could make it. Seems like samba really needs this account to do something on the server, and it cannot.

Samba is 3.4.7-0.2mdv2008.1

Any suggestions?

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
David Mathog
2010-Sep-02 23:25 UTC
[Samba] enable client to join domain with no or any password?
More information. For the restricted access "sjacct" of the preceding post, it WILL join/unjoin correctly using the System control panel (this is on XP). It just doesn't join using those credentials in Powershell. Here are the two commands:

$CI=Get-WmiObject win32_ComputerSystem -Authentication 6
$CI.JoinDomainOrWorkgroup("SAF","<password>","sjacct","",35)

The second always comes back with 1326. It does so if the last parameter is 1, 3, 33, or 35 and if the third is "sjacct" or "SAF\sjacct". But it will unjoin from within powershell, as this works:

$CI.UnjoinDomainOrWorkgroup("<password>","sjacct")

Conversely both Unjoin and JoinDomainOrWorkgroup work correctly for user "root". Very frustrating!

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
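The unjoin / rename / join sequence from the 2010-Aug-30 post and the Win32_ComputerSystem method calls from this post, put together as one script. This is an added example written for this page, not code from the thread or from the Samba project, and it does not resolve the 1326 result the poster sees for sjacct; it only makes the return code explicit. Two things are worth knowing that the thread leaves implicit: 1326 is ERROR_LOGON_FAILURE (the DC rejected the user name/password pair), and the FJoinOptions value 35 the poster tried is the documented NetJoinDomain bits NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2) + NETSETUP_DOMAIN_JOIN_IF_JOINED (32). The script addresses the original worry about hard-coding passwords by keeping them in DPAPI-protected files produced by Export-Clixml rather than in the script. Assumptions (all hypothetical): domain SAF, a join account SAF\sjacct that holds only SeMachineAccountPrivilege on the Samba PDC, a local administrator account used solely for the rename, and the file paths under C:\deploy.

```powershell
# Added example (not from the thread). Drives the unjoin / rename / join
# phases of the cloning procedure from PowerShell with no password in the
# script. Assumptions (hypothetical): domain SAF; join account SAF\sjacct
# holding only SeMachineAccountPrivilege on the Samba PDC (granted there
# with: net rpc rights grant 'SAF\sjacct' SeMachineAccountPrivilege);
# a local administrator account used only for the rename; paths below.
#
# One-time setup, run as the Windows user that will later run this script:
#   Get-Credential SAF\sjacct  | Export-Clixml C:\deploy\join.cred.xml
#   Get-Credential localadmin  | Export-Clixml C:\deploy\local.cred.xml
# Export-Clixml stores the password as a DPAPI-protected SecureString, so
# the file decrypts only under the same Windows user on the same machine.

param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('unjoin','rename','join')]
    [string]$Phase,
    [string]$NewName            # only used in the 'rename' phase
)

$Domain    = 'SAF'
$JoinCred  = 'C:\deploy\join.cred.xml'
$LocalCred = 'C:\deploy\local.cred.xml'

# NetJoinDomain option bits (documented Win32 values; the thread's 35 = 1+2+32)
$NETSETUP_JOIN_DOMAIN           = 0x01   # join a domain rather than a workgroup
$NETSETUP_ACCT_CREATE           = 0x02   # create the machine account on the DC
$NETSETUP_DOMAIN_JOIN_IF_JOINED = 0x20   # allow the join even if already joined

function Get-ComputerSystem {
    # PacketPrivacy (numeric 6, as used in the thread) encrypts the DCOM call,
    # so the password handed to the WMI method is not sent in clear text.
    Get-WmiObject -Class Win32_ComputerSystem -Authentication PacketPrivacy
}

function Get-PlainPassword([System.Management.Automation.PSCredential]$Cred) {
    # The WMI methods take a plain string; decrypt only at the moment of use.
    return $Cred.GetNetworkCredential().Password
}

function Invoke-Unjoin {
    $cred = Import-Clixml $JoinCred
    $cs   = Get-ComputerSystem
    # UnjoinDomainOrWorkgroup(Password, UserName, FUnjoinOptions); 0 keeps
    # the machine account on the DC (4 = NETSETUP_ACCT_DELETE would remove it)
    $r = $cs.UnjoinDomainOrWorkgroup((Get-PlainPassword $cred), $cred.UserName, 0)
    if ($r.ReturnValue -ne 0) { throw "Unjoin failed, return value $($r.ReturnValue)" }
}

function Invoke-Rename {
    if (-not $NewName) { throw "-NewName is required for the rename phase" }
    $cred = Import-Clixml $LocalCred
    $cs   = Get-ComputerSystem
    # Rename(Name, Password, UserName): a local admin, so no domain prefix
    $r = $cs.Rename($NewName, (Get-PlainPassword $cred), $cred.UserName)
    if ($r.ReturnValue -ne 0) { throw "Rename failed, return value $($r.ReturnValue)" }
}

function Invoke-Join {
    $cred  = Import-Clixml $JoinCred
    $cs    = Get-ComputerSystem
    $flags = $NETSETUP_JOIN_DOMAIN -bor $NETSETUP_ACCT_CREATE
    # JoinDomainOrWorkgroup(Name, Password, UserName, AccountOU, FJoinOptions)
    $r = $cs.JoinDomainOrWorkgroup($Domain, (Get-PlainPassword $cred),
                                   $cred.UserName, $null, $flags)
    switch ($r.ReturnValue) {
        0       { return }
        # 1326 is ERROR_LOGON_FAILURE: the DC rejected the user name/password.
        1326    { throw "Join failed: 1326 (ERROR_LOGON_FAILURE) for $($cred.UserName)" }
        default { throw "Join failed, return value $($r.ReturnValue)" }
    }
}

switch ($Phase) {
    'unjoin' { Invoke-Unjoin }
    'rename' { Invoke-Rename }
    'join'   { Invoke-Join }
}

# Each phase needs the reboot the thread describes before the next one runs.
Restart-Computer -Force
```

Run it as `.\clone-join.ps1 -Phase unjoin` on the master, then `-Phase rename -NewName SAF05` and `-Phase join` on each clone (names are illustrative). Two caveats. The Clixml files are bound to the user profile and machine that created them, so they must be created by the account that runs the script on the clone; whether a sysprep-less clone keeps the profile in a state where DPAPI can still decrypt them is an assumption here, not something the thread establishes. And bounding the exposure, not eliminating it, is the whole point of Jean-Jacques's suggestion: if join.cred.xml is recovered, the attacker gets an account that can only join or unjoin machines, not root on the PDC, whereas local.cred.xml still carries a local administrator password, which is exactly the residual problem the 2010-Aug-30 post identifies.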