karel.de.macil at free.fr
2020-Oct-01 19:47 UTC
[Samba] Failed auth attempt i don't understand.
On 01/10/2020 20:46, Rowland penny via samba wrote:
> On 01/10/2020 19:06, karel.de.macil at free.fr wrote:
>> On 01/10/2020 19:27, Rowland penny via samba wrote:
>>>
>>> Is this on a DC or a Unix domain member ?
>>
>> this is a remote desktop attempt on a computer who is in the domain
>> managed by the DC from which i get the log
> I actually meant where the log came from.

The log comes from the samba 4 DC of the domain.

>>
>>> Why are you using Administrator on Unix ?
>>
>> This is the default administrator account in samba4 but the behavior
>> is the same with any account.
>
> No, it is the default administrator in AD and as such, shouldn't be
> used as a normal user. Another question is, do you use the
> winbind 'ad' backend anywhere in your network and have you added a
> uidNumber to Administrator ?

for winbind, i'm not sure if i'm using it..

for the administrator and his uidNumber :
and ldbsearch -H /root/sambackup/private/sam.ldb CN=administrator | grep uidNumber
--> uidNumber: 10001

>
>
>>
>>> Might help if we see your smb.conf
>>
>> [global]
>>         netbios name = DC-TEST
>>         realm = LOCAL.MYDOMAIN
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>         workgroup = IETR
>>         idmap_ldb:use rfc2307 = yes
>>         dns forwarder = 129.20.128.39
>>         allow dns updates = nonsecure
>>         dns update command=/usr/sbin/samba_dnsupdate --use-samba-tool
>>         restrict anonymous = 2
>>         printcap name = /dev/null
>>         load printers = no
>>         disable spoolss = yes
>>         printing = bsd
>>         log level = 6
>>         #auth_audit:10@/var/log/samba/log.auth_audit
>>         disable netbios = yes
>>         smb ports = 445
>> [netlogon]
>>         path = /var/lib/samba/sysvol/local.mydomain/scripts
>>         read only = No
>>         vfs objects = full_audit
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>         vfs objects = full_audit
>
> By setting 'vfs objects = full_audit', you have turned off the default
> vfs objects, if you are going to set a vfs object on a DC, set it like
> this: vfs objects = dfs_samba4 acl_xattr full_audit
>
> Rowland

ok i'm gonna try to change the conf file accordingly.
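
The `vfs objects` advice in the message above, as an added example that is not part of the original thread: a small Python check that parses an smb.conf and reports sections on an AD DC whose explicit `vfs objects` line omits `dfs_samba4` or `acl_xattr`. The sample config is constructed from the one quoted in the thread, and the function names are hypothetical.

```python
# Added example: flag shares on a Samba AD DC whose explicit "vfs objects"
# line omits the modules named in the thread (dfs_samba4, acl_xattr).
REQUIRED_ON_DC = ("dfs_samba4", "acl_xattr")
DC_ROLE = "active directory domain controller"  # value used in the thread

# Constructed sample from the thread's smb.conf; [sysvol] shown corrected.
SAMPLE_CONF = """\
[global]
        server role = active directory domain controller
        #auth_audit:10@/var/log/samba/log.auth_audit
[netlogon]
        path = /var/lib/samba/sysvol/local.mydomain/scripts
        vfs objects = full_audit
[sysvol]
        path = /var/lib/samba/sysvol
        vfs objects = dfs_samba4 acl_xattr full_audit
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased, space-normalized keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def missing_dc_vfs_modules(text):
    """Map section name -> required modules absent from its vfs objects line."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("server role", "").lower() != DC_ROLE:
        return {}  # the advice in the thread applies to a DC only
    findings = {}
    for name, params in conf.items():
        if "vfs objects" in params:  # no line at all: defaults stay in effect
            modules = params["vfs objects"].replace(",", " ").split()
            missing = [m for m in REQUIRED_ON_DC if m not in modules]
            if missing:
                findings[name] = missing
    return findings

if __name__ == "__main__":
    for share, missing in missing_dc_vfs_modules(SAMPLE_CONF).items():
        print(f"[{share}] vfs objects is missing: {' '.join(missing)}")
```
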
On 01/10/2020 20:47, karel.de.macil at free.fr wrote:
> On 01/10/2020 20:46, Rowland penny via samba wrote:
>> On 01/10/2020 19:06, karel.de.macil at free.fr wrote:
>>> On 01/10/2020 19:27, Rowland penny via samba wrote:
>>>>
>>>> Is this on a DC or a Unix domain member ?
>>>
>>> this is a remote desktop attempt on a computer who is in the domain
>>> managed by the DC from which i get the log
>> I actually meant where the log came from.
> The log comes from the samba 4 DC of the domain.
>
>>>
>>>> Why are you using Administrator on Unix ?
>>>
>>> This is the default administrator account in samba4 but the behavior
>>> is the same with any account.
>>
>> No, it is the default administrator in AD and as such, shouldn't be
>> used as a normal user. Another question is, do you use the
>> winbind 'ad' backend anywhere in your network and have you added a
>> uidNumber to Administrator ?
>
> for winbind, i'm not sure if i'm using it..
>
> for the administrator and his uidNumber :
> and ldbsearch -H /root/sambackup/private/sam.ldb CN=administrator |
> grep uidNumber
> --> uidNumber: 10001
>

By doing that, you have turned Administrator into a normal Unix user, when it is supposed to be mapped to 'root'. I suggest you remove the uidNumber from Administrator.

Also, if you are not using the winbind 'ad' backend, why have you added a uidNumber attribute to anything ?

Rowland

karel.de.macil at free.fr
2020-Oct-01 20:00 UTC
[Samba] Failed auth attempt i don't understand.
On 01/10/2020 21:55, Rowland penny via samba wrote:
> On 01/10/2020 20:47, karel.de.macil at free.fr wrote:
>> On 01/10/2020 20:46, Rowland penny via samba wrote:
>>> On 01/10/2020 19:06, karel.de.macil at free.fr wrote:
>>>> On 01/10/2020 19:27, Rowland penny via samba wrote:
>>>>>
>>>>> Is this on a DC or a Unix domain member ?
>>>>
>>>> this is a remote desktop attempt on a computer who is in the domain
>>>> managed by the DC from which i get the log
>>> I actually meant where the log came from.
>> The log comes from the samba 4 DC of the domain.
>>
>>>>
>>>>> Why are you using Administrator on Unix ?
>>>>
>>>> This is the default administrator account in samba4 but the behavior
>>>> is the same with any account.
>>>
>>> No, it is the default administrator in AD and as such, shouldn't be
>>> used as a normal user. Another question is, do you use the
>>> winbind 'ad' backend anywhere in your network and have you added a
>>> uidNumber to Administrator ?
>>
>> for winbind, i'm not sure if i'm using it..
>>
>> for the administrator and his uidNumber :
>> and ldbsearch -H /root/sambackup/private/sam.ldb CN=administrator |
>> grep uidNumber
>> --> uidNumber: 10001
>>
> By doing that, you have turned Administrator into a normal Unix user,
> when it is supposed to be mapped to 'root'. I suggest you remove the
> uidNumber from Administrator.

I can do that

> Also, if you are not using the winbind 'ad' backend, why have you
> added a uidNumber attribute to anything ?

If the goal of winbind is to map windows user to unix user so i suppose i use it cause this happened on some of my servers. I will check.

> Rowland