[Samba] [Fwd: samba 30alpha21 + NT4/2K WS-s]
Bradley W. Langhorst
brad at langhorst.com
Fri Feb 28 20:58:56 GMT 2003
On Fri, 2003-02-28 at 13:09, john at ylenurme.ee wrote:
> [netlogon] share is like that:
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = no
> writable = no
> browseable = yes
> public = yes
this is what i'm using ...
path = /etc/samba/netlogon
write list = root
guest ok = Yes
nt acl support = No
do you have scriptPath set in ldap?
i don't use logon scripts so i'm not sure you need it - just an idea.
> Another thing was that smbgroupedit -v showed several Domain Admins and
> Domain Users group (with different SIDs).. So i took experimental step
> and deleted some of them, leaving exactly one of every group..
> Can this be somehow connected to 1st problem?
i have one of each of these.
probably you changed your sid during your experiments...
it might be a good idea to wipe out all your tdb files and rejoin
your machines (that is if you're still in testing mode)
> Also samba complained that:
> get_domain_user_groups: primary gid of user [john] is not a Domain group
> ! get_domain_user_groups: You should fix it, NT doesn't like that
i get that sometimes - i just ignore it...
> Third problem is locally stored profiles. How I could make such set up
> that when user logs out from WS , then WS would copy changed profile
> back to server and delete it from WS ?
> It's question of security and hard disk space..
you can do that with a setting in gpedit.msc
don't remember which one but i think it'll be obvious.
> How could i set up client name resolution so that X client cannot
> announce itself as DC/browse master etc?
> If every client resolves names via broadcast then when my DC goes down and
> someone brings up his nt/samba server he could do a lot of damage - collect
> people's passwords etc...
just use wins - it reduces broadcasting significantly.
it would not be entirely trivial to just bring up a fake pdc
you'd need to know the domain SID
fake authentication of clients
and fake up some profiles to be downloaded to the user.
I don't think the client authenticates the server with samba.
someone with more knowledge of the internals might be able to comment
more usefully on this front...
Bradley W. Langhorst <brad at langhorst.com>