[Samba] [Fwd: samba 30alpha21 + NT4/2K WS-s]

Bradley W. Langhorst brad at langhorst.com
Fri Feb 28 20:58:56 GMT 2003 

On Fri, 2003-02-28 at 13:09, john at ylenurme.ee wrote:
> [netlogon] share is like that:
> 
> [netlogon]
>    comment = Network Logon Service
>    path = /home/samba/netlogon
>    guest ok = no
>    writable = no
>    browseable = yes
>    public = yes
this is what i'm using ...
[netlogon]
        path = /etc/samba/netlogon
        write list = root
        guest ok = Yes
        nt acl support = No

do you have scriptPath set in ldap?
i don't use logon scripts so i'm not sure you need it - just an idea.

> 
> Another thing was that smbgroupedit -v showd several Domain Admins and
> Domain Users group (with different SIDs).. So i took experimental step
> and deleted some of them, leaving exactly one of every group..
> Can this be somehow connected to 1st problem?
i have one of each of these.
probably you changed your sid during your experiments...
it might be a good idea to wipe out all your tdb files and rejoin
your machines (that is if your still in testing mode)

> Also samba complained that:
> 
> get_domain_user_groups: primary gid of user [john] is not a Domain group
> ! get_domain_user_groups: You should fix it, NT doesn't like that
i get that sometimes - i just ignore it...

> Third problem is locally stored profiles. How I could make such set up
> that when user logs out from WS , then WS would copy changed profile
> back to server and delete it from WS ?
> It's question of security and hard disk space..
you can do that with a setting in gpedit.msc
don't remember which one but i think i'll be obvious.
> 
> 4)
> How could i set up client name resolution so that X client canot
> announce itself as DC/browse master etc?
> I every client resolves names via boadcast then when my DC goes down and
> someone brings up his nt/samba server he could do lotof damaga - collect
> people passwords etc...
just use wins - it reduces broadcasting significantly.
it would not be entirely trivial to just bring up a fake pdc
you'd need to know the domain SID
fake authentication of clients 
and fake up some profiles to be downloaded to the user.

I don't think the client authenticates the server with samba.
someone with more knowledge of the internals might be able to comment
more usefully on this front...

brad

-- 
Bradley W. Langhorst <brad at langhorst.com>

More information about the samba-technical mailing list