Is there a simple way to find out if the DC has restrict-anonymous set?

Gerald (Jerry) Carter jerry at samba.org
Thu Jun 26 04:20:11 GMT 2003



On Sat, 21 Jun 2003, Richard Sharpe wrote:

> Hi,
> 
> In our environment, which is a NAS, we would like to be able to inform the 
> administrators that they need to create/supply an account for winbindd to 
> do its magic. This might also be needed if they are connecting our NAS to 
> a native-mode AD domain.
> 
> Is there something simple that we can do with wbinfo to determine this? 
> Since we have already asked them for an account that has privilege to join 
> the domain, perhaps we should try to get back the pwnam entry for that 
> account, and if it fails with anonymous access, clearly we need some real 
> account details (which might be the account used to join the domain).

Just write something that tries to open the samr pipe anonymously and do a 
samr_connect() IIRC.  In RA==0x01 you should get access denied.
(hint: check winbindd logs and the failure is pretty obvious).

You probably don't want to cache the admin password used to join the 
domain.  Most people would just use a normal user account for
the winbind auth creds.



cheers, jerry




