Is there a simple way to find out if the DC has restrict-anonymous set?
Gerald (Jerry) Carter
jerry at samba.org
Thu Jun 26 04:20:11 GMT 2003
On Sat, 21 Jun 2003, Richard Sharpe wrote:
> Hi,
>
> In our environment, which is a NAS, we would like to be able to inform the
> administrators that they need to create/supply an account for winbindd to
> do its magic. This might also be needed if they are connecting our NAS to
> a native-mode AD domain.
>
> Is there something simple that we can do with wbinfo to determine this?
> Since we have already asked them for an account that has privilege to join
> the domain, perhaps we should try to get back the pwnam entry for that
> account, and if it fails with anonymous access, clearly we need some real
> account details (which might be the account used to join the domain).

Just write something that tries to open the samr pipe anonymously and do a
samr_connect() IIRC. In RA==0x01 you should get access denied.
(hint: check winbindd logs and the failure is pretty obvious).

You probably don't want to cache the admin password used to join the
domain. Most people would just use a normal user account for
the winbind auth creds.

cheers, jerry
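
One way to script the anonymous samr probe described in the reply above, as an added example that is not part of the original message or of Samba's own code. It assumes `rpcclient` is installed; `DC_HOST` is a hypothetical environment variable, and the sample outputs are constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example: decide whether winbindd will need real credentials by
# attempting an anonymous SAMR query and classifying rpcclient's output.

# Read rpcclient output on stdin and print one verdict:
#   needs-account  - the DC answered the anonymous request with access denied
#   anonymous-ok   - anonymous enumeration returned user entries
#   unknown        - anything else (DC unreachable, empty or unexpected output)
# Only an explicit access-denied counts as "needs-account", so a network
# failure is never reported as a restrict-anonymous verdict.
classify_anon_samr() {
    out=$(cat)
    case "$out" in
        *NT_STATUS_ACCESS_DENIED*)
            echo "needs-account" ;;
        *"user:["*"rid:["*)
            echo "anonymous-ok" ;;
        *)
            echo "unknown" ;;
    esac
}

# Probe one DC. -U "" together with -N asks for an anonymous session;
# enumdomusers has to connect to the samr pipe before it can list anything.
check_dc() {
    rpcclient -U "" -N "$1" -c "enumdomusers" 2>&1 | classify_anon_samr
}

# Constructed sample outputs (not captured from a real DC).
SAMPLE_DENIED='result was NT_STATUS_ACCESS_DENIED'
SAMPLE_OPEN='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]'
SAMPLE_DOWN='Cannot connect to server.  Error was NT_STATUS_HOST_UNREACHABLE'

# DC_HOST is a hypothetical variable: set it to probe a real DC,
# leave it unset to classify the constructed samples instead.
if [ -n "${DC_HOST:-}" ]; then
    check_dc "$DC_HOST"
else
    for s in "$SAMPLE_DENIED" "$SAMPLE_OPEN" "$SAMPLE_DOWN"; do
        printf '%s\n' "$s" | classify_anon_samr
    done
fi
```

A `needs-account` verdict is the case where the administrator should be asked for a normal user account for the winbind auth creds.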