Net help analyzing logfiles: Printer permissions in Domain
Marc Haber
Marc.Haber-lists at gmx.de
Mon Dec 21 11:43:36 GMT 1998
On Fri, 18 Dec 1998 12:43:58 +1100, you wrote:
>On Thu, 17 Dec 1998 09:54:43 +1100, Marc Haber wrote:
>>mh is my account. This account is present in the NT domain, in
>>/etc/passwd and smbpasswd. asback is the user that should do the
>>printing in production service; this account currently is only present
>>in the NT domain.
>
>So what else should samba do with asback than "mapping" it to the guest account?
>There is no other way for samba to map it to a user id.

Yes, but I feel that it should match against valid_users before that
mapping takes place.

>>I have thought that the whole concept of integrating
>>a samba box into an NT domain is about not having to enter every NT
>>account into /etc/passwd manually.
>
>Think about the implications: As which unix user should samba do the file and
>print operations?

As nobody. After verifying that the user who tries to access the share
is a valid_user.

>Configure "public = yes" and remark "valid users". Try to connect to your printer
>share as user asback. If it doesn't work my tip was worthless and you better
>forget about it.
>
>If it works, you have to investigate further: Remove asback from the "valid users"
>list, reboot your client box and try again. If it still works, you have a security
>hole. If it doesn't work, your problem is solved.

- public=yes, valid-users=mh : rejected
- public=yes, valid-users=mh asback : rejected
- public=yes, valid-users=commented out : works

I suspect that samba first checks for a local account. If this
does not exist, it is mapped to the nobody user, thus the rights
of the nobody user apply. I think this is broken because in this
case, the username has been verified by the domain logon.

Logs attached.

Greetings
Marc

|1998/12/18 16:56:09 Server exit (caught signal)
|Added interface ip=192.168.10.10 bcast=192.168.10.255 nmask=255.255.255.0
|1998/12/18 16:56:14 loaded services
|1998/12/18 16:56:14 becoming a daemon
|bind succeeded on port 139
|waiting for a connection
|Initialised IPC area of size 102400
|1998/12/18 16:56:24 changed root to /
|open_oplock_ipc: opening loopback UDP socket.
|bind succeeded on port 0
|open_oplock ipc: pid = 19521, oplock_port = 1078
|priming nmbd
|sending a packet of len 1 to (127.0.0.1) on port 137 of type DGRAM
|1998/12/18 16:56:24 Transaction 0 of length 72
|netbios connect: name1=PALANDT name2=BP-FS00
|Trying username bp-fs00
|1998/12/18 16:56:24 Transaction 1 of length 174
|switch message SMBnegprot (pid 19521)
|Requested protocol [PC NETWORK PROGRAM 1.0]
|Requested protocol [XENIX CORE]
|Requested protocol [MICROSOFT NETWORKS 1.03]
|Requested protocol [LANMAN1.0]
|Requested protocol [Windows for Workgroups 3.1a]
|Requested protocol [LM1.2X002]
|Requested protocol [LANMAN2.1]
|Requested protocol [NT LM 0.12]
|resolve_name: Attempting lmhosts lookup for name BP-FS00
|resolve_name: Attempting host lookup for name BP-FS00
|Connecting to 192.168.10.1 at port 139
|connected to password server bp-fs00
|got session
|password server OK
|using password server validation
|Selected protocol NT LM 0.12
|1998/12/18 16:56:24 Transaction 2 of length 190
|switch message SMBsesssetupX (pid 19521)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[root]
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|root is in 11 groups
|0 1 12 14 15 16 80 81 82 83 65534
|uid 0 registered to name root
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 19521)
|Trying username ipc$
|ACCEPTED: validated uid ok as non-guest
|found free connection number 102
|Connect path is /tmp
|chdir to /tmp
|chdir to /home/mh
|1998/12/18 16:56:28 bp-fs00 (192.168.10.1) connect to service IPC$ as user root (uid=0,gid=0) (pid 19521)
|1998/12/18 16:56:28 tconX service=ipc$ user=root cnum=102
|1998/12/18 16:56:28 Transaction 3 of length 82
|switch message SMBopenX (pid 19521)
|chdir to /tmp
|1998/12/18 16:56:28 error packet at line 101 cmd=45 (SMBopenX) eclass=2 ecode=4
|1998/12/18 16:56:28 Transaction 4 of length 103
|switch message SMBtrans (pid 19521)
|trans <\PIPE\LANMAN> data=0 params=19 setup=0
|named pipe command on <LANMAN> name
|Got API command 0 of form <WrLeh> <B13BWz>
|(tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
|Doing RNetShareEnum
|RNetShareEnum gave 3 entries of 3 (1 4096 155 4096)
|1998/12/18 16:56:28 Transaction 5 of length 82
|switch message SMBopenX (pid 19521)
|1998/12/18 16:56:28 error packet at line 101 cmd=45 (SMBopenX) eclass=2 ecode=4
|1998/12/18 16:56:28 Transaction 6 of length 103
|switch message SMBtrans (pid 19521)
|trans <\PIPE\LANMAN> data=0 params=19 setup=0
|named pipe command on <LANMAN> name
|Got API command 0 of form <WrLeh> <B13BWz>
|(tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
|Doing RNetShareEnum
|RNetShareEnum gave 3 entries of 3 (1 4096 155 4096)
|chdir to /home/mh
|1998/12/18 16:57:06 Transaction 7 of length 43
|switch message SMBulogoffX (pid 19521)
|1998/12/18 16:57:06 ulogoffX vuid=100
|1998/12/18 16:57:06 Transaction 8 of length 200
|switch message SMBsesssetupX (pid 19521)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[asback]
|Trying username asbacK
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|Trying username asbacK
|No such user asback - using guest account
|nobody is in 1 groups
|65534
|uid 65534 registered to name nobody
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 19521)
|Trying username dasipdrucK
|ACCEPTED: guest account and guest ok
|rejected invalid user nobody
|1998/12/18 16:57:09 invalid username/password for dasipdruck
|1998/12/18 16:57:09 error packet at line 171 cmd=117 (SMBtconX) eclass=2 ecode=2
|error string = Invalid argument
|1998/12/18 16:57:09 Transaction 9 of length 43
|switch message SMBulogoffX (pid 19521)
|1998/12/18 16:57:09 ulogoffX vuid=101
|Closing connections
|1998/12/18 16:58:05 Server exit (caught signal)
|Closing connections
|1998/12/18 16:58:05 bp-fs00 (192.168.10.1) closed connection to service IPC$
|Yielding connection to 102 IPC$
|1998/12/18 16:58:05 Server exit (caught signal)
|Added interface ip=192.168.10.10 bcast=192.168.10.255 nmask=255.255.255.0
|1998/12/18 16:58:11 loaded services
|1998/12/18 16:58:11 becoming a daemon
|bind succeeded on port 139
|waiting for a connection
|Initialised IPC area of size 102400
|1998/12/18 16:58:13 changed root to /
|open_oplock_ipc: opening loopback UDP socket.
|bind succeeded on port 0
|open_oplock ipc: pid = 19554, oplock_port = 1103
|priming nmbd
|sending a packet of len 1 to (127.0.0.1) on port 137 of type DGRAM
|1998/12/18 16:58:13 Transaction 0 of length 72
|netbios connect: name1=PALANDT name2=BP-FS00
|Trying username bp-fs00
|1998/12/18 16:58:13 Transaction 1 of length 174
|switch message SMBnegprot (pid 19554)
|Requested protocol [PC NETWORK PROGRAM 1.0]
|Requested protocol [XENIX CORE]
|Requested protocol [MICROSOFT NETWORKS 1.03]
|Requested protocol [LANMAN1.0]
|Requested protocol [Windows for Workgroups 3.1a]
|Requested protocol [LM1.2X002]
|Requested protocol [LANMAN2.1]
|Requested protocol [NT LM 0.12]
|resolve_name: Attempting lmhosts lookup for name BP-FS00
|resolve_name: Attempting host lookup for name BP-FS00
|Connecting to 192.168.10.1 at port 139
|connected to password server bp-fs00
|got session
|password server OK
|using password server validation
|Selected protocol NT LM 0.12
|1998/12/18 16:58:14 Transaction 2 of length 200
|switch message SMBsesssetupX (pid 19554)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[asback]
|Trying username asbacK
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|Trying username asbacK
|No such user asback - using guest account
|nobody is in 1 groups
|65534
|uid 65534 registered to name nobody
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 19554)
|Trying username dasipdrucK
|ACCEPTED: guest account and guest ok
|rejected invalid user nobody
|1998/12/18 16:58:17 invalid username/password for dasipdruck
|1998/12/18 16:58:17 error packet at line 171 cmd=117 (SMBtconX) eclass=2 ecode=2
|1998/12/18 16:58:17 Transaction 3 of length 43
|switch message SMBulogoffX (pid 19554)
|1998/12/18 16:58:17 ulogoffX vuid=100
|end of file from client
|Closing connections
|1998/12/18 16:58:17 Server exit (normal exit)
|Closing connections
|1998/12/18 17:01:13 Server exit (caught signal)
|Added interface ip=192.168.10.10 bcast=192.168.10.255 nmask=255.255.255.0
|1998/12/18 17:01:18 loaded services
|1998/12/18 17:01:18 becoming a daemon
|bind succeeded on port 139
|waiting for a connection
|Initialised IPC area of size 102400
|1998/12/18 17:01:21 changed root to /
|open_oplock_ipc: opening loopback UDP socket.
|bind succeeded on port 0
|open_oplock ipc: pid = 19604, oplock_port = 1127
|priming nmbd
|sending a packet of len 1 to (127.0.0.1) on port 137 of type DGRAM
|1998/12/18 17:01:21 Transaction 0 of length 72
|netbios connect: name1=PALANDT name2=BP-FS00
|Trying username bp-fs00
|1998/12/18 17:01:21 Transaction 1 of length 174
|switch message SMBnegprot (pid 19604)
|Requested protocol [PC NETWORK PROGRAM 1.0]
|Requested protocol [XENIX CORE]
|Requested protocol [MICROSOFT NETWORKS 1.03]
|Requested protocol [LANMAN1.0]
|Requested protocol [Windows for Workgroups 3.1a]
|Requested protocol [LM1.2X002]
|Requested protocol [LANMAN2.1]
|Requested protocol [NT LM 0.12]
|resolve_name: Attempting lmhosts lookup for name BP-FS00
|resolve_name: Attempting host lookup for name BP-FS00
|Connecting to 192.168.10.1 at port 139
|connected to password server bp-fs00
|got session
|password server OK
|using password server validation
|Selected protocol NT LM 0.12
|1998/12/18 17:01:21 Transaction 2 of length 200
|switch message SMBsesssetupX (pid 19604)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[asback]
|Trying username asbacK
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|Trying username asbacK
|No such user asback - using guest account
|nobody is in 1 groups
|65534
|uid 65534 registered to name nobody
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 19604)
|Trying username dasipdrucK
|ACCEPTED: guest account and guest ok
|found free connection number 62
|Connect path is /var/spool/samba
|nobody is in 1 groups
|65534
|chdir to /var/spool/samba
|chdir to /home/mh
|1998/12/18 17:01:24 bp-fs00 (192.168.10.1) connect to service dasiPDruck as user nobody (uid=65534,gid=65534) (pid 19604)
|1998/12/18 17:01:24 tconX service=dasipdruck user=nobody cnum=62
|palandt:/home/mh #
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom " | Phone: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
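
An added example, not part of the original message and not Samba code: a small Python parser for smbd debug logs of the form attached above. It pairs each session setup with its share connect result and lists users that the password server accepted but that were then refused under the guest name. The function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: lines in the form of the smbd debug log in this message.
SAMPLE_LOG = """\
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[] sesssetupX:name=[asback]
|password server BP-FS00 accepted the password
|No such user asback - using guest account
|ACCEPTED: guest account and guest ok
|rejected invalid user nobody
|1998/12/18 16:57:09 invalid username/password for dasipdruck
|sesssetupX:name=[asback]
|password server BP-FS00 accepted the password
|No such user asback - using guest account
|1998/12/18 17:01:24 tconX service=dasipdruck user=nobody cnum=62
"""

RULES = [  # (event, pattern); the first pattern that matches a line wins
    ("setup", re.compile(r"sesssetupX:name=\[([^\]]*)\]")),
    ("auth_ok", re.compile(r"password server \S+ accepted the password")),
    ("guest", re.compile(r"No such user \S+ - using guest account")),
    ("checked_as", re.compile(r"rejected invalid user (\S+)")),
    ("rejected", re.compile(r"invalid username/password for (\S+)")),
    ("connected", re.compile(r"tconX service=(\S+) user=(\S+) cnum=")),
]

def parse_sessions(text):
    """Return one record per session setup, with its share connect results."""
    sessions, cur = [], None
    for line in text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if not m or (cur is None and name != "setup"):
                continue  # no match, or the log starts in mid-session
            if name == "setup":
                cur = {"requested": m.group(1), "auth_ok": False,
                       "guest": False, "checked_as": None, "shares": []}
                sessions.append(cur)
            elif name in ("auth_ok", "guest", "checked_as"):
                # flag events have no capture group; checked_as stores the name
                cur[name] = m.group(1) if m.lastindex else True
            else:  # share connect result: (share, outcome, name it was checked as)
                who = m.group(2) if name == "connected" else cur["checked_as"]
                cur["shares"].append((m.group(1), name, who))
            break
    return sessions

def remapped_rejections(sessions):
    """Users the password server accepted but who were refused as the guest name."""
    return [(s["requested"], share, who) for s in sessions if s["auth_ok"] and s["guest"]
            for share, outcome, who in s["shares"] if outcome == "rejected"]
```

On the sample, `remapped_rejections(parse_sessions(SAMPLE_LOG))` reports asback refused on dasipdruck while being checked as nobody, which is the ordering the message describes.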