[Samba] machine account with w2k
Heinz Allerberger
allerberger at em.uni-frankfurt.de
Thu Sep 9 15:26:00 GMT 2004
Hi,
I found out where the problem was:
The Domain Admin user "domadmin" must have the root policies in
/etc/passwd like this:
domadmin:x:0:0:
The user domadmin gets the same rights as root has; then it works
properly. Then I am able to join a Windows 2000 workstation with the user
"domadmin".
In my opinion it is not fine, because it is a security hole, but it works.
Heinz Allerberger
System administrator
Zentrum Neurologie
Universitätsklinikum
Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Pager 18-0455
Heinz Allerberger wrote:
> Dear Samba Friends,
>
> I have a problem joining Windows 2000 clients to a Samba PDC.
> When I join the Samba PDC with a WinNT 4.0 client it is no problem;
> first I create a machine account for the machine:
> 1. in /etc/group the group exists: machines:x:515:
> 2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
> 3. pdbedit -a -m -u neuch205
>
> In this way it isn't a problem to join the PDC with WinNT 4.0 clients;
> I only log in as Administrator on the Windows machine and enter
> the domain name,
> then the client answers, without asking for a password, that I should reboot, and
> the client has joined successfully.
>
> When I try to do the same, I get asked for a password. OK, for
> that I created the user "domadmin" on the Samba server as a member of the
> "Domain Administrators", but this user is not accepted by the
> W2K client. I cannot understand why not. Normally it should work.
>
> Please have a look at my documentation about this:
>
>------------------------------------------------------------------------
>
># Samba config file
># allerberger at em.uni-frankfurt.de
># Date: 2004/09/03
>
># Global parameters
>[global]
> unix charset = ISO8859-1
> workgroup = NEUROCH
> server string = %h server (Samba %v)
>
> preferred master = Yes
> domain master = Yes
> local master = yes
> os level = 33 # corresponds to NT Server
>
> dns proxy = No
> ldap ssl = no
>
> security = user
> encrypt passwords = yes
> update encrypted = Yes
> obey pam restrictions = Yes
> passdb backend = tdbsam, guest
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>
> invalid users = root
>
> domain logons = Yes
> logon path = \\%N\profiles\%U
> logon drive = H:
> logon home = \\neuch240\%U\.winprofile
> logon script = logon.cmd
>
> add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
> add user script = /usr/sbin/useradd "%u"
> delete user script = /usr/sbin/userdel "%u"
> add group script = /usr/local/bin/smbgrpadd.sh "%g"
> delete group script = /usr/sbin/groupdel "%g"
> add user to group script = /usr/bin/gpasswd -a "%u" "%g"
> delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
> set primary group script = /usr/sbin/usermod -g "%g" "%u"
>
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
>
> panic action = /usr/share/samba/panic-action %d
>
>[netlogon]
> path = /var/lib/samba/netlogon
> read only = yes
> browseable = no
>
>[profiles]
> path = /var/lib/samba/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = No
>
>[homes]
> comment = Home Directories
> read only = No
> create mask = 0755
> browseable = No
>
>[shared]
> comment = shared Directory
> path = /home/shared
> read only = No
> create mask = 0777
> browseable = no
>
>[printers]
> comment = All Printers
> path = /tmp
> create mask = 0700
> printable = Yes
> browseable = No
>
>[print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
>
>------------------------------------------------------------------------
>
>Unix username: neuch205$
>NT username:
>Account Flags: [W ]
>User SID: S-1-5-21-1656000120-2433418590-619812953-4006
>Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-515
>Full Name: neuch205$
>Home Directory: \\neuch240\neuch205_\.winprofile
>HomeDir Drive: H:
>Logon Script: logon.cmd
>Profile Path: \\neuch240\profiles\neuch205_
>Domain: NEUROCH
>Account desc:
>Workstations:
>Munged dial:
>Logon time: 0
>Logoff time: Fri, 13 Dec 1901 21:45:51 GMT
>Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT
>Password last set: Wed, 08 Sep 2004 10:26:17 GMT
>Password can change: Wed, 08 Sep 2004 10:26:17 GMT
>Password must change: Fri, 13 Dec 1901 21:45:51 GMT
>Last bad password : 0
>Bad password count : 0
>Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
>------------------------------------------------------------------------
>
>Unix username: domadmin
>NT username:
>Account Flags: [U ]
>User SID: S-1-5-21-1656000120-2433418590-619812953-2000
>Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-512
>Full Name:
>Home Directory: \\neuch240\domadmin\.winprofile
>HomeDir Drive: H:
>Logon Script: logon.cmd
>Profile Path: \\neuch240\profiles\domadmin
>Domain: NEUROCH
>Account desc:
>Workstations:
>Munged dial:
>Logon time: 0
>Logoff time: Fri, 13 Dec 1901 21:45:51 GMT
>Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT
>Password last set: Fri, 03 Sep 2004 11:18:37 GMT
>Password can change: Fri, 03 Sep 2004 11:18:37 GMT
>Password must change: Fri, 13 Dec 1901 21:45:51 GMT
>Last bad password : 0
>Bad password count : 0
>Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
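The fix in the reply maps domadmin to UID 0, which the poster himself calls a security hole. As an added example (not from the thread), here is a small shell audit over a constructed passwd-format file that lists every UID-0 alias besides root and every machine account (name ending in $) that lacks the locked-down attributes the quoted useradd command sets; the machines GID 515 is taken from the quoted /etc/group line, and all account names and numbers in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a passwd-format file for the two
# things this thread touches: extra UID-0 accounts (the "domadmin:x:0:0:" fix)
# and machine accounts that are not locked down like the quoted useradd call.

# Constructed sample passwd file; names and numbers are made up to mirror the thread.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
domadmin:x:0:0:Domain Admin:/home/domadmin:/bin/bash
neuch205$:x:1001:515:nickname:/dev/null:/bin/false
neuch206$:x:1002:100:nickname:/home/neuch206:/bin/bash
heinz:x:1003:100:Heinz:/home/heinz:/bin/bash
EOF

MACHINES_GID=515   # from the quoted /etc/group line "machines:x:515:"

# Print every account that has UID 0 but is not literally named root.
# Any such entry is a full root equivalent for every service on the box,
# including SMB sessions that authenticate as it.
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print machine accounts (trailing $) that do not have the machines primary
# group, /dev/null as home directory and /bin/false as shell, i.e. accounts
# that could also be used for an interactive Unix login.
weak_machine_accounts() {
    awk -F: -v gid="$MACHINES_GID" \
        '$1 ~ /\$$/ && ($4 != gid || $6 != "/dev/null" || $7 != "/bin/false") { print $1 }' "$1"
}

# Human-readable report over one passwd file.
audit() {
    printf 'UID-0 aliases besides root:\n'
    uid0_aliases "$1" | sed 's/^/  /'
    printf 'machine accounts not locked down:\n'
    weak_machine_accounts "$1" | sed 's/^/  /'
}

audit "$SAMPLE_PASSWD"
```

Run it against the real /etc/passwd on the PDC to confirm that, after the join, domadmin is removed from the UID-0 list again.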