[Samba] Problems to samba 3.0.11
Sergey Loskutov
cyrat at tts.magadan.su
Thu Feb 17 00:55:08 GMT 2005
Hello!
I installed samba-3.0.11 and configured it properly to work with LDAP.
It works fine for me, but I have small problems with security and
user management!
Important parameters of my samba config
[global]
log level = 10
security = user
domain master = yes
domain logons = yes
enable privileges = Yes
workgroup = HOME
netbios name = A
delete user script = /opt/IDEALX/sbin/smbldap-userdel -k -r "%u"
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -a -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
To explain my problems, I have the following setup.
Machine "A" is the PDC of domain "HOME"
Machine "B" is not a member of domain "HOME"; it is a member of workgroup "REMOTE"
Machine "C" is a member of domain "HOME"
Account: Administrator, member of "Domain Admins"
Account: nobody, member of "Domain Guests"
net rpc says:
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\Administrator'
Password:
SeMachineAccountPrivilege
SeAddUsersPrivilege
linux:/etc/samba #
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\nobody'
Password:
linux:/etc/samba #
User Administrator UID: 512 (I read a post earlier where the "Samba members"
said "You no longer need to have uid 0 ... use privileges" ;) )
User nobody UID:
I use the tools usrmgr.exe and srvmgr.exe
Log in from "C" to domain "HOME" ... OK
Create a user in the default group "Domain Users" ... OK
Add a machine to the domain ........ OK
Problem 1.
From machine "B" launch the tool srvmgr.exe and select domain "HOME".
Domain "HOME" does not trust workgroup "REMOTE", so I am logged in to domain "HOME" as
nobody.
Try to add machine "INTRUDER" to domain "HOME" and get the message "Access
denied".
I parsed the debug messages ...... and found the problem ...
Step 1
samba added machine "INTRUDER" to ldap through "add machine script",
but did not set the samba attributes on this machine account
Step 2
Samba checked the privileges of user nobody and sent the message "access denied" to the
remote host
Why ?????
Any user who is not a member of my domain "HOME" can create any
"machine account" in my ldap server and .... oh my god !!!! my database is big, very big : )))
Problem 2.
Launch the tool usrmgr.exe
Try to create a user
Username: "John". Press the Groups button. By default the user is a member of
"Domain Users".
Add the group "Domain Admins", press OK and then OK again ... the user is created .....
it's great!
Select the properties of user "John" and press the Groups button again. Select group
"Domain Admins" and press "Set Primary Group", then remove the membership in
"Domain Users"
And press OK
Devil :(
I get the error "Access denied"
Why ??? Again I parsed the debug messages
1) Samba set the primary group of user "john" to "Domain Admins"
2) Samba tried to remove user "john" from group "Domain Users", but samba said
"User 'john' has primary group 'Domain Users'" and generated the message "Access
denied"
The IDEALX script has incorrect code in "smbldap-usermod -g ". We MUST set the
primary group, but before that the user MUST be a member of the "old primary group" ...
the IDEALX script
does not do this..
Problem 3.
User Administrator has the privilege 'SeAddUsersPrivilege'.... look above :)
Try to create a group ...
Group name: "Internet Access"
Members: Administrator, John
Press the OK button
Devil again :(
Get the message "Access Denied"
1) Samba calls the "add group script"; the group is created
2) Samba tries to append the samba parameters to group "Internet Access" and says
"_samr_set_groupinfo: access check ((granted: 0000000000; required:
0x00000002)
_samr_set_groupinfo: ACCESS DENIED (granted: 0000000000; required:
0x00000002)"
Please fix samba-3.0.11 or explain what is wrong ???
Analysis of the 3.0.11 code tells me ... it is bad, very bad ....
Best regards,
Senior engineer of the network department, MTCES, Magadan.
Loskutov Sergey
mailto:cyrat at tts.magadan.su
phone. +7 90250 82016, +7 41322 27150
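Added example, not from the original post and not part of Samba or the IDEALX smbldap-tools: an offline audit of an LDIF dump that lists machine accounts which were created through "add machine script" but never received their Samba attributes, which is the "INTRUDER" outcome described in Problem 1 above. It assumes the smbldap-tools convention that machine accounts are posixAccount entries whose uid ends in "$", and that a fully joined machine also carries objectClass sambaSamAccount plus a sambaSID. The sample LDIF embedded below is constructed for the example; in practice you would feed it the output of an ldapsearch over your computers container.

```python
"""Find machine accounts in an LDIF dump that have no Samba attributes.

Added example (not the Samba project's or IDEALX's code).  Assumptions:
  * machine accounts are posixAccount entries whose uid ends in '$'
    (smbldap-useradd -w convention);
  * a machine that really joined the domain has objectClass
    sambaSamAccount and a sambaSID;
  * input is plain LDIF as produced by e.g. ldapsearch -x -LLL.
"""
import base64
from collections import defaultdict

# Constructed sample: one properly joined machine (C$), one orphan left
# behind by a failed join (INTRUDER$), one half-populated machine (HALF$)
# and an ordinary user that must be ignored.
SAMPLE_LDIF = """\
dn: uid=C$,ou=Computers,dc=home,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: C$
uidNumber: 1002
gidNumber: 515
sambaSID: S-1-5-21-1000000001-1000000002-1000000003-3004
sambaAcctFlags: [W          ]

dn: uid=INTRUDER$,ou=Computers,dc=home,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: INTRUDER$
uidNumber: 1003
gidNumber: 515

dn: uid=HALF$,ou=Computers,dc=home,dc=local
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: HALF$
uidNumber: 1004
gidNumber: 515

dn: uid=john,ou=Users,dc=home,dc=local
objectClass: posixAccount
objectClass: sambaSamAccount
uid: john
sambaSID: S-1-5-21-1000000001-1000000002-1000000003-1002
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries (dict: lowercase attr -> [values]).

    Handles RFC 2849 line folding (continuation lines start with a space)
    and base64 values ("attr:: <b64>"); comment lines are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def is_machine_account(entry):
    """smbldap-tools convention: posixAccount whose uid ends in '$'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "posixaccount" in classes and any(u.endswith("$") for u in entry.get("uid", []))


def find_orphaned_machines(entries):
    """Return DNs of machine accounts lacking sambaSamAccount or a sambaSID."""
    orphans = []
    for entry in entries:
        if not is_machine_account(entry):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes or not entry.get("sambasid"):
            orphans.append(entry["dn"][0])
    return orphans


def audit_ldif(text):
    return find_orphaned_machines(parse_ldif(text))


if __name__ == "__main__":
    for dn in audit_ldif(SAMPLE_LDIF):
        print("orphaned machine account:", dn)
```

Run it against a real dump with `ldapsearch -x -LLL -b 'ou=Computers,...' | python3 audit.py`-style piping (the base DN and script name are yours to fill in); every DN it prints is an entry that "add machine script" created before the privilege check rejected the join, and is safe to delete once you have confirmed the host never completed the join.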