[Samba] Access to administrative shares on Windows
jvoorhees1 at gmail.com
Wed Jul 7 18:08:26 MDT 2010
I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different
installations) under CentOS Linux 5.5. My Samba server is configured
as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.
I understand this:
1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the
group "MYDOM\Domain Admins" is added to the local Administrators
group of the Windows machine.
3. According to (2), the root account is a member of the "MYDOM\Domain Admins"
group; I can verify this as follows:
# net rpc group members "Domain Admins"
4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as
administrative shares, and they grant access to the local Administrators
group of the machine, and so to "MYDOM\Domain Admins" as a consequence
of having previously joined the domain.
Are these four assumptions right? If yes I think it should be true that:
- I would be able to access the C$ share of a machine joined to the
domain using the credentials of the MYDOM\root account
Am I right? If yes, could someone tell me why these assumptions aren't
working in my scenario? Every time I try to access the C$ share with
MYDOM\root credentials I just get the login window again and again
(similar to when someone enters a wrong password).
I tried to find some logging at Samba but I didn't find anything
obvious; I even enabled all security audit policies on Windows, but its
log doesn't show anything useful. My smb.conf looks like:
workgroup = MYDOM
netbios name = SAMBAPDC
server string = Samba PDC Server
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 3
log file = /var/log/samba/log
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/bin/smbldap-useradd -m "%u"
delete user script = /usr/bin/smbldap-userdel "%u"
add group script = /usr/bin/smbldap-groupadd -p "%g"
delete group script = /usr/bin/smbldap-groupdel "%g"
add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w %u
logon path =
domain logons = Yes
preferred master = Yes
domain master = Yes
ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=mydom,dc=com
ldap ssl = no
ldap user suffix = ou=users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
Ok I know my configuration isn't perfect, surely there are some
directives that aren't necessary but I hope someone can help me with
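The post's assumptions (2) and (3) can be checked from the Samba side before looking at the Windows client. The script below is an added example, not code from the original post or from the Samba project: it parses the output of `net rpc group members "Domain Admins"` to confirm that an account is listed, and wraps an `smbclient` probe against an admin share so the result is a plain exit status rather than a repeated login prompt. The member list embedded in the script is a constructed sample so the parsing can be exercised offline; `WINHOST` is a placeholder for a joined Windows machine, and `SAMBAPDC`/`MYDOM` are taken from the smb.conf in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify Domain Admins
# membership and probe an administrative share from the Samba PDC.
# Assumes the Samba 'net' and 'smbclient' binaries are on PATH.

DOMAIN="MYDOM"              # workgroup from the poster's smb.conf
PDC="SAMBAPDC"              # netbios name from the poster's smb.conf
WINHOST="winclient.example" # placeholder: a Windows machine joined to MYDOM

# Constructed sample of what 'net rpc group members "Domain Admins"'
# prints (one DOMAIN\user per line); used for the offline check below.
SAMPLE_MEMBERS='MYDOM\Administrator
MYDOM\root'

# is_member ACCOUNT LIST: prints "yes" if ACCOUNT appears as a whole line
# of LIST, else "no". Matching is case-insensitive because SMB account
# names are; -F keeps the backslash in DOMAIN\user literal.
is_member() {
    account=$1
    list=$2
    if printf '%s\n' "$list" | grep -iqxF -- "$account"; then
        echo yes
    else
        echo no
    fi
}

# fetch_members: live query of the PDC (needs the network and will prompt
# for the MYDOM\root password). Output has the same shape as SAMPLE_MEMBERS.
fetch_members() {
    net rpc group members "Domain Admins" -S "$PDC" -U "$DOMAIN\\root"
}

# probe_share SHARE: try to list an admin share (C$, ADMIN$, IPC$) on the
# Windows host as MYDOM\root. Returns smbclient's exit status: 0 means the
# session and tree connect were accepted, non-zero reproduces the failure
# described in the post without the interactive login loop.
probe_share() {
    smbclient "//$WINHOST/$1" -U "$DOMAIN\\root" -c 'ls' >/dev/null 2>&1
}

# Usage: run with "live" to query the real PDC and Windows host;
# without arguments it only exercises the offline membership check.
if [ "${1:-}" = "live" ]; then
    members=$(fetch_members) || { echo "net rpc query failed" >&2; exit 1; }
    echo "root in Domain Admins: $(is_member "$DOMAIN\\root" "$members")"
    for share in IPC$ ADMIN$ C$; do
        if probe_share "$share"; then
            echo "$share: accessible"
        else
            echo "$share: access denied or host unreachable"
        fi
    done
else
    echo "sample check: root in Domain Admins: $(is_member 'MYDOM\root' "$SAMPLE_MEMBERS")"
fi
```

Probing IPC$ first is deliberate: it is reachable by any authenticated user, so if IPC$ succeeds and only C$/ADMIN$ fail, the credentials themselves are being accepted and the problem is the share-level authorization (local Administrators membership), whereas an IPC$ failure points at authentication between the Windows machine and the domain.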