[Samba] Access to administrative shares on Windows

Jason Voorhees jvoorhees1 at gmail.com
Wed Jul 7 18:08:26 MDT 2010 

Hi people:

I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different
installations) under CentOS Linux 5.5. My Samba server is configured
as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.

I understand this:

1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the
group "MYDOM\Domain Admins" is addedd to the local Administrators
group of the Windows machine.
3. According to (2), root account is a member of "MYDOM\Domain Admins"
group, I can verify this as follows:

# net rpc group members "Domain Admins"
MYDOM\root

4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as
administratives shares and they grant access to local Administrators
group of the machine, and so to "MYDOM\Domain Admins" as a consequence
of being previously joined to the domain.

Are these four assumptions right? If yes I think it should be true that:

- I would we able to access to C$ share of a machined joined to the
domain using the credentials of MYDOM\root account

Am I right? If yes, could someone tell me why these assumption isn't
working in my scenario? Every time I try to access C$ share with
MYDOM\root credentials I just get the login window again and again
(similar when someone puts a wrong password).

I tried to find some logging at Samba but I didn't find anything
obvious, I even enabled all security policies audit at Windows but its
log doesn't show anything useful. My smb.conf looks like:

 [global]
        workgroup = MYDOM
        netbios name = SAMBAPDC
        server string = Samba PDC Server
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        log file = /var/log/samba/log
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/bin/smbldap-useradd -m "%u"
        delete user script = /usr/bin/smbldap-userdel "%u"
        add group script = /usr/bin/smbldap-groupadd -p "%g"
        delete group script = /usr/bin/smbldap-groupdel "%g"
        add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon path =
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=mydom,dc=com
        ldap ssl = no
        ldap user suffix = ou=users
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Ok I know my configuration isn't perfect, surely there are some
directives that aren't necessary but I hope someone can help me with
this.

Thanks

More information about the samba mailing list