[Samba] Access to administrative shares on Windows

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jul 7 20:58:55 MDT 2010

On the Windows machines, have you tried setting up an additional share?
Maybe the the issue is not specific to Administrative shares?


I did verify from an XP machine (not in the domain) that "net use
\\server\ipc$ /user:mydom\administrator" does work-  I do get prompted for
the pw because the XP client is not in the domain, but at least it shows
that the domain administrator can authenticate to a hidden share.

Can you verify that MYDOM/Domain Admins is really in the local admins group
on the Win machines.  Can you login to the Win machine as a domain admin?
And if so, can you do "Admin" type things like add local users?    

I had some group mapping issue once that meant that the domain admin group
wasn't recognized by the Windows machines.  

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jason Voorhees
Sent: Wednesday, July 07, 2010 8:08 PM
To: samba at lists.samba.org
Subject: [Samba] Access to administrative shares on Windows

Hi people:

I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different
installations) under CentOS Linux 5.5. My Samba server is configured
as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.

I understand this:

1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the
group "MYDOM\Domain Admins" is addedd to the local Administrators
group of the Windows machine.
3. According to (2), root account is a member of "MYDOM\Domain Admins"
group, I can verify this as follows:

# net rpc group members "Domain Admins"

4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as
administratives shares and they grant access to local Administrators
group of the machine, and so to "MYDOM\Domain Admins" as a consequence
of being previously joined to the domain.

Are these four assumptions right? If yes I think it should be true that:

- I would we able to access to C$ share of a machined joined to the
domain using the credentials of MYDOM\root account

Am I right? If yes, could someone tell me why these assumption isn't
working in my scenario? Every time I try to access C$ share with
MYDOM\root credentials I just get the login window again and again
(similar when someone puts a wrong password).

I tried to find some logging at Samba but I didn't find anything
obvious, I even enabled all security policies audit at Windows but its
log doesn't show anything useful. My smb.conf looks like:

        workgroup = MYDOM
        netbios name = SAMBAPDC
        server string = Samba PDC Server
        passdb backend = ldapsam:ldap://
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        log file = /var/log/samba/log
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/bin/smbldap-useradd -m "%u"
        delete user script = /usr/bin/smbldap-userdel "%u"
        add group script = /usr/bin/smbldap-groupadd -p "%g"
        delete group script = /usr/bin/smbldap-groupdel "%g"
        add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/bin/smbldap-groupmod -x "%u"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon path =
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=mydom,dc=com
        ldap ssl = no
        ldap user suffix = ou=users
        idmap backend = ldap:ldap://
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Ok I know my configuration isn't perfect, surely there are some
directives that aren't necessary but I hope someone can help me with

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list