[Samba] Access to administrative shares on Windows
gaiseric.vandal at gmail.com
Wed Jul 7 20:58:55 MDT 2010
On the Windows machines, have you tried setting up an additional share?
Maybe the issue is not specific to Administrative shares?
I did verify from an XP machine (not in the domain) that "net use
\\server\ipc$ /user:mydom\administrator" does work. I do get prompted for
the pw because the XP client is not in the domain, but at least it shows
that the domain administrator can authenticate to a hidden share.
Can you verify that MYDOM/Domain Admins is really in the local admins group
on the Win machines? Can you login to the Win machine as a domain admin?
And if so, can you do "Admin" type things like add local users?
I had some group mapping issue once that meant that the domain admin group
wasn't recognized by the Windows machines.
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jason Voorhees
Sent: Wednesday, July 07, 2010 8:08 PM
To: samba at lists.samba.org
Subject: [Samba] Access to administrative shares on Windows
I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different
installations) under CentOS Linux 5.5. My Samba server is configured
as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.
I understand this:
1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the
group "MYDOM\Domain Admins" is added to the local Administrators
group of the Windows machine.
3. According to (2), root account is a member of "MYDOM\Domain Admins"
group, I can verify this as follows:
# net rpc group members "Domain Admins"
4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as
administrative shares and they grant access to the local Administrators
group of the machine, and so to "MYDOM\Domain Admins" as a consequence
of being previously joined to the domain.
Are these four assumptions right? If yes I think it should be true that:
- I would be able to access the C$ share of a machine joined to the
domain using the credentials of the MYDOM\root account
Am I right? If yes, could someone tell me why these assumptions aren't
working in my scenario? Every time I try to access C$ share with
MYDOM\root credentials I just get the login window again and again
(similar when someone puts a wrong password).
I tried to find some logging at Samba but I didn't find anything
obvious, I even enabled all security policies audit at Windows but its
log doesn't show anything useful. My smb.conf looks like:
workgroup = MYDOM
netbios name = SAMBAPDC
server string = Samba PDC Server
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 3
log file = /var/log/samba/log
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/bin/smbldap-useradd -m "%u"
delete user script = /usr/bin/smbldap-userdel "%u"
add group script = /usr/bin/smbldap-groupadd -p "%g"
delete group script = /usr/bin/smbldap-groupdel "%g"
add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/bin/smbldap-groupmod -x "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w %u
logon path =
domain logons = Yes
preferred master = Yes
domain master = Yes
ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=mydom,dc=com
ldap ssl = no
ldap user suffix = ou=users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
Ok I know my configuration isn't perfect, surely there are some
directives that aren't necessary but I hope someone can help me with
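
Added example, not part of the original thread: one way to check the group mapping mentioned in the reply, run on the Samba PDC. It parses `net groupmap list` output and confirms that a group carries the SID `<domain SID>-512`, which is the SID Windows places in the local Administrators group at join time. The function name, the sample SIDs and the Unix group names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: verify the Domain Admins group mapping on the Samba PDC.
# Windows adds the SID <domain SID>-512 to the local Administrators group at
# join time, so the Samba group must carry exactly that SID.

# Constructed sample `net groupmap list` output (SIDs and Unix names made up).
DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GOOD="Domain Admins ($DOMAIN_SID-512) -> domainadmins
Domain Users ($DOMAIN_SID-513) -> domainusers"
SAMPLE_BAD="Domain Admins ($DOMAIN_SID-2025) -> domainadmins
Domain Users ($DOMAIN_SID-513) -> domainusers"

# Usage: net groupmap list | check_domain_admins_map <domain SID>
# (the domain SID is the one `net getlocalsid` reports on the PDC)
# Returns 0 if a group is mapped to <domain SID>-512,
#         2 if "Domain Admins" is listed but under a different SID,
#         1 if neither is found.
check_domain_admins_map() {
    awk -v want="$1-512" '
        # Each mapping line looks like: NT name (SID) -> unixgroup
        match($0, /\(S-[0-9-]+\)/) {
            sid  = substr($0, RSTART + 1, RLENGTH - 2)   # SID without parens
            name = substr($0, 1, RSTART - 2)             # NT group name
            ugrp = substr($0, RSTART + RLENGTH + 4)      # text after " -> "
            if (sid == want) {
                ok = 1
                print "OK: " name " -> " ugrp
            } else if (name == "Domain Admins") {
                bad = sid
            }
        }
        END {
            if (ok) exit 0
            if (bad != "") {
                print "MISMATCH: Domain Admins has SID " bad ", expected " want
                exit 2
            }
            print "MISSING: no group mapped to " want
            exit 1
        }
    '
}

# Demonstration on the constructed samples above.
printf '%s\n' "$SAMPLE_GOOD" | check_domain_admins_map "$DOMAIN_SID"
printf '%s\n' "$SAMPLE_BAD" | check_domain_admins_map "$DOMAIN_SID" ||
    echo "(exit status $?)"
```

A mismatch here means Windows clients see a group named Domain Admins that is not the one in their local Administrators group, so administrative shares such as C$ keep asking for credentials.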