[Samba] Bug with winbindd

Joffrey AUDIN jaudin at adista.fr
Thu Apr 3 04:20:23 MDT 2014


### first command
net rpc rights list accounts -Uadm-me  (I don't have the administrator password; adm-me is an administrator account)
Enter adm-me's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

### Second command
net rpc rights grant 'EXPLOIT\Domain Admins' seDiskOperatorPrivilege -Uadm-jaudin
Enter adm-jaudin's password:
Successfully granted rights.

### PAM
It's not exactly like this in FreeBSD, but my PAM conf.d is set like yours. I think the problem is with winbindd.

'Joffrey
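
Added example, not part of the original e-mail: a shell check that reads `net rpc rights list accounts` output in the format shown above and reports which accounts hold a given privilege, so a grant can be confirmed. The function names are hypothetical, and the sample listing is constructed; its EXPLOIT\Domain Admins entry is an assumption about how the listing would look after the grant.

```shell
#!/bin/sh
# Listing format (from the output above): blank-line separated blocks,
# account name on the first line, then one privilege per line.

# rights_holders PRIVILEGE: read a listing on stdin, print every account
# that holds PRIVILEGE. The match is case-insensitive because the grant in
# the thread is typed "seDiskOperatorPrivilege" while the listing prints
# "SeDiskOperatorPrivilege".
rights_holders() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, "") }                    # tolerate CRLF captures
        /^[ \t]*$/ { account = ""; next }     # blank line ends a block
        account == "" { account = $0; next }  # first line is the account
        tolower($0) == want { print account }
    '
}

# has_right ACCOUNT PRIVILEGE: exit 0 if ACCOUNT holds PRIVILEGE.
has_right() {
    rights_holders "$2" | grep -Fxq -- "$1"
}

# Constructed sample, abbreviated from the listing in this message.
sample_listing() {
    cat <<'EOF'
BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeBackupPrivilege
SeDiskOperatorPrivilege

EXPLOIT\Domain Admins
SeDiskOperatorPrivilege

Everyone
No privileges assigned
EOF
}

# Against a live server (prompts for the password, as in the thread):
#   net rpc rights list accounts -Uadm-me | rights_holders SeDiskOperatorPrivilege
sample_listing | rights_holders seDiskOperatorPrivilege
```
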

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
Sent: Thursday 3 April 2014 12:06
To: samba at lists.samba.org
Subject: Re: [Samba] Bug with winbindd

Other question, Joffrey.

Since I'm having a lot of trouble setting up privileges,
can you test one thing for me?

Do these work:

net rpc rights list accounts -Uadministrator
and
net rpc rights grant 'YOURDOMAINNAME\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

For the ssh login, try this (Debian/Ubuntu systems):

cp /etc/pam.d/sshd /etc/pam.d/sshd.original
cat << EOF > /etc/pam.d/sshd
# copy from /etc/pam.d/common-auth      - authentication settings common to all services
#
auth    sufficient                      pam_winbind.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

# copy from /etc/pam.d/common-account   - authorization settings common to all services
#
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so

# copy from /etc/pam.d/common-session   - session-related modules common to all services
#
session required                        pam_mkhomedir.so
session required                        pam_winbind.so
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so
EOF



Greetz, 

Louis




>-----Original Message-----
>From: jaudin at adista.fr [mailto:samba-bounces at lists.samba.org]
>On Behalf Of Joffrey AUDIN
>Sent: Thursday 3 April 2014 11:48
>To: 'Rowland Penny'; samba at lists.samba.org
>Subject: Re: [Samba] Bug with winbindd
>
>Sorry,
>I said one subcommand of wbinfo.
>wbinfo is on my FreeBSD domain member.
>The domain controller is the Windows 2012R2 (no wbinfo)
>
>But, I rebooted the Windows Controller and wbinfo -I works on the Unix 
>member.
>I need to check why authentication with ssh doesn't work.
>
>'Joffrey
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>Sent: Thursday 3 April 2014 11:37
>To: samba at lists.samba.org
>Subject: Re: [Samba] Bug with winbindd
>
>On 03/04/14 10:30, Joffrey AUDIN wrote:
>> I don't understand
>> Your AD is a Samba server? In my case, it's a Windows 2012 R2 server. I don't have the 'wbinfo' command.
>> The problem is with all accounts, not only the administrator.
>>
>> 'Joffrey
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Thursday 3 April 2014 11:22
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Bug with winbindd
>>
>> On 03/04/14 09:52, L.P.H. van Belle wrote:
>>> Since I was already testing with winbind also.
>>>
>>> I experience the same on the MEMBER server.
>>>
>>> wbinfo -D DOMAIN gives nice all info.
>>> wbinfo -i Administrator
>>> or
>>> wbinfo -i DOMAIN\Administrator
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> Did not work, BUT on my DC. ...
>>>
>>> I get:
>>> wbinfo -i Administrator
>>> INTERNAL\Administrator:*:0:100::/home/INTERNAL/Administrator:/bin/false
>>>
>>> (the GID 100 is correct here; I did modify that in my AD)
>>>
>>>
>>> Greetz,
>>>
>>> louis
>>>
>>>
>> I will third that, I get exactly the same results
>>
>> Rowland
>>
>This is confused of England here ;-)
>
>You posted:
>
>[quote]
>
>But one fails :
>wbinfo  -i administrator
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user administrator
>
>[unquote]
>
>You have now posted:
>
>[quote]
>
>In my case, it's a Windows 2012 R2 server. I don't have the 'wbinfo' 
>command.
>
>[unquote]
>
>
>First you have used wbinfo, then suddenly you do not have the wbinfo 
>command????
>
>Which is it ????
>
>Rowland
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>
