[Samba] Bug with winbindd
Joffrey AUDIN
jaudin at adista.fr
Thu Apr 3 04:20:23 MDT 2014
### first command
net rpc rights list accounts -Uadm-me (I don't have the administrator password, adm-me is an administrator account)
Enter adm-me's password:
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
Everyone
No privileges assigned
##### Second command
net rpc rights grant 'EXPLOIT\Domain Admins' seDiskOperatorPrivilege -Uadm-jaudin
Enter adm-jaudin's password:
Successfully granted rights.
### PAM
It's not exactly like this in FreeBSD, but my PAM conf.d is set like yours. I think the problem is with winbindd.
'Joffrey
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
Sent: Thursday, 3 April 2014 12:06
To: samba at lists.samba.org
Subject: Re: [Samba] Bug with winbindd
Other question, Joffrey.
Since I'm having a lot of trouble setting up privileges,
can you test 1 thing for me?
Do these work:
net rpc rights list accounts -Uadministrator
and
net rpc rights grant 'YOURDOMAINNAME\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
For the ssh login,
try this: (Debian/Ubuntu systems)
cp /etc/pam.d/sshd /etc/pam.d/sshd.original
cat << EOF > /etc/pam.d/sshd
# copy from /etc/pam.d/common-auth - authentication settings common to all services
#
auth sufficient pam_winbind.so
auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
# copy from /etc/pam.d/common-account - authorization settings common to all services
#
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
# copy from /etc/pam.d/common-session - session-related modules common to all services
#
session required pam_mkhomedir.so
session required pam_winbind.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
EOF
Greetz,
Louis
>-----Original Message-----
>From: jaudin at adista.fr [mailto:samba-bounces at lists.samba.org]
>On Behalf Of Joffrey AUDIN
>Sent: Thursday, 3 April 2014 11:48
>To: 'Rowland Penny'; samba at lists.samba.org
>Subject: Re: [Samba] Bug with winbindd
>
>sorry
>I said one subcommand of wbinfo.
>wbinfo is on my FreeBSD domain member.
>The domain controller is the Windows 2012R2 (no wbinfo)
>
>But, I rebooted the Windows Controller and wbinfo -I works on the Unix
>member.
>I need to check why authentication with ssh doesn't work.
>
>'Joffrey
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>Sent: Thursday, 3 April 2014 11:37
>To: samba at lists.samba.org
>Subject: Re: [Samba] Bug with winbindd
>
>On 03/04/14 10:30, Joffrey AUDIN wrote:
>> I don't understand
>> Your AD is a Samba server? In my case, it's a Windows 2012 R2 server.
>> I don't have the 'wbinfo' command.
>> The problem is with all accounts, not only the administrator.
>>
>> 'Joffrey
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Thursday, 3 April 2014 11:22
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Bug with winbindd
>>
>> On 03/04/14 09:52, L.P.H. van Belle wrote:
>>> Since I was already testing with winbind also.
>>>
>>> I experience the same on the MEMBER server.
>>>
>>> wbinfo -D DOMAIN gives nice all info.
>>> wbinfo -i Administrator
>>> or
>>> wbinfo -i DOMAIN\Administrator
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> Did not work, BUT on my DC. ...
>>>
>>> i get :
>>> wbinfo -i Administrator
>>>
>>> INTERNAL\Administrator:*:0:100::/home/INTERNAL/Administrator:/bin/false
>>>
>>> ( the GID 100 is correct here i did modify that in my AD )
>>>
>>>
>>> Greetz,
>>>
>>> louis
>>>
>>>
>> I will third that, I get exactly the same results
>>
>> Rowland
>>
>This is confused of England here ;-)
>
>You posted:
>
>[quote]
>
>But one fails :
>wbinfo -i administrator
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user administrator
>
>[unquote]
>
>You have now posted:
>
>[quote]
>
>In my case, it's a Windows 2012 R2 server. I don't have the 'wbinfo'
>command.
>
>[unquote]
>
>
>First you have used wbinfo, then suddenly you do not have the wbinfo
>command????
>
>Which is it ????
>
>Rowland
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
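
An added example, not part of any message in this thread: a small Python parser for the account/privilege listing layout shown under "first command", used to check which accounts hold a privilege such as SeDiskOperatorPrivilege after a grant. The sample text is constructed, and the function names and the rule that privilege lines look like Se...Privilege are assumptions of this example.

```python
import re

# Constructed sample in the layout of the listing quoted in this thread
# (shortened, with the result of the later grant added); not real host output.
SAMPLE = """\
Enter adm-me's password:
BUILTIN\\Backup Operators
No privileges assigned
BUILTIN\\Administrators
SeMachineAccountPrivilege
SeBackupPrivilege
SeDiskOperatorPrivilege
EXPLOIT\\Domain Admins
SeDiskOperatorPrivilege
Everyone
No privileges assigned
"""

PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")   # assumption: privilege line shape
PROMPT_RE = re.compile(r"^Enter .*password:$")    # prompt pasted with the output
NO_PRIVS = "No privileges assigned"


def parse_rights(text):
    """Map each account name to the set of privileges listed under it."""
    rights, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_PRIVS or PROMPT_RE.match(line):
            continue
        if PRIV_RE.match(line):
            if current is None:
                raise ValueError("privilege line before any account: " + line)
            rights[current].add(line)
        else:                      # anything else starts a new account block
            current = line
            rights.setdefault(current, set())
    return rights


def holders(rights, privilege):
    """Accounts holding `privilege`; compared case-insensitively because the
    grant command in the thread spells it seDiskOperatorPrivilege."""
    want = privilege.lower()
    return sorted(a for a, privs in rights.items()
                  if want in {p.lower() for p in privs})


def unexpected_holders(rights, privilege, allowed):
    """Holders of `privilege` that are not on the reviewer's allow-list."""
    ok = {a.lower() for a in allowed}
    return [a for a in holders(rights, privilege) if a.lower() not in ok]
```

Feeding it the saved output of `net rpc rights list accounts` before and after a grant shows exactly which account gained the privilege.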