[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

Marco Gaiarin gaio at sv.lnf.it
Mon Sep 24 14:42:33 UTC 2018 

Mandi! Rowland Penny via samba
  In chel di` si favelave...

> There is no 'local Administrator', the domain user Administrator is
> mapped to the local user 'root'. So if the domain user 'Administrator'
> has the password 'thispass' and maps to 'root', who has the password
> 'diffpass', then the user will be rejected because the user is known
> (root) and the password is wrong (thispass).

OK, interesting. With this hint, gone back to the logs i've got:

 [2018/09/24 11:31:02.652917,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]

so seems that effectively locan Administrator user (eg,
UNCI-UNCI\Administrator) get mapped to 'root', where indeed password
does not match (and UNCI-UNCI\root does not exist ;).


What really does not understand is:

a) why evidently in samba 4.5 this mapping get NOT done.

b) i've tried to modify 'user.map' from:

	!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

to
	!root = LNFFVG\Administrator LNFFVG\administrator

hoping in strict matching, but seems that match still get done (but
i've only reload smbd, not restarted it).


And, sorry rowland, there IS A 'local Administrator' for every windows
PC, and is a different user from DOMAIN\Administrator...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list