[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 24 14:50:53 UTC 2018
You know what windows did with the "default" local, Administrator on the PC..
They disabled them...
If you joined a domain, then still, the PC administrator is disabled.
And the users is called PCNAME\Administrator and not Administrator
You have "BUILTIN\Administrator" on the servers. ( or SERVERNAME\Administrator )
I hope this helps you understanding your problem a bit more.
See also:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Marco Gaiarin via samba
> Verzonden: maandag 24 september 2018 16:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and
> machine account access troubles.
>
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > There is no 'local Administrator', the domain user Administrator is
> > mapped to the local user 'root'. So if the domain user
> 'Administrator'
> > has the password 'thispass' and maps to 'root', who has the password
> > 'diffpass', then the user will be rejected because the user is known
> > (root) and the password is wrong (thispass).
>
> OK, interesting. With this hint, gone back to the logs i've got:
>
> [2018/09/24 11:31:02.652917, 2]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at
> [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status
> [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote
> host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root].
> local host [ipv4:10.5.1.26:445]
>
> so seems that effectively locan Administrator user (eg,
> UNCI-UNCI\Administrator) get mapped to 'root', where indeed password
> does not match (and UNCI-UNCI\root does not exist ;).
>
>
> What really does not understand is:
>
> a) why evidently in samba 4.5 this mapping get NOT done.
>
> b) i've tried to modify 'user.map' from:
>
> !root = LNFFVG\Administrator LNFFVG\administrator
> Administrator administrator
>
> to
> !root = LNFFVG\Administrator LNFFVG\administrator
>
> hoping in strict matching, but seems that match still get done (but
> i've only reload smbd, not restarted it).
>
>
> And, sorry rowland, there IS A 'local Administrator' for every windows
> PC, and is a different user from DOMAIN\Administrator...
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà , 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
>
> Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list