[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

L.P.H. van Belle belle at bazuin.nl
Mon Sep 24 14:50:53 UTC 2018


You know what Windows did with the "default" local Administrator on the PC...
They disabled it...

If you joined a domain, the PC administrator is still disabled.

And the user is called PCNAME\Administrator and not Administrator.
You have "BUILTIN\Administrator" on the servers (or SERVERNAME\Administrator).


I hope this helps you understand your problem a bit more.
See also: 
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 24 September 2018 16:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
> 
> Hi! Rowland Penny via samba
>   On that day it was said...
> 
> > There is no 'local Administrator', the domain user Administrator is
> > mapped to the local user 'root'. So if the domain user 'Administrator'
> > has the password 'thispass' and maps to 'root', who has the password
> > 'diffpass', then the user will be rejected because the user is known
> > (root) and the password is wrong (thispass).
> 
> OK, interesting. With this hint, I went back to the logs and I've got:
> 
>  [2018/09/24 11:31:02.652917,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>    Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]
> 
> so it seems that effectively the local Administrator user (e.g.
> UNCI-UNCI\Administrator) gets mapped to 'root', where indeed the password
> does not match (and UNCI-UNCI\root does not exist ;).
> 
> 
> What I really do not understand is:
> 
> a) why evidently in samba 4.5 this mapping does NOT get done.
> 
> b) I've tried to modify 'user.map' from:
> 
> 	!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator
> 
> to
> 	!root = LNFFVG\Administrator LNFFVG\administrator
> 
> hoping for strict matching, but it seems that the match still gets done (but
> I've only reloaded smbd, not restarted it).
> 
> 
> And, sorry Rowland, there IS A 'local Administrator' for every Windows
> PC, and it is a different user from DOMAIN\Administrator...
> 
> -- 
> dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 
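
An added example, not part of the original mail or of Samba itself: a Python check that scans smbd authentication log entries of the form quoted above and reports accounts from outside the AD domain that the username map turned into root. The domain name LNFFVG comes from the user.map lines in the thread; the function name and the second and third log entries are constructed.

```python
import re

# Constructed sample input. Entry 1 is modelled on the log quoted in the thread;
# entries 2 and 3 are constructed for contrast (a real domain admin, a normal user).
SAMPLE_LOG = r"""
  Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]
  Auth: [SMB2,(null)] user [LNFFVG]\[Administrator] at [lun, 24 set 2018 11:40:00.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [ADMINPC] remote host [ipv4:10.5.2.10:50000] mapped to [LNFFVG]\[root]. local host [ipv4:10.5.1.26:445]
  Auth: [SMB2,(null)] user [LNFFVG]\[someuser] at [lun, 24 set 2018 11:41:00.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [PC01] remote host [ipv4:10.5.2.11:50001] mapped to [LNFFVG]\[someuser]. local host [ipv4:10.5.1.26:445]
"""

# Fields of the human-readable "Auth:" entry that matter for this check.
AUTH_RE = re.compile(
    r"user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r".*? status \[(?P<status>[^\]]*)\]"
    r".*? workstation \[(?P<ws>[^\]]*)\]"
    r".*? remote host \[(?P<remote>[^\]]*)\]"
    r".*? mapped to \[(?P<mdom>[^\]]*)\]\\\[(?P<muser>[^\]]*)\]"
)


def find_foreign_accounts_mapped_to_root(log_text, ad_domain):
    """Return auth events where an account outside ad_domain was mapped to root."""
    hits = []
    for match in AUTH_RE.finditer(log_text):
        event = match.groupdict()
        # Only events the username map rewrote to root are of interest.
        if event["muser"].lower() != "root" or event["user"].lower() == "root":
            continue
        # A supplied domain other than the AD domain (here the workstation name)
        # means a machine-local account matched an unqualified map entry.
        if event["dom"].lower() != ad_domain.lower():
            hits.append(event)
    return hits


if __name__ == "__main__":
    for e in find_foreign_accounts_mapped_to_root(SAMPLE_LOG, "LNFFVG"):
        print(f'{e["dom"]}\\{e["user"]} from {e["remote"]} ({e["ws"]}) '
              f'mapped to root, status {e["status"]}')
```
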



