[Samba] Ongoing internal DNS discrepancies: !root = SAMDOM\Administrator
Patrick Goetz
pgoetz at math.utexas.edu
Sat Feb 12 13:57:34 UTC 2022
I just noticed another DNS discrepancy involving the use of
/etc/samba/smb.conf:
-------------------
[global]
username map = /etc/samba/user.map
archives@data2:/$ cat /etc/samba/user.map
!root = SAMDOM\Administrator
When this is set, the root user can just do stuff:
root@samba-dc:~# samba-tool computer list
IBS100$
DATA2$
SAMBA-DC$
ERAP-GNOME$
root@samba-dc:~# samba-tool computer delete erap-gnome
Deleted computer erap-gnome
root@samba-dc:~# samba-tool computer list
IBS100$
DATA2$
SAMBA-DC$
unless it involves DNS, in which case not even a query can be executed
without explicit administrator authentication:
root@samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A
Password for [EA\root]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.1.80[49153,sign,target_hostname=samba-dc,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.1.80]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server samba-dc failed with (3221225581,
'The attempted logon is invalid. This is either due to a bad username or
authentication information.')
root@samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com data2 A -U administrator
Password for [EA\administrator]:
Name=, Records=1, Children=0
A: 192.168.1.81 (flags=f0, serial=110, ttl=3600)
Since this is an Ubuntu system, root logins are disabled by default;
presumably this would work if I had root login enabled, but the issue is
why is it prompting me for authentication in the first place?
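
The lookup direction of the username map file shown in the post, as an added example that is not part of the original message: per smb.conf(5), each line reads "unix_name = client_name ..." and is applied to the name a connecting client supplies, with a leading "!" stopping further processing after a match. Everything in the sample file after its first mapping line, and all function names, are constructed for illustration; "@group" entries are not evaluated.

```python
import re

# Constructed sample: the first mapping line is the one from the post,
# the remaining lines are made up to exercise the file format.
SAMPLE_MAP = r'''
# comment
!root = SAMDOM\Administrator
guest = "Kiosk User" visitor
nobody = *
'''

def parse_user_map(text):
    """Return ordered rules: (unix_name, [client_names], stop_after_match)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, clients = (part.strip() for part in line.split("=", 1))
        stop = unix.startswith("!")
        # Client names containing spaces may be double-quoted.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', clients)]
        rules.append((unix.lstrip("!").strip(), names, stop))
    return rules

def resolve(rules, client_name):
    """Map a client-supplied name to the Unix name it would be given."""
    name = client_name
    for unix, clients, stop in rules:
        # '@group' entries need a Unix group lookup and are skipped here.
        hit = any(c == "*" or c.lower() == name.lower()
                  for c in clients if not c.startswith("@"))
        if hit:
            name = unix  # later lines are compared against the new name
            if stop:
                break
    return name

def clients_mapped_to(rules, unix_target="root"):
    """List explicitly named client accounts that end up as unix_target."""
    explicit = [c for _, cs, _ in rules for c in cs
                if c != "*" and not c.startswith("@")]
    return [c for c in explicit if resolve(rules, c) == unix_target]

if __name__ == "__main__":
    rules = parse_user_map(SAMPLE_MAP)
    for who in (r"SAMDOM\Administrator", "root", "visitor"):
        print(f"{who!r} -> {resolve(rules, who)!r}")
    print("mapped to root:", clients_mapped_to(rules))
```

The left-hand Unix name is never used as a lookup key, so the name "root" supplied by a client matches only the constructed wildcard line here, not the "!root" line.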