Re: [Samba] \System32\GroupPolicy named pipe?
On Sat, 30 Nov 2002, Jason Spence wrote:

> Hi - I'm using samba to connect some windows boxen to a distributed set of unix machines. I'm trying to unify some of the administrative interfaces via mmc, specifically the group policy stuff.
>
> When I try to use the Group Policy snap-in to connect to my samba 2.2.1 servers, I see the windows box do a Tree Connect Andx to ADMIN$\System32\GroupPolicy, and then the samba box responds with 0x0004, permission denied. Then the windows box goes and tries to create ADMIN$\System32, which also fails. I have sniffer dumps of the exchange here (libpcap format, use Ethereal to open):

The ADMIN$ share is hard coded in Samba to deal with some ASU strangeness. The snap-in is probably trying to open a file which we won't allow on an IPC share IIRC. This would take some work to fix.

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
You can never go home again, Oatman, but I guess you can shop there.
--John Cusack - Grosse Point Blank (1997)

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] \System32\GroupPolicy named pipe?
On Sun, Dec 01, 2002 at 11:48:34AM +1100, Andrew Bartlett wrote:

> On Sun, 2002-12-01 at 08:08, Jason Spence wrote:
> > Hi - I'm using samba to connect some windows boxen to a distributed set of unix machines. I'm trying to unify some of the administrative interfaces via mmc, specifically the group policy stuff.
> >
> > When I try to use the Group Policy snap-in to connect to my samba 2.2.1 servers, I see the windows box do a Tree Connect Andx to ADMIN$\System32\GroupPolicy, and then the samba box responds with 0x0004, permission denied. Then the windows box goes and tries to create ADMIN$\System32, which also fails. I have sniffer dumps of the exchange here (libpcap format, use Ethereal to open):
> >
> > http://lightconsulting.com/~thalakan/gpdump.cap
>
> A comparative capture of what Win2k does could be useful here.

Actually, 172.16.0.254 in that capture is the Win2k SP3 box.

--
 - Jason
Currently at: Home (Fremont, CA) (Partly Cloudy)

Avoid Quiet and Placid persons unless you are in Need of Sleep.
-- National Lampoon, Deteriorata
Re: [Samba] \System32\GroupPolicy named pipe?
On Sun, Dec 01, 2002 at 12:25:40PM +1100, Andrew Bartlett wrote:

> Just a clarification: You can do IPC operations on disk shares, and some domain clients use ADMIN$ for the IPC part of the domain join. As Samba doesn't want to provide a 'disk' share that admins can't control, it maps it as an IPC share.

If I taught samba how to deal with an ADMIN$ share which defined a path = XXX while at the same time keeping the IPC functionality, would that violate any assumptions other code has? You make it sound like it might be a security risk too...

--
 - Jason
Currently at: Home (Fremont, CA) (Partly Cloudy)

Caution: breathing may be hazardous to your health.
Re: [Samba] \System32\GroupPolicy named pipe?
On Mon, 2002-12-02 at 06:59, Jason Spence wrote:

> On Sun, Dec 01, 2002 at 12:25:40PM +1100, Andrew Bartlett wrote:
> > Just a clarification: You can do IPC operations on disk shares, and some domain clients use ADMIN$ for the IPC part of the domain join. As Samba doesn't want to provide a 'disk' share that admins can't control, it maps it as an IPC share.
>
> If I taught samba how to deal with an ADMIN$ share which defined a path = XXX while at the same time keeping the IPC functionality, would that violate any assumptions other code has? You make it sound like it might be a security risk too...

Not as far as I know - see param/loadparm.c for the function that adds ADMIN$ and IPC$ - you would just remove that 'add'. Hmm, you might even get away with defining admin$ as a share...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] \System32\GroupPolicy named pipe?
Hi - I'm using samba to connect some windows boxen to a distributed set of unix machines. I'm trying to unify some of the administrative interfaces via mmc, specifically the group policy stuff.

When I try to use the Group Policy snap-in to connect to my samba 2.2.1 servers, I see the windows box do a Tree Connect Andx to ADMIN$\System32\GroupPolicy, and then the samba box responds with 0x0004, permission denied. Then the windows box goes and tries to create ADMIN$\System32, which also fails. I have sniffer dumps of the exchange here (libpcap format, use Ethereal to open):

http://lightconsulting.com/~thalakan/gpdump.cap

Poking around in the samba source code, it looks like ADMIN$ is aliased to IPC$, but the System32 named pipe isn't created anywhere. Does anyone have any thoughts on implementing this and whatever associated protocol is necessary to modify server-side group policies over it?

--
 - Jason
Currently at: Home (Fremont, CA) (Partly Cloudy)

Everything journalists write is true, except when they write about something you know.
-- Dag-Erling Smorgrav, June 1999, FreeBSD-Stable Mailing List
Re: [Samba] \System32\GroupPolicy named pipe?
On Sun, 2002-12-01 at 08:08, Jason Spence wrote:

> Hi - I'm using samba to connect some windows boxen to a distributed set of unix machines. I'm trying to unify some of the administrative interfaces via mmc, specifically the group policy stuff.
>
> When I try to use the Group Policy snap-in to connect to my samba 2.2.1 servers, I see the windows box do a Tree Connect Andx to ADMIN$\System32\GroupPolicy, and then the samba box responds with 0x0004, permission denied. Then the windows box goes and tries to create ADMIN$\System32, which also fails. I have sniffer dumps of the exchange here (libpcap format, use Ethereal to open):
>
> http://lightconsulting.com/~thalakan/gpdump.cap

A comparative capture of what Win2k does could be useful here.

> Poking around in the samba source code, it looks like ADMIN$ is aliased to IPC$, but the System32 named pipe isn't created anywhere. Does anyone have any thoughts on implementing this and whatever associated protocol is necessary to modify server-side group policies over it?

ADMIN$ is actually a disk share under NT - so it's not a system32 pipe, but actually c:\winnt\system32. (admin$ is an alias for %systempath%).

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] \System32\GroupPolicy named pipe?
On Sun, 2002-12-01 at 11:48, Andrew Bartlett wrote:

> On Sun, 2002-12-01 at 08:08, Jason Spence wrote:
> > Hi - I'm using samba to connect some windows boxen to a distributed set of unix machines. I'm trying to unify some of the administrative interfaces via mmc, specifically the group policy stuff.
> >
> > When I try to use the Group Policy snap-in to connect to my samba 2.2.1 servers, I see the windows box do a Tree Connect Andx to ADMIN$\System32\GroupPolicy, and then the samba box responds with 0x0004, permission denied. Then the windows box goes and tries to create ADMIN$\System32, which also fails. I have sniffer dumps of the exchange here (libpcap format, use Ethereal to open):
> >
> > http://lightconsulting.com/~thalakan/gpdump.cap
>
> A comparative capture of what Win2k does could be useful here.
>
> > Poking around in the samba source code, it looks like ADMIN$ is aliased to IPC$, but the System32 named pipe isn't created anywhere. Does anyone have any thoughts on implementing this and whatever associated protocol is necessary to modify server-side group policies over it?
>
> ADMIN$ is actually a disk share under NT - so it's not a system32 pipe, but actually c:\winnt\system32. (admin$ is an alias for %systempath%).

Just a clarification: You can do IPC operations on disk shares, and some domain clients use ADMIN$ for the IPC part of the domain join. As Samba doesn't want to provide a 'disk' share that admins can't control, it maps it as an IPC share.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net