Re: [Samba] Joining a samba domain on WinXP without a root login?

2005-01-12 Thread Daniel Wilson
I have tried applying this patch and it doesn't seem to work!
I used
bash# patch -p1 < /tmp/domain_admin-join.patch
then ./configure --prefix=/usr/local/ --with-ldapsam
then make
then make install
I already have a machine account in LDAP
my user is a member of domain admins
bash# id ws0dwi
uid=186712(ws0dwi) gid=901(uni-staff-itacs) groups=901(uni-staff-itacs),512(Domain Admins),513(Domain Users),902(uni-staff-itacs-systems),921(uni-staff-srvs),922(uni-staff-srvs-devtrust)

On Windows 2000 Pro I get a msg box saying Logon failure: unknown username or bad password

Error logs on samba say:
[2005/01/12 10:38:07, 2] lib/smbldap.c:smbldap_open_connection(692)
 smbldap_open_connection: connection opened
[2005/01/12 10:38:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
 init_sam_from_ldap: Entry found for user: ws0dwi
[2005/01/12 10:38:07, 2] auth/auth.c:check_ntlm_password(305)
 check_ntlm_password:  authentication for user [ws0dwi] - [ws0dwi] - [ws0dwi] succeeded
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
 Returning domain sid for domain UNI-STAFF - S-1-5-21-82148923-2461359520-1342846908
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
 _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
 Returning domain sid for domain UNI-STAFF - S-1-5-21-82148923-2461359520-1342846908
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
 _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
[2005/01/12 10:38:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
 init_sam_from_ldap: Entry found for user: ws0dwi
[2005/01/12 10:38:09, 2] auth/auth.c:check_ntlm_password(305)
 check_ntlm_password:  authentication for user [ws0dwi] - [ws0dwi] - [ws0dwi] succeeded

any ideas? We really need this feature
Cheers, Dan

Gerald (Jerry) Carter wrote:
Hunter Rognstad wrote:
| I've been able to successfully join XP boxes to the samba domain on samba
| 2.2.3a (yes, I know it's old), registering the machine name and so
| forth, as many guides and so forth have shown online. However, it
| requires entering root's smbpasswd when joining the domain -- and I'd
| rather not have a Windows machine with any sort of remotely related root
| access to our servers, especially having the capability of a root login.
|
| I'm curious, since SAMBA is its own project and should be able to work
| around it, if it's possible to join the domain without allowing the user
| root to log into it. I've tried having invalid users = root, and
| experimented with the domain admin group and admin users settings to
| work around it, but to no avail. I've googled for a solution, and found
| no suggestions.

I posted an experimental patch last week that allows domain admins
(defined by the group mapping) to join machines to the domain.
It's at http://samba.org/~jerry/patches/post-3.0.10/
I'm reworking things now to use a privilege-based model (based on
code by Simo Sorce) so it will change before 3.0.11 I'm sure.


cheers, jerry

--

Daniel Wilson
Systems Administrator
IT  Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road
Sunderland
SR2 7PT
Tel: 0191 515 2695


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
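
The two ACCESS DENIED entries in the log above carry SAMR access masks. As an added example (not code from this thread or from Samba), the parser below pairs each denial with the last authenticated user and names the bits that were not granted. The bit names follow the MS-SAMR domain access mask definitions; the sample log is constructed from the lines quoted above, unwrapped.

```python
import re

# SAMR domain-object access bits, lowest bit first (names as in MS-SAMR).
DOMAIN_BITS = [
    "DOMAIN_READ_PASSWORD_PARAMETERS", "DOMAIN_WRITE_PASSWORD_PARAMS",
    "DOMAIN_READ_OTHER_PARAMETERS", "DOMAIN_WRITE_OTHER_PARAMETERS",
    "DOMAIN_CREATE_USER", "DOMAIN_CREATE_GROUP", "DOMAIN_CREATE_ALIAS",
    "DOMAIN_GET_ALIAS_MEMBERSHIP", "DOMAIN_LIST_ACCOUNTS", "DOMAIN_LOOKUP",
    "DOMAIN_ADMINISTER_SERVER",
]

# Constructed sample: lines taken from the log in the message above, unwrapped.
SAMPLE_LOG = """\
[2005/01/12 10:38:07, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [ws0dwi] - [ws0dwi] - [ws0dwi] succeeded
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
[2005/01/12 10:38:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]")
AUTH_OK = re.compile(r"authentication for user \[(?P<user>[^\]]+)\].*succeeded")
DENIED = re.compile(r"(?P<call>\w+): ACCESS DENIED\s*\((?P<masks>[^)]*)\)")
MASK = re.compile(r"(\w+):\s*(0x[0-9a-fA-F]+)")

def decode(mask):
    """Return the names of the domain access bits set in mask."""
    return [name for i, name in enumerate(DOMAIN_BITS) if (mask >> i) & 1]

def denied_events(log_text):
    """Return one dict per ACCESS DENIED entry, tagged with the last authenticated user."""
    ts, user, events = None, None, []
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:                      # timestamp line; the message follows on the next line
            ts = header.group("ts")
            continue
        auth = AUTH_OK.search(line)
        if auth:
            user = auth.group("user")
        denied = DENIED.search(line)
        if denied:
            m = {k: int(v, 16) for k, v in MASK.findall(denied.group("masks"))}
            wanted = m.get("required", m.get("requested", 0))
            # When no granted mask is logged, every requested bit is reported.
            missing = wanted & ~m.get("granted", 0)
            events.append({"ts": ts, "user": user, "call": denied.group("call"),
                           "missing": decode(missing)})
    return events
```
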


Re: [Samba] Joining a samba domain on WinXP without a root login?

2005-01-12 Thread Daniel Wilson
Sorry, please ignore this, forgot to kill all smbd processes before I 
make && make install, so an old process was running (which didn't have 
patch)!

Thanks so much for this patch, it works brilliantly! :)
Regards
Dan


[Samba] Joining a samba domain on WinXP without a root login?

2005-01-11 Thread Hunter Rognstad
I've been able to successfully join XP boxes to the samba domain on samba 
2.2.3a (yes, I know it's old), registering the machine name and so 
forth, as many guides and so forth have shown online. However, it 
requires entering root's smbpasswd when joining the domain -- and I'd 
rather not have a Windows machine with any sort of remotely related root 
access to our servers, especially having the capability of a root login.

I'm curious, since SAMBA is its own project and should be able to work 
around it, if it's possible to join the domain without allowing the user 
root to log into it. I've tried having invalid users = root, and 
experimented with the domain admin group and admin users settings to 
work around it, but to no avail. I've googled for a solution, and found 
no suggestions.

If it's only possible to join the domain with root logins enabled, how 
insecure is it, exactly, and what are the best methods of working around 
that? Is there a best equivalent way to Win9x logins for WinXP, so I 
don't have to create matching accounts on every machine?

Thanks.