Re: [Samba] login scripts do not run

2004-09-25 Thread Ilia Chipitsine
> Folks,
>
> If you want to execute a batch or command file that will update the windows
> client clock you need to note that only Administrator has the right
> (privilege) to update the system clock. This means that you need to update
> user rights and privileges so that "Everyone" or "Domain Users" can update
> the clock. This is NOT a samba problem - it is a Windows security settings
> issue.
>
> Log onto your Windows XP Pro system. Open up:
> Start->Control Panel->Administrative Tools->Local Security Settings
>
> In the left panel:
> Local Policies->User Rights Assignment
>
> In the right panel:
> Change the system time
>
> Give the appropriate users or groups the right to change the system time.
>
> Reboot the Windows XP Pro machine.
>
> Now when you log on the time will update as the logon script executes.
>
> This stuff is so simple! :)

Not that simple when you have to support a dozen computers.
In that case a command line utility (from the appropriate Resource Kit?)
is a much better solution.

> - John T.
>
> On Wednesday 22 September 2004 20:59, Raymond Lillard wrote:
> > [EMAIL PROTECTED] wrote:
> > > I have a simple script that sets the time on a Windows client at
> > > startup.
> > > The one-line script:
> > > net time \\myhost /set /yes
> > > Works perfectly well when I double-click it from Windows Explorer, so I
> > > don't think the problem lies there.
> > >
> > > The relevant lines in my smb.conf file:
> > >
> > > [global]
> > > time server = yes
> > > logon script = smbtimeset.BAT
> > >
> > > [netlogon]
> > >    comment = shared scripts
> > >    path = /usr/share/samba/scripts
> > >    public = no
> > >    writable = no
> > >    browseable = no
> > >
> > > I've set the log level to '3' and there aren't any messages at all
> > > relating to running a startup script.
> > >
> > > Any ideas?
> >
> > Well, yes I do.
> >
> > I was looking into this earlier today.
> >
> > You don't say enough about your workgroup/domain, but I
> > have this problem too.  In my case, I am running v3.0.6
> > as a PDC.  All of my MS clients are NT4-SP6 or better
> > (well newer anyway).  Most are WinXP.
> >
> > What I find in the event log of WinXP clients is a message
> > to the effect that the client has joined a NT4 domain
> > (in this case, my Samba PDC) and the MS NT4 generation
> > domain server does not support NTP.
> >
> > A bit of searching has found this:
> >
> > http://groups.google.com/groups?q=ntpclient+nt4-domain&hl=en&lr=&ie=UTF-8&c2coff=1&selm=%23Oa8EadWCHA.3360%40tkmsftngp11&rnum=1
> >
> > This article contains two links at the bottom
> > which look promising too.
> >
> > I'm about to start playing with it, but it would be
> > good to hear a Samba solution.  I don't like
> > hacking the registry.
> >
> > Ray
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] login scripts do not run

2004-09-24 Thread rruegner
Hi Denis, as I said, be happy with your version of the universe.

Denis Vlasenko wrote:
> On Friday 24 September 2004 00:21, rruegner wrote:
> > Hi Denis, this is nonsense, if a user wants to break your security he
> > will do it anyway, win auth is easy enough to be broken by any user
> > also in native win setups.
>
> I have first-hand practical experience in that ;)
>
> > If you want to be secure use no windows, I gave advice for the netlogon
> > problem and wanted to help out with the prog cpau which is very useful
> > as it can crypt admin account and pass, I don't want to be struggled in
> > security.
>
> As to original question, timekeeping problem can be nicely solved
> by either native Windows Simple NTP (I deployed one on the job),
> or by NTP. Last I checked their code was supporting dozens of platforms,
> including Win. Which is a pity, code got rather ugly...
>
> > Cpau is enough crypto to ban a normal user from seeing admin users and
> > his pass ( which must be cool enough ),
>
> Of course you can use unsafe methods. It's not a crime.
> Just don't pretend that this is a Right Thing to do.
>
> > but after all having enough time you will break any security.
>
> Yes. How many trillion years do you need to break AES?
>
> > Security is a concept not related to just one thing,
> > i.e. if the user can boot the computer from a floppy or a cd he will
> > find out the local admin account in seconds having the right tools,
> > so don't feed me with your paranoia stuff
>
> Shall I start to use telnet instead of ssh because of this? No.
>
> I think that the fact that one has some unsafe net
> cannot be used as an excuse for deploying some additional tools
> which are unsafe too. Move to more secure setup. You can do it at
> whatever slow pace you want if you have other priorities, but do not
> go backward.
>
> > Also any network sniffer and various other tools may break in security
> > anyway (i.e. man in the middle etc), but this is another discussion.
> > If you don't like this nice little tool, just let it go and wait for
> > wonder until windows get secure in the matter nix systems are
> --
> vda


Re: [Samba] login scripts do not run

2004-09-24 Thread Denis Vlasenko
On Friday 24 September 2004 00:21, rruegner wrote:
> Hi Denis, this is nonsense, if a user wants to break your security he
> will do it anyway, win auth is easy enough to be broken by any user
> also in native win setups.

I have first-hand practical experience in that ;)

> If you want to be secure use no windows, I gave advice for the netlogon
> problem and wanted to help out with the prog cpau which is very useful
> as it can crypt admin account and pass, I don't want to be struggled in
> security.

As to original question, timekeeping problem can be nicely solved
by either native Windows Simple NTP (I deployed one on the job),
or by NTP. Last I checked their code was supporting dozens of platforms,
including Win. Which is a pity, code got rather ugly...

> Cpau is enough crypto to ban a normal user from seeing admin users and
> his pass ( which must be cool enough ),

Of course you can use unsafe methods. It's not a crime.
Just don't pretend that this is a Right Thing to do.

> but after all having enough time you will break any security.

Yes. How many trillion years do you need to break AES?

> Security is a concept not related to just one thing,
> i.e. if the user can boot the computer from a floppy or a cd he will
> find out the local admin account in seconds having the right tools,
> so don't feed me with your paranoia stuff

Shall I start to use telnet instead of ssh because of this? No.

I think that the fact that one has some unsafe net
cannot be used as an excuse for deploying some additional tools
which are unsafe too. Move to more secure setup. You can do it at
whatever slow pace you want if you have other priorities, but do not
go backward.

> Also any network sniffer and various other tools may break in security
> anyway (i.e. man in the middle etc), but this is another discussion.
> If you don't like this nice little tool, just let it go and wait for
> wonder until windows get secure in the matter nix systems are
--
vda
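
A server-side check for the concern debated in this thread about cpau and RUNASP: a logon script, and any credential file stored beside it, can be read by every user who logs on. This is an added example, not code from any poster; the function and finding names, the tool-name list and the 64-character hex threshold are assumptions, and the sample tree is constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# Tool names from the thread (cpau, RUNASP); "runas" is an added assumption.
WRAPPER = re.compile(r"(?i)(?<![\w.-])(cpau|runasp|runas)(?:\.exe)?(?![\w-])")
# A long unbroken hex run, like the credential string quoted in the thread.
# The 64-character threshold is an assumption.
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{64,}")
# Batch (rem, ::) and VBScript (') comment lines are skipped.
COMMENT = re.compile(r"(?i)^\s*(rem\b|::|')")


def audit_netlogon(root):
    """Return sorted (relative_path, finding) pairs for every file under root."""
    root = Path(root)
    findings = set()
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # Anyone who can modify a logon script decides what runs at logon.
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.add((rel, "writable-by-group-or-other"))
        text = path.read_bytes()[:1_000_000].decode("latin-1")
        for line in text.splitlines():
            if COMMENT.match(line):
                continue
            if WRAPPER.search(line):
                findings.add((rel, "invokes-run-as-wrapper"))
            if HEX_BLOB.search(line):
                findings.add((rel, "opaque-credential-blob"))
    return sorted(findings)


def demo():
    """Build a constructed netlogon tree in a temp dir and audit it."""
    blob = "5B1C" * 24  # constructed 96-character hex run, not a real credential
    files = {
        "smbtimeset.BAT": (b"net time \\\\myhost /set /yes\r\n", 0o644),
        "update.bat": (
            b"rem constructed sample\r\n"
            b"\\\\myhost\\netlogon\\runasp.exe update.rap\r\n",
            0o664,
        ),
        "update.rap": (blob.encode() + b"\r\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, (data, mode) in files.items():
            (root / name).write_bytes(data)
            (root / name).chmod(mode)
        return audit_netlogon(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Run `audit_netlogon()` against the directory named by `path` in the `[netlogon]` share; each finding is a prompt to review the file, not proof of a leaked password.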



Re: [Samba] login scripts do not run

2004-09-24 Thread kent
Maybe I should have explained more of what is encrypted. Below is an example
of what is encrypted:
  
  
5B1CC95BAF6B10DD09D42ADE1A14D8D27134E31B1FBD6BDBB90993FC9D284C730E53ABC70C7ACC4C661CE4BD6E00F8C372A3B9A2A18C142AE0D1CB23B8870C772045D1FDA1D3B13729D75B66D97FB1360B1599735F2E2FBA2B3723C10F2A81A79BD4D7B89AF2684B8D245597F89D71962786FFE9069D1D93CD8EC895C1084440D7ADE53C9A4584A0DCCDAAB86433934767E9D72A3E48ABF02B870C9BB1A657114FE340972054C578602DB4A032ED0FFFD1B83149FDBBB73A34941D13626B84DA
 
  
That contains the username, password, path to command to run, domain, and an  
option for a directory to start in.  
  
It is used like this: runasp.exe somefile.rap where the contents of
somefile.rap is the string of characters above.
 
Does that help? 
 
Denis Vlasenko <[EMAIL PROTECTED]> wrote:
> On Thursday 23 September 2004 20:18, kent wrote:
> > Hello,
> > We have been successfully using RUNASP.exe
> > (http://www.mast-computer.com/c_9-s_7-l_en.html). You have to pay for
> > licensing however. We use it for everything, running programs, update
> > Norton AV. Password is encrypted. Is very simple to use.
>
> If this script is runnable by the user then user can see that
> encrypted password and use it to launch some malicious code
> instead using this tool with admin rights.
>
> Correct me if I'm wrong.
> --
> vda



Re: [Samba] login scripts do not run

2004-09-23 Thread rruegner
Hi Denis, this is nonsense, if a user wants to break your security he
will do it anyway, win auth is easy enough to be broken by any user
also in native win setups.
If you want to be secure use no windows, I gave advice for the netlogon
problem and wanted to help out with the prog cpau which is very useful
as it can crypt admin account and pass, I don't want to be struggled in
security.
Cpau is enough crypto to ban a normal user from seeing admin users and
his pass ( which must be cool enough ),
but after all having enough time you will break any security.
Security is a concept not related to just one thing,
i.e. if the user can boot the computer from a floppy or a cd he will
find out the local admin account in seconds having the right tools,
so don't feed me with your paranoia stuff
Also any network sniffer and various other tools may break in security
anyway (i.e. man in the middle etc), but this is another discussion.
If you don't like this nice little tool, just let it go and wait for
wonder until windows get secure in the matter nix systems are
Regards

Denis Vlasenko wrote:
> On Thursday 23 September 2004 19:50, rruegner wrote:
> > Hi,
> > no the admin account and pass can be crypted
> > so it's useful stuff
>
> How will you prevent user from running this under debugger and sniffing
> password from the program data segment?
> --
> vda


Re: [Samba] login scripts do not run

2004-09-23 Thread Denis Vlasenko
On Thursday 23 September 2004 19:50, rruegner wrote:
> Hi,
> no the admin account and pass can be crypted
> so it's useful stuff

How will you prevent user from running this under debugger and sniffing
password from the program data segment?
--
vda



Re: [Samba] login scripts do not run

2004-09-23 Thread sfjoe

Yes, I had done this but forgot to mention it. FYI, it's the same for W2K as for
XP. On my W2K client, I have given 'Everyone' permission to change the time
setting.


Quoting John H Terpstra <[EMAIL PROTECTED]>:

> Folks,
>
> If you want to execute a batch or command file that will update the windows
> client clock you need to note that only Administrator has the right
> (privilege) to update the system clock. This means that you need to update
> user rights and privileges so that "Everyone" or "Domain Users" can update
> the clock. This is NOT a samba problem - it is a Windows security settings
> issue.
>
> Log onto your Windows XP Pro system. Open up:
> Start->Control Panel->Administrative Tools->Local Security Settings
>
> In the left panel:
> Local Policies->User Rights Assignment
>
> In the right panel:
> Change the system time
>
> Give the appropriate users or groups the right to change the system time.
>
> Reboot the Windows XP Pro machine.
>
> Now when you log on the time will update as the logon script executes.
>
> This stuff is so simple! :)
>
> - John T.
>
> On Wednesday 22 September 2004 20:59, Raymond Lillard wrote:
> > [EMAIL PROTECTED] wrote:
> > > I have a simple script that sets the time on a Windows client at
> > > startup.
> > > The one-line script:
> > > net time \\myhost /set /yes
> > > Works perfectly well when I double-click it from Windows Explorer, so I
> > > don't think the problem lies there.
> > >
> > > The relevant lines in my smb.conf file:
> > >
> > > [global]
> > > time server = yes
> > > logon script = smbtimeset.BAT
> > >
> > > [netlogon]
> > >    comment = shared scripts
> > >    path = /usr/share/samba/scripts
> > >    public = no
> > >    writable = no
> > >    browseable = no
> > >
> > >
> > >
> > > I've set the log level to '3' and there aren't any messages at all
> > > relating to running a startup script.
> > >
> > > Any ideas?
> >
> > Well, yes I do.
> >
> > I was looking into this earlier today.
> >
> > You don't say enough about your workgroup/domain, but I
> > have this problem too.  In my case, I am running v3.0.6
> > as a PDC.  All of my MS clients are NT4-SP6 or better
> > (well newer anyway).  Most are WinXP.
> >
> > What I find in the event log of WinXP clients is a message
> > to the effect that the client has joined a NT4 domain
> > (in this case, my Samba PDC) and the MS NT4 generation
> > domain server does not support NTP.
> >
> > A bit of searching has found this:
> >
> > http://groups.google.com/groups?q=ntpclient+nt4-domain&hl=en&lr=&ie=UTF-8&c2coff=1&selm=%23Oa8EadWCHA.3360%40tkmsftngp11&rnum=1
> >
> > This article contains two links at the bottom
> > which look promising too.
> >
> > I'm about to start playing with it, but it would be
> > good to hear a Samba solution.  I don't like
> > hacking the registry.
> >
> > Ray
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.
>


Re: [Samba] login scripts do not run

2004-09-23 Thread rruegner
Hi,
no the admin account and pass can be crypted
so it's useful stuff
reading related progs osr stuff before posting may help you out next time
Regards

Denis Vlasenko wrote:
> On Thursday 23 September 2004 10:15, rruegner wrote:
> > Hi, all
> > you can use cpau ( run as replacement ) to make any script ( bat etc )
> > running with admin rights, there's also a little prog called hidecmd
> > which makes the run of the netlogon invisible.
>
> And thus make admin password visible to user??! No thank you.
>
> > After all the script must be readable under native linux and in the
> > samba share and built with a dos compatible editor like notepad.
> --
> vda


Re: [Samba] login scripts do not run

2004-09-23 Thread Denis Vlasenko
On Thursday 23 September 2004 10:15, rruegner wrote:
> Hi, all
> you can use cpau ( run as replacement ) to make any script ( bat etc )
> running with admin rights, there's also a little prog called hidecmd
> which makes the run of the netlogon invisible.

And thus make admin password visible to user??! No thank you.

> After all the script must be readable under native linux and in the
> samba share and built with a dos compatible editor like notepad.
--
vda



Re: [Samba] login scripts do not run

2004-09-23 Thread rruegner
Hi, all
you can use cpau ( run as replacement ) to make any script ( bat etc )
running with admin rights, there's also a little prog called hidecmd
which makes the run of the netlogon invisible.
After all the script must be readable under native linux and in the
samba share and built with a dos compatible editor like notepad.
Regards

John H Terpstra wrote:
> Folks,
>
> If you want to execute a batch or command file that will update the windows
> client clock you need to note that only Administrator has the right
> (privilege) to update the system clock. This means that you need to update
> user rights and privileges so that "Everyone" or "Domain Users" can update
> the clock. This is NOT a samba problem - it is a Windows security settings
> issue.
>
> Log onto your Windows XP Pro system. Open up:
> Start->Control Panel->Administrative Tools->Local Security Settings
>
> In the left panel:
> Local Policies->User Rights Assignment
>
> In the right panel:
> Change the system time
>
> Give the appropriate users or groups the right to change the system time.
>
> Reboot the Windows XP Pro machine.
>
> Now when you log on the time will update as the logon script executes.
>
> This stuff is so simple! :)
>
> - John T.
>
> On Wednesday 22 September 2004 20:59, Raymond Lillard wrote:
> > [EMAIL PROTECTED] wrote:
> > > I have a simple script that sets the time on a Windows client at
> > > startup.
> > > The one-line script:
> > > net time \\myhost /set /yes
> > > Works perfectly well when I double-click it from Windows Explorer, so I
> > > don't think the problem lies there.
> > >
> > > The relevant lines in my smb.conf file:
> > >
> > > [global]
> > > time server = yes
> > > logon script = smbtimeset.BAT
> > >
> > > [netlogon]
> > >    comment = shared scripts
> > >    path = /usr/share/samba/scripts
> > >    public = no
> > >    writable = no
> > >    browseable = no
> > >
> > > I've set the log level to '3' and there aren't any messages at all
> > > relating to running a startup script.
> > >
> > > Any ideas?
> >
> > Well, yes I do.
> >
> > I was looking into this earlier today.
> >
> > You don't say enough about your workgroup/domain, but I
> > have this problem too.  In my case, I am running v3.0.6
> > as a PDC.  All of my MS clients are NT4-SP6 or better
> > (well newer anyway).  Most are WinXP.
> >
> > What I find in the event log of WinXP clients is a message
> > to the effect that the client has joined a NT4 domain
> > (in this case, my Samba PDC) and the MS NT4 generation
> > domain server does not support NTP.
> >
> > A bit of searching has found this:
> >
> > http://groups.google.com/groups?q=ntpclient+nt4-domain&hl=en&lr=&ie=UTF-8&c2coff=1&selm=%23Oa8EadWCHA.3360%40tkmsftngp11&rnum=1
> >
> > This article contains two links at the bottom
> > which look promising too.
> >
> > I'm about to start playing with it, but it would be
> > good to hear a Samba solution.  I don't like
> > hacking the registry.
> >
> > Ray



Re: [Samba] login scripts do not run

2004-09-22 Thread John H Terpstra
Folks,

If you want to execute a batch or command file that will update the windows 
client clock you need to note that only Administrator has the right 
(privilege) to update the system clock. This means that you need to update 
user rights and privileges so that "Everyone" or "Domain Users" can update 
the clock. This is NOT a samba problem - it is a Windows security settings 
issue.

Log onto your Windows XP Pro system. Open up:
Start->Control Panel->Administrative Tools->Local Security Settings

In the left panel:
Local Policies->User Rights Assignment

In the right panel:
Change the system time

Give the appropriate users or groups the right to change the system time.

Reboot the Windows XP Pro machine.

Now when you log on the time will update as the logon script executes.

This stuff is so simple! :)

- John T.

On Wednesday 22 September 2004 20:59, Raymond Lillard wrote:
> [EMAIL PROTECTED] wrote:
> > I have a simple script that sets the time on a Windows client at
> > startup.
> > The one-line script:
> > net time \\myhost /set /yes
> > Works perfectly well when I double-click it from Windows Explorer, so I
> > don't think the problem lies there.
> >
> > The relevant lines in my smb.conf file:
> >
> > [global]
> > time server = yes
> > logon script = smbtimeset.BAT
> >
> > [netlogon]
> >    comment = shared scripts
> >    path = /usr/share/samba/scripts
> >    public = no
> >    writable = no
> >    browseable = no
> >
> >
> >
> > I've set the log level to '3' and there aren't any messages at all
> > relating to running a startup script.
> >
> > Any ideas?
>
> Well, yes I do.
>
> I was looking into this earlier today.
>
> You don't say enough about your workgroup/domain, but I
> have this problem too.  In my case, I am running v3.0.6
> as a PDC.  All of my MS clients are NT4-SP6 or better
> (well newer anyway).  Most are WinXP.
>
> What I find in the event log of WinXP clients is a message
> to the effect that the client has joined a NT4 domain
> (in this case, my Samba PDC) and the MS NT4 generation
> domain server does not support NTP.
>
> A bit of searching has found this:
>
> http://groups.google.com/groups?q=ntpclient+nt4-domain&hl=en&lr=&ie=UTF-8&c2coff=1&selm=%23Oa8EadWCHA.3360%40tkmsftngp11&rnum=1
>
> This article contains two links at the bottom
> which look promising too.
>
> I'm about to start playing with it, but it would be
> good to hear a Samba solution.  I don't like
> hacking the registry.
>
> Ray

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.


Re: [Samba] login scripts do not run

2004-09-22 Thread Raymond Lillard
[EMAIL PROTECTED] wrote:
> I have a simple script that sets the time on a Windows client at
> startup.
> The one-line script:
> net time \\myhost /set /yes
> Works perfectly well when I double-click it from Windows Explorer, so I
> don't think the problem lies there.
>
> The relevant lines in my smb.conf file:
>
> [global]
> time server = yes
> logon script = smbtimeset.BAT
>
> [netlogon]
>    comment = shared scripts
>    path = /usr/share/samba/scripts
>    public = no
>    writable = no
>    browseable = no
>
> I've set the log level to '3' and there aren't any messages at all
> relating to running a startup script.
>
> Any ideas?

Well, yes I do.

I was looking into this earlier today.

You don't say enough about your workgroup/domain, but I
have this problem too.  In my case, I am running v3.0.6
as a PDC.  All of my MS clients are NT4-SP6 or better
(well newer anyway).  Most are WinXP.

What I find in the event log of WinXP clients is a message
to the effect that the client has joined a NT4 domain
(in this case, my Samba PDC) and the MS NT4 generation
domain server does not support NTP.

A bit of searching has found this:

http://groups.google.com/groups?q=ntpclient+nt4-domain&hl=en&lr=&ie=UTF-8&c2coff=1&selm=%23Oa8EadWCHA.3360%40tkmsftngp11&rnum=1

This article contains two links at the bottom
which look promising too.

I'm about to start playing with it, but it would be
good to hear a Samba solution.  I don't like
hacking the registry.

Ray



Re: [Samba] login scripts do not run

2004-09-22 Thread Mark Sarria
Try this: create a directory called Netlogon, and set your share path to the
Netlogon directory. I did not see what your MASK or DIRECTORY MASK is?

Mark Sarria
Sylmar High School
Network Administrator

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 1:11 PM
Subject: [Samba] login scripts do not run


>
> I have a simple script that sets the time on a Windows client at
> startup.
> The one-line script:
> net time \\myhost /set /yes
> Works perfectly well when I double-click it from Windows Explorer, so I
> don't think the problem lies there.
>
> The relevant lines in my smb.conf file:
>
> [global]
> time server = yes
> logon script = smbtimeset.BAT
>
> [netlogon]
>    comment = shared scripts
>    path = /usr/share/samba/scripts
>    public = no
>    writable = no
>    browseable = no
>
>
>
> I've set the log level to '3' and there aren't any messages at all
> relating to running a startup script.
>
> Any ideas?
>


[Samba] login scripts do not run

2004-09-22 Thread sfjoe

I have a simple script that sets the time on a Windows client at
startup.
The one-line script:
net time \\myhost /set /yes
Works perfectly well when I double-click it from Windows Explorer, so I
don't think the problem lies there.

The relevant lines in my smb.conf file:

[global]
time server = yes
logon script = smbtimeset.BAT

[netlogon]
   comment = shared scripts
   path = /usr/share/samba/scripts
   public = no
   writable = no
   browseable = no



I've set the log level to '3' and there aren't any messages at all
relating to running a startup script.

Any ideas?
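
Server-side preconditions worth ruling out for the configuration posted above, as an added example that is not part of the original post. The function names are hypothetical and the script file is constructed; the `domain logons` requirement and the CR/LF expectation come from Samba's smb.conf documentation rather than from this thread, and the posted excerpt may simply have omitted that line.

```python
import tempfile
from pathlib import Path

# The smb.conf lines posted in the thread, embedded as a string.
POSTED_CONF = """\
[global]
time server = yes
logon script = smbtimeset.BAT

[netlogon]
   comment = shared scripts
   path = /usr/share/samba/scripts
   public = no
   writable = no
   browseable = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def check_logon_script(conf_text, fs_root="/"):
    """List server-side reasons the logon script would not be offered or run."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    problems = []
    if glob.get("domain logons", "no").lower() not in ("yes", "true", "on", "1"):
        problems.append("domain logons is not enabled in [global]")
    script, share = glob.get("logon script"), conf.get("netlogon", {})
    if not script or "path" not in share:
        return problems + ["logon script or [netlogon] path is missing"]
    # The script name is relative to the [netlogon] path.
    target = Path(fs_root, share["path"].lstrip("/"), script.replace("\\", "/"))
    if not target.is_file():
        return problems + [f"{target} does not exist"]
    data = target.read_bytes()
    if data.count(b"\n") != data.count(b"\r\n"):
        problems.append("script has bare LF line endings (DOS-style CR/LF expected)")
    return problems


def demo():
    """Check a constructed tree: a Unix-saved script, then a corrected setup."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp, "usr/share/samba/scripts/smbtimeset.BAT")
        script.parent.mkdir(parents=True)
        script.write_bytes(b"net time \\\\myhost /set /yes\n")
        before = check_logon_script(POSTED_CONF, tmp)
        script.write_bytes(b"net time \\\\myhost /set /yes\r\n")
        fixed = POSTED_CONF.replace("[global]", "[global]\ndomain logons = yes", 1)
        after = check_logon_script(fixed, tmp)
    return before, after


if __name__ == "__main__":
    print(demo())
```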
