Samba domain logon

Carl Yost Jr carlyos at Buffalo.com
Mon Mar 15 16:45:23 EST 2004 

Hmmmmmmmmm isn't that a !@&@!......... Have to remember that one. 
----- Original Message -----
From: Justin Bennett <justin.bennett at dynabrade.com>
Date: Mon, 15 Mar 2004 10:11:00 -0500
To: nflug at nflug.org
Subject: Re: Samba domain logon

> :) everyone has an opinion I won't state mine of MS right now. It 
> appears that he added a 'user' on the local pc that is an overide for 
> the domain:
> 
> "yes, from control panel
> 
> add user -> username and xxxxx as domain
> group : other (administrators)
> ok"
> 
> He added a user, but it's not really a user (doesn't show up when I do a remote manager) just lets you authenticate to the domain, then gives you local admin rights for a that user.
> 
> see:
> 
> http://www.dynabrade.com/jbennett/users.jpg
> 
> 
> 
> Justin Bennett
> Network Administrator
> RHCE (Redhat Certified Linux Engineer)
> Dynabrade, Inc.
> 8989 Sheridan Dr.
> Clarence, NY 14031
>  
> 
> 
> 
> On 03/15/2004 9:45 AM, Carl Yost Jr wrote:
> 
> >" This person is on a winblows box?"
> >
> >LOL this group makes me laugh :)
> >
> >
> >----- Original Message -----
> >From: Cyber Source <peter at thecybersource.com>
> >Date: Mon, 15 Mar 2004 09:43:21 -0500
> >To: nflug at nflug.org
> >Subject: Re: Samba domain logon
> >
> >  
> >
> >>This person is on a winblows box? anything is possible, especially with 
> >>xp. Can you log on from a different windows box there at your place with 
> >>this persons credentials and see what you get?
> >>
> >>Justin Bennett wrote:
> >>
> >>    
> >>
> >>>Any way he could have given admin priv. to them on the local box? 
> >>>Delegation wizard or something?
> >>>
> >>>Justin Bennett
> >>>Network Administrator
> >>>RHCE (Redhat Certified Linux Engineer)
> >>>Dynabrade, Inc.
> >>>8989 Sheridan Dr.
> >>>Clarence, NY 14031
> >>>
> >>>
> >>>
> >>>
> >>>On 03/15/2004 9:29 AM, Cyber Source wrote:
> >>>
> >>>      
> >>>
> >>>>It does sound like it's caching or,
> >>>>1. Did you restart smb after changing?
> >>>>2. Is there another group with these users in that might be allowing 
> >>>>a loophole of some sort?
> >>>>
> >>>>
> >>>>
> >>>>Justin Bennett wrote:
> >>>>
> >>>>        
> >>>>
> >>>>>As usual I have a weird one.
> >>>>>
> >>>>>I have a samba 2.2.7 domain controller. Everyone logs onto the 
> >>>>>domain. This is our remote europe site. They had admin rights, all 
> >>>>>memebers of a @domadm group set as the domain admin group. Over the 
> >>>>>weekend I removed most of the users from this group only allowing 
> >>>>>one person to be an admin.
> >>>>>
> >>>>>After that the acting admin over there (an accountant) says people 
> >>>>>didn't have their profiles (roaming in the users home).
> >>>>>
> >>>>>He said he logged in as an admin
> >>>>>
> >>>>>"and I created user 'user' with xxxx(our domain there) domain giving 
> >>>>>administrators rights, then logged in as 'user', and she found all 
> >>>>>her settings back again, inclunding printing. "
> >>>>>
> >>>>>(keep in mind his native language is not english.) I'm not sure what 
> >>>>>he did exactly thats why I included it, maybe someone has done 
> >>>>>something similar and it rings a bell...
> >>>>>
> >>>>>I thought he just created local users, however I verified they are 
> >>>>>still logging into the domain, however they appear to have admin 
> >>>>>rights again.
> >>>>>
> >>>>>It sounds like he used the GUI tool to try and grant admin rights on 
> >>>>>the domain. As far as I know as long as the user isn't in the domadm 
> >>>>>group they shouldn't have admin rights correct? Can this be cached 
> >>>>>on the machine?
> >>>>>
> >>>>>Any ideas why they may have admin right still?
> >>>>>
> >>>>>Justin
> >>>>>
> >>>>>
> >>>>>          
> >>>>>
> >
> >  
> >

-- 
_______________________________________________
http://www.Buffalo.com , WNY's #1 Website

More information about the nflug mailing list