SAMBA Domain Controller

From wiki.breedveld.net
Revision as of 18:35, 6 January 2014 by Roland (Talk | contribs)

Jump to: navigation, search

Samba Domain on XP:

Start->run->MMC
->File->add/remove snap-in->Add
-->Add
--->Group Policy Object Editor->Add
---->(Group Policy Object must be 'Local Computer')->Finish
--->Close
-->OK
->Local Computer Policy
->Computer Configuration
->Windows Settings
->Security Settings
->Local Policies
->Security Options
->Disable "Domain Member: Digitally encrypt or sign secure channel data (always)"
Restart, and you should be able to log on with your Samba username and password.

Samba Domain on Windows7:

Start-> MMC
->File->add/remove snap-in->Add
-->Select Group Policy Object Editor->Add
---->(Group Policy Object must be 'Local Computer')->Finish
-->OK
->Local Computer Policy
->Computer Configuration
->Windows Settings
->Security Settings
->Local Policies
->Security Options
->Disable "Domain Member: Digitally encrypt or sign secure channel data (always)"

samba config:

testparm -s 

save this as samba_w7.reg, run it to load in the registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"RestartSetup"=dword:00000000
"SetupType"=dword:00000000
"SystemSetupInProgress"=dword:00000000
"SetupPhase"=dword:00000000
"CmdLine"=""
"OOBEInProgress"=dword:00000000

Reboot after this


add user

smbpasswd -a <user>

add machine

smbpasswd -a -m <machine>

delete user

smbpasswd -x <user>

machine verwijderen en vervolgens opnieuw aanmelden

pdbedit -x CLIENT-PC$
userdel CLIENT-PC$

List all users, with settings:

pdbedit -Lv

on workstation, scan and repair corruptions:

sfc /scanall

div. commands (samba):

net rpc rights list -all
net -S server -U domadmin rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
net rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege -S server -U domadmin
getfacl -t  /data/profiles/roland
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
net rpc group add demo -L -Uroot%not24get
net rpc group addmem demo "DOM\Domain Users" 
net groupmap list
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d 
net groupmap add ntgroup="Domain Users" unixgroup=ntusers rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
groupadd Orks
groupadd Elves
groupadd Gnomes
net groupmap add ntgroup="Orks"   unixgroup=Orks   type=d
net groupmap add ntgroup="Elves"  unixgroup=Elves  type=d
net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
net rpc trust create otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
  other_netbios_domain=dom2 otherdomain=dom2.dom trustpw=12345678 -S srv1.dom1.dom
net rpc trust create otherserver=srv2.dom2.test otheruser=dom2adm -S srv1.dom1.dom

Default ID's

Well-Known Entity	RID	Type	Essential
Domain Administrator	500	User	No
Domain Guest	501	User	No
Domain KRBTGT	502	User	No
Domain Admins	512	Group	Yes
Domain Users	513	Group	Yes
Domain Guests	514	Group	Yes
Domain Computers	515	Group	No
Domain Controllers	516	Group	No
Domain Certificate Admins	517	Group	No
Domain Schema Admins	518	Group	No
Domain Enterprise Admins	519	Group	No
Domain Policy Admins	520	Group	No
Builtin Admins	544	Alias	No
Builtin users	545	Alias	No
Builtin Guests	546	Alias	No
Builtin Power Users	547	Alias	No
Builtin Account Operators	548	Alias	No
Builtin System Operators	549	Alias	No
Builtin Print Operators	550	Alias	No
Builtin Backup Operators	551	Alias	No
Builtin Replicator	552	Alias	No
Builtin RAS Servers	553	Alias	No

div. commands (workstation):

net localgroup administrators /add domain_name\entity

The registry commands are:

net registry enumerate - Enumerate registry keys and values.
net registry enumerate_recursive - Enumerate registry key and its subkeys.
net registry createkey - Create a new registry key.
net registry deletekey - Delete a registry key.
net registry deletekey_recursive - Delete a registry key with subkeys.
net registry getvalue - Print a registry value.
net registry getvalueraw - Print a registry value (raw format).
net registry setvalue - Set a new registry value.
net registry increment - Increment a DWORD registry value under a lock.
net registry deletevalue - Delete a registry value.
net registry getsd - Get security descriptor.
net registry getsd_sdd1 - Get security descriptor in sddl format.
net registry setsd_sdd1 - Set security descriptor from sddl format string.
net registry import - Import a registration entries (.reg) file.
net registry export - Export a registration entries (.reg) file.
net registry convert - Convert a registration entries (.reg) file.
net registry check - Check and reapair a registry database.