[Samba] security = server problem

Béla Csendes bcsendes at nyme.hu
Fri Apr 25 06:58:30 GMT 2003


I am using Samba 2.0.9 on S1 (a SuSE box) and Samba 2.2.5 on S2 (also a SuSE box). S1 
is acting as PDC for 98 and NT clients
(logon script, shares from S1 and S2). Users' passwords are stored on 
S1; S2 uses the security = server and
password server = S1 options in smb.conf.
I have upgraded both to Samba 2.2.8, but now, when the logon script tries to 
connect to a share on S2, it is
prompted for a password.

I have tested it (from my Linux box):

smbclient //S2/Share -U xxx (user xxx is in S1's smbpasswd and is not in 
S2's smbpasswd; S2 uses security = server)
I got:
session setup failed: NT_STATUS_LOGON_FAILURE


smbclient //S2/Share -U yyy (user yyy is in both S1's smbpasswd and S2's smbpasswd)

This works.

Any idea?

Thanks,

Bela Csendes
University of West Hungary
--------------------------------------------------

My log file (debug level=10):

[2003/04/25 08:16:44, 3] smbd/password.c:server_cryptkey(1046)
   connected to password server S1
[2003/04/25 08:16:44, 3] smbd/password.c:server_cryptkey(1065)
   got session
[2003/04/25 08:16:44, 6] lib/util_sock.c:write_socket(518)
   write_socket(24,168)
[2003/04/25 08:16:44, 6] lib/util_sock.c:write_socket(521)
   write_socket(24,168) wrote 168
[2003/04/25 08:16:44, 5] lib/util_sock.c:read_socket_with_timeout(293)
   read_socket_with_timeout: timeout read. EOF from client.
[2003/04/25 08:16:44, 10] lib/util_sock.c:receive_smb(609)
   receive_smb: length < 0 !
[2003/04/25 08:16:44, 10] lib/util_sock.c:client_receive_smb(676)
   client_receive_smb failed
[2003/04/25 08:16:44, 5] lib/util.c:show_msg(275)
   size=0
   smb_com=0x0
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=0
   smb_flg2=0
[2003/04/25 08:16:44, 5] lib/util.c:show_msg(281)
   smb_tid=0
   smb_pid=0
   smb_uid=0
   smb_mid=0
   smt_wct=0
[2003/04/25 08:16:44, 5] lib/util.c:show_msg(291)
   smb_bcc=0
[2003/04/25 08:16:44, 1] smbd/password.c:server_cryptkey(1068)
   S1 rejected the negprot


---------------------------------------------

My smb.conf files:

S1:

[global]
	coding system =
	client code page = 852
	code page directory = /usr/local/samba/lib/codepages
	workgroup = GI
	netbios name = S1
	netbios aliases =
	netbios scope =
	server string = NYME Eco
	interfaces =
	bind interfaces only = No
	security = USER
	encrypt passwords = Yes
	update encrypted = No
	allow trusted domains = Yes
	hosts equiv =
	min passwd length = 5
	map to guest = Bad User
	null passwords = No
	obey pam restrictions = No
	password server =
	smb passwd file = /usr/local/samba/private/smbpasswd
	root directory =
	pam password change = No
	passwd program = /usr/bin/passwd
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	username map =
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = No
	lanman auth = Yes
	use rhosts = No
	admin log = No
	log level = 1
	syslog = 1
	syslog only = No
	log file =
	max log size = 50
	timestamp logs = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	protocol = NT1
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	acl compatibility =
	nt smb support = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts host wins bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = No
	change notify timeout = 60
	deadtime = 0
	getwd cache = Yes
	keepalive = 30
	lpq cache time = 10
	max smbd processes = 0
	max disk size = 0
	max open files = 10000
	name cache timeout = 660
	read size = 16384
	socket options = TCP_NODELAY
	stat cache size = 50
	use mmap = Yes
	total print jobs = 0
	load printers = Yes
	printcap name = /etc/printcap
	disable spoolss = No
	enumports command =
	addprinter command =
	deleteprinter command =
	show add printer wizard = Yes
	os2 driver map =
	strip dot = No
	mangling method = hash
	character set = ISO8859-2
	mangled stack = 50
	stat cache = Yes
	domain admin group =
	domain guest group =
	machine password timeout = 604800
	add user script = /usr/sbin/useradd  -c GepW2000 -d /dev/null -s 
/bin/false -M %u
	delete user script =
	logon script = %G.bat
	logon path = \\%L\%U\profiles
	logon drive = h:
	logon home = \\%L\%U
	domain logons = Yes
	os level = 64
	lm announce = Auto
	lm interval = 60
	preferred master = Yes
	local master = Yes
	domain master = Yes
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = Yes
	wins proxy = Yes
	wins server = 193.225.93.11
	wins support = No
	wins hook =
	kernel oplocks = Yes
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	add share command =
	change share command =
	delete share command =
	config file =
	preload =
	lock dir = /usr/local/samba/var/locks
	pid directory = /usr/local/samba/var/locks
	default service =
	message command =
	dfree command =
	valid chars =
	remote announce = 193.225.117.255 172.16.255.255
	remote browse sync =
	socket address = 0.0.0.0
	homedir map =
	time offset = 0
	NIS homedir = No
	source environment =
	panic action =
	hide local users = No
	winbind uid =
	winbind gid =
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 15
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = No
	comment = Szerver beßllÝtßsai
	path =
	alternate permissions = No
	username =
	guest account = nobody
	invalid users =
	valid users =
	admin users = admin
	read list =
	write list =
	printer admin =
	force user =
	force group =
	read only = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = 00
	inherit permissions = No
	inherit acls = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 192.168. 193.225.93. 193.225.117. 172.16. 193.224.99. 
172.18. 172.19.
	hosts deny = 193.225.93.1
	status = Yes
	nt acl support = Yes
	profile acls = No
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	write cache size = 0
	max print jobs = 1000
	printable = No
	postscript = No
	printing = bsd
	print command = lpr -r -P%p %s
	lpq command = lpq -P%p
	lprm command = lprm -P%p %j
	lppause command =
	lpresume command =
	queuepause command =
	queueresume command =
	printer name =
	use client driver = No
	default devmode = No
	printer driver =
	printer driver file = /usr/local/samba/lib/printers.def
	printer driver location =
	default case = lower
	case sensitive = No
	preserve case = Yes
	short preserve case = Yes
	mangle case = No
	mangling char = ~
	hide dot files = Yes
	hide unreadable = No
	delete veto files = No
	veto files =
	hide files =
	veto oplock files =
	map system = No
	map hidden = No
	map archive = Yes
	mangled names = Yes
	mangled map =
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = No
	share modes = Yes
	copy =
	include =
	exec =
	preexec close = No
	postexec =
	root preexec =
	root preexec close = No
	root postexec =
	available = Yes
	volume =
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend =
	magic script =
	magic output =
	delete readonly = No
	dos filemode = No
	dos filetimes = No
	dos filetime resolution = No
	fake directory create times = No
	vfs object =
	vfs options =

[profiles]
	comment = Roaming profiles
	path = /home/%U/profiles
	read only = No
	create mask = 0600
	directory mask = 0700

[netlogon]
	comment = Logon script & policies
	path = /home/netlogon
	create mask = 0644


-----------------------------------------


S2:


[global]
	coding system =
	client code page = 852
	code page directory = /usr/local/samba/lib/codepages
	workgroup = GI
	netbios name = S2
	netbios aliases =
	netbios scope =
	server string = NYME Eco
	interfaces =
	bind interfaces only = No
	security = SERVER
	encrypt passwords = Yes
	update encrypted = No
	allow trusted domains = Yes
	hosts equiv =
	min passwd length = 5
	map to guest = Never
	null passwords = No
	obey pam restrictions = No
	password server = S1
	smb passwd file = /usr/local/samba/private/smbpasswd
	root directory =
	pam password change = No
	passwd program = /usr/bin/passwd
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	username map =
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = No
	lanman auth = Yes
	use rhosts = No
	admin log = No
	log level = 1
	syslog = 1
	syslog only = No
	log file =
	max log size = 50
	timestamp logs = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	protocol = NT1
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	acl compatibility =
	nt smb support = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts host wins bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = No
	change notify timeout = 60
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	lpq cache time = 10
	max smbd processes = 0
	max disk size = 0
	max open files = 10000
	name cache timeout = 660
	read size = 16384
	socket options = TCP_NODELAY SO_RCVBUF=8192
	stat cache size = 50
	use mmap = Yes
	total print jobs = 0
	load printers = Yes
	printcap name = /etc/printcap
	disable spoolss = No
	enumports command =
	addprinter command =
	deleteprinter command =
	show add printer wizard = Yes
	os2 driver map =
	strip dot = No
	mangling method = hash
	character set = ISO8859-2
	mangled stack = 50
	stat cache = Yes
	domain admin group =
	domain guest group =
	machine password timeout = 604800
	add user script =
	delete user script =
	logon script =
	logon path = \\%N\%U\profile
	logon drive =
	logon home = \\%N\%U
	domain logons = No
	os level = 20
	lm announce = Auto
	lm interval = 60
	preferred master = Auto
	local master = No
	domain master = Auto
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = Yes
	wins proxy = Yes
	wins server = 193.225.93.11
	wins support = No
	wins hook =
	kernel oplocks = No
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	add share command =
	change share command =
	delete share command =
	config file =
	preload =
	lock dir = /usr/local/samba/var/locks
	pid directory = /usr/local/samba/var/locks
	default service =
	message command =
	dfree command =
	valid chars =
	remote announce = 193.225.117.255  193.224.99.255 192.168.100.255 
172.16.255.255
	remote browse sync =
	socket address = 0.0.0.0
	homedir map =
	time offset = 0
	NIS homedir = No
	source environment =
	panic action =
	hide local users = No
	winbind uid =
	winbind gid =
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 15
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = No
	comment = Szerver beßllÝtßsai
	path =
	alternate permissions = No
	username =
	guest account = nobody
	invalid users =
	valid users =
	admin users =
	read list =
	write list =
	printer admin =
	force user =
	force group =
	read only = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = 00
	inherit permissions = No
	inherit acls = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 192.168. 193.225.93. 193.225.117. 172.16. 193.224.99. 
193.224. 172.18. 172.19. 193.225.132. 193.225.10.
	hosts deny =
	status = Yes
	nt acl support = Yes
	profile acls = No
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	write cache size = 0
	max print jobs = 1000
	printable = No
	postscript = No
	printing = bsd
	print command = lpr -r -P%p %s
	lpq command = lpq -P%p
	lprm command = lprm -P%p %j
	lppause command =
	lpresume command =
	queuepause command =
	queueresume command =
	printer name =
	use client driver = No
	default devmode = No
	printer driver =
	printer driver file = /usr/local/samba/lib/printers.def
	printer driver location =
	default case = lower
	case sensitive = No
	preserve case = Yes
	short preserve case = Yes
	mangle case = No
	mangling char = ~
	hide dot files = Yes
	hide unreadable = No
	delete veto files = No
	veto files =
	hide files =
	veto oplock files =
	map system = No
	map hidden = No
	map archive = Yes
	mangled names = Yes
	mangled map =
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = No
	share modes = Yes
	copy =
	include =
	exec =
	preexec close = No
	postexec =
	root preexec =
	root preexec close = No
	root postexec =
	available = Yes
	volume =
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend =
	magic script =
	magic output =
	delete readonly = No
	dos filemode = No
	dos filetimes = No
	dos filetime resolution = No
	fake directory create times = No
	vfs object =
	vfs options =




