[Samba] SAMBA and 2 form factor auth

Russell Handorf rhandorf at handorf.org
Tue Sep 26 15:50:08 GMT 2006


Thanks Gerald,

Finally, the other kicker of the problem is when I mount the samba share 
on the system locally, SAMBA constantly attempts to reauthenticate with 
the RADIUS server, which in turn constantly fails the connection as the 
password has indeed changed (they're one-time passwords).

08:52:35.554507 IP 192.168.0.200.8294 > crypto.radius: RADIUS, Access Request (1), id: 0x91 length: 90
08:52:35.848306 IP crypto.radius > 192.168.0.200.8294: RADIUS, Access Reject (3), id: 0x91 length: 20
08:52:43.024629 IP 192.168.0.200.8295 > crypto.radius: RADIUS, Access Request (1), id: 0xc3 length: 90
08:52:43.388771 IP crypto.radius > 192.168.0.200.8295: RADIUS, Access Reject (3), id: 0xc3 length: 20

Maybe I should look into making a RADIUS server that caches last used 
passwords? Or is there a way to have SAMBA just accept the session as 
being previously authenticated and never reauthenticating?

r


Gerald (Jerry) Carter wrote:
> Russell Handorf wrote:
>   
>> fileserver:~# smbclient -U rhandorf -L \\\\localhost
>> Password:
>> Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]
>>
>>        Sharename       Type      Comment
>>        ---------       ----      -------
>>        netlogon        Disk      Network Logon Service
>>        public          Disk
>>        IPC$            IPC       IPC Service (samba file services)
>>        ADMIN$          IPC       IPC Service (samba file services)
>>        rhandorf        Disk      Home directory of rhandorf
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> NetBIOS over TCP disabled -- no workgroup available
>>
>> ======
>>
>> So, why does it auth twice? Why doesn't SAMBA keep 
>> the first auth session as a success, and of course fail
>> on the second when my token has changed?
>>     
>
> Restrict the connection to port 139 (-p 139)
> and smbclient will reuse the first connection.
> The problem is that the first one uses port 445 by default
> but you can only get browse lists over port 139.  So it
> has to retry.
>
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian

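Added example (not part of the original thread): Python that pairs RADIUS requests with their replies in tcpdump text like the capture above and flags a client whose one-time password is rejected repeatedly in a short span, the pattern a reconnecting SMB client produces. The 30-second window, the threshold of two rejects, the function names and the last two sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the tcpdump format quoted in the message above
# (first four lines mirror that capture; the last two are made up).
SAMPLE = """\
08:52:35.554507 IP 192.168.0.200.8294 > crypto.radius: RADIUS, Access Request (1), id: 0x91 length: 90
08:52:35.848306 IP crypto.radius > 192.168.0.200.8294: RADIUS, Access Reject (3), id: 0x91 length: 20
08:52:43.024629 IP 192.168.0.200.8295 > crypto.radius: RADIUS, Access Request (1), id: 0xc3 length: 90
08:52:43.388771 IP crypto.radius > 192.168.0.200.8295: RADIUS, Access Reject (3), id: 0xc3 length: 20
09:10:02.100000 IP 192.168.0.201.9000 > crypto.radius: RADIUS, Access Request (1), id: 0x10 length: 90
09:10:02.300000 IP crypto.radius > 192.168.0.201.9000: RADIUS, Access Accept (2), id: 0x10 length: 20
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): RADIUS, "
    r"Access (?P<kind>Request|Accept|Reject) \(\d+\), id: (?P<id>0x[0-9a-f]+)")

def parse(text):
    """Pair each Access-Request with its reply using (client socket, RADIUS id)."""
    pending, results = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        if m["kind"] == "Request":
            pending[(m["src"], m["id"])] = ts
        else:
            key = (m["dst"], m["id"])  # the reply returns to the requesting socket
            if key in pending:
                del pending[key]
                client = m["dst"].rpartition(".")[0]  # strip the source port
                results.append((client, ts, m["kind"]))
    return results

def reject_bursts(results, window=timedelta(seconds=30), threshold=2):
    """Clients with at least `threshold` rejects inside one window."""
    flagged, by_client = set(), {}
    for client, ts, kind in results:
        if kind != "Reject":
            continue
        times = by_client.setdefault(client, [])
        times.append(ts)
        recent = [t for t in times if ts - t <= window]
        if len(recent) >= threshold:
            flagged.add(client)
    return sorted(flagged)
```

Calling `reject_bursts(parse(SAMPLE))` reports 192.168.0.200, the host that sent two rejected requests about eight seconds apart.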