Bad machine accounts
Jeremy Allison
jallison at whistle.com
Thu May 21 23:16:47 GMT 1998
Andrew Perrin - Demography wrote:
>
> Well, blake now browses okay, so I'll skip those. Logs available for your
> reading pleasure on the web are:
>
> 1.) boserup (the pdc) when aperrin logs into kitagawa:
> http://demog.berkeley.edu/~aperrin/bos.connect.log
> 2.) blake when aperrin logs into kitagawa:
> http://demog.berkeley.edu/~aperrin/bla.connect.log
> 3.) boserup when aperrin tries to connect to \\boserup\aperrin or
> \\boserup\homes:
> http://demog.berkeley.edu/~aperrin/bos.usehome.log
>
Phew - nailed it. That one was a *bastard* to find.
The problem is you have 'revalidate = true' set in
your smb.conf global section on BOSERUP.
This is interacting badly with the 'security=user'
parameter - as it really is meant to be used for
security=share settings.
What happens is that the tconX call is made with
no password, as you have already given a valid
encrypted password in the sessionsetupandX.
The default tconX case with no password is this piece of
code in password.c
    /* check for a previously validated username/password pair */
    if (!ok && !lp_revalidate(snum) &&
        (vuser != 0) && !vuser->guest &&
        user_ok(vuser->name,snum)) {
        fstrcpy(user,vuser->name);
        *guest = False;
        DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
        ok = True;
    }
Note that having revalidate set screws it up, as it causes
this code not to be executed.
I'll check with Andrew for the exact meaning of the
revalidate parameter, as I think it may be redundant
with security=user, in which case we can replace this
code with
    && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&....
But this is a security sensitive change so I'll not
make it lightly.
Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
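The following C program is an added illustration of the decision Jeremy describes; it is neither part of his message nor Samba's code. It models the tconX path where no password is supplied because the client already authenticated in sessionsetupandX, and runs the current condition (revalidate disables the validated-session shortcut unconditionally) beside his proposed condition (revalidate only matters below security=user) over every security/revalidate combination. The struct names, the SEC_SHARE/SEC_USER values, the user_ok() stub and the two sample sessions ("aperrin", a guest) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Samba's code) of the tconX decision discussed above:
 * a tree connect arrives with NO password because the client already
 * authenticated in the preceding sessionsetupandX.  Names below are
 * assumptions chosen to mirror the snippet: lp_security() is modelled by
 * cfg.security, lp_revalidate(snum) by cfg.revalidate, vuser by struct vuser. */

enum security_mode { SEC_SHARE = 1, SEC_USER = 2 };  /* assumption: SEC_USER > SEC_SHARE, as the proposed test requires */

struct cfg {
    enum security_mode security;   /* smb.conf 'security =' */
    bool revalidate;               /* smb.conf 'revalidate =' */
};

struct vuser {
    const char *name;              /* user validated at session setup */
    bool guest;                    /* true if that session is a guest session */
};

struct tcon_result {
    bool ok;                       /* connection accepted? */
    bool guest;                    /* accepted as guest? (only cleared on the accept path, as in the snippet) */
    const char *user;              /* accepted user name, NULL if rejected */
};

/* Stand-in for user_ok(name, snum): in this model every named user may
 * use the share and an anonymous (empty) name may not.  Assumption. */
static bool user_ok(const char *name)
{
    return name != NULL && name[0] != '\0';
}

/* Core of the "previously validated username/password pair" check.
 * 'shortcut_allowed' is the part of the condition that differs between
 * the current and the proposed code; everything else is identical. */
static struct tcon_result validated_session_check(const struct vuser *vu, bool shortcut_allowed)
{
    struct tcon_result r = { false, true, NULL };   /* 'ok' starts false: no password was supplied */

    if (!r.ok && shortcut_allowed && vu != NULL && !vu->guest && user_ok(vu->name)) {
        r.user = vu->name;
        r.guest = false;
        r.ok = true;
    }
    return r;
}

/* Current code: any 'revalidate = true' disables the shortcut, whatever the security mode. */
struct tcon_result tcon_accept_current(const struct cfg *c, const struct vuser *vu)
{
    return validated_session_check(vu, !c->revalidate);
}

/* Proposed change: revalidate only suppresses the shortcut at security=share;
 * above that the sessionsetupandX credentials are trusted for the tconX. */
struct tcon_result tcon_accept_proposed(const struct cfg *c, const struct vuser *vu)
{
    return validated_session_check(vu, !c->revalidate || c->security > SEC_SHARE);
}

int main(void)
{
    const struct vuser aperrin = { "aperrin", false };   /* constructed: validated non-guest session */
    const struct vuser nobody  = { "nobody", true };     /* constructed: guest session */
    const struct vuser *sessions[] = { &aperrin, &nobody };
    const struct cfg configs[] = {
        { SEC_USER,  true  },   /* BOSERUP's combination from the thread */
        { SEC_USER,  false },
        { SEC_SHARE, true  },
        { SEC_SHARE, false },
    };

    printf("%-8s %-10s %-8s %-8s %-8s\n", "security", "revalidate", "session", "current", "proposed");
    for (size_t i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        for (size_t j = 0; j < sizeof sessions / sizeof sessions[0]; j++) {
            struct tcon_result cur  = tcon_accept_current(&configs[i], sessions[j]);
            struct tcon_result prop = tcon_accept_proposed(&configs[i], sessions[j]);
            printf("%-8s %-10s %-8s %-8s %-8s\n",
                   configs[i].security == SEC_USER ? "user" : "share",
                   configs[i].revalidate ? "true" : "false",
                   sessions[j]->name,
                   cur.ok ? "ACCEPT" : "reject",
                   prop.ok ? "ACCEPT" : "reject");
        }
    }
    return 0;
}
```

The row for security=user with revalidate=true is the one that matters: the current condition rejects the already-validated "aperrin" session, which is the failure seen on BOSERUP, while the proposed condition accepts it and still rejects a guest session. At security=share both conditions behave identically, which is why the change is confined to the case where the parameter is arguably redundant.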