Bad machine accounts

Andrew Perrin - Demography aperrin at demog.Berkeley.EDU
Tue May 26 17:19:41 GMT 1998


Well, I changed this last week and it didn't work; but then this morning
it started working fine after the cvs update.  so... thanks to Jeremy and
others for the advice; and to whatever changes were made over the weekend
in the cvs branch if they mattered :).

ap

---------------------------------------------------------------------
Andrew J. Perrin - aperrin at demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography    -    University of California at Berkeley
2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Thu, 21 May 1998, Jeremy Allison wrote:

> Andrew Perrin - Demography wrote:
> > 
> > Well, blake now browses okay, so I'll skip those.  Logs available for your
> > reading pleasure on the web are:
> > 
> > 1.) boserup (the pdc) when aperrin logs into kitagawa:
> > http://demog.berkeley.edu/~aperrin/bos.connect.log
> > 2.) blake when aperrin logs into kitagawa:
> > http://demog.berkeley.edu/~aperrin/bla.connect.log
> > 3.) boserup when aperrin tries to connect to \\boserup\aperrin or
> > \\boserup\homes:
> > http://demog.berkeley.edu/~aperrin/bos.usehome.log
> > 
> 
> Phew - nailed it. That one was a *bastard* to find.
> 
> The problem is you have 'revalidate = true' set in
> your smb.conf global section on BOSERUP.
> 
> This is interacting badly with the 'security=user'
> parameter - as it really is meant to be used for
> security=share settings.
> 
> What happens is that the tconX call is made with
> no password, as you have already given a valid
> encrypted password in the sessionsetupandX.
> 
> The default tconX case with no password is this piece of 
> code in password.c
> 
>   /* check for a previously validated username/password pair */
>   if (!ok && !lp_revalidate(snum) &&
>       (vuser != 0) && !vuser->guest &&
>       user_ok(vuser->name,snum)) {
>     fstrcpy(user,vuser->name);
>     *guest = False;
>     DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
>     ok = True;
>   }
> 
> Note that having revalidate set screws it up, as it causes
> this code not to be executed.
> 
> I'll check with Andrew for the exact meaning of the
> revalidate parameter, as I think it may be redundant
> with security=user, in which case we can replace this
> code with 
> 
> && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&....
> 
> But this is a security sensitive change so I'll not
> make it lightly.
> 
> Jeremy.
> 
> 
> -- 
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------
> 
