NT server security problems and questions
Heiko Nardmann
h.nardmann at secunet.de
Wed Sep 16 08:28:15 GMT 1998
Hi!
Please excuse me if this is the wrong list I'm posting to.
I'm having problems with using 'security = server'.
Our situation is as follows:
The LAN consists mainly of NT workstations.
Now we needed one Unix machine for a new project.
So I set up an ix86 Linux machine and tried to use 'security = server'.
I set 'password server = 10.151.4.11' which is the IP of our NT server.
I have read the man page of smb.conf, and the files WinNT.txt,
ENCRYPTION.txt and security_level.txt.
I have set up the following smb.conf file:
[global]
security = server
password server = 10.151.4.11
#security = user
#security = share
# offer the printers
load printers = yes
# BSD lp is used by default
printer = lp
printing = bsd
printcap name = /etc/printcap
lpq cache time = 30
print command = /usr/bin/lpr -r -P%p %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# show the share list on the network
browse list = yes
browseable = yes
# root is not allowed to log in here
invalid users = root
# current workgroup
workgroup = SECUNET-SI
# address of the WINS server
wins server=129.0.20.99
# comment shown in listings
server string = Linux Workstation (Linux Samba %v)
# announce this machine as NT 4.0
announce version = 4.0
# no automatic disconnection
deadtime = 0
# where lock files are kept
lock directory = /var/lock/samba
# nmbd does not become local master browser
local master = false
# local drive the home directory is mapped to
logon drive = h:
# no full login
networkstation user login = yes
# socket options
socket options = SO_KEEPALIVE
# encrypted passwords
encrypt passwords = yes
#update encrypted = yes
#unix password sync = yes
null passwords = true
case sensitive = yes
; Please uncomment the following entry and replace the
; ip number and netmask with the correct numbers for
; your ethernet interface.
; interfaces = 192.168.1.1/255.255.255.0
; If you want Samba to act as a wins server, please set
; 'wins support = yes'
wins support = no
; If you want Samba to use an existing wins server,
; please uncomment the following line and replace
; the dummy with the wins server's ip number.
; wins server = 192.168.1.1
[homes]
comment = Heimatverzeichnis
browseable = no
writable = yes
create mask = 0750
directory mask = 0750
dos filetime resolution = true
mangled names = yes
user = %S
preserve case = yes
; The following share gives all users access to the Server's CD drive,
; assuming it is mounted under /cd. To enable this share, please remove
; the semicolons before the lines
;
[cdrom]
comment = Linux CD-ROM
path = /cdrom
read only = yes
locking = no
[printers]
comment = All Printers
browseable = no
printable = yes
public = no
read only = yes
create mode = 0700
directory = /tmp
I know that many entries are already default values, but I would rather have
them in here explicitly than have to look into the man page for the default
value.
I also set up a /etc/smbpasswd file using the mksmbpasswd script.
I just removed all entries but the ones for the users really needed.
So it currently looks like this:
#
# SMB password file.
#
stein:10479:NO
PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
foss:10479:NO
PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
lehnert:10479:NO
PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
nardmann:10479:NO
PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
The following is the output I get when trying the setup, providing both the
local Unix password and the domain password (the output is the same in both
cases):
sn-pc133:nardmann[~]>smbclient -L sn-pc133 -U nardmann
Added interface ip=10.151.4.73 bcast=10.151.7.255 nmask=255.255.252.0
Server time is Wed Sep 16 11:56:40 1998
Timezone is UTC+2.0
Password:
Session setup failed for username=nardmann myname=SN-PC133
destname=SN-PC133 ERRSRV - ERRbadpw (Bad password - name/password pair
in a Tree Connect or Session Setup are invalid.)
You might find the -U, -W or -n options useful
Sometimes you have to use `-n USERNAME' (particularly with OS/2)
Some servers also insist on uppercase-only passwords
In the meantime I do a 'tail -f /var/log/log.smb'.
After starting 'smbclient -L sn-pc133 -U nardmann' but before
typing in the password I already get the following output from the tail
command:
10.151.4.11 rejected the session
password server is not connected
So the NT server just rejects my samba server.
This is currently my main problem.
Is there anyone who has experienced the same problem
and maybe has found a solution for it?
BTW: I have Version 1.9.18p8 installed on this machine.
--
Ciao ... Heiko Nardmann
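
An added example, not part of the original post: a small audit that reads an smb.conf and an smbpasswd file like the ones quoted above and reports accounts whose LM field carries the NO PASSWORD marker while 'null passwords' is switched on. It assumes the marker and parameter semantics documented in Samba's ENCRYPTION.txt; the user names, the second uid and both sample strings are constructed.

```python
import configparser
import re

# Constructed sample input modelled on the two files quoted in the post.
SMB_CONF = """\
[global]
security = server
encrypt passwords = yes
null passwords = true
"""
SMBPASSWD = """\
# SMB password file.
alice:10479:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
bob:10480:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
"""
TRUE_WORDS = {"yes", "true", "1"}  # spellings smb.conf treats as "on"

def null_passwords_enabled(conf_text):
    """Return True if [global] sets 'null passwords' to a true value."""
    cp = configparser.RawConfigParser(comment_prefixes=("#", ";"), strict=False)
    cp.read_string(conf_text)
    value = cp.get("global", "null passwords", fallback="no")
    return value.strip().lower() in TRUE_WORDS

def classify_lm_field(field):
    """Classify the LM hash field (third column) of one smbpasswd entry."""
    if field.startswith("NO PASSWORD"):
        return "empty"      # account marked as having no password
    if re.fullmatch(r"[0-9A-Fa-f]{32}", field):
        return "hashed"     # a real LM hash is stored
    if field and set(field) == {"X"}:
        return "unset"      # placeholder, no password set yet
    return "malformed"

def passwordless_accounts(conf_text, smbpasswd_text):
    """List users marked passwordless while 'null passwords' is enabled."""
    if not null_passwords_enabled(conf_text):
        return []
    users = []
    for line in smbpasswd_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 3 and classify_lm_field(parts[2]) == "empty":
            users.append(parts[0])
    return users

if __name__ == "__main__":
    print(passwordless_accounts(SMB_CONF, SMBPASSWD))
```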