NT server security problems and questions

Heiko Nardmann h.nardmann at secunet.de
Wed Sep 16 08:28:15 GMT 1998


Please excuse me if this is the wrong list I'm posting to.

I'm having problems with using 'security = server'.

Our situation is as follows:
The LAN consists mainly of NT workstations.
Now we needed one Unix machine for a new project.
So I set up an ix86 Linux machine and tried to use 'security = server'.
I set 'password server =' which is the IP of our NT server.

I have read the man page of smb.conf, and the files WinNT.txt,
ENCRYPTION.txt and security_level.txt.

I have set up the following smb.conf file:

   security = server
   password server =
   #security = user
   #security = share

   # offer the printers
   load printers = yes
   # BSD lp is used by default
   printer = lp
   printing = bsd
   printcap name = /etc/printcap
   lpq cache time = 30
   print command = /usr/bin/lpr -r -P%p %s
   lpq command = /usr/bin/lpq -P%p
   lprm command = /usr/bin/lprm -P%p %j

   # show the share list on the network
   browse list = yes
   browseable = yes

   # root may not log in here
   invalid users = root

   # current workgroup
   workgroup = SECUNET-SI

   # address of the WINS server
   wins server=

   # comment shown in listings
   server string = Linux Workstation (Linux Samba %v)

   # announce this machine as NT 4.0
   announce version = 4.0

   # no automatic disconnection
   deadtime = 0

   # where lock files are stored
   lock directory = /var/lock/samba

   # nmbd does not become local master browser
   local master = false

   # local drive to which the home directory is mapped
   logon drive = h:

   # no full login
   networkstation user login = yes

   # socket options
   socket options = SO_KEEPALIVE

   # encrypted passwords
   encrypt passwords = yes
   #update encrypted = yes
   #unix password sync = yes
   null passwords = true

   case sensitive = yes

; Please uncomment the following entry and replace the
; ip number and netmask with the correct numbers for
; your ethernet interface.
;   interfaces =

; If you want Samba to act as a wins server, please set
; 'wins support = yes'
   wins support = no

; If you want Samba to use an existing wins server,
; please uncomment the following line and replace
; the dummy with the wins server's ip number.
;   wins server =

   comment = Heimatverzeichnis
   browseable = no
   writable = yes
   create mask = 0750
   directory mask = 0750
   dos filetime resolution = true
   mangled names = yes
   user = %S
   preserve case = yes

; The following share gives all users access to the Server's CD drive,
; assuming it is mounted under /cd. To enable this share, please remove
; the semicolons before the lines
   comment = Linux CD-ROM
   path = /cdrom
   read only = yes
   locking = no

   comment = All Printers
   browseable = no
   printable = yes
   public = no
   read only = yes
   create mode = 0700
   directory = /tmp

I know that many entries are already default values but I would rather have
them explicit in here than have to look into the man page for the default

I also set up a /etc/smbpasswd file using the mkdsmbpasswd script.
I just removed all entries but the ones for the users really needed.
So it currently looks like this:

# SMB password file.

The following is the output I get trying the setup with both providing
the local unix password and the domain password (the output is in both
cases the

sn-pc133:nardmann[~]>smbclient -L sn-pc133 -U nardmann
Added interface ip= bcast= nmask=
Server time is Wed Sep 16 11:56:40 1998
Timezone is UTC+2.0
Session setup failed for username=nardmann myname=SN-PC133
destname=SN-PC133   ERRSRV - ERRbadpw (Bad password - name/password pair
in a Tree Connect or Session Setup are invalid.)
You might find the -U, -W or -n options useful
Sometimes you have to use `-n USERNAME' (particularly with OS/2)
Some servers also insist on uppercase-only passwords

In the meantime I do a 'tail -f /var/log/log.smb'.
After starting 'smbclient -L sn-pc133 -U nardmann' but before
typing in the password I already get the following output from the tail
command: rejected the session
password server  is not connected

So the NT server just rejects my samba server.
This is currently my main problem.

Is there anyone who has experienced the same problem
and maybe has found a solution for it?

BTW: I have Version 1.9.18p8 installed on this machine.

Ciao ... Heiko Nardmann
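
An added example, not part of the original post and not Samba's own code: a small Python check that parses smb.conf text and flags the authentication settings discussed above ('security', 'password server', 'encrypt passwords', 'null passwords'). The finding codes, the sample configs and the server name NTSERVER are constructed for illustration, and the "no" defaults are an assumption for the 1.9.18 series.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}  # smb.conf boolean spellings

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameters seen before any [section] header are stored under ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")   # only the first '=' counts
        if sep:
            # names are case-insensitive and whitespace inside them is ignored
            key = re.sub(r"\s+", "", name).lower()
            sections[current][key] = value.strip()
    return sections

def audit_auth(text):
    """Return finding codes for the authentication-related global settings."""
    conf = parse_smb_conf(text)
    g = {**conf[""], **conf.get("global", {})}
    findings = []
    if g.get("security", "").lower() == "server" and not g.get("passwordserver"):
        findings.append("NO_PASSWORD_SERVER")    # nothing to validate against
    # defaults of "no" below are an assumption for the 1.9.18 series
    if g.get("nullpasswords", "no").lower() in TRUE_VALUES:
        findings.append("NULL_PASSWORDS")        # empty-password accounts can log on
    if g.get("encryptpasswords", "no").lower() not in TRUE_VALUES:
        findings.append("PLAINTEXT_PASSWORDS")   # passwords sent unencrypted
    return findings

# Constructed sample: the four auth lines as they appear in the archived post
POSTED = """
   security = server
   password server =
   encrypt passwords = yes
   null passwords = true
"""
# Constructed sample: NTSERVER is a hypothetical NetBIOS name
HARDENED = """
[global]
   Security = server
   Password Server = NTSERVER
   encrypt passwords = yes
   null passwords = no
"""

if __name__ == "__main__":
    print(audit_auth(POSTED), audit_auth(HARDENED))
```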

