NT server security problems and questions

Alan Mak siumk at hkstar.com
Wed Sep 16 12:10:05 GMT 1998


Hi Nardmann,

Have you tried to set your Samba server to the same domain as your NT?
And I guess you must have run the testparm command already.
Correct me if I am wrong -> the output from testparm is more real
than just looking into the smb.conf file.


Regards,

Alan

Heiko Nardmann wrote:
> 
> Hi!
> 
> Please excuse me if this is the wrong list I'm posting to.
> 
> I'm having problems with using 'security = server'.
> 
> Our situation is as follows:
> The LAN consists mainly out of NT workstations.
> Now we needed one Unix machine for a new project.
> So I setup a ix86 Linux machine and tried to use 'security = server'.
> I set 'password server = 10.151.4.11' which is the IP of our NT server.
> 
> I have read the man page of smb.conf, and the files WinNT.txt,
> ENCRYPTION.txt and security_level.txt.
> 
> I have setup the following smb.conf file:
> 
> [global]
>    security = server
>    password server = 10.151.4.11
>    #security = user
>    #security = share
> 
>    # offer the printers
>    load printers = yes
>    # BSD lp is used by default
>    printer = lp
>    printing = bsd
>    printcap name = /etc/printcap
>    lpq cache time = 30
>    print command = /usr/bin/lpr -r -P%p %s
>    lpq command = /usr/bin/lpq -P%p
>    lprm command = /usr/bin/lprm -P%p %j
> 
>    # show the share list on the network
>    browse list = yes
>    browseable = yes
> 
>    # root is not allowed to log in here
>    invalid users = root
> 
>    # current workgroup
>    workgroup = SECUNET-SI
> 
>    # address of the WINS server
>    wins server=129.0.20.99
> 
>    # comment shown in the listing
>    server string = Linux Workstation (Linux Samba %v)
> 
>    # announce this machine as NT 4.0
>    announce version = 4.0
> 
>    # no automatic disconnection
>    deadtime = 0
> 
>    # where lock files are stored
>    lock directory = /var/lock/samba
> 
>    # nmbd does not become local master browser
>    local master = false
> 
>    # local drive to which the home directory is mapped
>    logon drive = h:
> 
>    # no full login
>    networkstation user login = yes
> 
>    # socket options
>    socket options = SO_KEEPALIVE
> 
>    # encrypted passwords
>    encrypt passwords = yes
>    #update encrypted = yes
>    #unix password sync = yes
>    null passwords = true
> 
>    case sensitive = yes
> 
> ; Please uncomment the following entry and replace the
> ; ip number and netmask with the correct numbers for
> ; your ethernet interface.
> ;   interfaces = 192.168.1.1/255.255.255.0
> 
> ; If you want Samba to act as a wins server, please set
> ; 'wins support = yes'
>    wins support = no
> 
> ; If you want Samba to use an existing wins server,
> ; please uncomment the following line and replace
> ; the dummy with the wins server's ip number.
> ;   wins server = 192.168.1.1
> 
> [homes]
>    comment = Heimatverzeichnis
>    browseable = no
>    writable = yes
>    create mask = 0750
>    directory mask = 0750
>    dos filetime resolution = true
>    mangled names = yes
>    user = %S
>    preserve case = yes
> 
> ; The following share gives all users access to the Server's CD drive,
> ; assuming it is mounted under /cd. To enable this share, please remove
> ; the semicolons before the lines
> ;
> [cdrom]
>    comment = Linux CD-ROM
>    path = /cdrom
>    read only = yes
>    locking = no
> 
> [printers]
>    comment = All Printers
>    browseable = no
>    printable = yes
>    public = no
>    read only = yes
>    create mode = 0700
>    directory = /tmp
> 
> I know that many entries are already default values but I rather have them
> in here explicit than having to look into the man page for the default value.
> 
> I also set up a /etc/smbpasswd file using the mkdsmbpasswd script.
> I just removed all entries but the ones for the users really needed.
> So it currently looks like this:
> 
> #
> # SMB password file.
> #
> stein:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> foss:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> lehnert:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> nardmann:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> 
> The following is the output I get trying the setup with both providing the local
> unix password and the domain password (the output is in both cases the same):
> 
> sn-pc133:nardmann[~]>smbclient -L sn-pc133 -U nardmann
> Added interface ip=10.151.4.73 bcast=10.151.7.255 nmask=255.255.252.0
> Server time is Wed Sep 16 11:56:40 1998
> Timezone is UTC+2.0
> Password:
> Session setup failed for username=nardmann myname=SN-PC133 destname=SN-PC133   ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)
> You might find the -U, -W or -n options useful
> Sometimes you have to use `-n USERNAME' (particularly with OS/2)
> Some servers also insist on uppercase-only passwords
> 
> In the meantime I do a 'tail -f /var/log/log.smb'.
> After starting 'smbclient -L sn-pc133 -U nardmann' but before
> typing in the password I already get the following output from the tail
> command:
> 
> 10.151.4.11 rejected the session
> password server  is not connected
> 
> So the NT server just rejects my samba server.
> This is currently my main problem.
> 
> Is there anyone who has experienced the same problem
> and maybe has found a solution for it?
> 
> BTW: I have Version 1.9.18p8 installed on this machine.
> 
> --
> Ciao ... Heiko Nardmann
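
The difference between reading smb.conf and looking at the settings that actually take effect, which is what the testparm suggestion in the reply is about, shown as an added Python sketch; it is not part of either message and not Samba code. It resolves the parameter synonyms used in the quoted file and flags two authentication-relevant settings; the function names are hypothetical, the sample is a constructed excerpt of the posted values, and the `password server` check assumes the smb.conf man page wording of that era, which asks for a NetBIOS name.

```python
import ipaddress

# Constructed excerpt: a subset of the parameters from the smb.conf in the post.
SAMPLE = """\
[global]
   security = server
   password server = 10.151.4.11
   #security = user
   encrypt passwords = yes
   null passwords = true
;   wins server = 192.168.1.1
[homes]
   writable = yes
   user = %S
[printers]
   public = no
   create mode = 0700
   directory = /tmp
"""
# Synonyms that appear in the post: name -> (canonical name, boolean inverted?)
SYNONYMS = {"writable": ("read only", True), "public": ("guest ok", False),
            "create mode": ("create mask", False), "directory": ("path", False),
            "user": ("username", False)}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def effective(text):
    """Return {section: {canonical parameter: value}}; a later line overrides."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # only whole-line comments exist
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            name = " ".join(name.lower().split())   # case and spacing ignored
            name, inverted = SYNONYMS.get(name, (name, False))
            if inverted and value.lower() in TRUE | FALSE:
                value = "no" if value.lower() in TRUE else "yes"
            conf[section][name] = value
    return conf

def auth_findings(conf):
    """Flag authentication-relevant [global] settings (hypothetical checks)."""
    g, out = conf.get("global", {}), []
    try:
        ipaddress.ip_address(g.get("password server", ""))
        out.append("password server is an IP literal, not a NetBIOS name")
    except ValueError:
        pass
    if g.get("null passwords", "no").lower() in TRUE:
        out.append("null passwords: accounts with an empty password are accepted")
    return out
```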

