NT server security problems and questions
Alan Mak
siumk at hkstar.com
Wed Sep 16 12:10:05 GMT 1998
Hi Nardmann,
Have you tried to set your Samba server to the same domain as your NT?
And I guess you must have run the testparm command already.
Correct me if I am wrong -> the output from testparm is more real
than just looking into the smb.conf file.
Regards,
Alan
Heiko Nardmann wrote:
>
> Hi!
>
> Please excuse me if this is the wrong list I'm posting to.
>
> I'm having problems with using 'security = server'.
>
> Our situation is as follows:
> The LAN consists mainly of NT workstations.
> Now we needed one Unix machine for a new project.
> So I set up an ix86 Linux machine and tried to use 'security = server'.
> I set 'password server = 10.151.4.11' which is the IP of our NT server.
>
> I have read the man page of smb.conf, and the files WinNT.txt,
> ENCRYPTION.txt and security_level.txt.
>
> I have set up the following smb.conf file:
>
> [global]
> security = server
> password server = 10.151.4.11
> #security = user
> #security = share
>
> # offer the printers
> load printers = yes
> # BSD lp is used by default
> printer = lp
> printing = bsd
> printcap name = /etc/printcap
> lpq cache time = 30
> print command = /usr/bin/lpr -r -P%p %s
> lpq command = /usr/bin/lpq -P%p
> lprm command = /usr/bin/lprm -P%p %j
>
> # show the share list on the network
> browse list = yes
> browseable = yes
>
> # root is not allowed to log in here
> invalid users = root
>
> # current workgroup
> workgroup = SECUNET-SI
>
> # address of the WINS server
> wins server=129.0.20.99
>
> # comment shown in the listing
> server string = Linux Workstation (Linux Samba %v)
>
> # announce this machine as NT 4.0
> announce version = 4.0
>
> # no automatic disconnection
> deadtime = 0
>
> # location for lock files
> lock directory = /var/lock/samba
>
> # nmbd does not become local master browser
> local master = false
>
> # local drive to which the home directory is mapped
> logon drive = h:
>
> # no full login
> networkstation user login = yes
>
> # socket options
> socket options = SO_KEEPALIVE
>
> # encrypted passwords
> encrypt passwords = yes
> #update encrypted = yes
> #unix password sync = yes
> null passwords = true
>
> case sensitive = yes
>
> ; Please uncomment the following entry and replace the
> ; ip number and netmask with the correct numbers for
> ; your ethernet interface.
> ; interfaces = 192.168.1.1/255.255.255.0
>
> ; If you want Samba to act as a wins server, please set
> ; 'wins support = yes'
> wins support = no
>
> ; If you want Samba to use an existing wins server,
> ; please uncomment the following line and replace
> ; the dummy with the wins server's ip number.
> ; wins server = 192.168.1.1
>
> [homes]
> comment = Heimatverzeichnis
> browseable = no
> writable = yes
> create mask = 0750
> directory mask = 0750
> dos filetime resolution = true
> mangled names = yes
> user = %S
> preserve case = yes
>
> ; The following share gives all users access to the Server's CD drive,
> ; assuming it is mounted under /cd. To enable this share, please remove
> ; the semicolons before the lines
> ;
> [cdrom]
> comment = Linux CD-ROM
> path = /cdrom
> read only = yes
> locking = no
>
> [printers]
> comment = All Printers
> browseable = no
> printable = yes
> public = no
> read only = yes
> create mode = 0700
> directory = /tmp
>
> I know that many entries are already default values but I rather have them
> in here explicit than having to look into the man page for the default value.
>
> I also set up a /etc/smbpasswd file using the mksmbpasswd script.
> I just removed all entries but the ones for the users really needed.
> So it currently looks like this:
>
> #
> # SMB password file.
> #
> stein:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> foss:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> lehnert:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
> nardmann:10479:NO
> PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:10000::
>
> The following is the output I get trying the setup with both providing the local
> unix password and the domain password (the output is in both cases the same):
>
> sn-pc133:nardmann[~]>smbclient -L sn-pc133 -U nardmann
> Added interface ip=10.151.4.73 bcast=10.151.7.255 nmask=255.255.252.0
> Server time is Wed Sep 16 11:56:40 1998
> Timezone is UTC+2.0
> Password:
> Session setup failed for username=nardmann myname=SN-PC133 destname=SN-PC133 ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)
> You might find the -U, -W or -n options useful
> Sometimes you have to use `-n USERNAME' (particularly with OS/2)
> Some servers also insist on uppercase-only passwords
>
> In the meantime I do a 'tail -f /var/log/log.smb'.
> After starting 'smbclient -L sn-pc133 -U nardmann' but before
> typing in the password I already get the following output from the tail command:
>
> 10.151.4.11 rejected the session
> password server is not connected
>
> So the NT server just rejects my samba server.
> This is currently my main problem.
>
> Is there anyone who has experienced the same problem
> and maybe has found a solution for it?
>
> BTW: I have Version 1.9.18p8 installed on this machine.
>
> --
> Ciao ... Heiko Nardmann
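
The reply at the top of this message prefers testparm output to a reading of smb.conf. As an added example (not part of the thread and not Samba code), the Python below resolves a constructed excerpt of the posted file the way smb.conf(5) describes: comments dropped, case and whitespace in names ignored, documented aliases mapped to one name, the last assignment winning. The function names and the subset of aliases in the table are this example's own choices.

```python
import re

# Aliases from smb.conf(5): alias -> (canonical name, value inverted?).
# Names are stored with whitespace removed, because Samba ignores case and
# whitespace when it compares section and parameter names.
SYNONYMS = {
    "createmode": ("createmask", False), "directorymode": ("directorymask", False),
    "directory": ("path", False), "public": ("guestok", False),
    "user": ("username", False), "browsable": ("browseable", False),
    "writable": ("readonly", True), "writeable": ("readonly", True),
}
INVERT = {"yes": "no", "true": "no", "1": "no", "no": "yes", "false": "yes", "0": "yes"}

def compact(name):
    return re.sub(r"\s+", "", name).lower()

def effective_config(text):
    """Return {section: {parameter: value}} with comments, aliases and duplicates resolved."""
    text = re.sub(r"\\\n", "", text)         # a trailing backslash continues the line
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":       # both comment styles appear in the post
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(compact(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = (p.strip() for p in line.split("=", 1))
            key, inverted = SYNONYMS.get(compact(name), (compact(name), False))
            current[key] = INVERT.get(value.lower(), value) if inverted else value
    return sections

# Constructed excerpt based on the configuration quoted in the post.
SAMPLE = """\
[global]
security = server
password server = 10.151.4.11
#security = user
wins server=129.0.20.99
; wins server = 192.168.1.1
[homes]
writable = yes
create mask = 0750
[printers]
public = no
create mode = 0700
directory = /tmp
"""

if __name__ == "__main__":
    print(effective_config(SAMPLE))
```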