security problems - rather serious.

Seth Vidal skvidal at phy.duke.edu
Wed Aug 23 18:40:00 GMT 2000


Hi,


I have a linux machine w/ two samba servers running on it: one is called
puck the other is called nt-linux
Both are running samba 2.0.7 (rh packaging)

the nt-linux server uses encrypted passwords
the puck server uses unencrypted passwords (for older systems)

I have update encrypted set to yes in the smb.conf of puck (the system w/
unencrypted passwords) and I'm pointing both smb.conf's to the same
smbpasswd file.

I have null passwords = false in both smb.conf's.

I have set quite a few users to have null passwords (in the smbpasswd file
(via smbpasswd -n username)) so that the unencrypted password server will
be able to update their passwords.

So I figured setting null passwords = false would deny people attempting
to connect w/no password access to the encrypted password server.

The problem is that this is not happening.

When I attempt to connect w/o a password from win98 to the encrypted
password server I am allowed to login and given write access to the areas
that should only be writable by the user (namely their homedir).

This is a SERIOUS problem b/c it means null passwords = no is not being
obeyed.

Has anyone else encountered this problem?
Is this the way it's supposed to work?
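The two-server setup described in this post, as an added example that is neither the poster's nor the Samba project's code: a small Python audit that parses an smbpasswd file and the [global] section of two smb.conf fragments, lists the accounts that carry the N (no password) flag that `smbpasswd -n` sets, and reports any server whose `null passwords = no` is paired with such accounts in the shared file. The account names, uids, hashes and config values below are constructed for the example; the file format (colon-separated fields, 32-character hash fields, an `[flags]` account-control field) and the parameter names are Samba's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Marker Samba writes into both hash fields when an account has no password.
NO_PASSWORD_HASH = "NO PASSWORD" + "X" * 21  # 32 characters, like a real hash field


@dataclass
class SmbAccount:
    name: str
    uid: int
    flags: str      # letters from the [...] account-control field, spaces removed
    lm_hash: str
    nt_hash: str

    @property
    def null_password(self) -> bool:
        """True if the entry is marked 'no password' by flag or by hash marker."""
        return ("N" in self.flags
                or self.lm_hash == NO_PASSWORD_HASH
                or self.nt_hash == NO_PASSWORD_HASH)

    @property
    def disabled(self) -> bool:
        return "D" in self.flags


def parse_smbpasswd(text: str) -> List[SmbAccount]:
    """Parse 'user:uid:LMHASH:NTHASH:[flags]:LCT-...:' lines; skip comments/blank lines."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed entry; a stricter audit would report it
        name, uid, lm_hash, nt_hash, acct_ctrl = fields[:5]
        m = re.fullmatch(r"\[([A-Z ]*)\]", acct_ctrl)
        flags = m.group(1).replace(" ", "") if m else ""
        accounts.append(SmbAccount(name, int(uid), flags, lm_hash, nt_hash))
    return accounts


def parse_smb_conf_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters as a dict; keys lowercased, whitespace collapsed."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def as_bool(value: str) -> bool:
    """smb.conf booleans: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def find_null_password_accounts(accounts: List[SmbAccount]) -> List[str]:
    """Enabled accounts that carry the null-password marker, sorted by name."""
    return sorted(a.name for a in accounts if a.null_password and not a.disabled)


def audit_server(server: str, conf_text: str, accounts: List[SmbAccount]) -> List[str]:
    """Findings for one server sharing the given smbpasswd accounts."""
    g = parse_smb_conf_global(conf_text)
    encrypt = as_bool(g.get("encrypt passwords", "no"))
    null_ok = as_bool(g.get("null passwords", "no"))
    update = as_bool(g.get("update encrypted", "no"))
    exposed = find_null_password_accounts(accounts)
    findings = []
    if exposed and not null_ok:
        findings.append(f"{server}: null passwords = no, but {len(exposed)} enabled "
                        f"account(s) in the shared smbpasswd file carry the N flag: "
                        f"{', '.join(exposed)}")
    if update and not encrypt and exposed:
        findings.append(f"{server}: update encrypted = yes; plaintext logins here rewrite "
                        f"the hashes in the shared file, so recheck the N flag after "
                        f"users have logged in")
    return findings


# --- constructed sample data (invented names, uids and hashes) ---
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed sample, not a real password file",
    "alice:1001:AABBCCDDEEFF00112233445566778899:99887766554433221100FFEEDDCCBBAA:[U          ]:LCT-39A1C2B0:",
    f"bob:1002:{NO_PASSWORD_HASH}:{NO_PASSWORD_HASH}:[UN         ]:LCT-39A1C2B0:",
    f"carol:1003:{NO_PASSWORD_HASH}:{NO_PASSWORD_HASH}:[UN         ]:LCT-39A1C2B0:",
    "dave:1004:AABBCCDDEEFF00112233445566778899:99887766554433221100FFEEDDCCBBAA:[UD         ]:LCT-39A1C2B0:",
])
PUCK_CONF = """[global]
   netbios name = PUCK
   encrypt passwords = no
   update encrypted = yes
   null passwords = no
   smb passwd file = /etc/smbpasswd
"""
NTLINUX_CONF = """[global]
   netbios name = NT-LINUX
   encrypt passwords = yes
   null passwords = no
   smb passwd file = /etc/smbpasswd
"""


def run_audit() -> Dict[str, List[str]]:
    accounts = parse_smbpasswd(SAMPLE_SMBPASSWD)
    return {name: audit_server(name, conf, accounts)
            for name, conf in (("puck", PUCK_CONF), ("nt-linux", NTLINUX_CONF))}


if __name__ == "__main__":
    for server, findings in run_audit().items():
        for f in findings or [f"{server}: no findings"]:
            print(f)
```

Run it against the real files by swapping the constructed strings for the contents of each smb.conf and the shared smbpasswd file; the point of the audit is to see, per server, which enabled accounts are still marked "no password" while that server is configured to refuse null passwords.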


