samba-tng: cvs update. important configuration info

Luke Kenneth Casson Leighton lkcl at samba.org
Sun Jan 2 17:11:24 GMT 2000


just as NT needs a workstation trust account for itself, now so does
samba-tng cvs latest.

i am seeing how far i can get, just for fun, by removing anything that
isn't actually file serving from smbd.  that _includes_ user
authentication, which now uses nt-style NetrSamLogon in exactly the same
way as "security = domain", but this is now _also_ used for "security =
user", "encrypted passwords = yes".

in order for this to work, you must add a trust account for the samba
server itself, in order that it may securely verify users against itself
:-)  even on loop-back, i am treating user authentication attempts as
hostile!!!

btw, when i said that i wanted to remove anything that isn't file serving
from smbd, i didn't say it was going to be practical... for a while.

i'll see about doing an install script that sets up the initial
own-trust-account automatically... later :-) :-)

f.y.i, those people who need reminders on how to set up wksta trust
account pwds.

>From lkcl at samba.anu.edu.au Mon Jan  3 04:10:39 2000
Date: Mon, 3 Jan 2000 04:08:40 +1100
From: Luke Leighton <lkcl at samba.anu.edu.au>
To: Multiple recipients of list SAMBA-CVS <samba-cvs at samba.org>
Subject: CVS update: samba/source/rpcclient


Date:	Monday January 3, 19100 @ 4:03
Author:	lkcl

Update of /data/cvs/samba/source/rpcclient
In directory samba:/data/people/lkcl/samba-tng/source/rpcclient

Modified Files:
      Tag: SAMBA_TNG
	cmd_netlogon.c 
Log Message:
fixing up NETLOGON usage.  password validation must now go through
password_ok() which checks server security, domain security followed
by unix pwdb.

if using "encrypted passwords = yes", you _must_ now run netlogond.
if using "security = user", you _must_ add a workstation
trust account your_own_server_name$ to unix pwdb _and_ follow
it up with smbpasswd -a -j your_own_server_name$ _or_
rpcclient -S your_server -Uadmin%pass -l log
lsaquery createuser your_own_server_name$ -j

both smbpasswd _or_ rpcclient _must_ be run as root.
(this may change for rpcclient in the near future, if i
implement LsaSetPrivateData to set the trust account,
remotely).



