[samba-tng] "invalid users = root" causes tng to fail.

Luke Kenneth Casson Leighton lkcl at samba.org
Sat Mar 11 00:48:31 GMT 2000

On Fri, 10 Mar 2000, Karl Denninger wrote:

> "valid users = root" does NOT have to be there.

correct.  actually, what i've done, because it's become_vuser() and only
used in dce/rpc daemons, is to disable check_vuser_ok() which means that
valid users and invalid users doesn't apply to the msrpc services, any

if anyone _really_ wants to be able to deny or permit access to msrpc
services, let me know, and i'll arrange something.

the ultimate intention is to have security descriptors on a per-pipe
basis, allowing a clear, fine-grained access control  that will have
sensible defaults such as, allow all access to everyone anonymously (just
like nt) except to \PIPE\winreg and \PIPE\svcctl, which will have
user-only-access and administrator-only-access or some-such.
> Its NOT in my smb.conf, and TNG now DOES work.
> However, the "invalid users = root" line in the global section WILL screw
> you.  That's what was screwing me (Luke and I finally figured it out).

thx 4 help, karl!

> BTW, Win98 is quite slow (delays of ~10 seconds or so) validating against
> TNG.  Win2k is almost immediate.  Win98 is NOT slow validating against
> 2.0.6.

interesting.  i wonder if that's possibly because win95 only sends a LM#,
which is tried as an NT# first and _then_ a LM#, which will be _two_ calls
to domain_client_validate, which will be _two_ loopback connection
attempts to \PIPE\NETLOGON.


More information about the samba-technical mailing list