[samba-tng] "invalid users = root" causes tng to fail.
Luke Kenneth Casson Leighton
lkcl at samba.org
Sat Mar 11 00:48:31 GMT 2000
On Fri, 10 Mar 2000, Karl Denninger wrote:
> "valid users = root" does NOT have to be there.
correct. actually, what i've done, because it's become_vuser() and only
used in dce/rpc daemons, is to disable check_vuser_ok() which means that
valid users and invalid users doesn't apply to the msrpc services, any
if anyone _really_ wants to be able to deny or permit access to msrpc
services, let me know, and i'll arrange something.
the ultimate intention is to have security descriptors on a per-pipe
basis, allowing a clear, fine-grained access control that will have
sensible defaults such as, allow all access to everyone anonymously (just
like nt) except to \PIPE\winreg and \PIPE\svcctl, which will have
user-only-access and administrator-only-access or some-such.
> Its NOT in my smb.conf, and TNG now DOES work.
> However, the "invalid users = root" line in the global section WILL screw
> you. That's what was screwing me (Luke and I finally figured it out).
thx 4 help, karl!
> BTW, Win98 is quite slow (delays of ~10 seconds or so) validating against
> TNG. Win2k is almost immediate. Win98 is NOT slow validating against
interesting. i wonder if that's possibly because win95 only sends a LM#,
which is tried as an NT# first and _then_ a LM#, which will be _two_ calls
to domain_client_validate, which will be _two_ loopback connection
attempts to \PIPE\NETLOGON.
More information about the samba-technical