[samba-tng] "invalid users = root" causes tng to fail.
Karl Denninger
karl at Denninger.Net
Sat Mar 11 01:15:30 GMT 2000
On Sat, Mar 11, 2000 at 11:48:31AM +1100, Luke Kenneth Casson Leighton wrote:
> On Fri, 10 Mar 2000, Karl Denninger wrote:
>
> > "valid users = root" does NOT have to be there.
>
> correct. actually, what i've done, because it's become_vuser() and only
> used in dce/rpc daemons, is to disable check_vuser_ok() which means that
> valid users and invalid users doesn't apply to the msrpc services, any
> more.
>
> if anyone _really_ wants to be able to deny or permit access to msrpc
> services, let me know, and i'll arrange something.
Isn't there a potential problem if you can do msrpc things in general?
> the ultimate intention is to have security descriptors on a per-pipe
> basis, allowing a clear, fine-grained access control that will have
> sensible defaults such as, allow all access to everyone anonymously (just
> like nt) except to \PIPE\winreg and \PIPE\svcctl, which will have
> user-only-access and administrator-only-access or some-such.
>
> > It's NOT in my smb.conf, and TNG now DOES work.
> >
> > However, the "invalid users = root" line in the global section WILL screw
> > you. That's what was screwing me (Luke and I finally figured it out).
>
> thx 4 help, karl!
>
> > BTW, Win98 is quite slow (delays of ~10 seconds or so) validating against
> > TNG. Win2k is almost immediate. Win98 is NOT slow validating against
> > 2.0.6.
>
> interesting. i wonder if that's possibly because win95 only sends a LM#,
> which is tried as an NT# first and _then_ a LM#, which will be _two_ calls
> to domain_client_validate, which will be _two_ loopback connection
> attempts to \PIPE\NETLOGON.
>
> hmmm.
Possibly, yes. The time delay is VERY noticeable. It *does* log in, but you
may think it has hung up while waiting.
--
Karl Denninger (karl at denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!
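
An added example, not part of the original message or of Samba's code: a small checker that reports where an smb.conf lists root under "invalid users", the setting the thread identifies as breaking TNG when it sits in the global section. The function names and the sample file are hypothetical, and the parser assumes standard smb.conf syntax (";" and "#" comments, backslash line continuation, parameter names compared without regard to case or whitespace).

```python
import re

# Constructed sample smb.conf (not from the thread): comments, mixed case,
# odd spacing in the parameter name and a backslash-continued line.
SAMPLE = """\
; constructed example
[global]
   Invalid  Users = nobody, \\
        root @guests
# invalid users = root   (commented out, must be ignored)
[homes]
   invalid users = root
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def find_invalid_users(text, account="root"):
    """Return [(section, line_number)] where `invalid users` names account."""
    hits, section = [], None
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # Parameter names compare without regard to case or whitespace.
        if not sep or re.sub(r"\s+", "", name).lower() != "invalidusers":
            continue
        # Exact names only: @group / +group entries are not the account.
        if account in {n.lower() for n in re.split(r"[\s,]+", value) if n}:
            hits.append((section, no))
    return hits

if __name__ == "__main__":
    for section, no in find_invalid_users(SAMPLE):
        print(f"line {no}: [{section}] invalid users names root")
```

A hit in the "global" section is the case reported in this thread; hits in other sections are share-level restrictions and are listed only for completeness.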