[samba-tng] "invalid users = root" causes tng to fail.

Karl Denninger karl at Denninger.Net
Sat Mar 11 01:15:30 GMT 2000


On Sat, Mar 11, 2000 at 11:48:31AM +1100, Luke Kenneth Casson Leighton wrote:
> On Fri, 10 Mar 2000, Karl Denninger wrote:
> 
> > "valid users = root" does NOT have to be there.
> 
> correct.  actually, what i've done, because it's become_vuser() and only
> used in dce/rpc daemons, is to disable check_vuser_ok() which means that
> valid users and invalid users doesn't apply to the msrpc services, any
> more.
> 
> if anyone _really_ wants to be able to deny or permit access to msrpc
> services, let me know, and i'll arrange something.

Isn't there a potential problem if you can do msrpc things in general?

> the ultimate intention is to have security descriptors on a per-pipe
> basis, allowing a clear, fine-grained access control  that will have
> sensible defaults such as, allow all access to everyone anonymously (just
> like nt) except to \PIPE\winreg and \PIPE\svcctl, which will have
> user-only-access and administrator-only-access or some-such.
>  
> > It's NOT in my smb.conf, and TNG now DOES work.
> > 
> > However, the "invalid users = root" line in the global section WILL screw
> > you.  That's what was screwing me (Luke and I finally figured it out).
> 
> thx 4 help, karl!
> 
> > BTW, Win98 is quite slow (delays of ~10 seconds or so) validating against
> > TNG.  Win2k is almost immediate.  Win98 is NOT slow validating against
> > 2.0.6.
> 
> interesting.  i wonder if that's possibly because win95 only sends a LM#,
> which is tried as an NT# first and _then_ a LM#, which will be _two_ calls
> to domain_client_validate, which will be _two_ loopback connection
> attempts to \PIPE\NETLOGON.
> 
> hmmm.

Possibly, yes.  The time delay is VERY noticeable.  It *does* log in, but you
may think it has hung up while waiting.

-- 
Karl Denninger (karl at denninger.net)  Web: http://childrens-justice.org
Isn't it time we started putting KIDS first?  See the above URL for
a plan to do exactly that!

