SAMBA on OS X Server [SEC=UNCLASSIFIED]

walter.hill at customs.gov.au walter.hill at customs.gov.au
Mon Mar 1 20:35:30 MST 2010


Bjorn et al,

I created the specified registry key to allow anonymous authentication; however, it does not appear to have worked in this instance. The SIDs still aren't resolving.

Additionally I removed then reinserted the w2k8r2 machine from the domain.

Do you recall the version of samba, on the server, which your w2k8r2 box was trusting?

Walter.

> Hi,
> 
> On 2010-02-26 at 14:35 +0800 walter.hill at customs.gov.au sent off:
> > The immediate issue is making the 2008R2 server a domain member (I have)
> > but I've uncovered what I believe is the "trust problem" addressed by
> > samba 3.4.4 - SIDs aren't resolving back to their actual names.
> 
> I saw problems like this, too. A w2k8r2 server with an outgoing trust to a
> Samba domain fails to resolve the "foreign" Samba domain's SIDs to names. The
> reason why this fails is that the w2k8r2 server tries to authenticate on the
> samba domain with its own machine account to do the lookup sid calls. The
> server should know that the only account it can use to authenticate is the
> interdomain trust account. So finally authentication fails and w2k8r2 gives up
> immediately. w2k3 makes all this anonymously, which succeeds.
> 
> I've had some discussion with Microsoft support staff about this
> misbehaviour or bug of w2k8r2. They argued that it's a security feature not to
> do it anonymously any more. So far they could however not explain very well why
> it's "safer" to authenticate with a non-existing account in the foreign
> domain.
> 
> There is a workaround to make w2k8r2 authenticate anonymously again: set
> HKLM\System\CurrentControlSet\Control\Lsa\UseMachineId to 0.
> 
> This workaround for the w2k8r2 misbehaviour may however cause other trouble in
> certain setups, see MS KB972069 for example.
> 
> Björn
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
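
A diagnostic for the state discussed in this thread, as an added example that is not part of the original messages: run on the w2k8r2 member, it reports the `UseMachineId` value named above and tries to translate SIDs to account names. The SID in the script is a constructed placeholder, to be replaced with SIDs from the trusted Samba domain.

```powershell
# Added diagnostic, not code from the original thread.
# Reports the LSA value named in the thread and tests SID-to-name resolution.
param(
    # Constructed placeholder SID; pass real SIDs from the trusted domain instead.
    [string[]]$Sid = @('S-1-5-21-1111111111-2222222222-3333333333-1000')
)

$lsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$value  = (Get-ItemProperty -Path $lsaKey -Name UseMachineId `
               -ErrorAction SilentlyContinue).UseMachineId

if ($null -eq $value) {
    Write-Output 'UseMachineId: not set (OS default behaviour applies)'
} else {
    Write-Output "UseMachineId: $value"
}

foreach ($s in $Sid) {
    try {
        # New-Object is used so the script also runs on the PowerShell 2.0
        # shipped with Windows Server 2008 R2.
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($s)
        $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        Write-Output "RESOLVED   $s -> $name"
    } catch {
        # Translate() throws when no name can be mapped to the SID.
        Write-Output "UNRESOLVED $s ($($_.Exception.Message))"
    }
}
```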



More information about the samba-technical mailing list