security = server not working properly (PR#2786)

Andrew Tridgell samba-bugs at samba.anu.edu.au
Wed Dec 31 06:48:33 GMT 1997


> I have the following in my smb.conf for NT servers (3.51 and 4.0):
> 
> security = server
> password server = %m
> 
> This works fine for 1.9.17p3 and earlier, but doesn't work with 1.9.17p4,
> 1.9.17p5, or 1.9.18alpha14.
> 
> Here is the error I'm getting:
> 
> NetwkstaUserLogon gave error 59
> password server BUD failed NetWkstaUserLogon
> 
> BTW,  bud is the name of the NT client I'm trying to access samba from.

In 1.9.18 you can disable the NetWkstaUserLogon call at compile time
in local.h.

The password server behaviour changed because we discovered that bugs
in some NT servers allowed anyone to log in with no password if they
chose an account name that did not exist on the password server. The 
NT password server was saying "yes, it's OK to login" even when the 
account didn't exist at all! Adding the NetWkstaUserLogon call fixed 
the problem, and follows the "recommended" method that MS have 
recently documented for pass through authentication.

The problem now is that some NT servers (in particular NT
workstation?) don't support the NetWkstaUserLogon call. The call also
doesn't work for accounts in trust relationships.

The eventual solution for this will be to replace the password server
code in Samba with NT domain code as that is developed. For now you 
have the choice of compiling Samba either with or without the 
NetWkstaUserLogon call in the password server code.

In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5
you could apply the following patch. Applying this patch will make
the password server code behave like the code in earlier versions
of Samba. If you do this then please ensure that you test to see
that users are prevented from logging in if they give a bogus 
username/password. You may have an NT server that is affected by the
bug that this code is designed to avoid.


--- password.c	1997/10/21 10:09:28	1.25.2.4
+++ password.c	1997/12/31 06:43:06
@@ -1619,6 +1619,7 @@
 	}
 
 
+#if 0
 	if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
 		DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
 		cli_tdis(&cli);
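Review bot: the bare `#if 0` placed directly above the `cli_NetWkstaUserLogon(&cli,user,local_machine)` test switches off a security check with no comment and no named switch, so nothing in password.c records why it is disabled or what the risk is. Suggest guarding the block with a descriptively named compile-time macro and adding a comment that turning it off restores the earlier password server behaviour and requires testing that bogus username/password pairs are rejected.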
@@ -1638,6 +1639,7 @@
 		cli_tdis(&cli);
 		return False;
 	}
+#endif
 
 	DEBUG(3,("password server %s accepted the password\n", cli.desthost));
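Review bot: after the `#endif`, the `DEBUG(3,("password server %s accepted the password\n", cli.desthost));` line is reached without the NetWkstaUserLogon check having run, and it logs the same text as a build where the check passed. Suggest emitting a debug message in the disabled case saying the logon verification was compiled out, so logs from the two builds can be told apart. The disabled region also runs from the `#if 0` in the first hunk to this `#endif` and covers lines between the two hunks that are not shown here; confirm that everything inside it belongs to the NetWkstaUserLogon check.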


Cheers, Andrew

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andrew Tridgell                            Dept. of Computer Science
email: samba-bugs at samba.anu.edu.au         Australian National University 
Phone: +61 6 254 8209                      Fax:  61 6 249 0010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
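
The negative test the message asks for, as an added example that is not part of the original message and is not Samba code: a small C model of pass-through validation run against a mock password server that has the bug described above. The account data, the mock functions and the `verify_logon` flag are assumptions made for illustration, and the mock treats every unknown account name as accepted.

```c
/* Added illustration: a self-contained model, not Samba source code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
struct cred { const char *user; const char *pass; };
/* Constructed account database held by the mock password server. */
static const struct cred accounts[] = { { "alice", "s3cret" } };

static const struct cred *find_account(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Mock password check on an affected server: unknown names get "OK". */
static bool mock_password_check(const char *user, const char *pass) {
    const struct cred *a = find_account(user);
    return a == NULL || strcmp(a->pass, pass) == 0;
}

/* Mock of the follow-up logon call: succeeds only for a real account. */
static bool mock_wksta_user_logon(const char *user) {
    return find_account(user) != NULL;
}

/* verify_logon: true = second check compiled in, false = compiled out. */
bool server_validate(const char *user, const char *pass, bool verify_logon) {
    if (!mock_password_check(user, pass))
        return false;
    return !verify_logon || mock_wksta_user_logon(user);
}

/* Negative test: how many bogus logins does this build let through? */
int bogus_logins_accepted(bool verify_logon) {
    static const struct cred bogus[] = {
        { "nosuchuser", "" }, { "nosuchuser", "guess" }, { "alice", "wrong" } };
    int accepted = 0;
    for (size_t i = 0; i < sizeof bogus / sizeof bogus[0]; i++)
        accepted += server_validate(bogus[i].user, bogus[i].pass, verify_logon);
    return accepted;
}

int main(void) {
    printf("check on: %d, check off: %d bogus logins accepted\n",
           bogus_logins_accepted(true), bogus_logins_accepted(false));
    return bogus_logins_accepted(true) != 0;
}
```

Against a real server, the same three cases (unknown user with an empty password, unknown user with a guessed password, real user with a wrong password) are the ones to try after rebuilding without the check.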


