Profile on NT Domain

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu Nov 6 16:26:34 GMT 1997


On Fri, 7 Nov 1997, Heinrich Rebehn wrote:

> Hi all,
> 
> today i tried the NT Domain logon for the first time using
> samba-1.9.18alpha10.
> I had no problem getting the "Welcome to the ANTSMB domain" message :-))
> and can also login using username and password from smbpasswd.

hooray!!!!  

> But after login i first get the message "your roaming profile is
> not available, using a local copy..." and then

oo!

> "D:\WINNT\profiles\rebehn.000\Desktop\I is not accessible.
> The filename directory name or volume label syntax is incorrect"

ok, there's either a bug in the format of the SAM Logon response, _or_ 
it's using the default location (\\samba_server_\homes\profile)



> If I click on cancel, i get an empty desktop and all i can do is
> press CTRL/ALT/DEL to log out again.
> Some questions:
> 1. Why does NT think i'm using a roaming profile?

because the default configuration options in samba tell it to.


> 2. My user name is rebehn, not rebehn.000

this is a normal problem, even for 1.9.17p4 if you configure your profile 
to be stored on a samba server.  it can't deal with the time/date stamp 
problems, so it creates another copy of your profile, and stores it in 
rebehn.000, then rebehn.001, etc.

i think i've seen up to 015 for the guest here at the cafe.......


> 3. in the above error message, the "I" in "\I" looks strange,
>    maybe a garbage character, thus the incorrect syntax.

this is what makes me think that it's a  problem with the format of the 
SAM Logon response.


> 
> Here's my setup:
> - samba-1.9.18alpha10
> - NT 4.0 SP1
> - smb.conf:
> --------------------------------------------------------------------------
>    status = yes
>    security = user
>    encrypt passwords = yes
>    load printers = yes
>    log level = 1
>    log file = /usr/local/samba/var/log.%m
>    password level = 2
>    read prediction = yes
>    socket options = TCP_NODELAY 
>    valid chars = ö:Ö å:Å ä:Ä 
>    share modes = yes
>    locking = yes
>    strict locking = yes
>    keepalive = 30
> 
> workgroup = ANTSMB
> domain sid = S-1-5-21-123-456-789-123
> domain logons = yes
> 
> [homes]
>         guest ok = no
>         read only = no
>         comment = Home Directory
> 
> [netlogon]
>         comment = Samba Network Logon Service
>         path = /usr/local/samba/lib/netlogon
>         case sensitive = no
>         guest ok = yes
>         locking = no
>         writable = no
> --------------------------------------------------------------------------
> 
> netlogon is empty, do i really need it?

i think it might.

> Samba runs under Linux-2.0.30-pre10 with automount support enabled.
> 
> What's even worse: I have just discovered that i can even login with
> no password,

correct: we know that the SAM Logon request contains an rc4 obfuscation 
of the Lan Manager and NT 16 byte OWF clear-text-equivalent passwords.  
we haven't put password checking in yet, because of ITAR regulations on 
rc4, and because we don't quite understand the obfuscation mechanism yet 
(i've not been able to test it, yet).

it doesn't matter much anyway: the SAM Logon stuff is completely 
independent of the SMB connections.

in other words, while you can do a SAM Logon with your username and no 
password, you will *still* need a username and password to connect to 
shares on your samba server.

does that make sense to you?
 
> i accidentally hit return, got logged in and even get a
> desktop! Strange....

this copy of the desktop is being downloaded from your local cache.  
either that, or the SMB password.
 
> Any ideas what i've done wrong?

absolutely nothing :)  thank you for trying out 18alpha10, and for 
reporting your experiences with it.   if you happen to have Net Monitor, 
i'd appreciate it if you could run it on another NT machine while doing 
a SAM login for rebehn, do a "Copy" on the SAM Logon request and response 
packets, and "Paste" to a text file.  before sending it to me, change the 
password for the user "rebehn".

i'd like to know that the SAM Logon response packet is well-formed, 
according to NetMonitor...

luke


Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Lynx2.7-friendly Home Page: http://mailhost.cb1.com/~lkcl
"Apply the Laws of Nature to your environment because your
 environment applies the Laws of Nature to you"
