security = server accepts TWO passwords?

Simon Hyde shyde at poboxes.com
Sun Oct 19 19:12:21 GMT 1997


On Mon, 20 Oct 1997 01:22:38 +1000, you wrote:

>>In other news, I'm still having a problem connecting to
>>Samba 1.9.17(p2 or p3) using security = server from Win 95 and NT
>>clients.  The password server is NT 3.51.  This ONLY happens to
>>users who have restricted client access to the NT password server.
>>I've tried listing the client, the Samba server, the NT server, and
>>my mother's maiden NetBIOS name in the access list to no avail.
>>
>>Is anyone using Samba 1.9.17p2 or greater in a similar situation
>>with success?  Giving users unrestricted access solves the problem.
>
>Try granting the users with restricted client access the right to connect
>to the server from the Samba server. Since unrestricted access solves the
>problem, I'm guessing that when the Samba server connects to authenticate
>the user, the NT server thinks the user is connecting _from_ the Samba
>server, sees that the user isn't allowed to connect from there, and refuses
>to authenticate the password.  Somebody correct me if I'm wrong, but
>doesn't Samba test the password in "security = server" mode by trying to
>log into the password server?
Almost there, but not quite so simple. Previously (1.9.16 and below) Samba
would connect to the password server under the name of the client on the
Samba server. This caused the NT server to kill any connections it had
to the client since as far as NT is concerned a machine can't have 2 IP
addresses so the other must be a ghost. This was changed in 1.9.17 to
instead identify itself as a combination of the remote machine's NetBIOS
name and the PID of the smbd process attempting to authenticate. This was
considered the lesser of 2 evils since you can turn the errors off by
removing station restrictions, but you can't remove the dropping of
connections problem.

There's more info on this, and a workaround if you want to go back to the
old method, in an email posted a week or so ago titled "access problems for
restricted clients".


