security = server accepts TWO passwords?

Edan Idzerda edan at mtu.edu
Tue Oct 21 01:15:42 GMT 1997




Simon Hyde <shyde at poboxes.com> wrote:
> Almost there but not quite so simple, previously (1.9.16 and below) samba
> would connect to the password server as under the name of the client on the

How frustrating that no one responded quite so succinctly about this
problem when I wrote about it on Oct 2.  Perhaps they did and I missed
it buried in a digest.  (And can't find it in the archives.)


> addresses so the other must be a ghost. This was changed in 1.9.17 to
> instead identify itself as a combination of the remote machine's netbios
> name and the PID of the smbd process attempting to authenticate. This was
> considered the lesser of 2 evils since you can turn the errors off by
> removing station restrictions, but you can't remove the dropping of
> connections problem.

I found the patch [1] in the digest archives and I believe I understand
the problem now.  Is there something wrong with the logic of the Samba
server sending its own netbios name along with the username to 
be validated?  It would be a more acceptable solution in our 
environment to allow user 'logon' access to the Samba server than
to eliminate all access restrictions.

I've patched password.c to send the hostname returned by get_myname() 
when making a connection to the password server.  The reasons for
*not* doing this escape me, and I'm slightly annoyed that there wasn't
any quick note in the docs that access lists wouldn't work... but amen 
for source code.

Thanks to Mr. Hyde for pointing me in the right direction.  I've
included my somewhat-of-a-hack patch for others' enjoyment.

- edan


[1] http://samba.canberra.edu.au/pub/samba/digest/currentyear/0259.html


*** password.orig       Mon Oct 20 21:04:28 1997
--- password.c  Mon Oct 20 21:09:01 1997
***************
*** 1594,1606 ****
       connections if the same client name connects
       twice. Instead, synthesize a name from our pid.
       and the remote machine name.
     */
    {
!     char buf[32]; /* create name as PIDname */
!     sprintf(buf,"%d", getpid());
!     strncpy(&buf[strlen(buf)], remote_machine, 31 - strlen(buf));
!     buf[31] = '\0';
!     DEBUG(1,("negprot w/password server as %s\n",buf));
      name_mangle(buf,p,' ');
      len += name_len(p);
    }
--- 1594,1608 ----
       connections if the same client name connects
       twice. Instead, synthesize a name from our pid.
       and the remote machine name.
+ 
+      No, how about just send *our* hostname to the password
+      server?  That way we can still have access lists that work.
+      Edan Idzerda <edan at mtu.edu>
     */
    {
!     char buf[32]; 
!     get_myname(buf, NULL);
!     DEBUG(2,("negprot w/password server as %s\n",buf));
      name_mangle(buf,p,' ');
      len += name_len(p);
    }
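
Review bot: In the new block, `get_myname(buf, NULL);` fills `char buf[32]` with no length in the call, and the explicit `buf[31] = '\0';` from the replaced lines is gone, so nothing visible here bounds or terminates a host name longer than 31 bytes. Suggest fetching the name into a larger scratch buffer, copying at most 31 bytes into buf and terminating it as the old code did. Separately, every smbd process on this host will now present the same name, which is the case the retained comment warns about ("connections if the same client name connects twice"), and that comment still says the name is synthesized from the pid; it should be rewritten to describe the new behaviour and say why concurrent authentications from one Samba host are expected to be safe. The DEBUG level change from 1 to 2 is also not explained.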




