9x/NT/2000 clients with security=server

Stijn Hoop stijn at win.tue.nl
Fri Mar 10 12:10:58 GMT 2000 

Hi,

I have a problem authenticating users using samba-2.0.6/Solaris 7 (sparc
ultra-1), using the security=server option.

We want to have a single print-server for both the UNIX and Windows
clients on our network. The windows machines authenticate user using
an NT4-domain.

I've setup samba so that it always runs as user 'lprsmb' used to print
to the UNIX-printserver with a wrapper script (print command = ...).
See the attached smb.conf.

This way, clients connect to the server using their NT-username/password
and can print without us synchronizing the NT-usernames with the UNIX-ones.

So far so good, Win9x clients and smbclient are able to connect without
a hitch.

We recently tested a Win2000 client however, and although we could install
the printer, it refused to print. Samba only logged an authentication failure.
All the while the Win9x clients were able to print etc.

I suspect an encryption problem. Most of our Win95's are sending plaintext
passwords (yes, bad idea, but it grew out of WfW 3.11). However,
following the smb.conf manpage I set the encrypt passwords parameter to yes
because thats what the PDC expects.

I haven't yet tested the Win2k sending plaintext passwords, because I don't
know what registry entry to change.

So my questions are:

- is the above described setup 'reasonable' or is there a better way to
  do what I want?
- could it be an encryption problem, or is Win2k just not supported as
  a client in 2.0.6?
- I wasn't able to test with NT - should this also work out of the box?
- what registry entry in Win2k should I change if I want to test the
  plaintext password?

Thanks for the excellent product that is samba!

--Stijn

-------------- next part --------------
#======================= Global Settings =====================================
[global]

################
# WIN-workgroup specific options
   workgroup = WIN
   server string = Printerserver
   local master = no
   os level = 0
   domain master = no 
   preferred master = no
   security = server
   password server = winex1
   encrypt passwords = yes

################
# IP options
;   interfaces = 192.168.12.2/24 192.168.13.2/24 
   hosts allow = 131.155. 127.
   wins server = 131.155.2.25

################
# Global printing options
# Try setting this to yes?
   load printers = no
# For SysV, otherwise /etc/printcap is used
;   printcap name = lpstat
# This may be necessary
;   printing = lprng
# This must be a user that can do lpr -U [user] (daemon on my BSD)
   force user = lprsmb

################
# Log options
   log file = /var/tuelocal/samba-2.0.6/log/samba.%m
   max log size = 50
   socket options = TCP_NODELAY 

#============================ Share Definitions ==============================

# I haven't tried the automatic print loading, but if you do you need
# somthing like this.
;[printers]
;   comment = All Printers
;   path = /usr/spool/samba
;   browseable = yes
;   guest ok = yes
;   writable = no
;   printable = yes
;   print command = /home/stijn/bin/lprsmb %p %s %U

# My test shares. Maybe automatic loading of printers is easier but I haven't
# tested this yet.
[psbcf]
   comment = psbcf
   path = /var/tuelocal/samba-2.0.6/spool/psbcf
   printer = psbcf
   guest ok = no
   writable = no
   printable = yes
   print command = /var/tuelocal/samba-2.0.6/bin/lprsmb %p %s %U

[ps6z1]
   comment = ps6z1
   path = /var/tuelocal/samba-2.0.6/spool/ps6z1
   printer = ps6z1
   guest ok = no
   writable = no
   printable = yes
   print command = /var/tuelocal/samba-2.0.6/bin/lprsmb %p %s %U

More information about the samba mailing list