Password server option necessary?

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Tue Jan 30 19:30:23 GMT 2001


Nimish,
if you have a line in your smb.conf file stating security=server which you
stated in your original mail, this overrides the default security = user.
If you remove the security=server statement from the smb.conf file, then
restart samba, then it will be in user mode.  If you have made the registry
hack to allow all of your clients to send cleartext passwords,
AND you add the following line in your smb.conf global section:

encrypt passwords = no

Then you can be guaranteed that when you attempt to make a connection from
your win2k client, the negotiate protocol will inform him that this server
ONLY accepts cleartext passwords, and when the win2k client sends him the
cleartext password, it will be encrypted via the UNIX one way encryption
algorithm and verified against your user (assuming exact same unix user name
as pc user name) password in /etc/password or nis database, depending on how
you have /etc/nsswitch set up to validate passwords.

If your users logout of their win2k workstations, and then log back in, and
try to access the shares (do they still show up in my computer, or my
network places?) AND Samba is still up, the negotiate protocol, session
setup&X, treeconnect&x, etc should be done in the background by the win2k
client.  If it is STILL asking you for a password at that time, then I'd
take a look at the win2k experts (I'm not one of them) and see under what
circumstances win2k would 'lose' a cached password for a user/share...
Hope this helps,

Don
-----Original Message-----
From: Nimish Philip [mailto:nimish.philip at kssb.kroschu.com]
Sent: Tuesday, January 30, 2001 10:31 AM
To: MCCALL,DON (HP-USA,ex1); samba at us5.samba.org
Subject: Re: Password server option necessary?


Hello Don

Firstly, thank you for your reply.

I believe samba 2.0.7 defaults to user-security, so when users login at
their Win2k PC's they should automatically be logged onto the Unix server
as well, right? (all users have full accounts on the Unix server)

Do I still need to create users with smbpasswd?

I have edited the registries of all the Win2k clients as well to
EnablePlainTextPassword as per the MS support website.

A user can login and see the workgroup, when they try to access a share they
are asked for a username and password which is identical to their login
username and password.

They are then able to map this share as a drive.

The problem is, when they logout and login again, they cannot access the
mapped drives.
They have to disconnect the previously mapped drives and then remap the
shares again going through the whole process again, login etc..( they
meaning I ..:-))

I can't figure out what's causing this. Maybe some win2k setting?

Many thanks!

"MCCALL,DON (HP-USA,ex1)" wrote:

> Hello Nimish,
> No, that's not the way it works - the whole point of security = server is
> that you are TELLING samba that someone ELSE will be doing ntlmV1 password
> authentication FOR you.  The password server = line needs to be there to
> tell samba WHO to pass authentication off to.  You should specify the
> "workgroup = " to be the DOMAIN of the NT server that will be doing your
> password authentication, and the password server = line be a list of
> PDC/BDC's in that domain, or a "*" which will tell samba to go FIND a
> PDC/BDC in that domain.
>
> If you want Samba to do its own authentication, you should be in
> security=USER mode, and set up your smbpasswd file with the usernames and
> passwords of the users you want to have access to your machine.
>
> I won't go into detail, but please read chapter 6 in the O'Reilly "Using
> Samba" book; you can purchase it, or read it online in html format at
> http://us2.samba.org/samba/oreilly/using_samba/
>
> Hope this helps,
> Don
>
> -----Original Message-----
> From: Nimish Philip [mailto:nimish.philip at kssb.kroschu.com]
> Sent: Tuesday, January 30, 2001 2:31 AM
> To: samba at us5.samba.org
> Subject: Password server option necessary?
>
> Hello
>
> My security setting is server, i.e. security = server
> Is it then necessary/mandatory to have an explicit password server =
> <whatever> declaration?
>
> Can't the server running samba act as the password server?
>
> The setup is samba 2.0.7 on Solaris 2.5.1 and I'm trying to login and
> map drives from a Win2k Server machine.
>
> This is a snip of my log file...
>
> [2001/01/30 09:14:55, 1] smbd/files.c:file_init(216)
>   file_init: Information only: requested 10000 open files, 1014 are available.
> [2001/01/30 09:15:37, 0] smbd/password.c:server_cryptkey(1025)
>   password server not available
> [2001/01/30 09:15:37, 1] smbd/password.c:server_validate(1069)
>   password server  is not connected
> [2001/01/30 09:15:37, 1] smbd/reply.c:reply_sesssetup_and_X(925)
>   Rejecting user 'nimish': authentication failed
>
> --
>  Nimish Philip (I.T. Department)
>  Kromberg & Schubert Brits South Africa (Pty) Ltd.
>  Phone  : +27 12 2501100 ext: 1117
>  Fax    : +27 12 2501122

--
 Nimish Philip (I.T. Department)
 Kromberg & Schubert Brits South Africa (Pty) Ltd.
 Phone  : +27 12 2501100 ext: 1117
 Fax    : +27 12 2501122
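
The two smb.conf conditions discussed in this thread (security = server with no password server line, and encrypt passwords = no) can be checked mechanically. The script below is an added example, not part of the original messages and not Samba code; the function names and sample configurations are constructed for illustration, and the default of security = user follows what the thread states for Samba 2.0.7.

```python
import re

def parse_global(conf_text):
    """Return [global] parameters of an smb.conf text as a dict.

    Names are lower-cased with whitespace removed, because smb.conf ignores
    case and spacing in parameter names. Backslash continuations are not
    handled (simplification for this example).
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(conf_text):
    """Return (security mode, findings) for the settings in this thread."""
    p = parse_global(conf_text)
    security = p.get("security", "user").lower()  # thread: default is user
    findings = []
    if security == "server" and not p.get("passwordserver"):
        findings.append("security=server but no 'password server' to "
                        "pass authentication to")
    if p.get("encryptpasswords", "").lower() in ("no", "false", "0"):
        findings.append("encrypt passwords = no: clients send cleartext "
                        "passwords over the network")
    return security, findings

# Constructed sample configurations (not from a real host).
BROKEN = "[global]\n   workgroup = EXAMPLE\n   security=server\n"
CLEARTEXT = """; constructed sample
[global]
   Security = USER
   Encrypt Passwords = No
[homes]
   comment = Home Directories
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("CLEARTEXT", CLEARTEXT)):
        print(name, audit(conf))
```

The first sample reproduces the configuration behind the "password server not available" log lines quoted above; the second is the cleartext user-mode setup described in the reply.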





