[Samba] Linux server, Win2k client: Almost works, what am I missing?

Joel Hammer Joel at HammersHome.com
Thu May 16 19:20:03 GMT 2002 

I don't know much more about this issue. You sound a lot like the guy with
the win2k printing problem currently looking for help. (WinY2k Printing
Access).
Joel

On Thu, May 16, 2002 at 06:08:44PM -0500, Kris Kelley wrote:
> I wrote:
> > > Once I fired up Samba, I tried to access it from a Win2k box, on which
> > > I'm logged in as DEVGROUP/skunk (user "skunk" also exists on the linux
> > > box, and the passwords are the same in both environments).  This failed
> > > with the usual "account is not authorized to log in from this station"
> > > error (clear text passwords are enabled on the Win2K box)...
> > > 
> > > However, when I used the "net use" CLI command to log in with user
> > > "nobody", supplying "nobody"'s password, it worked!  The share was
> > > successfully mounted...
> > > 
> > > I then tried putting "skunk" into Samba's user database [but] 
> > > I still couldn't access the share as user "skunk"; I got the
> > > same error message on the Win2K side and the same Samba log entries on
> > > the linux side.
> > > 
> > > I should note that when I use smbclient, I can access the test share
> > > just fine as user "skunk" on the linux box.
> > >
> > > There is no Win2k user "nobody" within the DEVGROUP domain, if that
> > > provides any clue.
> 
> Joel Hammer wrote:
> > ...this sounds like you are failing Test #10 in
> > DIAGNOSIS.txt in the source documents.
> > It suggests you enable encrypted passwords on the samba server.
> > Maybe you didn't do the hack properly.
> 
> The hack consists of changing a single value.  A value named
> "enableplaintextpasswords" is changed from 0 (not enabled) to 1
> (enabled).
> 
> At any rate, I am becoming convinced that this is not an encryption
> issue.  Why would encryption, or a lack of encryption, allow one user
> ("nobody") to access the share, but not another user ("skunk")?
>  
> But just to be sure, I re-enabled encrypted passwords on the Win2k box
> and then also enabled encrypted passwords in Samba.  Using smbpasswd, I
> set up passwords for both "skunk" and "nobody".  The very same thing
> happened:  If I used user "nobody", I could access the share from the
> Win2K box, but I could not with user "skunk"!  I know the password file
> is being utilized, because if I disable user "nobody" (smbpasswd -d), I
> am no longer to access the share as that user.
> 
> I wonder if this is something specific to the DEVGROUP/skunk account
> that is being instigated by the Windows domain, somehow.  For another
> test, I logged into WIN2KBOX as a DEVGROUP user besides "skunk", and
> tried accessing the share with "skunk" ("net use /user:skunk
> \\skunkworx\test").  At first it would let me in if the Samba password
> for "skunk" was *different* than his Windows domain password, but after
> several more attempts I could access the share even when they were the
> same!  But then suddenly the DEVGROUP/skunk was locked out of all
> Windows boxes!  When the sysadmin unlocked the account and
> DEVGROUP/skunk was again able to log inot WIN2KBOX, again I could not
> access the share as "skunk" (the passwords were again the same at this
> point).
> 
> Confused?  I am!
> 
> I guess I'm going to try all this with an account that's hopefully less
> volatile.  DEVGROUP/skunk is a domain admin and handles several
> automated tasks on various machines within DEVGROUP, so I shouldn't be
> playing with that account anyway.  But does this sound plausible?  Could
> something within DEVGROUP be throwing a monkey wrench into the works
> that makes Samba (sometimes) refuse access to the account, even though
> tbe Windows boxex have no trouble?  I'm more than willing to believe
> that, but I don't want to sweep this under the rug if there's still an
> issue that's going to bite me later.
> 
> This is now my smb.conf file:
> 
>    [global]
>       workgroup = DEVGROUP
>       security = user
>       netbios name = skunkworx
>       encrypt passwords = yes
>    [test] 
>       comment = test share
>       path = /export/samba/test
>       read only = no
> 
> Thanks for all the help!
> 
> ---Kris Kelley
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list