[Samba] null session and winbindd questions

Benjamin Herbert herbert at isis.visi.com
Fri Nov 15 16:12:01 GMT 2002


Hello,

I am running Samba 2.2.5 (built from source) on a Linux 7.3 machine.  I
have samba set up to use domain authentication and everything is working
fine.  The security administrator did a scan on the Windows 2000 server
being used for authentication.  He found a vulnerability attributed to
the fact that winbindd needs null sessions on the W2k machine to be
enabled (since winbindd sends a null username and null password).
Obviously we want to correct this situation.  I thought I could correct
it when I created the account for the samba server on the W2k box by
selecting the account group to be "Pre-Windows 2000 Compatible Access".
For some reason this did not work.  Does anyone know why this didn't
work?

Another way around this is to have winbindd send a legitimate username
and password by running 'wbinfo -Ausername%password'.  This method
raises some questions.  First, does winbindd send the username and
password encrypted?  Second, do you have to run 'wbinfo -A..' every time
you restart winbindd or is it sufficient to run it only once?

Thanks for the information.

-Ben


