[Samba] null session and winbindd questions

Andrew Bartlett abartlet at samba.org
Fri Nov 15 22:01:01 GMT 2002


On Sat, 2002-11-16 at 03:11, Benjamin Herbert wrote:
> 
> Hello,
> 
> I am running Samba 2.2.5 (built from source) on a Linux 7.3 machine.  I
> have samba setup to use domain authentication and everything is working
> fine.  The security administrator did a scan on the Windows 2000 server
> being used for authentication.  He found a vulnerability attributed to
> the fact that winbindd needs null sessions on the W2k machine to be
> enabled (since winbindd sends a null username and null password).
> Obviously we want to correct this situation.  I thought I could correct
> it when I created the account for the samba server on the W2k box by
> selecting the account group to be "Pre-Windows 2000 Compatible Access".
> For some reason this did not work.  Does anyone know why this didn't
> work?

Samba cannot even connect to the server with this account, so giving it
extra privileges doesn't help.  You need to give those privileges to the
anonymous user, add a 'user' account for the server or upgrade to Samba
3.0 (which supports this natively - an AD machine account can login and
gain the relevant info).

> Another way around this is to have winbindd send a legitimate username
> and password by running 'wbinfo -Ausername%password'.  This method
> raises some questions.  First, does winbindd send the username and
> password encrypted.  Second do you have to run 'wbinfo -A..' every time
> you restart winbindd or is it sufficient to run it only once?

This password is stored in a TDB, in much the same way that the machine
account password is, and is transferred over the network using the
normal challenge-response authentication methods.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
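The challenge-response exchange Andrew refers to, as an added example (not code from this thread or from Samba): both sides of an NTLMv2 authentication in Python, with MD4 written out because hashlib omits it on many OpenSSL 3 builds. NTLMv2 is assumed here as a representative of the NTLM family; the thread does not say which dialect Samba 2.2.5 negotiated with the Windows 2000 DC, and the user, domain, challenge and blob values are constructed.

```python
import hmac
import struct
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, written out because hashlib omits it on many OpenSSL 3 builds
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (round function, X[k] order, shift table, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t, s = (a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # NTOWFv1: MD4 of the UTF-16LE password; the DC stores this, not the password
    return md4(password.encode("utf-16-le"))

def _ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(password, user, domain, server_challenge, client_blob):
    # Client side (winbindd's role): an HMAC over the DC's challenge proves knowledge
    # of the password; the password itself never appears on the wire
    key = _ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + client_blob, "md5").digest()
    return proof + client_blob

def verify_ntlmv2(stored_nt, user, domain, server_challenge, response):
    # Server side (the DC's role): recompute from the stored hash, compare in constant time
    proof, blob = response[:16], response[16:]
    expected = hmac.new(_ntowf_v2(stored_nt, user, domain), server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)

# Constructed sample exchange: an 8-byte DC challenge and a minimal NTLMv2 client blob
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aabbccdd11223344") + bytes(4)
RESPONSE = ntlmv2_response("Password1", "sambasrv", "EXAMPLE", CHALLENGE, BLOB)
```

A wrong password or a replayed response against a fresh challenge fails verification, which is what makes the stored secret safe to send through this exchange rather than in the clear.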