[Samba] security = server "random" failures

Andrew Bartlett abartlet at samba.org
Thu Jan 16 21:51:00 GMT 2003


On Thu, 2003-01-16 at 08:58, Jon Niehof wrote:
> I have a Windows 2K SP2 terminal server and a Samba 2.2.7a 
> server. The Samba server uses security=server with the 2K 
> terminal server as the password server. Users log in to the 
> terminal server and attempt to access (always the same) 
> share on the Samba box. When there are no sessions open to 
> the Samba server the connection from the terminal server 
> always works; subsequent connections (with the first one 
> open) fail about 70% of the time.

Sounds about standard for security=server.  It's not a nice hack.  Make
sure nothing is timing out the connection.

> Log snippets (one success, followed by one failure, log 
> level 1).
> 
> [2003/01/15 15:57:55, 1] smbd/service.c:make_connection(636)
>    tyr (192.168.2.6) connect to service LEGAL as user test2 (uid=1014, gid=103) (pid 529)
> [2003/01/15 15:57:56, 1] smbd/password.c:server_validate(1175)
>    password server TYR.IMAGE.COM rejected the password
> 
> I found in the mailing list archives the following tidbit 
> from Andrew Bartlett, dated 13 Aug 2002:
> "Don't use 'security=server' when you have a real PDC. 
> That's what security=domain is for.  Furthermore, due to 
> bugs only (possibly) corrected in Win2k SP3 you must use 
> Samba 2.2.5 or above, as the PDC will otherwise randomly 
> refuse authentication."
> 
> Does this statement still apply to 2.2.7a? I'm loath to 
> install SP3 because of EULA concerns and, of course, 
> throwing big chunks of patches into a production server.
> 
> Anything else that might make this work?

Samba 3.0 includes more protections for security=server, but it is still
fundamentally flawed.  Why can't you use 'security=domain'?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
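
Added example, not part of the original message or of Samba: a small parser for smbd log entries in the level-1 format quoted above, which tallies share connections against password-server rejections so the failure rate under security=server can be measured rather than estimated. The function names are hypothetical, and the third entry in the sample is constructed.

```python
import re
from collections import Counter

# Header of an smbd log entry: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(?P<level>\d+)\] "
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

def parse_entries(text):
    """Group each header line with the (possibly wrapped) message lines after it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            # Continuation line: belongs to the most recent header.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Count share connections and rejections reported by server_validate."""
    counts, servers = Counter(), Counter()
    for e in entries:
        if e["func"] == "make_connection" and "connect to service" in e["msg"]:
            counts["connected"] += 1
        elif e["func"] == "server_validate" and "rejected the password" in e["msg"]:
            counts["rejected"] += 1
            m = re.search(r"password server (\S+) rejected", e["msg"])
            if m:
                servers[m.group(1)] += 1
    return counts, servers

# First two entries are the ones quoted in the post (with the mail client's
# line wrap kept); the third is constructed for illustration.
SAMPLE_LOG = """\
[2003/01/15 15:57:55, 1] smbd/service.c:make_connection(636)
  tyr (192.168.2.6) connect to service LEGAL as user test2
(uid=1014, gid=103) (pid 529)
[2003/01/15 15:57:56, 1] smbd/password.c:server_validate(1175)
  password server TYR.IMAGE.COM rejected the password
[2003/01/15 15:58:10, 1] smbd/password.c:server_validate(1175)
  password server TYR.IMAGE.COM rejected the password
"""

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```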