[Samba] Windows 2000 Domain Controller Security Setting

Stewart, Eric eric at lib.usf.edu
Fri Jan 24 16:13:01 GMT 2003

	I sent an email last night regarding a security issue we were having
with our Windows 2000 domain controllers and Samba's interaction with them.
	It turns out part of the issue is that security settings don't
propagate to the domain controllers without rebooting them all.
	But, slightly contrary to my previous email:

The application to view these settings is (on a domain controller):

"Start" -> "Program Files" -> "Administrative Tools" ->
	"Domain Controller Security Policy"

The settings in question are:

(1) "Windows Settings" - "Security Settings" - "Account Policies" -
	"Kerberos Policy" -> "Enforce user logon restrictions"


(2) "Windows Settings" - "Security Settings" - "Local Policies" -
	"Security Options" ->
	"Additional restrictions for anonymous connections"

	Now, contrary to my previous email, (1) actually appears to have
*nothing* to do with the issues (drives not wanting to be mapped from a
Samba server).
	(2) However, appears to be the key.  There are three possible
settings for this:

(A) "None.  Rely on default permissions"
(B) "Do not allow enumeration of SAM accounts and shares"
(C) "No access without explicit anonymous permissions"

	In our testing this morning (because the problem recurred), we've
discovered that (A) and (B) don't cause a problem (though I've heard that
there is evidence that (B) doesn't do what it says it does).  When (C) is
selected (and the domain controllers are rebooted to put it into effect),
Samba servers using "security = domain" will not be able to pass through the
authentication, and hence, won't allow shares to be accessed.
	However, in Samba's defense on this issue, Windows NT 4.0
Workstations don't even let people log on with (C) set.  And yes, we still
run a few of those.

	So, in summary:
	(C) is a desired setting for (2), to stop people from getting a list
of Domain usernames from Domain Controllers.  Once that list is obtained,
some tools apparently throw the dictionary at accounts.  If account lockout
policies have been defined, accounts start getting locked out when the
dictionary attacks are attempted.  However, with these settings, NT 4.0
Workstations cannot be logged in (not your problem), and Samba servers will
not allow shares to be mapped when "security = domain" (not really a problem
I guess, but if it's fixable, it would be a big "plus" in Samba's court).

	Unless you know of some way to tell 2000 DCs to explicitly allow
Samba servers to have anonymous access, this is an (admittedly minor) issue
that might be worth looking at.

Eric Stewart - Network Admin, USF Tampa Campus Library - eric at lib.usf.edu
   Sysadmins are like epic heroes invested with supreme powers and arcane
   lore, duty-bound to protect their users from villains, fires, and
   themselves. - Feen, Benjy: Origin of Sysadmins,
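An added example, not part of Eric's message and not Samba or Microsoft code: a PowerShell check that reports which of the three settings for (2) is actually in effect on each domain controller, so that a setting of (C) can be spotted before Samba "security = domain" members lose their shares, and so that a mixed set of values across DCs shows that a policy change is still waiting on reboots. It assumes the "Additional restrictions for anonymous connections" policy is stored as the REG_DWORD RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, with values 0, 1 and 2 matching options (A), (B) and (C); that a missing value behaves as 0; and that the DCs can be reached with PowerShell remoting (Invoke-Command). The function name Get-RestrictAnonymousSetting is the author's own.

```powershell
# Added example (not from the original message): report the RestrictAnonymous
# value in effect on each domain controller. Assumptions: the policy lives at
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous as a REG_DWORD,
# 0/1/2 correspond to options (A)/(B)/(C) from the message, an absent value
# behaves as 0, and the DCs accept Invoke-Command (PowerShell remoting).

$PolicyLabels = @{
    0 = '(A) None. Rely on default permissions'
    1 = '(B) Do not allow enumeration of SAM accounts and shares'
    2 = '(C) No access without explicit anonymous permissions'
}

function Get-RestrictAnonymousSetting {
    param([Parameter(Mandatory)][string[]]$DomainController)

    foreach ($dc in $DomainController) {
        try {
            # Read the value that is actually in force on the DC (the registry),
            # not the value the policy editor shows, since the message notes the
            # policy does not take effect until the DC has been rebooted.
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                  -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
            }
            if ($null -eq $value) { $value = 0 }   # assumption: absent value acts as option (A)

            [pscustomobject]@{
                DomainController  = $dc
                RestrictAnonymous = [int]$value
                Setting           = $PolicyLabels[[int]$value]
                # Per the message, option (C) stops "security = domain" Samba members
                # from passing authentication through to the DC.
                BreaksSambaDomain = ([int]$value -eq 2)
            }
        }
        catch {
            [pscustomobject]@{
                DomainController  = $dc
                RestrictAnonymous = $null
                Setting           = "query failed: $($_.Exception.Message)"
                BreaksSambaDomain = $null
            }
        }
    }
}

# Usage (assumes the ActiveDirectory module is available for the DC list):
#   $dcs = (Get-ADDomainController -Filter *).HostName
#   Get-RestrictAnonymousSetting -DomainController $dcs | Format-Table -AutoSize
# Differing RestrictAnonymous values across DCs mean a policy change has not yet
# reached every DC, which matches the reboot behaviour described above.
```

Because the check reads the registry rather than the policy editor, it reflects what the DC is enforcing right now; run it after a policy change and again after the reboots to confirm every DC has picked up the same value.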