[Samba] Windows sometimes authenticates with wrong user
AndyLiebman at aol.com
AndyLiebman at aol.com
Wed Dec 14 02:47:10 GMT 2005
Sorry in advance for the long post. But this is a bit of a detective story.
We are having an authentication issue with a small number of Windows XP
(SP2) machines. The Windows machines are set up to have only a single user --
let's say the user is called "Writer". There is no password set up for this user
called "Writer". User1 logs on to the machine and connects to our Linux Samba
Server (3.0.13). None of the shares on the server allow guests (guest ok =
no) -- so when connecting to a "public" share on the server, User1 is prompted
for a username and password. User1 supplies his Linux/samba username and
password -- the server authenticates him -- and now he can access the "public"
shares. His own private shares also now become visible (home directory, and
shares defined with a %u variable in the path).
All is fine. This is how things are supposed to work
But now, User1 logs off (literally logs off Windows -- back to the Windows
user log on screen -- fast user switching is NOT enabled) and a couple of
minutes later User2 logs on. When User2 clicks on a public share, on these
Windows machines she is NOT asked for a username and password. Instead, she
immediately gets access to the "public" share and can also see and use all of
User1's private shares!
For some reason, it seems Windows is still telling the Samba Server that it
is User1 who is connecting -- Windows has not forgotten that User1 logged out
-- and Samba just obliges and serves up User1's shares.
We see the same behavior if we disconnect shares via "net use * /d". The
shares disconnect, but when we connect again we're not asked to authenticate
again.
This behavior is extremely rare. We have thousands of Windows clients
accessing hundreds of Samba Servers. In many of the cases, users log on and log off
just as I described above without any problem. But we have a few machines
out in the field that just keep behaving in this unexpected way (Note:
Unfortunately, it's not always feasible for users to log in on every Windows client
where they might work with usernames and passwords that match their
Linux/samba names and passwords. We encourage organizations that have users moving
around a lot to set up a PDC, but many can't do that so they use our "on the
spot" authentication.)
My question is: is there a way to force Windows to clear all knowledge of
what user was previously using a machine?
I kind of doubt this is a Samba issue. But COULD IT BE POSSIBLE that Samba
is matching up a Username to a Mac address or IP address and therefore not
recognizing that one user has logged out (disconnecting all network shares) and
another logged on? Is there something that can make Samba hold on to thinking
User1 is still connected when it's acutally User2? If so, what can we do to
correct THIS?
Can a switch that's in between the client and server be a culprit?
As a related issue -- we produce servers that are deployed in isolated and
totally separate environments. The servers ALL go out with the exact same
NetBios names. They are essentially clones of one another -- and all have the
same set of "public" shares. We always test the servers in our office before
they go out. Over time, a couple of our Windows clients in the office just
won't connect to certain "public" shares on the Samba Machines. We get an error
message to the effect of "Windows can't find this resource requested or you
don't have authority to access this resource. Please consult with your network
administrator" We don't get a username and password prompt. If we click on a
DIFFERENT public share, we get the username and password prompt. After
authenticating, we can THEN access the first share that gave us the error.
My question is, can Windows machines get stuck thinking that a share called
\\Server\ShareA that it ONCE connected to on a "Server Serial # 131" is
still supposed to be the same share that when we try to connect to
\\Server\ShareA on "Server Serial # 133 -- and because it's not exactly the same share (how
could windows figure that out -- by the Mac Address of the Server?), it
throws the error?
Again, we cycle many "server clones" into and out of our place and this is a
rare event. But we have a two Windows clients that sometimes seem to resist
the switch from one server to another. The Windows clients can be shut down
for days, but when we boot them up again and try to connect to a completely
different server, we can have this issue. Is there some sort of cache on the
Windows clients that we can clear out?
By the way, we use Samba 3.0.13 on our systems because of a couple of
specific Samba issues that appeared in 3.0.14 and 3.0.20 that affect our software
and that haven't yet been resolved.
We also do NOT tell Windows to "reconnect at logon".
Hope somebody can shed some light here.
Thanks,
Andy
More information about the samba
mailing list