SV: [Samba] Problems with Samba and security hardened WinXP SP2 c
lients
jonas.back at ppm.nu
jonas.back at ppm.nu
Tue Feb 22 17:04:03 GMT 2005
Thanks! Setting spnego = yes worked perfectly!
> We're running Fedora Core and Samba-3.0.8-0.pre1.3 and we're
authenticating
> our Windows XP users against Active Directory running on Windows 2003.
> Everything works fine!
>
> But now we're trying to secure and harden our WinXP machines and now when
> any user logged into a secured WinXP they get the errormessage "The
account
> is not authorized to log in from this station". I browsed the net and most
> solutions tell me to change the smb.conf to:
> encrypt passwords = yes
>
> However, this didn't work (later, it turned out it worked without this
> setting anyway). But since it did work before securing the WinXP I started
> looking into the policysettings of the client. I found that the following
> GPO-setting was the reason why it stopped working:
> Microsoft network client: Digitally sign communications (always)
> If we set this to Disabled it works again.
>
> This security option setting determines whether packet signing is required
> by the SMB client component. Enabling this setting prevents the Microsoft
> network client from communicating with a server unless that server agrees
to
> perform SMB packet signing. You risk gettings your sessions hijcaked
> otherwise.
>
> Doesn't Samba support this?
Try spnego = yes
Steve
More information about the samba
mailing list