[Samba] Samba Upgrade Yields Undesired Domain-Wide IE High Security
RA Cohen
roy2098 at yahoo.com
Thu Feb 24 15:12:04 GMT 2005
Forgive the repost, but I've changed the subject line since I
haven't seen a reply yet...please help, I don't have much hair
left!

Hello All,

I had been successfully running Samba 2.2.8a on a FreeBSD 4.7
box for a couple years using roaming profiles. The box was
functioning as PDC. The hardware was getting old; I needed to
migrate to a new server. So, I built a FreeBSD 5.3-RELEASE box
on some relatively modern hardware and installed Samba 2.2.12. I
copied the master.passwd file to the new box, did the pwd_mkdb,
also copied the group file. Then I tarred all the home
directories on the old server, and untarred them on the new
server. Same with all the shares. Also used the same smb.conf
file.

As far as the users go, I am having them re-initialize their
passwords thru Usermin so their Samba passwords are now synched
with their FreeBSD/Unix passwords. I also manually joined each
machine to the domain, first on the server by smbpasswd -a -m
MACHINENAME, then actually went around to each (thank goodness
only 65 machines) machine, unjoined it from the domain by
putting them back into a workgroup, then joined the domain
again. No problem. Users can log into the domain from any
machine, get their roaming profiles, use their shares, etc. In
short, everything seems to work BUT here's the "gotcha":

Somehow, the security settings for Internet Explorer have been
set to medium for the entire domain. I have not a clue how this
has happened, but it means the users have to click thru numerous
"When you send information to the internet, it might be possible
for others to see that information. Do you want to continue?"
This pops up anytime a form is submitted. Also, file downloads
are now not possible.

I fail to understand how this has happened. And, the IE settings
cannot be changed, they simply revert back to the medium
setting. It is this behavior that makes me conclude this is a
domain-wide situation. When I log in to any of the machines as a
local administrator, the IE settings are at a custom level that
does permit more unrestricted browsing. I never created any
policies for this, so I assume they were the defaults for Win2K
with pretty much the latest patches, etc. I've also compared
file permissions and ownerships with those on the old server,
they seem to be the same.

Any help would be greatly appreciated...Thank you in advance.

Roy

PS Here are the relevant parts of smb.conf:

[global]
workgroup = XXXX
netbios name = YYYYYYYY
server string = Samba PDC running %v
encrypt passwords = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log level = 2
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins lmhosts hosts bcast
time server = Yes
lpq cache time = 20
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
total print jobs = 100
logon drive = Q:
logon home = \\%L\%U\.profile
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
logon script = %u.bat
domain admin group = netadmins

[netlogon]
path = /usr/local/samba/lib/netlogon
browseable = No
root preexec = perl /usr/local/samba/lib/netlogon/genlogon.pl %u %g %m
root postexec = perl /usr/local/samba/lib/netlogon/genlogoff.pl %u