[Samba] Samba Upgrade Yields Undesired Domain-Wide IE High Security

[RA Cohen]

Forgive the repost, but I've changed the subject line since I
haven't seen a reply yet...please help, I don't have much hair
left!

Hello All,

I had been successfully running Samba 2.2.8a on a FreeBSD 4.7
box for a couple years using roaming profiles. The box was
functioning as PDC. The hardware was getting old; I needed to
migrate to a new server. So, I built a FreeBSD 5.3-RELEASE box
on some relatively modern hardware and installed Samba 2.2.12. I
copied the master.passwd file to the new box, did the pwd_mkdb,
also copied the group file. Then I tarred all the home
directories on the old server, and untarred them on the new
server. Same with all the shares. Also used the same smb.conf
file.

As far as the users go, I am having them re-initialize their
passwords thru Usermin so their Samba passwords are now synched
with their FreeBSD/Unix passwords. I also manually joined each
machine to the domain, first on the server by smbpasswd -a -m
MACHINENAME, then actually went around to each (thank goodness
only 65 machines) machine, unjoined it from the domain by
putting them back into a workgroup, then joined the domain
again. No problem. Users can log into the domain from any
machine, get their roaming profiles, use their shares, etc. In
short, everything seems to work BUT here's the "gotcha":

Somehow, the security settings for Internet Explorer have been
set to medium for the entire domain. I have not a clue how this
has happened, but it means the users have to click thru numerous
"When you send information to the internet, it might be possible
for others to see that information. Do you want to continue?"
This pops up anytime a form is submitted. Also, file downloads
are now not possible.

I fail to understand how this has happened. And, the IE settings
cannot be changed, they simply revert back to the medium
setting. It is this behavior that makes me conclude this is a
domain-wide situation. When I log in to any of the machines as a
local administrator, the IE settings are at a custom level that
does permit more unrestricted browsing. I never created any
policies for this, so I assume they were the defaults for Win2K
with pretty much the latest patches, etc. I've also compared
file permissions and ownerships with those on the old server,
they seem to be the same.

Any help would be greatly appreciated...Thank you in advance.

Roy

PS Here's the relevant parts of smb.conf:

[global]
        workgroup = XXXX
        netbios name = YYYYYYYY
        server string = Samba PDC running %v
        encrypt passwords = Yes
        passwd program = /usr/bin passwd %u
        passwd chat = *New*UNIX*password* %n\n
*Retype*new*UNIX*password* %n\n *Enter*new*UNIX*
password* %n\n *Retype*new*UNIX*password* %n\n *passwd:
*all*authentication*tokens*updated*succ
essfully*
        unix password sync = Yes
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts hosts bcast
        time server = Yes
        lpq cache time = 20
        socket options = TCP_NODELAY IPTOS_LOWDELAY
SO_SNDBUF=8192 SO_RCVBUF=8192
        total print jobs = 100
        logon drive = Q:
        logon home = \\%L\%U\.profile
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        logon script = %u.bat
        domain admin group = netadmins

[netlogon]
        path = /usr/local/samba/lib/netlogon
        browseable = No
        root preexec = perl
/usr/local/samba/lib/netlogon/genlogon.pl %u %g %m
        root postexec = perl
/usr/local/samba/lib/netlogon/genlogoff.pl %u



		
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail