[Samba] SERIOUS PROBLEM - Root Account Locked
Jason Baker
jbaker at glastender.com
Wed Aug 8 20:51:27 GMT 2007
> Do you have a process (like a service or scheduled task) running on a
> client machine as user 'root' with an incorrect cached password?
No, actually, this is what seems to be happening:
I log into a Windows XP Pro workstation as Administrator and browse the
network. I double-click on a network share, in this case a Samba
computer called HENBANE. If I view pdbedit -Lv -u root from another
computer while I'm doing this, I can watch the bad login count rise from
0 to 8. I then get a message that pops up on the Windows workstation
that says something to the effect of "account locked".
I added guest account = nobody to my smb.conf file and now I can browse
the HENBANE share after being prompted for a username and password, but
the bad password count for root now shows 2, and it rises higher each
time I access a share that requires a username and password.
Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com <http://www.glastender.com>
Jonathan Johnson wrote:
> Do you have a process (like a service or scheduled task) running on a
> client machine as user 'root' with an incorrect cached password?
>
> Jon Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
>
> Jason Baker wrote:
>> My root account keeps getting locked out automatically. I am running
>> Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have
>> accounts set to lock after 8 unsuccessful login attempts. I zeroed
>> out the bad password count, and then in less than a few seconds the
>> account gets locked again and a pdbedit -Lv -u root yields the
>> following:
>> Unix username: root
>> Logon time: 0
>> Logoff time: never
>> Kickoff time: never
>> Password last set: Wed, 01 Jan 1969 03:00:00 EST
>> Password can change: Wed, 08 Jan 1969 03:00:00 EST
>> Password must change: never
>> Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
>> Bad password count : 8
>>
>> If I enter w on the command line, it only shows that two (authorized)
>> users are logged into the server. So I'm confident that no one from
>> the outside is attempting to log in as root. Below is my conf file.
>> If I go into LDAP Account Manager and unlock the account, it will
>> stay unlocked for a few minutes (or seconds), then it is locked out
>> again. With the account lock I cannot join machines to the domain,
>> nor change domain permissions for users and groups. Any suggestions
>> would be helpful.
>>
>> [global]
>> unix charset = LOCALE
>> workgroup = glastendernet
>> netbios name = aster
>> server string = Glastender Domain Controller running %v
>> interfaces = eth1, lo, tun+
>> bind interfaces only = yes
>> os level = 255
>> preferred master = yes
>> local master = yes
>> domain master = yes
>> security = user
>> time server = yes
>> username map = /etc/samba/smbusers
>> wins support = yes
>> encrypt passwords = yes
>> pam password change = yes
>> name resolve order = wins bcast hosts
>> winbind nested groups = no
>> passdb backend = ldapsam:ldap://aster.glastender.com
>> ldap passwd sync = Yes
>> ldap suffix = dc=glastender,dc=com
>> ldap admin dn = cn=Manager,dc=glastender,dc=com
>> ldap ssl = no
>> ldap group suffix = ou=Groups
>> ldap user suffix = ou=People
>> ldap machine suffix = ou=People
>> ldap idmap suffix = ou=Idmap
>> idmap backend = ldap:ldap://aster.glastender.com
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> map acl inherit = yes
>> add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>> #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>> add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
>> add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>> #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
>> add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
>> set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
>> domain logons = yes
>> log file = /var/log/samba/log.%m
>> log level = 0
>> syslog = 0
>> max log size = 50
>> #smb ports = 139 445
>> smb ports = 139
>> hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
>> # User profiles and home directories
>> logon drive = U:
>> logon path = \\%L\profiles\%U
>> logon script = %U.bat
>> large readwrite = no
>> read raw = no
>> write raw = no
>> printcap name = /etc/printcap
>> load printers = no
>> printing =
>> template shell = /bin/false
>> winbind use default domain = yes
>>
>>
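
Added example, not part of the original post or of Samba: a shell function that reads pdbedit -Lv output for all accounts and lists those with a non-zero bad password count, flagging any that have reached the 8-attempt lockout threshold mentioned in the thread. The function names and the jdoe and svc_backup sample accounts are made up for illustration; the root record reuses the values quoted above.

```shell
#!/bin/sh
# Added example (not from the original thread): report accounts whose
# bad password count is non-zero, from `pdbedit -Lv` output on stdin.
# Usage on a live server (lockout threshold 8, as in the thread):
#   pdbedit -Lv | lockout_report 8

lockout_report() {
    awk -v max="$1" '
        # Print the finished record if it has failed logons, then reset.
        function emit() {
            if (user != "" && count > 0)
                printf "%s %d/%d %s last_bad=\"%s\"\n", user, count, max + 0,
                       (count >= max + 0 ? "LOCKED" : "ok"), last
            user = ""; count = 0; last = ""
        }
        {
            p = index($0, ":")          # split at the first colon only
            if (p == 0) next            # separator or blank line
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Unix username") { emit(); user = val }
            else if (key == "Bad password count") count = val + 0
            else if (key == "Last bad password") last = val
        }
        END { emit() }
    '
}

# Constructed sample: the root record uses the values quoted in the thread;
# jdoe and svc_backup are made-up accounts.
sample_pdbedit() {
    cat <<'EOF'
---------------
Unix username:        root
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8
---------------
Unix username:        jdoe
Last bad password   : 0
Bad password count  : 0
---------------
Unix username:        svc_backup
Last bad password   : Tue, 07 Aug 2007 09:12:40 EDT
Bad password count  : 3
EOF
}

sample_pdbedit | lockout_report 8
```

Run from cron or a watch loop, the report shows which account is accumulating failures and when the last one happened, which can then be matched against client activity.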