[Samba] SERIOUS PROBLEM - Root Account Locked

Jason Baker jbaker at glastender.com
Thu Aug 9 12:45:04 GMT 2007


Jonathan,
You are a genius!
That fixed it. Using root = Administrator never seemed to make much 
sense to me when I was setting up my Samba domain, and now I know why. I 
simply didn't set it up correctly. I set the root password and made root 
user ID 0, but when I mapped root = Administrator, I didn't make the 
connection that the Administrator account on the local Windows machine 
should have the Samba/LDAP root password also. I commented out the line 
root = Administrator from the smbusers file and all works excellently now.
The reason I never noticed it before was because I didn't have bad 
password set. About a week or so ago I set the bad password attempt 
limit to 8; that's when I started having this problem. When I would 
browse the Samba domain shares under the Administrator account in 
Windows, it was passing the local account credentials for Administrator 
to the server, and the server was complaining because, really, root = 
Administrator and Administrator = root, but the passwords didn't match.
Thanks again for the quick reply.

*Jason Baker*
/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com <http://www.glastender.com>

-----BEGIN GEEK CODE BLOCK----- 
Version: 3.1
GIT$ d- s: a C++$ LU+++$ P+ L++>L++++ !E--- W+++ N o? K?
w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- 
r+++ y+++
------END GEEK CODE BLOCK------



Jonathan Johnson wrote:
> This sounds like you have 'root = Administrator' in your 
> /etc/samba/smbusers file. Is the password you are using for 
> Administrator *different* from what is set for root in Samba 
> ("smbpasswd root" to change)? That could be the issue.
>  
> Note that typically, Linux and Samba use different password databases, 
> so even though they map the same user name, the passwords may be 
> different.
>  
> Jon Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
>  
> ------------------------------------------------------------------------
> *From:* Jason Baker [mailto:jbaker at glastender.com]
> *Sent:* Wed 8/8/2007 1:51 PM
> *To:* Jonathan Johnson
> *Cc:* samba at lists.samba.org
> *Subject:* Re: [Samba] SERIOUS PROBLEM - Root Account Locked
>
>> Do you have a process (like a service or scheduled task) running on a 
>> client machine as user 'root' with an incorrect cached password? 
> No actually, this is what seems to be happening:
> I log into a Windows XP Pro workstation as Administrator and browse 
> the network. I double-click on a network share, in this case a Samba 
> computer called HENBANE. If I view pdbedit -Lv -u root from another 
> computer while I'm doing this, I can watch the bad login count rise 
> from 0 to 8. I then get a message that pops up on the Windows 
> workstation that says something to the effect of "account locked".
> I added guest account = nobody to my smb.conf file and now I can 
> browse the HENBANE share after being prompted for a username and 
> password, but the bad password count for root now shows 2, and it 
> rises higher each time I access a share that requires a username and 
> password.
>
>
> Jonathan Johnson wrote:
>> Do you have a process (like a service or scheduled task) running on a 
>> client machine as user 'root' with an incorrect cached password?
>>
>> Jon Johnson
>> Sutinen Consulting, Inc.
>> www.sutinen.com
>>
>> Jason Baker wrote:
>>> My root account keeps getting locked out automatically. I am running 
>>> Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
>>> accounts set to lock after 8 unsuccessful login attempts. I zeroed 
>>> out the bad password count, and then in less than a few seconds the 
>>> account gets locked again and a /pdbedit -Lv -u root/ yields the 
>>> following:
>>> Unix username:        root
>>> Logon time:           0
>>> Logoff time:          never
>>> Kickoff time:         never
>>> Password last set:    Wed, 01 Jan 1969 03:00:00 EST
>>> Password can change:  Wed, 08 Jan 1969 03:00:00 EST
>>> Password must change: never
>>> Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
>>> Bad password count  : 8
>>>
>>> If I enter w on the command line, it only shows that two 
>>> (authorized) users are logged into the server. So I'm confident that 
>>> no one from the outside is attempting to log in as root. Below is my 
>>> conf file. If I go into LDAP Account Manager and unlock the account, 
>>> it will stay unlocked for a few minutes (or seconds), then it is 
>>> locked out again. With the account lock I cannot join machines to 
>>> the domain, nor change domain permissions for users and groups. Any 
>>> suggestions would be helpful.
>>>
>>> [global]
>>>        unix charset = LOCALE
>>>        workgroup = glastendernet
>>>        netbios name = aster
>>>        server string = Glastender Domain Controller running %v
>>>        interfaces = eth1, lo, tun+
>>>        bind interfaces only = yes
>>>        os level = 255
>>>        preferred master = yes
>>>        local master = yes
>>>        domain master = yes
>>>        security = user
>>>        time server = yes
>>>        username map = /etc/samba/smbusers
>>>        wins support = yes
>>>        encrypt passwords = yes
>>>        pam password change = yes
>>>        name resolve order = wins bcast hosts
>>>        winbind nested groups = no
>>>        passdb backend = ldapsam:ldap://aster.glastender.com
>>>        ldap passwd sync = Yes
>>>        ldap suffix = dc=glastender,dc=com
>>>        ldap admin dn = cn=Manager,dc=glastender,dc=com
>>>        ldap ssl = no
>>>        ldap group suffix = ou=Groups
>>>        ldap user suffix = ou=People
>>>        ldap machine suffix = ou=People
>>>        ldap idmap suffix = ou=Idmap
>>>        idmap backend = ldap:ldap://aster.glastender.com
>>>        idmap uid = 10000-20000
>>>        idmap gid = 10000-20000
>>>        map acl inherit = yes
>>>        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>>>        #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>>>        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
>>>        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>>>        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
>>>        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>>>        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
>>>        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
>>>        domain logons = yes
>>>        log file = /var/log/samba/log.%m
>>>        log level = 0
>>>        syslog = 0
>>>        max log size = 50
>>>        #smb ports = 139 445
>>>        smb ports = 139
>>>        hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
>>>        # User profiles and home directories
>>>        logon drive = U:
>>>        logon path = \\%L\profiles\%U
>>>        logon script = %U.bat
>>>        large readwrite = no
>>>        read raw = no
>>>        write raw = no
>>>        printcap name = /etc/printcap
>>>        load printers = no
>>>        printing =
>>>        template shell = /bin/false
>>>        winbind use default domain = yes
>>>
>>>
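
An added example, not part of the original thread: a small audit that reads a Samba username map (the smbusers file discussed above) and `pdbedit -Lv` output, and reports privileged Unix accounts that client names are mapped onto together with their bad password count against the lockout limit of 8. The function names and both sample inputs are constructed for illustration.

```python
import shlex
LOCKOUT_THRESHOLD = 8  # bad password limit stated in the thread
# Constructed sample inputs (not taken from the poster's server).
SMBUSERS = '''\
# unix_name = client_name1 client_name2 ...
root = Administrator admin
; lines starting with ';' are comments too
!jbaker = "Jason Baker"
nobody = guest pcguest
'''
PDBEDIT_LV = '''\
Unix username:        root
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8
Unix username:        jbaker
Bad password count  : 1
'''

def parse_username_map(text):
    """Return {unix_name: [client names]} from a Samba username map."""
    mapping = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, clients = line.split("=", 1)
        unix = unix.strip().lstrip("!").strip()  # '!' means stop at first match
        # shlex handles double-quoted client names that contain spaces
        mapping.setdefault(unix, []).extend(shlex.split(clients))
    return mapping

def bad_password_counts(text):
    """Return {unix_name: bad password count} from 'pdbedit -Lv' output."""
    counts, user = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            user = value
        elif key == "Bad password count" and user:
            counts[user] = int(value)
    return counts

def audit(map_text, pdbedit_text, privileged=("root",), limit=LOCKOUT_THRESHOLD):
    """Privileged accounts with client aliases: (name, aliases, count, locked)."""
    counts = bad_password_counts(pdbedit_text)
    return [(u, c, counts.get(u, 0), counts.get(u, 0) >= limit)
            for u, c in parse_username_map(map_text).items() if u in privileged]

if __name__ == "__main__":
    print(audit(SMBUSERS, PDBEDIT_LV))
```

On a live server the two inputs would be the contents of the file named by `username map` in smb.conf and the output of `pdbedit -Lv`.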

