Kees Damen wrote:>
> Hello,
>
> We recently switched from "security = user" to
> "security = server". And are now using a NT4 server for
> password authentication. This method gives less problems
> with NT4/W2K Workstations and encrypted passwords.
>
> When we where using "security = user" Samba authentication
> was against the local Unix password files and login was fast
> without any delay. After the switch there was a 3 seconds
> login delay when connecting for the first share. I have read
> about this in the listing before, others where also complaining
> about this.
>
> I started searching in the 2.2.2 source code and found that
> this is caused by the check for a "broken NT4 server" in the
> file smbd/password.c line 1182. Samba gives a incorrect
> username and password to the authentication server for guest
> account testing. The NT server gives you a 3 second delay
> for this incorrect username/password. After switching this
> test off login was fast again and everything worked fine
> without any problems.
BTW, in HEAD (3.0 alpha) there is a 'paranoid server security' option
you can use to control this.
> Switching off this test is a workaround that works for our
> company because our NT4 server is not suffering from the
> broken server bug.
>
> My suggestion for improving Samba is this:
>
> - Let only the Mother smbd process test the authentication
> server for this behavior and make this result available
> for all the Child processes. For example by an extra command
> line switch for smbd. Then only the Mother gets the 3 seconds
> penalty from the authentication server during system boot.
> And all the Child's login fast without any delay.
The main problem with this is that the decision to use the server level
security arrangements are only made much later, well after the fork. We
could certainly punt if it looks like 'security = server', but netbios
is a dynamic environment, and the server that was answering to that name
now might not be the one answering later. Likewise, we would have to
test all the possible servers.
If you are at all serious about using samba in an NT environment, then
use 'security = domain', its *much* nicer to work with and doesn't
have
this stupidity.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net