Aaron Rummery wrote:>
> At present we have one user out of 400 or so constantly getting locked
> out of his NT account. The user is using a Windows 95 OSR version 2 PC
> connecting to a NT 4 Server to authenticate his password and receive
> his desktop.
>
> The NT4 Server's both PDC and BDC are running NT Services for Unix
> version 1, with the password authentication on NT conecting to our NIS
> master. Our Unix Servers are Sun Solaris 2.7 running Samba 2.0.7 or
> 2.0.6, with the exception of our NIS Server which isn't running Samba.
>
> Every morning at around 6:15 am the users account is locked out on NT,
> the Unix Server in question is running Samba 2.0.7 it has in the
> Security Option for password server set to "NT-PDC". The user
locking
> him out is "ANONYMOUS" on the Event log in NT.
I suggest an upgrade to the latest version of Samba, or switch to
'security = domain'. In earlier verions, we would use the user's
own
accout when testing for a bug (found in certain NT configurations) that
would cause any username/password to give a 'password ok' response. It
does this by sending an invalid password, which eventually causes a
lockout.
This has been corrected in recent Samba 2.2 releases (we don't use the
user's account any more, we make one up), but 'secuirty=domain' is
much
more reliable in any case.
(security=domain implies joining the domain with 'smbpasswd -r PDC -j'.
If using 2.2, then then add '-Uadministrator%password' to avoid needing
to 'add machine' on the PDC.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net