On Sat, 2002-11-16 at 03:11, Benjamin Herbert wrote:
> Hello,
>
> I am running Samba 2.2.5 (built from source) on a Linux 7.3 machine. I
> have samba setup to use domain authentication and everything is working
> fine. The security administrator did a scan on the Windows 2000 server
> being used for authentication. He found a vulnerability attributed to
> the fact that winbindd needs null sessions on the W2k machine to be
> enabled (since winbindd sends a null username and null password).
> Obviously we want to correct this situation. I thought I could correct
> it when I created the account for the samba server on the W2k box by
> selecting the account group to be "Pre-Windows 2000 Compatible Access".
> For some reason this did not work. Does anyone know why this didn't
> work?
Samba cannot even connect to the server with this account, so giving it
extra privileges doesn't help. You need to give those privileges to the
anonymous user, add a 'user' account for the server or upgrade to Samba
3.0 (which supports this natively - an AD machine account can log in and
gain the relevant info).
> Another way around this is to have winbindd send a legitimate username
> and password by running 'wbinfo -Ausername%password'. This method
> raises some questions. First, does winbindd send the username and
> password encrypted? Second, do you have to run 'wbinfo -A..' every time
> you restart winbindd or is it sufficient to run it only once?
This password is stored in a TDB, in much the same way that the machine
account password is, and is transferred over the network using the
normal challenge-response authentication methods.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
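For readers hitting the same problem, the configuration the thread presupposes is a Samba 2.2 smb.conf with security = domain and winbind enabled. The fragment below is an added illustration, not from the original post or from the Samba project; the domain name EXAMPLEDOM, the server names W2KDC1 and W2KDC2 and the id ranges are placeholders.

```ini
[global]
   ; NT domain whose DCs will authenticate users (placeholder name)
   workgroup = EXAMPLEDOM
   ; pass authentication through to the domain controllers
   security = domain
   encrypt passwords = yes
   ; DCs to contact, in order (placeholder host names)
   password server = W2KDC1 W2KDC2

   ; winbindd: map domain SIDs onto local uid/gid ranges
   ; (these two options became "idmap uid"/"idmap gid" in Samba 3.0)
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/false
```

The machine account is created with the Samba 2.2 join syntax, smbpasswd -j EXAMPLEDOM -r W2KDC1 -U Administrator (Samba 3.0 uses net rpc join or net ads join instead). Once winbindd is running, wbinfo -A username%password (long form --set-auth-user) only needs to be run once: as the reply says, the credential lives in Samba's secrets TDB and survives restarts, so protect that file the same way you protect the machine account secret (root-only, in the private directory). The password also appears in the shell history and in the process list while the command runs, so prefer a dedicated, low-privilege domain account for this and clear the history afterwards. wbinfo -t checks the trust secret and wbinfo -u lists domain users, which together confirm the lookup path works without a null session.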