> ... > BUT every time a connection is attemptesd I see the following messages > logged: > > negprot w/password server as 2625merou > requin.spc.org.nc rejected the session > requin.spc.org.nc not connected > > WHY is requin refusing the password verification connection from the > HP-UX box? How can I get the passwords verified by the WindowsNT > (requin) server so that I dont have to keep smbpasswd up to date? > Incidentally requin.spc.org.nc is a BDC - does that matter?The reason it is failing is that requin.spc.org.nc is not a netbios name. The NT box is refusing the Netbios session request because it doesn't know the name that it is being called. You could just use "password server = requin" instead, and possibly add requin to /etc/hosts if it can`t be resolved without the full name. You would be much better off upgrading to 1.9.17p4. I rewrote the password server code for p4 and one of the things I changed was to check for a . in the name and take the part before the first . as the netbios name. This is consistent with what smbclient does. The new code is also a lot cleaner and also fixes a potential security hole if your NT server is misconfigured (some NT servers were accepting session setup connections with any password on unknown usernames and not setting the guest bit in the reply). The new code does a full NetWkstaUserLogon to verify that the password server really meant yes when it said yes. Andrew
> Date: Wed, 22 Oct 1997 10:24:40 +1000 > From: Andrew Tridgell <samba-bugs@samba.anu.edu.au> > Subject: Re: password server (PR#1028) > > You would be much better off upgrading to 1.9.17p4. I rewrote the password > server code for p4 and one of the things I changed was to check for a . > in the name and take the part before the first . as the netbios name. This > is consistent with what smbclient does. > > The new code is also a lot cleaner and also fixes a potential security hole > if your NT server is misconfigured (some NT servers were accepting > session setup connections with any password on unknown usernames and not > setting the guest bit in the reply). The new code does a full > NetWkstaUserLogon to verify that the password server really meant yes > when it said yes. > > Andrew >Is it possible to give details of exactly what misconfiguration on the NT password server creates this problem (so it can be remedied if it exists ) ? Also, if samba has root in its invalid users list, does this guarantee that root access cannot be obtained on a pre-p4 samba server. Thanks, Mark Forster. ( m.forster@ic.ac.uk ) Centre for Computing Services, Mech. Eng. Building, Imperial College, Exhibition Road, London SW7 2BX, United Kingdom. Phone (+44) 0171-594 6918