> I have the following in my smb.conf for NT servers (3.51 and 4.0):
>
> security = server
> password server = %m
>
> This works fine for 1.9.17p3 and earlier, but doesn't work with
1.9.17p4,
> 1.9.17p5, or 1.9.18alpha14.
>
> Here is the error I'm getting:
>
> NetwkstaUserLogon gave error 59
> password server BUD failed NetWkstaUserLogon
>
> BTW, bud is the name of the NT client I'm trying to access samba from.
In 1.9.18 you can disable the NetWkstaUserLogon call at compile time
in local.h.
The password server behaviour changed because we discovered that bugs
in some NT servers allowed anyone to login with no password if they
chose an account name that did not exist on the password server. The
NT password server was saying "yes, it's OK to login" even when
the
account didn't exist at all! Adding the NetWkstaUserLogon call fixed
the problem, and follows the "recommended" method that MS have
recently documented for pass through authentication.
The problem now is that some NT servers (in particular NT
workstation?) don't support the NetWkstaUserLogon call. The call also
doesn't work for accounts in trust relationships.
The eventual solution for this will be to replace the password server
code in Samba with NT domain code as that is developed. For now you
have the choice of compiling Samba either with or without the
NetWkstaUserLogon call in the password server code.
In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5
you could apply the following patch. Applying this patch will make
the password server code behave like the code in earlier versions
of Samba. If you do this then please ensure that you test to see
that users are prevented from logging in if they give a bogus
username/password. You may have a NT server that is affected by the
bug that this code is designed to avoid.
--- password.c 1997/10/21 10:09:28 1.25.2.4
+++ password.c 1997/12/31 06:43:06
@@ -1619,6 +1619,7 @@
}
+#if 0
if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
DEBUG(1,("password server %s failed NetWkstaUserLogon\n",
cli.desthost));
cli_tdis(&cli);
@@ -1638,6 +1639,7 @@
cli_tdis(&cli);
return False;
}
+#endif
DEBUG(3,("password server %s accepted the password\n",
cli.desthost));
Cheers, Andrew
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andrew Tridgell Dept. of Computer Science
email: samba-bugs@samba.anu.edu.au Australian National University
Phone: +61 6 254 8209 Fax: 61 6 249 0010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-