Marc Haber
1998-Dec-02 23:26 UTC
Need help analyzing logfiles: Printer permissions in Domain
Hi!

I am trying to print from an NT machine to a simple samba printer. That NT machine is the PDC and the samba box is having logins authenticated by the NT box. When I try to access the printer with my own username, it works fine. As soon as I have the account that is destined to do the printing print, it can't log in.

I have included my smb.conf file and two log excerpts - one successful, one not successful. I suspect that the account definitely needs to be present on the samba machine as well. Is any entry to /etc/smbpasswd enough or does the account also have to be present in /etc/passwd? Can I set this account's UNIX password to "*" preventing local login?

Any hints will be appreciated.

Greetings
Marc

|[global]
| workgroup = BARTSCH
| guest account = nobody
| keep alive = 30
| os level = 2
| security = server
| password server = bp-fs00
| load printers = no
| log file = /var/log/samba
| debug level = 3
| local master = no
| preferred master = no
| public = no
| os level = 0
| server string = Internet-Gateway
| bind interfaces only = true
| wins support = no
| wins server = bp-fs00
| interfaces = 192.168.10.10/255.255.255.0
|
|[dasiPDruck]
| comment = Protokoll-"Drucker" für Datensicherung
| path = /var/spool/samba
| read only = true
| writeable = no
| printable = true
| public = no
| browseable = yes
| print command = cat %s | mail -s Druckausgabe mh
| valid users = mh asback

|Added interface ip=192.168.10.10 bcast=192.168.10.255 nmask=255.255.255.0
|1998/12/01 19:40:37 loaded services
|1998/12/01 19:40:37 becoming a daemon
|bind succeeded on port 139
|waiting for a connection
|Initialised IPC area of size 102400
|1998/12/01 19:40:41 changed root to /
|open_oplock_ipc: opening loopback UDP socket.
|bind succeeded on port 0
|open_oplock ipc: pid = 598, oplock_port = 1849
|priming nmbd
|sending a packet of len 1 to (127.0.0.1) on port 137 of type DGRAM
|1998/12/01 19:40:41 Transaction 0 of length 72
|netbios connect: name1=PALANDT name2=BP-FS00
|Trying username bp-fs00
|1998/12/01 19:40:41 Transaction 1 of length 174
|switch message SMBnegprot (pid 598)
|Requested protocol [PC NETWORK PROGRAM 1.0]
|Requested protocol [XENIX CORE]
|Requested protocol [MICROSOFT NETWORKS 1.03]
|Requested protocol [LANMAN1.0]
|Requested protocol [Windows for Workgroups 3.1a]
|Requested protocol [LM1.2X002]
|Requested protocol [LANMAN2.1]
|Requested protocol [NT LM 0.12]
|resolve_name: Attempting lmhosts lookup for name BP-FS00
|resolve_name: Attempting host lookup for name BP-FS00
|Connecting to 192.168.10.1 at port 139
|connected to password server bp-fs00
|got session
|password server OK
|using password server validation
|Selected protocol NT LM 0.12
|1998/12/01 19:40:42 Transaction 2 of length 200
|switch message SMBsesssetupX (pid 598)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[asback]
|Trying username asbacK
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|Trying username asbacK
|No such user asback - using guest account
|nobody is in 1 groups
|65534
|uid 65534 registered to name nobody
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 598)
|Trying username dasipdrucK
|1998/12/01 19:40:45 invalid username/password for dasipdruck
|1998/12/01 19:40:45 error packet at line 171 cmd=117 (SMBtconX) eclass=2 ecode=2
|1998/12/01 19:40:45 Transaction 3 of length 43
|switch message SMBulogoffX (pid 598)
|1998/12/01 19:40:45 ulogoffX vuid=100
|end of file from client
|Closing connections
|1998/12/01 19:40:45 Server exit (normal exit)

|Initialised IPC area of size 102400
|1998/12/01 19:41:24 changed root to /
|open_oplock_ipc: opening loopback UDP socket.
|bind succeeded on port 0
|open_oplock ipc: pid = 600, oplock_port = 1855
|priming nmbd
|sending a packet of len 1 to (127.0.0.1) on port 137 of type DGRAM
|1998/12/01 19:41:24 Transaction 0 of length 72
|netbios connect: name1=PALANDT name2=BP-FS00
|Trying username bp-fs00
|1998/12/01 19:41:24 Transaction 1 of length 174
|switch message SMBnegprot (pid 600)
|Requested protocol [PC NETWORK PROGRAM 1.0]
|Requested protocol [XENIX CORE]
|Requested protocol [MICROSOFT NETWORKS 1.03]
|Requested protocol [LANMAN1.0]
|Requested protocol [Windows for Workgroups 3.1a]
|Requested protocol [LM1.2X002]
|Requested protocol [LANMAN2.1]
|Requested protocol [NT LM 0.12]
|resolve_name: Attempting lmhosts lookup for name BP-FS00
|resolve_name: Attempting host lookup for name BP-FS00
|Connecting to 192.168.10.1 at port 139
|connected to password server bp-fs00
|got session
|password server OK
|using password server validation
|Selected protocol NT LM 0.12
|1998/12/01 19:41:24 Transaction 2 of length 196
|switch message SMBsesssetupX (pid 600)
|Domain=[BARTSCH] NativeOS=[Windows NT 1381] NativeLanMan=[]
|sesssetupX:name=[mh]
|trying NetWkstaUserLogon with password server BP-FS00
|password server BP-FS00 accepted the password
|mh is in 7 groups
|100 12 80 81 82 83 65533
|uid 501 registered to name mh
|Clearing default real name
|Chained message
|switch message SMBtconX (pid 600)
|Trying username dasipdrucK
|ACCEPTED: validated uid ok as non-guest
|found free connection number 28
|Connect path is /var/spool/samba
|mh is in 7 groups
|100 12 80 81 82 83 65533
|chdir to /var/spool/samba
|chdir to /home/mh
|1998/12/01 19:41:27 bp-fs00 (192.168.10.1) connect to service dasiPDruck as user mh (uid=501,gid=100) (pid 600)
|1998/12/01 19:41:27 tconX service=dasipdruck user=mh cnum=28
|1998/12/01 19:42:31 Transaction 3 of length 39
|switch message SMBtdis (pid 600)
|1998/12/01 19:42:31 bp-fs00 (192.168.10.1) closed connection to service dasiPDruck
|Yielding connection to 28 dasiPDruck
|Yielding connection to 28 STATUS.
|Yield successful
|1998/12/01 19:42:31 tdis cnum=28
|1998/12/01 19:42:31 Transaction 4 of length 43
|switch message SMBulogoffX (pid 600)
|1998/12/01 19:42:31 ulogoffX vuid=100
|end of file from client
|Closing connections
|1998/12/01 19:42:31 Server exit (normal exit)

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
Marc Haber
1998-Dec-15 14:02 UTC
Need help analyzing logfiles: Printer permissions in Domain
I tried to send this message about two weeks ago. Since no answers have arrived yet, it might have been lost. Any ideas?
Robert Dahlem
1998-Dec-16 00:43 UTC
Need help analyzing logfiles: Printer permissions in Domain
Marc,

On Wed, 16 Dec 1998 01:03:19 +1100, Marc Haber wrote:

>When I try to access the printer with my own username, it works fine.
>As soon as I have the account that is destined to do the printing
>print, it can't log in.

I'm not quite sure if this opens a security hole: Did you try to set up your share with "public = yes"?

Your logs show that samba changes the account to the guest account ("nobody") when it does not find the user validated by the password server in its local /etc/passwd.

It might be worth checking if "valid users" is checked before or after "public = yes" or if this opens the share to everyone.

Hasta la vista,
Robert

-- 
---------------------------------------------------------------
Robert.Dahlem@frankfurt.netsurf.de
Radio Bornheim - 2:2461/332@fidonet +49-69-4930830 (ZyX, V34)
                 2:2461/326@fidonet +49-69-94414444 (ISDN X.75)
---------------------------------------------------------------
Robert Dahlem
1998-Dec-18 01:16 UTC
Need help analyzing logfiles: Printer permissions in Domain
Marc,

On Thu, 17 Dec 1998 09:54:43 +1100, Marc Haber wrote:

>>>When I try to access the printer with my own username, it works fine.
>>>As soon as I have the account that is destined to do the printing
>>>print, it can't log in.
>>I'm not quite sure if this opens a security hole: Did you try to set up your share
>>with "public = yes"?
>>Your logs show that samba changes the account to the guest account ("nobody")
>>when it does not find the user validated by the password server in its local
>>/etc/passwd.
>I have come to that conclusion too.
>mh is my account. This account is present in the NT domain, in
>/etc/passwd and smbpasswd. asback is the user that should do the
>printing in production service; this account currently is only present
>in the NT domain.

So what else should samba do with asback than "mapping" it to the guest account? There is no other way for samba to map it to a user id.

>I have thought that the whole concept of integrating
>a samba box into an NT domain is about not having to enter every NT
>account into /etc/passwd manually.

Think about the implications: As which unix user should samba do the file and print operations?

>>It might be worth checking if "valid users" is checked before or after "public =
>>yes" or if this opens the share to everyone.
>How do I do that?

Configure "public = yes" and remark "valid users". Try to connect to your printer share as user asback. If it doesn't work my tip was worthless and you better forget about it.

If it works, you have to investigate further: Remove asback from the "valid users" list, reboot your client box and try again. If it still works, you have a security hole. If it doesn't work, your problem is solved.

Hasta la vista,
Robert

-- 
---------------------------------------------------------------
Robert.Dahlem@frankfurt.netsurf.de
Radio Bornheim - 2:2461/332@fidonet +49-69-4930830 (ZyX, V34)
                 2:2461/326@fidonet +49-69-94414444 (ISDN X.75)
---------------------------------------------------------------
Robert Dahlem
1998-Dec-21 20:03 UTC
Need help analyzing logfiles: Printer permissions in Domain
Marc,

On Mon, 21 Dec 1998 22:46:38 +1100, Marc Haber wrote:

>>Configure "public = yes" and remark "valid users". Try to connect to your
>>printer share as user asback. If it doesn't work my tip was worthless and you
>>better forget about it.
>>If it works, you have to investigate further: Remove asback from the "valid
>>users" list, reboot your client box and try again. If it still works, you have a
>>security hole. If it doesn't work, your problem is solved.
>- public=yes, valid-users=mh : rejected
>- public=yes, valid-users=mh asback : rejected
>- public=yes, valid-users=commented out : works
>I suspect that samba first checks for a local account. If this
>does not exist, it is mapped to the nobody user, thus the rights
>of the nobody user apply. I think this is broken because in this
>case, the username has been verified by the domain logon.

Looks so. Perhaps you should try to write some comprehensive article on that and report to samba-bugs. This has gotten more responsive.

[Ugghh! Jeremy, I know I owe you a level 10 debug. :-) Lots of non-samba-related topics to get rid of in the company]

Hasta la vista,
Robert

-- 
---------------------------------------------------------------
Robert.Dahlem@frankfurt.netsurf.de
Radio Bornheim - 2:2461/332@fidonet +49-69-4930830 (ZyX, V34)
                 2:2461/326@fidonet +49-69-94414444 (ISDN X.75)
---------------------------------------------------------------
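Added here as an example, not code from the thread or from Samba: a small Python parser over a constructed sample condensed from the two debug-level-3 excerpts in Marc's first message. It groups lines by smbd pid and flags sessions the password server accepted but smbd then mapped to the guest uid for lack of a local account, which is the mapping Marc and Robert conclude is happening and the case "public = yes" with "valid users" commented out lets through. The message wording the regexes match is taken from the excerpts and assumed to hold only for that Samba version.

```python
import re

# Constructed sample, condensed from the two debug-level-3 smbd excerpts in
# the thread: pid 598 is the asback session (rejected), pid 600 is mh (accepted).
SAMPLE_LOG = """\
switch message SMBsesssetupX (pid 598)
sesssetupX:name=[asback]
password server BP-FS00 accepted the password
No such user asback - using guest account
uid 65534 registered to name nobody
1998/12/01 19:40:45 invalid username/password for dasipdruck
switch message SMBsesssetupX (pid 600)
sesssetupX:name=[mh]
password server BP-FS00 accepted the password
uid 501 registered to name mh
ACCEPTED: validated uid ok as non-guest
"""

# Message wording as in the excerpts; assumed to hold only for that Samba version.
RE_PID = re.compile(r"\(pid (\d+)\)")
RE_NAME = re.compile(r"sesssetupX:name=\[([^\]]+)\]")
RE_SERVER_OK = re.compile(r"password server \S+ accepted the password")
RE_GUEST = re.compile(r"No such user \S+ - using guest account")
RE_UID = re.compile(r"uid (\d+) registered to name \S+")
RE_TCON_OK = re.compile(r"ACCEPTED: validated uid ok")
RE_TCON_BAD = re.compile(r"invalid username/password for \S+")

def parse_sessions(text):
    """Group lines by smbd pid; per session record the name the client sent,
    password-server verdict, the UNIX uid smbd settled on, and the SMBtconX outcome."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := RE_PID.search(line):
            cur = sessions.setdefault(int(m.group(1)), dict(
                user="", server_ok=False, guest=False, uid=None, tcon="none"))
        if cur is None:          # lines before the first pid marker
            continue
        if m := RE_NAME.search(line):
            cur["user"] = m.group(1)
        elif RE_SERVER_OK.search(line):
            cur["server_ok"] = True
        elif RE_GUEST.search(line):
            cur["guest"] = True
        elif m := RE_UID.search(line):
            cur["uid"] = int(m.group(1))
        elif RE_TCON_OK.search(line):
            cur["tcon"] = "accepted"
        elif RE_TCON_BAD.search(line):
            cur["tcon"] = "rejected"
    return sessions

def guest_fallbacks(sessions):
    """Pids validated by the password server but mapped to the guest uid locally."""
    return [pid for pid, s in sessions.items() if s["server_ok"] and s["guest"]]
```

Running it over real level-3 logs shows at a glance which domain-validated users are silently becoming "nobody", which is the condition to clear before relaxing "public" on any share.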