Hi y'all, I have a little problem with Samba which I hope you can help me with. We are running Samba 2.0.4 on a Sun Enterprise 4500 with Solaris 7. Clients are mostly Win 9x and a few NT workstations (and one NT Terminal Server). I have security = server (password server is the NT Terminal Server). What happens is occasionally Samba will not let a certain user connect, saying the password is incorrect (even though it is correct). We run Samba as a daemon (-D option). When this happens, if I can isolate the smbd process the user is using, I can kill it and then the user can log on. If I can't, I kill all of the ones owned by root (but not the parent process) and that works. I get the following error message in my log.smb when this happens (IP address below is fake): [2000/04/03 12:09:22, 0] smbd/password.c:(1118) server_validate: [1] password server 123.45.67.89 allows users as non-guest with a bad password. [2000/04/03 12:09:22, 0] smbd/password.c:(1120) server_validate: [1] This is broken (and insecure) behaviour. Please do not use this machine as the password server. Other folks have suggested using domain security, but that is not an option right now. Is there a way to fix this? ******************* Michael R Smith Senior Programmer/Analyst Maine DEP GIS Unit michael.smith@state.me.us -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 2691 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20000403/87862a0f/attachment.bin
David Collier-Brown - Sun Canada
2000-Apr-03 17:23 UTC
server allows users as non-guest with bad password
Michael wrote: | occasionally Samba will not let a certain user connect, saying | the password is incorrect (even though it is correct). [...] | I get the following error message in my log.smb when this happens | (IP address below is fake): | | [2000/04/03 12:09:22, 0] smbd/password.c:(1118) | server_validate: [1] password server 123.45.67.89 allows users as | non-guest with a bad password. | [2000/04/03 12:09:22, 0] smbd/password.c:(1120) | server_validate: [1] This is broken (and insecure) behaviour. Please do | not use this machine as the password server. Oy veh! My leaky memory says this is a problem from a while ago in which NT returns a "success" indication despite the user mistyping their password. This is A Bad Thing, and Samba would prefer to authenticate with servers who don't do that. If the user's passwords are actually correct (eg, they come straight from a .pwl file), then NT is befuddled. If not, NT is trying to befuddle Samba (;-)) In either case, snooping the packets may tell us what to do about it... In the meantime, do you have any other machine to play authentication server? --dave -- David Collier-Brown in Boston Phone: (781) 442-0734, Room BUR03-3632