Kris Kelley
2002-May-15 17:39 UTC
[Samba] Linux server, Win2k client: Almost works, what am I missing?
Hello all.

A couple of days back I posted a question about how I could get a Win2K client to mount a share from my linux Samba server. I was getting the familiar "account is not authorized to log in from this station" error on the Win2K box, despite a set-up that supposedly allowed guest logins *and* implemented the registry hack for clear-text passwords on the Win2k box.

While I didn't find a direct solution, Herb Lewis in particular was very helpful in offering suggestions. I decided to abandon the RPM approach and install from the source package instead, if only to have better control over what extra features were enabled (bye-bye, PAM!).

I've made some progress since then. I am certain that the stumbling block I'm facing now is a real stupid one, but I'm brain-dead on finding the solution.

My set up: Red Hat Linux 7.1 (kernel 2.4.9) running Samba 2.2.4. I compiled and installed using all the defaults, with one exception: I enabled the smbmount feature.

My configuration is pretty basic at the moment. This is my smb.conf file:

    [global]
        workgroup = DEVGROUP
        security = user
        netbios name = skunkworx
    [test]
        comment = test share
        path = /export/samba/test
        read only = no
        guest ok = yes

/export/samba/test does exist, and has 777 permissions.

At first, this is the only configuration of any kind that I did; I didn't even use smbpasswd to set up any Samba-specific user passwords.

Once I fired up Samba, I tried to access it from a Win2k box, on which I'm logged in as DEVGROUP/skunk (user "skunk" also exists on the linux box, and the passwords are the same in both environments). This failed with the usual "account is not authorized to log in from this station" error (clear text passwords are enabled on the Win2K box), and I only saw this in Samba's logs (level 2):

    [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(91)
      netbios connect: name1=SKUNKWORX name2=WIN2KBOX
    [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(110)
      netbios connect: local=skunkworx remote=nfstest

However, when I used the "net use" CLI command to log in with user "nobody", supplying "nobody"'s password, it worked! The share was successfully mounted, and I saw these entries in the Samba log:

    [2002/05/15 19:18:29, 2] smbd/reply.c:reply_sesssetup_and_X(973)
      Defaulting to Lanman password for nobody
    [2002/05/15 19:18:29, 1] smbd/service.c:make_connection(651)
      nfstest (172.16.4.100) connect to service test as user nobody (uid=99, gid=99) (pid 15247)

I then tried putting "skunk" into Samba's user database using this command:

    smbpasswd -a skunk <skunk's password>

I still couldn't access the share as user "skunk", though; I got the same error message on the Win2K side and the same Samba log entries on the linux side.

I should note that when I use smbclient, I can access the test share just fine as user "skunk" on the linux box.

So, what obvious thing am I missing? What allows user "nobody" to access the share from a Win2k box, but then denies all other users? There is no Win2k user "nobody" within the DEVGROUP domain, if that provides any clue.

Please let me know if more information is needed. Any and all help is greatly appreciated!

---Kris Kelley
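
Added example, not part of any poster's message: a Python script that parses the two level-2 log excerpts quoted in the post above and reports the furthest stage each attempt logged, which share connections were made, and which users fell back to a Lanman password. The log lines are re-typed from the post; the stage names and the `parse_entries` / `summarize` helpers are assumptions made for this illustration.

```python
import re

# The two excerpts from the post, re-typed with their line breaks restored.
FAILED = """\
[2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(91)
  netbios connect: name1=SKUNKWORX name2=WIN2KBOX
[2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(110)
  netbios connect: local=skunkworx remote=nfstest
"""
WORKED = """\
[2002/05/15 19:18:29, 2] smbd/reply.c:reply_sesssetup_and_X(973)
  Defaulting to Lanman password for nobody
[2002/05/15 19:18:29, 1] smbd/service.c:make_connection(651)
  nfstest (172.16.4.100) connect to service test as user nobody
  (uid=99, gid=99) (pid 15247)
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)\s*$")
CONNECT = re.compile(r"^(\S+) \(([\d.]+)\) connect to service (\S+) "
                     r"as user (\S+) \(uid=(\d+), gid=(\d+)\)")
# Hypothetical stage names (an assumption), ordered by how far the client got.
STAGES = {"reply_special": 1, "reply_sesssetup_and_X": 2, "make_connection": 3}
NAMES = {0: "nothing", 1: "netbios-session", 2: "session-setup", 3: "share-connect"}

def parse_entries(text):
    """Pair each '[time, level] file:function(line)' header with its message text."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            ts, level, src, func, _line = m.groups()
            entries.append({"ts": ts, "level": int(level), "src": src,
                            "func": func, "msg": ""})
        elif entries and raw.strip():
            # Continuation line: the message may wrap over several lines.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(text):
    """Furthest logged stage, share connections, and Lanman password fallbacks."""
    entries = parse_entries(text)
    furthest = max((STAGES.get(e["func"], 0) for e in entries), default=0)
    connects = [m.groups() for e in entries if (m := CONNECT.match(e["msg"]))]
    lanman = [e["msg"].rsplit(" ", 1)[-1] for e in entries
              if e["msg"].startswith("Defaulting to Lanman password for ")]
    return {"stage": NAMES[furthest], "connects": connects, "lanman_users": lanman}

if __name__ == "__main__":
    for label, log in (("failed", FAILED), ("worked", WORKED)):
        print(label, summarize(log))
```

On the failed excerpt the furthest logged stage is the NetBIOS session request, with no session setup or share connection recorded; on the working one the share connection is logged as user nobody with uid 99.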
Joel Hammer
2002-May-15 18:52 UTC
[Samba] Linux server, Win2k client: Almost works, what am I missing?
I don't use NT or win2000, but, this sounds like you are failing Test #10 in DIAGNOSIS.txt in the source documents. It suggests you enable encrypted passwords on the samba server.

Maybe you didn't do the hack properly. I would look at tcpdump during the log on to see if you are really sending passwords in the clear.

(BTW, I have never tried this particular trick, but, it sounds easy.)

Joel

On Wed, May 15, 2002 at 07:35:32PM -0500, Kris Kelley wrote:
> Hello all.
>
> A couple of days back I posted a question about how I could get a Win2K
> client to mount a share from my linux Samba server. I was getting the
> familiar "account is not authorized to log in from this station" error
> on the Win2K box, despite a set-up that supposedly allowed guest logins
> *and* implemented the registry hack for clear-text passwords on the
> Win2k box.
>
> While I didn't find a direct solution, Herb Lewis in particular was very
> helpful in offering suggestions. I decided to abandon the RPM approach
> and install from the source package instead, if only to have better
> control over what extra features were enabled (bye-bye, PAM!).
>
> I've made some progress since then. I am certain that the stumbling
> block I'm facing now is a real stupid one, but I'm brain-dead on finding
> the solution.
>
> My set up: Red Hat Linux 7.1 (kernel 2.4.9) running Samba 2.2.4. I
> compiled and installed using all the defaults, with one exception: I
> enabled the smbmount feature.
>
> My configuration is pretty basic at the moment. This is my smb.conf
> file:
>
> [global]
>     workgroup = DEVGROUP
>     security = user
>     netbios name = skunkworx
> [test]
>     comment = test share
>     path = /export/samba/test
>     read only = no
>     guest ok = yes
>
> /export/samba/test does exist, and has 777 permissions.
>
> At first, this is the only configuration of any kind that I did; I
> didn't even use smbpasswd to set up any Samba-specific user passwords.
>
> Once I fired up Samba, I tried to access it from a Win2k box, on which
> I'm logged in as DEVGROUP/skunk (user "skunk" also exists on the linux
> box, and the passwords are the same in both environments). This failed
> with the usual "account is not authorized to log in from this station"
> error (clear text passwords are enabled on the Win2K box), and I only
> saw this in Samba's logs (level 2):
>
> [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(91)
>   netbios connect: name1=SKUNKWORX name2=WIN2KBOX
> [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(110)
>   netbios connect: local=skunkworx remote=nfstest
>
> However, when I used the "net use" CLI command to log in with user
> "nobody", supplying "nobody"'s password, it worked! The share was
> successfully mounted, and I saw these entries in the Samba log:
>
> [2002/05/15 19:18:29, 2] smbd/reply.c:reply_sesssetup_and_X(973)
>   Defaulting to Lanman password for nobody
> [2002/05/15 19:18:29, 1] smbd/service.c:make_connection(651)
>   nfstest (172.16.4.100) connect to service test as user nobody
>   (uid=99, gid=99) (pid 15247)
>
> I then tried putting "skunk" into Samba's user database using this
> command:
>
> smbpasswd -a skunk <skunk's password>
>
> I still couldn't access the share as user "skunk", though; I got the
> same error message on the Win2K side and the same Samba log entries on
> the linux side.
>
> I should note that when I use smbclient, I can access the test share
> just fine as user "skunk" on the linux box.
>
> So, what obvious thing am I missing? What allows user "nobody" to
> access the share from a Win2k box, but then denies all other users?
> There is no Win2k user "nobody" within the DEVGROUP domain, if that
> provides any clue.
>
> Please let me know if more information is needed. Any and all help is
> greatly appreciated!
>
> ---Kris Kelley
Keith G. Murphy
2002-May-17 10:52 UTC
[Samba] Linux server, Win2k client: Almost works, what am I missing?
Kris Kelley wrote:
>
> Once I fired up Samba, I tried to access it from a Win2k box, on which
> I'm logged in as DEVGROUP/skunk (user "skunk" also exists on the linux
> box, and the passwords are the same in both environments). This failed
> with the usual "account is not authorized to log in from this station"
> error (clear text passwords are enabled on the Win2K box), and I only
> saw this in Samba's logs (level 2):
>
> [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(91)
>   netbios connect: name1=SKUNKWORX name2=WIN2KBOX
> [2002/05/15 19:17:57, 2] smbd/reply.c:reply_special(110)
>   netbios connect: local=skunkworx remote=nfstest
>
> However, when I used the "net use" CLI command to log in with user
> "nobody", supplying "nobody"'s password, it worked! The share was
> successfully mounted, and I saw these entries in the Samba log:
>
> [2002/05/15 19:18:29, 2] smbd/reply.c:reply_sesssetup_and_X(973)
>   Defaulting to Lanman password for nobody
> [2002/05/15 19:18:29, 1] smbd/service.c:make_connection(651)
>   nfstest (172.16.4.100) connect to service test as user nobody
>   (uid=99, gid=99) (pid 15247)
>

Kris, I had a *very* similar problem, which your postings helped me solve just now.

I, too, couldn't map Samba shares from a Win2K box. Your posting gave me the idea of trying to map a drive specifying a user that didn't exist on the Win2K box. Sure enough, that worked.

I had another piece of information, though. I knew that my problems had started when I screwed around with Win2K Kerberos authentication from the Linux box using this article as a guide:

http://www.networkcomputing.com/1305/1305ws1.html

This is an extremely useful article, by the way.

I tried undoing everything I had done on my Linux box (deinstalling libpam-smb and libpam-krb5, for starters). Nothing worked.

However, I realized that back when I made Kerberos authentication work, I had had to create a user on Win2K with the same name as my Linux box's DNS host name. (As described in the article).

Once I deleted that user from Win2K, everything worked right again. :-)

I'm not at all sure why this happens. I may mess with it a bit to find out more.

I suggest you look for a username on your Win2K box that is the same as the Linux host name you are trying to access. Delete that bad boy, or something less drastic that works...

Hope that helps.