samba - Jan 2003 - security = server "random" failures

I have a Windows 2K SP2 terminal server and a Samba 2.2.7a 
server. The Samba server uses security=server with the 2K 
terminal server as the password server. Users log in to the 
terminal server and attempt to access (always the same) 
share on the Samba box. When there are no sessions open to 
the Samba server the connection from the terminal server 
always works; subsequent connections (with the first one 
open) fail about 70% of the time.

Log snippets (one success, followed by one failure, log 
level 1).

[2003/01/15 15:57:55, 1] smbd/service.c:make_connection(636)
   tyr (192.168.2.6) connect to service LEGAL as user test2 
(uid=1014, gid=103) (
pid 529)
[2003/01/15 15:57:56, 1] smbd/password.c:server_validate(1175)
   password server TYR.IMAGE.COM rejected the password

I found in the mailing list archives the following tidbit 
from Andrew Bartlett, dated 13 Aug 2002:
"Don't use 'security=server' when you have a real PDC. 
That's what security=domain is for.  Furthermore, due to 
bugs only (possilby) corrected in Win2k SP3 you must use 
Samba 2.2.5 or above, as the PDC will otherwise randomly 
refuse authenticaion."

Does this statement still apply to 2.2.7a? I'm loathe to 
install SP3 because of EULA concerns and, of course, 
throwing big chunks of patches into a production server.

Anything else that might make this work?

--Jon Niehof, Paladigm Inc.

On Thu, 2003-01-16 at 08:58, Jon Niehof wrote:
> I have a Windows 2K SP2 terminal server and a Samba 2.2.7a 
> server. The Samba server uses security=server with the 2K 
> terminal server as the password server. Users log in to the 
> terminal server and attempt to access (always the same) 
> share on the Samba box. When there are no sessions open to 
> the Samba server the connection from the terminal server 
> always works; subsequent connections (with the first one 
> open) fail about 70% of the time.
Sounds about standard for security=server.  It's not a nice hack.  Make
sure nothing is timing out the connection.
> Log snippets (one success, followed by one failure, log 
> level 1).
> 
> [2003/01/15 15:57:55, 1] smbd/service.c:make_connection(636)
>    tyr (192.168.2.6) connect to service LEGAL as user test2 
> (uid=1014, gid=103) (
> pid 529)
> [2003/01/15 15:57:56, 1] smbd/password.c:server_validate(1175)
>    password server TYR.IMAGE.COM rejected the password
> 
> I found in the mailing list archives the following tidbit 
> from Andrew Bartlett, dated 13 Aug 2002:
> "Don't use 'security=server' when you have a real PDC. 
> That's what security=domain is for.  Furthermore, due to 
> bugs only (possilby) corrected in Win2k SP3 you must use 
> Samba 2.2.5 or above, as the PDC will otherwise randomly 
> refuse authenticaion."
> 
> Does this statement still apply to 2.2.7a? I'm loathe to 
> install SP3 because of EULA concerns and, of course, 
> throwing big chunks of patches into a production server.
> 
> Anything else that might make this work?
Samba 3.0 includes more protections for security=server, but it is still
fundamentally flawed.  Why can't you use 'security=domain'?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20030116/17206fa3/attachment.bin