Hi, security.

I am install Debian woody and Samba 2.2.3a-13,
but this bugs Is present in Samba 3.0.

I am add two users in system:

"user1 psw1"
"user2 psw2"
At Samba the same passwords.
(Both users are included into group "mtobackup" (on a folder
"/home/MTOBackUp/122"
It is established g+s i.e.: Mode 42770 group-mtobackup))

Sequence actions:
1. We enter in Windows 2000 AS SP4 under "user1 psw1"
2. "net use k: \\ monster\mtobackup122 psw2 user1" - speaks not The correct password
3. "net use k: \\ monster\mtobackup122 psw1 user1" - speaks a disk It is successfully connected
4. We disconnect disk "k"
5. On desktop on a label " My Computer " we press the right button of a mousy and
   We press "Explorer" we look through a network, the domain "mto", in it{him} we search for a computer
   "monster", we look through to a sharing "/home/MTOBackUp/122". We close Explorer.
6. "net use k: \\ monster\mtobackup122 psw2 user1" Speaks a disk it is successfully connected
7. "net use l: \\ monster\mtobackup122 psw1 user1" Speaks a disk it is successfully connected

If item{point} 5. to not do{make} - All perfectly works!!!!!!!!!!!

Problems:
There is an opportunity of connection of the user under different passwords

If operational system Windows 95(not Windows 2000), that item{point} 5 to do{make} it is not necessary at all
(the opportunity of connection of the user under different passwords
works without item{point} 5).

I WAIT FOR THE ANSWER :)

--
wimax mailto:wimax@yandex.ru

From bugzilla.samba.org...

>> This is NOT for reporting any security issues. If you have found what
>> you believe to be a security hole in Samba, please send mail directly
>> to security@samba.org. <<

You might try their request...

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.

Sounds to me as though Windows is simply caching a successful password,
and gives it a try. Not a Samba security hole at all.

On Tue, Aug 24, 2004 at 10:44:21AM +0300, wimax wrote:
> Hi, security.
>
> I am install Debian woody and Samba 2.2.3a-13,
> but this bugs Is present in Samba 3.0.
>
> I am add two users in system:
>
> "user1 psw1"
> "user2 psw2"
> At Samba the same passwords.
> (Both users are included into group "mtobackup" (on a folder
> "/home/MTOBackUp/122"
> It is established g+s i.e.: Mode 42770 group-mtobackup))
>
> Sequence actions:
> 1. We enter in Windows 2000 AS SP4 under "user1 psw1"
> 2. "net use k: \\ monster\mtobackup122 psw2 user1" - speaks not The correct password
> 3. "net use k: \\ monster\mtobackup122 psw1 user1" - speaks a disk It is successfully connected
> 4. We disconnect disk "k"
> 5. On desktop on a label " My Computer " we press the right button of a mousy and
> We press "Explorer" we look through a network, the domain "mto", in it{him} we search for a computer
> "monster", we look through to a sharing "/home/MTOBackUp/122". We close Explorer.
>
> 6. "net use k: \\ monster\mtobackup122 psw2 user1" Speaks a disk it is successfully connected
> 7. "net use l: \\ monster\mtobackup122 psw1 user1" Speaks a disk it is successfully connected
>
>
> If item{point} 5. to not do{make} - All perfectly works!!!!!!!!!!!
>
> Problems:
> There is an opportunity of connection of the user under different passwords
>
> If operational system Windows 95(not Windows 2000), that item{point} 5 to do{make} it is not necessary at all
> (the opportunity of connection of the user under different passwords
> works without item{point} 5).
>
>
> I WAIT FOR THE ANSWER :)
>
>
>
> --
> wimax mailto:wimax@yandex.ru
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

wimax wrote:

| Sequence actions:
| 1. We enter in Windows 2000 AS SP4 under "user1 psw1"
| 2. "net use k: \\ monster\mtobackup122 psw2 user1"
|    - speaks not The correct password
| 3. "net use k: \\ monster\mtobackup122 psw1 user1"
|    - speaks a disk It is successfully connected
| 4. We disconnect disk "k"
| 5. On desktop on a label " My Computer " we press the
|    right button of a mousy and We press "Explorer" we
|    look through a network, the domain "mto", in it{him}
|    we search for a computer "monster", we
|    look through to a sharing "/home/MTOBackUp/122".
|    We close Explorer.

At this point you have reconnected to the server using
the credentials you logged onto the console with (user1/psw1).

| 6. "net use k: \\ monster\mtobackup122 psw2 user1"
|    Speaks a disk it is successfully connected
| 7. "net use l: \\ monster\mtobackup122 psw1 user1"
|    Speaks a disk it is successfully connected
|
| If item{point} 5. to not do{make} - All perfectly
| works!!!!!!!!!!!

I have reproduced your behavior somewhat, but the problem
is that the Windows client network redirector is using your
cached credentials from step #5 when you connected and
ignores the password you entered in step #6. In fact, if you
look at the network traffic there is no SMBsessetup&X call for
the 'net use' issued in step #6 because Windows knows
it already has an established session to the server.

So while this may be confusing, it is Windows' designed
behavior.

cheers, jerry
- ---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBK1ctIR7qMdg1EfYRAlekAKDntRejb9Pw3u8YVb43X5b+XXq4KQCgoHKF
3GpW7EROoPtlgcmwOthg8cs=4z4R
-----END PGP SIGNATURE-----
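
The behaviour described in the last reply can be checked against a packet capture: a tree connect that carries an already-issued UID, with no Session Setup AndX before it, never sent a password to the server. This is an added example, not part of the original thread or Samba's code; the trace bytes are constructed, a single TCP connection is assumed, and AndX-chained commands are not followed.

```python
import struct

# SMB1 command codes and the reply bit of the header Flags byte.
SESSION_SETUP_ANDX = 0x73
TREE_CONNECT_ANDX = 0x75
FLAGS_REPLY = 0x80


def smb1_header(command, uid, flags=0x18):
    """Build a bare 32-byte SMB1 header (constructed sample data, no body)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags,
                       0xC807, 0, b"\0" * 8, 0, 0xFFFF, 0x1234, uid, 1)


def parse_header(msg):
    """Return (command, is_reply, uid) from the fixed SMB1 header."""
    if len(msg) < 32 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    (uid,) = struct.unpack_from("<H", msg, 28)  # UID lives at offset 28
    return msg[4], bool(msg[9] & FLAGS_REPLY), uid


def classify_tree_connects(messages):
    """Label each client tree connect by whether a session setup preceded it."""
    results, authenticated = [], False
    for msg in messages:
        command, is_reply, uid = parse_header(msg)
        if is_reply:
            continue  # only client requests matter here
        if command == SESSION_SETUP_ANDX:
            authenticated = True
        elif command == TREE_CONNECT_ANDX:
            label = "authenticated" if authenticated else "reused session"
            results.append((uid, label))
            authenticated = False
    return results


# Constructed trace of one TCP connection, following the steps in the thread.
SAMPLE_TRACE = [
    smb1_header(SESSION_SETUP_ANDX, uid=0),                   # step 5: Explorer logs on
    smb1_header(SESSION_SETUP_ANDX, uid=0x0801, flags=0x98),  # server reply assigns UID
    smb1_header(TREE_CONNECT_ANDX, uid=0x0801),               # step 5: share opened
    smb1_header(TREE_CONNECT_ANDX, uid=0x0801),               # step 6: net use k:
    smb1_header(TREE_CONNECT_ANDX, uid=0x0801),               # step 7: net use l:
]

if __name__ == "__main__":
    for uid, label in classify_tree_connects(SAMPLE_TRACE):
        print(f"tree connect on UID 0x{uid:04x}: {label}")
```

On a real capture the same two command codes can be filtered in a protocol analyzer; a "reused session" row for the step 6 mapping means the password typed on that command line was never evaluated by Samba.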