jonas.back@ppm.nu
2005-Feb-21 15:42 UTC
[Samba] Problems with Samba and security hardened WinXP SP2 clients
We're running Fedora Core and Samba-3.0.8-0.pre1.3 and we're authenticating our Windows XP users against Active Directory running on Windows 2003. Everything works fine!

But now we're trying to secure and harden our WinXP machines, and now when any user logs into a secured WinXP they get the error message "The account is not authorized to log in from this station". I browsed the net and most solutions tell me to change the smb.conf to:

encrypt passwords = yes

However, this didn't work (later, it turned out it worked without this setting anyway). But since it did work before securing the WinXP, I started looking into the policy settings of the client. I found that the following GPO setting was the reason why it stopped working:

Microsoft network client: Digitally sign communications (always)

If we set this to Disabled it works again.

This security option setting determines whether packet signing is required by the SMB client component. Enabling this setting prevents the Microsoft network client from communicating with a server unless that server agrees to perform SMB packet signing. You risk getting your sessions hijacked otherwise.

Doesn't Samba support this?

We use the Windows Server 2003 Security Guide and the Windows XP Security Guide to harden our servers and clients:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch01.mspx
Gerald (Jerry) Carter
2005-Feb-22 13:10 UTC
[Samba] Problems with Samba and security hardened WinXP SP2 clients
jonas.back@ppm.nu wrote:

| Microsoft network client: Digitally sign
| communications (always) If we set this to Disabled
| it works again.
| ...
| Doesn't Samba support this?

Yes. It should work. Please retest against 3.0.11 and open a bug report at https://bugzilla.samba.org/ if you can still reproduce the issue. You should also check that both 'client signing' and 'server signing' are set appropriately in smb.conf.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
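One way to run the smb.conf check suggested in the reply above, as an added example that is not part of the thread or of Samba itself: it reads the [global] section and reports whether the server would offer SMB signing to a client that requires it. The accepted value synonyms and the 3.0-series defaults are assumptions here; confirm them with `testparm -v` on the installed build. The sample configurations are constructed.

```python
# Added example (not from the thread): audit the signing settings in smb.conf.
# Value synonyms as understood for Samba 3.0 (assumption; see the man page).
SIGNING_VALUES = {
    **dict.fromkeys(["no", "false", "0", "off", "disabled"], "disabled"),
    **dict.fromkeys(["yes", "true", "1", "on", "enabled", "auto"], "auto"),
    **dict.fromkeys(["mandatory", "force", "forced", "enforced", "required"],
                    "mandatory"),
}
# Assumed defaults for the Samba 3.0 series; confirm with `testparm -v`.
ASSUMED_DEFAULTS = {"serversigning": "disabled", "clientsigning": "auto"}

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def signing_state(text):
    """Effective 'server signing' / 'client signing' as disabled/auto/mandatory."""
    params = parse_global(text)
    state = {}
    for key, default in ASSUMED_DEFAULTS.items():
        raw = params.get(key)
        state[key] = SIGNING_VALUES.get(raw.lower(), "invalid") if raw else default
    return state

def client_requiring_signing_can_connect(text):
    """True if the server offers or requires signing, so a client with
    'Digitally sign communications (always)' enabled can negotiate it."""
    return signing_state(text)["serversigning"] in ("auto", "mandatory")

# Constructed sample configurations
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n  security = ads\n"
SAMPLE_SIGNING = ("[global]\n  security = ads\n  Server Signing = auto\n"
                  "  client signing = Mandatory\n")

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("signing", SAMPLE_SIGNING)):
        print(name, signing_state(conf), client_requiring_signing_can_connect(conf))
```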
Steve OBrien
2005-Feb-22 15:48 UTC
[Samba] Problems with Samba and security hardened WinXP SP2 clients
> We're running Fedora Core and Samba-3.0.8-0.pre1.3 and we're authenticating
> our Windows XP users against Active Directory running on Windows 2003.
> Everything works fine!
>
> But now we're trying to secure and harden our WinXP machines and now when
> any user logged into a secured WinXP they get the error message "The account
> is not authorized to log in from this station". I browsed the net and most
> solutions tell me to change the smb.conf to:
> encrypt passwords = yes
>
> However, this didn't work (later, it turned out it worked without this
> setting anyway). But since it did work before securing the WinXP I started
> looking into the policy settings of the client. I found that the following
> GPO-setting was the reason why it stopped working:
> Microsoft network client: Digitally sign communications (always)
> If we set this to Disabled it works again.
>
> This security option setting determines whether packet signing is required
> by the SMB client component. Enabling this setting prevents the Microsoft
> network client from communicating with a server unless that server agrees to
> perform SMB packet signing. You risk getting your sessions hijacked
> otherwise.
>
> Doesn't Samba support this?

Try spnego = yes

Steve