samba - Jan 2008 - Standalone Server with Wins -- Password Not Required on Win/XP

Hi There,

I created a standalone server on CentOS 5.1 with samba at 25b on an x86_64
system. The shares defined below are available to the windows xp clients on
the 10.43.10.x/24 subnet.  Samba also provides win server support to this
subnet.

We are having problems we password protection associated with the shares.
The first access to the samba server requests a userid -- this likely allows
samba to understand which home share should be displayed.  At this point,
the client can access both the 'homes' share and the 'orr' share
without
ever entering a password -- this is a security issue for us.

We need to figure out how to configure samba to enforce userid & password
protection prior to allowing access to a share. Below is a copy of the
smb.conf file that we are using for testing.

  [global]
	
	# workgroup and server identification
	workgroup = ORRRANCH
	server string 	netbios name = ORR00

	interfaces = 10.43.10.0/24 lo
	bind interfaces only = yes
	hosts allow = 10.43.10. 127.0.0.

	# logs split per machine; max 50KB per log file, then rotate
	log file = /var/log/samba/%m.log
	max log size = 50

	# default user security, encrypted passwords and tdbsam
	security = user	
	encrypt passwords = yes
	passdb backend = tdbsam

	# allow samba to be the domain master browser if possible
	local master = yes
	os level = 33
	preferred master = yes
	domain master = yes

	# samba is a wins server for the system; use wins first
	wins support =yes
	name resolve order = wins hosts bcast
	
  [homes]
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = %S
	path = /samba/home/%S

  [orr]
	comment = Orr Ranch Share
	path = /samba/orr
	valid users = greg catherine sarah brandon
	guest ok = no
	writable = yes
	printable = no
	create mask = 0765


Each of the 'valid users' have ids on the system and have used smbpasswd
to
create samba passwords. Nsswitch.conf has been modified to add 'wins' to
the
'hosts' line to assist with names resolution.

Any assistance would be appreciated!!  Thanks, Greg

Hi All,

 

We posted the following over the weekend and have not received any feedback
to help us move forward.  There seems to be much more activity during the
week so I thought I would re-post the original email.  Perhaps we're seeing
a defect in this level of the code - if this is the case, what action should
we take next.  Thanks!

 

I created a standalone server on CentOS 5.1 with samba at 25b on an x86_64
system. The shares defined below are available to the windows xp clients on
the 10.43.10.x/24 subnet.  Samba also provides win server support to this
subnet.

 

We are having problems with password protection associated with the shares.
The first access to the samba server requests a userid -- this likely allows
samba to understand which home share should be displayed.  At this point,
the client can access both the 'homes' share and the 'orr' share
without
ever entering a password -- this is a security issue for us.

 

We need to figure out how to configure samba to enforce userid & password
protection prior to allowing access to a share. Below is a copy of the
smb.conf file that we are using for testing.

 

  [global]

     

     # workgroup and server identification

     workgroup = ORRRANCH

     server string 
     netbios name = ORR00

 

     interfaces = 10.43.10.0/24 lo

     bind interfaces only = yes

     hosts allow = 10.43.10. 127.0.0.

 

     # logs split per machine; max 50KB per log file, then rotate

     log file = /var/log/samba/%m.log

     max log size = 50

 

     # default user security, encrypted passwords and tdbsam

     security = user    

     encrypt passwords = yes

     passdb backend = tdbsam

 

     # allow samba to be the domain master browser if possible

     local master = yes

     os level = 33

     preferred master = yes

     domain master = yes

 

     # samba is a wins server for the system; use wins first

     wins support =yes

     name resolve order = wins hosts bcast

     

  [homes]

     comment = Home Directories

     browseable = no

     writable = yes

     valid users = %S

     path = /samba/home/%S

 

  [orr]

     comment = Orr Ranch Share

     path = /samba/orr

     valid users = greg catherine sarah brandon

     guest ok = no

     writable = yes

     printable = no

     create mask = 0765

 

 

Each of the 'valid users' have ids on the system and have used smbpasswd
to
create samba passwords. Nsswitch.conf has been modified to add 'wins' to
the
'hosts' line to assist with names resolution.

 

Any assistance would be appreciated!!  Thanks, Greg

All,

This incorrect behavior is caused as a result of "preferred master =
yes" in
the smb.conf file.  If I comment this line out in smb.conf, everything works
fine.  My thanks to Chris Smith for the offline help getting this resolved!

Thanks! Greg

-----Original Message-----
From: Chris Smith [mailto:chris@realcomputerguy.com] 
Sent: Wednesday, January 16, 2008 12:50 PM
To: Greg Sims
Subject: Re: [Samba] Standalone Server with Wins -- Password Not Required
onWin/XP

On Wednesday 16 January 2008, you wrote:
> This is an offline email with respect to this issue. ?What makes you
> believe that I have created a domain controller -- this was clearly
> not my intent. Would it be possible to discuss this by telephone for
> 5 minutes?
I saw the domain master line, but I guess you need domain logons enabled 
as well to make it a PDC. Sorry, my mistake.

-- 
Chris Smith
The Computer Guy
586-435-3135
http://www.realcomputerguy.com/

>> If I enter userid Only, I gain full access to the share without
>> Ever entering a password
>
> This incorrect behavior is caused as a result of
> "preferred master = yes" in the smb.conf file.
> If I comment this line out in smb.conf, everything
> works fine.
What has "preferred master" to do with this passwords?
I'm really puzzled, especially because I set my PDC as
"preferred master", even though it would probably by
default ("auto") chose to be one.