[Techtalk] samba problem
Rudy L. Zijlstra
rudy at edsons.demon.nl
Mon Dec 1 17:13:47 EST 2003
I am missing the password server setting.
From the documentation of samba 2.2.8a:
password server (G)
By specifying the name of another SMB server (such as a WinNT box)
with this option, and using *security = domain* or *security =
server* you can get Samba to do all its username/password validation
via a remote server.
This option sets the name of the password server to use. It must be
a NetBIOS name, so if the machine's NetBIOS name is different from
its Internet name then you may have to add its NetBIOS name to the
lmhosts file which is stored in the same directory as the smb.conf file.
The name of the password server is looked up using the parameter
/name resolve order/ and so may be resolved by any method and order
described in that parameter.
The password server must be a machine capable of using the
"LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user
level security mode.
/NOTE:/ Using a password server means your UNIX box (running Samba)
is only as secure as your password server. /DO NOT CHOOSE A PASSWORD
SERVER THAT YOU DON'T COMPLETELY TRUST/.
Never point a Samba server at itself for password serving. This will
cause a loop and could lock up your Samba server!
The name of the password server takes the standard substitutions,
but probably the only useful one is /%m/, which means the Samba
server will use the incoming client as the password server. If you
use this then you better trust your clients, and you had better
restrict them with hosts allow!
If the /security/ parameter is set to domain, then the list of
machines in this option must be a list of Primary or Backup Domain
controllers for the Domain or the character '*', as the Samba server
is effectively in that domain, and will use cryptographically
authenticated RPC calls to authenticate the user logging on. The
advantage of using *security = domain* is that if you list several
hosts in the /password server/ option then *smbd* will try each in
turn till it finds one that responds. This is useful in case your
primary server goes down.
If the /password server/ option is set to the character '*', then
Samba will attempt to auto-locate the Primary or Backup Domain
controllers to authenticate against by doing a query for the name
WORKGROUP<1C> and then contacting each server returned in the list
of IP addresses from the name resolution source.
If the /security/ parameter is set to server, then there are
different restrictions that *security = domain* doesn't suffer from:
You may list several password servers in the /password server/
parameter, however if an *smbd* makes a connection to a
password server, and then the password server fails, no more
users will be able to be authenticated from this *smbd*. This
is a restriction of the SMB/CIFS protocol when in *security =
server* mode and cannot be fixed in Samba.
If you are using a Windows NT server as your password server
then you will have to ensure that your users are able to login
from the Samba server, as when in *security = server* mode
the network logon will appear to come from there rather than
from the user's workstation.
See also the /security/ parameter.
Default: *password server = <empty string>*
Example: *password server = NT-PDC, NT-BDC1, NT-BDC2*
Example: *password server = **
From the version numbers you are quoting I guess you are running either
RedHat or Suse?
Chantal Rosmuller wrote:
>here's the rest of the info:
>domain admin group empty
>logon script empty
>logon path \\%N\%U\profile
>logon drive empty
>On Mon, 2003-12-01 at 14:37, Rudy L. Zijlstra wrote:
>>We'd need a bit more information. The authentication section of the
>>config files that is.
>>What are the settings of:
>> encrypt passwords
>> domain admin group
>> logon script
>> logon path
>> logon drive
>> domain logons
>> os level
>> preferred master
>> domain master
>> local master
>> wins support
>>as far as you are using them and possibly some others. Considering the
>>win2k domain controller I do not expect the logon related settings to be
>>>Hi everyone, is there anyone out there who can help me with the
>>>I want to make shares on two of our linuxservers with samba, but it is
>>>not working on one of them, the configuration is exactly the same for
>>>both, except for the path
>>> comment = backup share
>>> path = /home/databases
>>> valid users = crosmuller
>>> public = no
>>> writable = no
>>> printable = no
>>>we have a windows 2000 domain controller, both linuxservers can ping it.
>>>when I try to access the "not-working" share it asks for a password,
>>>after typing the correct password it asks for the password again.
>>>On the working samba server I use version 2.2.7-3.7.3, on the not working
>>>one 2.2.7a-8.9.0, but I don't think it has anything to do with the
>>>Techtalk mailing list
>>>Techtalk at linuxchix.org
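Added example, not part of the original post or of Samba itself: a small checker that reads the [global] section of an smb.conf and flags the password server caveats described in the quoted man page text. The sample configuration (workgroup EXAMPLE, host LINUX2) is constructed, and treating an unset security parameter as "user" is an assumption.

```python
import re

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict (names lowercased)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit_password_server(conf_text):
    """Check 'password server' against the caveats in the quoted documentation."""
    g = parse_global(conf_text)
    security = g.get("security", "user").lower()   # assumption: unset means user
    servers = [s for s in re.split(r"[,\s]+", g.get("password server", "")) if s]
    own_name = g.get("netbios name", "").lower()
    restricted = "hosts allow" in g or "allow hosts" in g
    findings = []
    if security in ("server", "domain") and not servers:
        findings.append(f"security = {security} but no password server is set")
    if "%m" in servers and not restricted:
        findings.append("password server = %m trusts every client; add hosts allow")
    if own_name and own_name in (s.lower() for s in servers):
        findings.append("password server names this host itself (loop)")
    if security == "server" and len(servers) > 1:
        findings.append("security = server: no failover after a server connection fails")
    return findings

# Constructed sample resembling the situation in the thread: a domain
# member with a share definition but no password server line.
SAMPLE = """
[global]
   workgroup = EXAMPLE
   netbios name = LINUX2
   security = domain
   encrypt passwords = yes
[backup]
   path = /home/databases
   valid users = crosmuller
"""

if __name__ == "__main__":
    for finding in audit_password_server(SAMPLE):
        print(finding)
```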