[Techtalk] samba problem

Rudy L. Zijlstra rudy at edsons.demon.nl
Mon Dec 1 17:13:47 EST 2003


I am missing the password server setting.

From the documentation of Samba 2.2.8a:

password server (G)

    By specifying the name of another SMB server (such as a WinNT box)
    with this option, and using *security = domain* or *security =
    server* you can get Samba to do all its username/password validation
    via a remote server.

    This option sets the name of the password server to use. It must be
    a NetBIOS name, so if the machine's NetBIOS name is different from
    its Internet name then you may have to add its NetBIOS name to the
    lmhosts file which is stored in the same directory as the smb.conf file.

    The name of the password server is looked up using the parameter
    /name resolve order/ and so may be resolved by any method and order
    described in that parameter.

    The password server must be a machine capable of using the
    "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user
    level security mode.

    /NOTE:/ Using a password server means your UNIX box (running Samba)
    is only as secure as your password server. /DO NOT CHOOSE A PASSWORD
    SERVER THAT YOU DON'T COMPLETELY TRUST/.

    Never point a Samba server at itself for password serving. This will
    cause a loop and could lock up your Samba server!

    The name of the password server takes the standard substitutions,
    but probably the only useful one is /%m/, which means the Samba
    server will use the incoming client as the password server. If you
    use this then you better trust your clients, and you had better
    restrict them with hosts allow!

    If the /security/ parameter is set to domain, then the list of
    machines in this option must be a list of Primary or Backup Domain
    controllers for the Domain or the character '*', as the Samba server
    is effectively in that domain, and will use cryptographically
    authenticated RPC calls to authenticate the user logging on. The
    advantage of using *security = domain* is that if you list several
    hosts in the /password server/ option then *smbd* will try each in
    turn till it finds one that responds. This is useful in case your
    primary server goes down.

    If the /password server/ option is set to the character '*', then
    Samba will attempt to auto-locate the Primary or Backup Domain
    controllers to authenticate against by doing a query for the name
    WORKGROUP<1C> and then contacting each server returned in the list
    of IP addresses from the name resolution source.

    If the /security/ parameter is set to server, then there are
    different restrictions that *security = domain* doesn't suffer from:

        * You may list several password servers in the /password server/
          parameter, however if an *smbd* makes a connection to a
          password server, and then the password server fails, no more
          users will be able to be authenticated from this *smbd*. This
          is a restriction of the SMB/CIFS protocol when in *security =
          server* mode and cannot be fixed in Samba.

        * If you are using a Windows NT server as your password server
          then you will have to ensure that your users are able to login
          from the Samba server, as when in *security = server* mode
          the network logon will appear to come from there rather than
          from the user's workstation.

    See also the /security/ parameter.

    Default: *password server = <empty string>*

    Example: *password server = NT-PDC, NT-BDC1, NT-BDC2*

    Example: *password server = **


From the version numbers you are quoting I guess you are running either
RedHat or Suse?

Cheers,

Rudy


Chantal Rosmuller wrote:

>Hi,
>here's the rest of the info:
>
>encrypt passwords=yes
>security=server
>domain admin group empty
>logon script empty
>logon path \\%N\%U\profile
>logon drive empty 
>domain logons=no
>os level=20
>preferred master=auto
>domain master=auto
>local master=yes
>wins support=no
>
>
>On Mon, 2003-12-01 at 14:37, Rudy L. Zijlstra wrote:
>  
>
>>We'd need a bit more information. The authentication section of the 
>>config files that is.
>>What are the settings of:
>>
>>        encrypt passwords
>>        security
>>        domain admin group
>>        logon script
>>        logon path
>>        logon drive
>>        domain logons
>>        os level
>>        preferred master
>>        domain master
>>        local master
>>        wins support
>>
>>as far as you are using them and possibly some others. Considering the 
>>win2k domain controller I do not expect the logon related settings to be 
>>present.
>>
>>Rudy
>>
>>    
>>
>>>Hi everyone, is there anyone out there who can help me with the
>>>following problem?
>>>I want to make shares on two of our linuxservers with samba, but it is
>>>not working on one of them, the configuration is exactly the same for
>>>both, except for the path
>>>
>>>[backup]
>>>  comment = backup share
>>>  path = /home/databases
>>>  valid users = crosmuller
>>>  public = no
>>>  writable = no
>>>  printable = no
>>>
>>>we have a windows 2000 domain controller, both linuxservers can ping it.
>>>when I try to access the "not-working" share it asks for a password,
>>>after typing the correct password it asks for the password again.
>>>
>>>On the working samba server I use version 2.2.7-3.7.3, on the not working
>>>one 2.2.7a-8.9.0, but I don't think it has anything to do with the
>>>problem.
>>>
>>>
>>>Chantal
>>>
>>>
>>> 
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Techtalk mailing list
>>>Techtalk at linuxchix.org
>>>http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>> 
>>>
>>>      
>>>
>>    
>>
>
>
>
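
A small checker for the warnings in the quoted man page text, run against the settings posted in this thread. This is an added example, not part of the original messages and not Samba code; `parse_global`, `check_password_server` and the sample config are constructed here, and backslash line continuations in smb.conf are assumed absent.

```python
import re

# Constructed sample: [global] values as posted in the thread (security = server,
# no "password server" line) followed by part of the [backup] share.
THREAD_CONF = """\
[global]
encrypt passwords=yes
security=server
domain logons=no
[backup]
  comment = backup share
  path = /home/databases
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.
    Names are lower-cased with whitespace removed (smb.conf ignores both)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)   # only the first '=' is significant
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_password_server(text, own_netbios_name=""):
    """Apply the man page's warnings; returns a list of findings."""
    g = parse_global(text)
    security = g.get("security", "").lower()
    servers = [s for s in re.split(r"[,\s]+", g.get("passwordserver", "")) if s]
    findings = []
    if security not in ("server", "domain"):
        return findings   # the man page ties this option to these two modes
    if not servers:
        findings.append("security = %s but no password server is set" % security)
    if "%m" in servers and not (g.get("hostsallow") or g.get("allowhosts")):
        findings.append("password server = %m without hosts allow")
    if own_netbios_name and own_netbios_name.lower() in (s.lower() for s in servers):
        findings.append("password server points at this Samba host (loop)")
    if security == "server" and len(servers) > 1:
        findings.append("security = server: no failover once a connection is made")
    return findings

if __name__ == "__main__":
    print(check_password_server(THREAD_CONF))
```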



