Re: Samba DOMAIN Security Problems

 
Ty Roberts
Frequent Advisor

Samba DOMAIN Security Problems

Using Samba 3.0.1 with DOMAIN level security is giving us some problems in our DR environment. The MAJOR problems we are facing now are these:

1.) Unless your WINDOWS user is the same as a defined HPUX user, it won't even let you browse the listing of shares for the server and prompts you for a username / password. I thought that no matter what, anyone should be able to go to \\servername and view all of the shares.

2.) We are constantly getting this error in our log.smbd file, and I know that in the past just rejoining the domain would fix this. But currently this is not the case.

[2006/01/10 09:38:49, 0] auth/auth_util.c:make_server_info_info3(1080)
make_server_info_info3: pdb_init_sam failed!

3.) When we join the domain (which is running on NT4), if you double click the server name in Server Manager on the PDC it comes back and says "Permission Denied". The NT guys have no clue on this either.

This has been driving me nuts for 4 days and I am in desperate need of some help! I have narrowed down our smb.conf file to try to just get ONE share without any security set to work. That is attached to this posting.

Thanks!
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

TY,

I suppose your DR environment is totally detached from your production environment. Over at DR, when you established your Samba service did you do as follows:

1. Have the NT administrator create a "machine account" on the Domain's PDC?

2. On the HP-UX server end, after configuring the smb.conf, did you do a "join"?

net rpc oldjoin

Using the above steps, you should have joined your SAMBA service to the domain.

Some things to note with security=domain:

1. Your users will not be able to access the Samba service if they do not have a corresponding UNIX account.

2. If you do not want to establish UNIX accounts for every NT account .. you can employ username maps.

HTH.
Hakuna Matata.
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

1) add this to the bottom of smb.conf:

[IPC$]
path = /tmp
valid users = user1, user2, etc


2) Are you using winbind? You should with security=DOMAIN.

password server = PDC1, PDC2, etc
local master = No
domain master = No
wins server = PDC1, PDC2, etc
idmap uid = 10000-30000
idmap gid = 10000-30000
template primary group = users
winbind separator = +
winbind enum users = No
winbind enum groups = No


In nsswitch.conf,

passwd: files winbind
group: files winbind

In /etc/rc.config.d/samba
RUN_SAMBA=1
RUN_WINBIND=1

Of course, your user list for access/shares should be:

YOURNTDOMAIN+user1, YOURNTDOMAIN+user2, etc

Re-join the domain from the Unix server (need NT admin) - remove it from the domain in Server Manager first, then:

/opt/samba/bin/net rpc join -U ntadminid

This is a good doc:

http://www.docs.hp.com/en/B8725-90079/B8725-90079.pdf

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

Your situation where you are simply running NT 4.0 is actually easier. If you do not need WINBIND just take it out of the config.

Your SWAT pages (http://yoursambaserver:901 root/rootpas to access) have tons of documentation to guide you in the most common SAMBA configurations. It even offers "recipes" for SAMBA usage in a small 2-3 office setup to an enterprise with thousands of users.
Hakuna Matata.
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

Thanks for your input guys, but let me explain a few things. The setup at our DR site (from the Samba point of view) is exactly how it is set up in our regular Production env. We use WINBIND and authenticate the THOUSANDS of users who use Samba through the domain using winbind. With SECURITY=DOMAIN using winbind you do not need a UNIX user for each Samba user; our USER security (DOMAIN+UserName) is set up properly. I can run wbinfo -t and wbinfo -p and they come back properly. I can run "nsquery passwd DOMAIN+User" and it comes back with the proper information.

Changing things in the SHARE section of our smb.conf file as of now is pointless, due to the fact that you can't even get to the BASE of the shares. Trying to get to \\server\work is pointless because I can't even get to \\server without getting asked for a username and password.

I join the domain with net join and the proper user and it comes back successfully.

Suggestions???
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

Hmm.. in that case, are you sure the WINBIND daemon is running? If it is, are you even sure it is config'd correctly? If it is, then do a test to verify the domain membership is there by removing winbind from the picture: establish a UNIX account or username map equivalency and test access. On a Windows client/domain member or the PDC, see if the NetBIOS service is registered in the domain: "nbtstat -a sambaservicename"
Hakuna Matata.
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

Or redo the entire domain membership process:

remove machine account
stop samba service
remove the private file (/var/opt/samba/private/secrets.tdb)
have the machine account re-added on the domain.
start samba
do the join
Hakuna Matata.
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

Winbind is running (I can tell through just the ps command and also by running /usr/local/samba/bin/wbinfo -p, which tests winbindd to make sure it is alive). If I do have a UNIX user that matches the WINDOWS user then I can get into everything. I will run the nbtstat test and the complete re-join here shortly. I have done the rejoin command previously (minus removing the secrets file).
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

What do you have for these settings:

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
keepalive = 0

Also - did you look at the doc I posted?
Chapter 7 is all about winbind...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

A complete remove and re-add of the server produces the same results. The pdb_init_sam failed error still shows up in the log.smbd, and this is what is returned from the nbtstat -a command:

G:\>nbtstat -a wpkgprd02

Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard - Link A:
Node IpAddress: [10.10.1.10] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
WPKGPRD01 <00> UNIQUE Registered
WPKGPRD01 <03> UNIQUE Registered
WPKGPRD01 <20> UNIQUE Registered
WARPSPEED <00> GROUP Registered
WARPSPEED <1E> GROUP Registered
WPKGPRD02 <00> UNIQUE Registered
WPKGPRD02 <03> UNIQUE Registered
WPKGPRD02 <20> UNIQUE Registered

MAC Address = 00-00-00-00-00-00


\Device\NetBT_Tcpip_{DF32D56C-D5E7-4387-952C-5FCF466B2AB2}:
Node IpAddress: [192.168.234.235] Scope Id: []

Host not found
Luk Vandenbussche
Honored Contributor

Re: Samba DOMAIN Security Problems

Hi,

Do you have this info in /etc/nsswitch.conf

passwd: files winbind
group: files winbind
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
keepalive = 0

Geoff,
For the settings in question we have the following
socket_options = TCP_NODELAY
keepalive=300

I did read the doc and that does explain everything about winbind setup. We have winbindd set up in our DR site exactly how we have it set up in our Prod site, which is working properly.

I just set the "map to guest" option to "Bad User" and it will let us in to the main share listing.

I thought that no matter what, anyone could look at the listing of shares that a server has. Right? Wrong? Anyone should be able to go to \\servername as long as that server is on the network and has some sort of SMB / CIFS protocol running?

Is that a correct statement?
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

The /etc/nsswitch.conf file is set up with "files winbind" for passwd and group.
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

No - that is incorrect - in Samba 3 - you need to define the IPC share in order to go to \\servername.

[IPC$]
path = /tmp
valid users = bb, MYDOMAIN+gwild, MYDOMAIN+user1, $PCA+sapadm

Add to the bottom of smb.conf.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

Actually - check your logs in /var/opt/samba - you will see something like:

[2006/01/10 14:33:03, 2] auth/auth.c:check_ntlm_password(300)
check_ntlm_password: authentication for user [USER1] -> [USER1] -> [MYDOMAIN+USER1] succeeded
[2006/01/10 14:33:03, 2] smbd/uid.c:change_to_user(201)
change_to_user: SMB user (unix user smbnull, vuid 101) not permitted access to share IPC$.
[2006/01/10 14:33:03, 0] smbd/service.c:make_connection_snum(570)
Can't become connected user!


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

Geoff,
I hate to disagree, but on the 25 servers in our prod ENV we do not have an IPC$ share listed and everyone can browse the shares on the server...
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

You should always have an IPC$ share... do a "smbstatus" after you've done a net view or browse on any SAMBA server.

Your woes have got something to do with those SAM messages...
Hakuna Matata.
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

From samba docs:

"Using a IPC$ share deny
-----------------------

you could also
place a more specific deny on the IPC$ share that is used in
the recently discovered security hole. This allows you to
offer access to other shares while denying access to IPC$
from potentially untrustworthy hosts.

To do that you could use:

[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0

this would tell Samba that IPC$ connections are not allowed
from anywhere but the two listed places (localhost and a
local subnet). Connections to other shares would still be
allowed. As the IPC$ share is the only share that is always
accessible anonymously this provides some level of protection
against attackers that do not know a username/password for
your host.


If you use this method then clients will be given an 'access
denied' reply when they try to access the IPC$ share. That
means that those clients will not be able to browse shares,
and may also be unable to access some other resources."


Now that I think about it - I don't know what the default behaviour is in Samba 3... all I know is since 2.2 I have always used an IPC share...


One other thing - do you have a hosts allow and/or hosts deny statement in the globals section?

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
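Geoff's two IPC$ suggestions (the explicit [IPC$] stanza with valid users, and the hosts allow/deny pair quoted from the Samba docs) and Ty's map to guest = Bad User workaround interact, and this added example, which is my code and not any poster's, walks through that interaction on a constructed smb.conf: it reports whether a given account on a given client address would get into IPC$, which is the share a client must reach before it can list the others. The sample config, user names and addresses are constructed for illustration, and known_users stands in for the passwd/winbind lookup.

```python
import configparser
import ipaddress
# Constructed smb.conf modelled on the thread (not any poster's real file):
# Ty's 'map to guest = Bad User' plus Geoff's explicit [IPC$] stanza with
# 'valid users' and the hosts allow/deny pair quoted from the Samba docs.
SAMPLE_SMB_CONF = """[global]
security = DOMAIN
map to guest = Bad User
guest account = smbguest
[IPC$]
valid users = WARPSPEED+user1, WARPSPEED+user2
hosts allow = 10.10.1.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
"""
def load_smb_conf(text):
    # smb.conf is INI-like: one section per share, case-insensitive keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def host_allowed(share, client_ip):
    # Samba's rule: a 'hosts allow' match beats 'hosts deny'; an allow-only
    # list refuses unlisted hosts. Only CIDR / single-IP entries handled here.
    ip = ipaddress.ip_address(client_ip)
    def matches(entries):
        return any(ip in ipaddress.ip_network(e, strict=False) for e in entries.split())
    allow = share.get("hosts allow", fallback="")
    deny = share.get("hosts deny", fallback="")
    if allow and matches(allow):
        return True
    if deny and matches(deny):
        return False
    return not (allow and not deny)

def ipc_access(cp, user, client_ip, known_users):
    # Outcome for a client opening IPC$, the share it must reach to list the
    # others; known_users stands in for the passwd + winbind account lookup.
    if "IPC$" not in cp:
        return "open"  # no [IPC$] stanza: Samba's implicit IPC$ has no per-share filter
    share = cp["IPC$"]
    if not host_allowed(share, client_ip):
        return "denied:host"
    if user not in known_users:
        if cp["global"].get("map to guest", "Never").lower() != "bad user":
            return "denied:auth"  # client is re-prompted for credentials
        user = cp["global"].get("guest account", "nobody")
    valid = [u.strip() for u in share.get("valid users", fallback="").split(",") if u.strip()]
    if valid and user not in valid:
        return "denied:valid users"  # 'not permitted access to share IPC$' in log.smbd
    return "allowed"
```

Note that with Bad User mapping, an unknown account is only admitted to IPC$ if the guest account itself is listed in valid users; otherwise the share listing is still refused, just with a different log line.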
Ty Roberts
Frequent Advisor

Re: Samba DOMAIN Security Problems

Here is the globals section of my smb.conf file

# Global parameters
[global]
workgroup = WARPSPEED
netbios name = WPKGPRD01
netbios aliases = WPKGPRD02
interfaces = lan1
security = DOMAIN
map to guest = Bad User
guest account = smbguest
max log size = 0
deadtime = 15
preferred master = No
local master = No
domain master = No
wins server = 10.10.0.19, 10.10.0.14
ldap ssl = no
idmap uid = 1000-99999
idmap gid = 1000-99999
template homedir = /tmp
template shell = /usr/bin/false
winbind separator = +
create mask = 0660
directory mask = 0770

I agree that is one of the HUGE problems. I am just baffled. In our prod env I logged into my PC locally (ie no domain authentication) and I can browse shares on all my Samba servers with no problem. I almost think that it is a problem with the DOMAIN / SAM at our DR site. Like I said in the first post, if they go to manage the server in Server Manager they get an access denied message. Any clue what this could be?

I am going to "re-install" the binaries in /usr/local/lib and /usr/lib and see if that does ANYTHING. At this point I am just trying to stay afloat..
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

Wwwait.. do you mean you're not using HP's fully supported SAMBA build, which is HP CIFS Server?

I think you really need to just go with the HP release.. theirs is now at 3.0.14d (I think).

Hakuna Matata.
Geoff Wild
Honored Contributor

Re: Samba DOMAIN Security Problems

I second the motion - use HP's CIFS Server instead..

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

Also, set:

max log size = 10000
keepalive = 0



Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Alzhy
Honored Contributor

Re: Samba DOMAIN Security Problems

And you can ask for help from them.
Hakuna Matata.