01-11-2006 01:01 AM
Samba DOMAIN Security Problems
1.) Unless your WINDOWS user is the same as a defined HPUX user, it won't even let you browse the listing of shares for the server and prompts you for a username / password. I thought that no matter what, anyone should be able to go to \\servername and view all of the shares.
2.) We are constantly getting this error in our log.smbd file, and I know that in the past just rejoining the domain will fix this. But currently this is not the case.
[2006/01/10 09:38:49, 0] auth/auth_util.c:make_server_info_info3(1080)
make_server_info_info3: pdb_init_sam failed!
3.) When we join the domain (which is running on NT4), if you double click the server name in server manager on the PDC it comes back and says "Permission Denied". The NT guys have no clue on this either.
This has been driving me nuts for 4 days and I am in desperate need of some help! I have narrowed down our smb.conf file to try to just get ONE share without any security set to work. That is attached to this posting.
Thanks!
01-11-2006 01:09 AM
Re: Samba DOMAIN Security Problems
I suppose your DR environment is totally detached from your production environment. Over at DR, when you established your Samba service did you do as follows:
1. Have the NT administrator create a "machine account" on the Domain's PDC?
2. On the HP-UX server end, after configuring the smb.conf, did you do a "join"?
net rpc oldjoin
Using the above steps, you should have joined your SAMBA service to the domain.
Some things to note with security=domain.
1. Your users will not be able to access the samba service if they will not have a corresponding UNIX account.
2. If you do not want to establish UNIX accounts for every NT account .. you can employ username maps.
HTH.
01-11-2006 01:12 AM
Re: Samba DOMAIN Security Problems
[IPC$]
path = /tmp
valid users = user1, user2, etc
2) Are you using winbind? You should with security=DOMAIN
password server = PDC1, PDC2, etc
local master = No
domain master = No
wins server = PDC1, PDC2, etc
idmap uid = 10000-30000
idmap gid = 10000-30000
template primary group = users
winbind separator = +
winbind enum users = No
winbind enum groups = No
In nsswitch.conf,
passwd: files winbind
group: files winbind
In /etc/rc.config.d/samba
RUN_SAMBA=1
RUN_WINBIND=1
Course, your user list for access/shares should be:
YOURNTDOMAIN+user1, YOURNTDOMAIN+user2, etc
Re-join the domain from the Unix server (need nt admin) - remove from domain from server manager first, then:
/opt/samba/bin/net rpc join -U ntadminid
This is a good doc:
http://www.docs.hp.com/en/B8725-90079/B8725-90079.pdf
Rgds...Geoff
01-11-2006 01:18 AM
Re: Samba DOMAIN Security Problems
Your SWAT pages (http://yoursambaserver:901 root/rootpas to access) have tons of documentation to guide you in the most common SAMBA configurations. It even offers "recipes" for SAMBA usage in a small 2-3 office setup to an enterprise with thousands of users.
01-11-2006 01:26 AM
Re: Samba DOMAIN Security Problems
Changing things in the SHARE section of our smb.conf file as of now is pointless due to the fact that you can't even get to the BASE of the shares. Trying to get to \\server\work is pointless cause I can't even get to \\server without getting asked for a username and password.
I join the domain with net join and the proper user and it comes back successfully.
Suggestions???
01-11-2006 01:33 AM
Re: Samba DOMAIN Security Problems
01-11-2006 01:35 AM
Re: Samba DOMAIN Security Problems
remove machine account
stop samba service
remove the private file (/var/opt/samba/private/secrets.tdb)
have the machine account re-added on the domain.
start samba
do the join
01-11-2006 01:40 AM
Re: Samba DOMAIN Security Problems
01-11-2006 01:53 AM
Re: Samba DOMAIN Security Problems
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
keepalive = 0
Also - did you look at the doc I posted?
Chapter 7 is all about winbind...
Rgds...Geoff
01-11-2006 01:54 AM
Re: Samba DOMAIN Security Problems
G:\>nbtstat -a wpkgprd02
Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard - Link A:
Node IpAddress: [10.10.1.10] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WPKGPRD01 <00> UNIQUE Registered
WPKGPRD01 <03> UNIQUE Registered
WPKGPRD01 <20> UNIQUE Registered
WARPSPEED <00> GROUP Registered
WARPSPEED <1E> GROUP Registered
WPKGPRD02 <00> UNIQUE Registered
WPKGPRD02 <03> UNIQUE Registered
WPKGPRD02 <20> UNIQUE Registered
MAC Address = 00-00-00-00-00-00
\Device\NetBT_Tcpip_{DF32D56C-D5E7-4387-952C-5FCF466B2AB2}:
Node IpAddress: [192.168.234.235] Scope Id: []
Host not found
01-11-2006 01:58 AM
Re: Samba DOMAIN Security Problems
Do you have this info in /etc/nsswitch.conf
passwd: files winbind
group: files winbind
01-11-2006 02:04 AM
Re: Samba DOMAIN Security Problems
keepalive = 0
Geoff,
For the settings in question we have the following
socket_options = TCP_NODELAY
keepalive=300
I did read the doc and that does explain everything about winbind setup. We have winbindd set up in our DR site exactly how we have it set up in our Prod site that is working properly.
I just set the "map to guest" option to "Bad User" and it will let us in to the main share listing.
I thought that no matter what, anyone could look at the listing of shares that a server has. Right? Wrong? Anyone should be able to go to \\servername as long as that server is on the network and has some sort of SMB / CIFS protocol running?
Is that a correct statement?
01-11-2006 02:06 AM
Re: Samba DOMAIN Security Problems
01-11-2006 02:22 AM
Re: Samba DOMAIN Security Problems
[IPC$]
path = /tmp
valid users = bb, MYDOMAIN+gwild, MYDOMAIN+user1, $PCA+sapadm
Add to the bottom of smb.conf.
Rgds...Geoff
01-11-2006 02:24 AM
Re: Samba DOMAIN Security Problems
[2006/01/10 14:33:03, 2] auth/auth.c:check_ntlm_password(300)
check_ntlm_password: authentication for user [USER1] -> [USER1] -> [MYDOMAIN+USER1] succeeded
[2006/01/10 14:33:03, 2] smbd/uid.c:change_to_user(201)
change_to_user: SMB user (unix user smbnull, vuid 101) not permitted access to share IPC$.
[2006/01/10 14:33:03, 0] smbd/service.c:make_connection_snum(570)
Can't become connected user!
Rgds...Geoff
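Added example (not part of the original posts, and not Samba's own code): a small Python parser for log.smbd entries in the format quoted in this thread. It pairs each header line with its message and reports the two failure patterns seen here: a SAM initialisation failure, and a domain authentication that succeeds but whose mapped UNIX user is then refused on a share. The function names and the finding labels are assumptions made for this illustration.

```python
import re

# Sample log.smbd lines copied from the posts in this thread.
SAMPLE_LOG = """\
[2006/01/10 09:38:49, 0] auth/auth_util.c:make_server_info_info3(1080)
make_server_info_info3: pdb_init_sam failed!
[2006/01/10 14:33:03, 2] auth/auth.c:check_ntlm_password(300)
check_ntlm_password: authentication for user [USER1] -> [USER1] -> [MYDOMAIN+USER1] succeeded
[2006/01/10 14:33:03, 2] smbd/uid.c:change_to_user(201)
change_to_user: SMB user (unix user smbnull, vuid 101) not permitted access to share IPC$.
[2006/01/10 14:33:03, 0] smbd/service.c:make_connection_snum(570)
Can't become connected user!
"""

# "[timestamp, debuglevel] source_file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
AUTH_OK = re.compile(r"authentication for user \[(.*?)\] -> \[(.*?)\] -> \[(.*?)\] succeeded")
DENIED = re.compile(r"SMB user \(unix user (\S+), vuid (\d+)\) not permitted access to share (\S+?)\.?$")

def parse_records(text):
    """Group each header line with the message line(s) that follow it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts, level, _src, func, _lineno = m.groups()
            records.append({"time": ts, "level": int(level), "func": func, "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def findings(records):
    """Return (label, time, domain_user, unix_user, share) tuples."""
    out, last_auth = [], None
    for rec in records:
        if (m := AUTH_OK.search(rec["msg"])):
            last_auth = m.group(3)            # name after domain mapping
        elif (m := DENIED.search(rec["msg"])):
            # Auth passed, but the session's UNIX identity is not allowed on the share.
            out.append(("share-denied-after-auth", rec["time"], last_auth, m.group(1), m.group(3)))
        elif "pdb_init_sam failed" in rec["msg"]:
            out.append(("sam-init-failed", rec["time"], None, None, None))
    return out

if __name__ == "__main__":
    for finding in findings(parse_records(SAMPLE_LOG)):
        print(finding)
```

On the sample, the second finding shows MYDOMAIN+USER1 authenticated while the connection ran as the UNIX user smbnull, which is the account that has to match the share's access list.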
01-11-2006 02:28 AM
Re: Samba DOMAIN Security Problems
I hate to disagree but on the 25 servers in our prod ENV we do not have an IPC$ share listed and everyone can browse the shares on the server...
01-11-2006 02:32 AM
Re: Samba DOMAIN Security Problems
Your woes have got something to do with those SAM messages...
01-11-2006 02:41 AM
Re: Samba DOMAIN Security Problems
"Using a IPC$ share deny
-----------------------
you could also
place a more specific deny on the IPC$ share that is used in
the recently discovered security hole. This allows you to
offer access to other shares while denying access to IPC$
from potentially untrustworthy hosts.
To do that you could use:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
this would tell Samba that IPC$ connections are not allowed
from anywhere but the two listed places (localhost and a
local subnet). Connections to other shares would still be
allowed. As the IPC$ share is the only share that is always
accessible anonymously this provides some level of protection
against attackers that do not know a username/password for
your host.
If you use this method then clients will be given a 'access
denied' reply when they try to access the IPC$ share. That
means that those clients will not be able to browse shares,
and may also be unable to access some other resources."
Now that I think about it - I don't know what the default behaviour is in samba 3...all I know is since 2.2 I have always used IPC share...
One other thing - do you have a hosts allow and/or hosts deny statement in the globals section?
Rgds...Geoff
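Added example (not part of the original posts, and not Samba's own code): a Python sketch of how the quoted [ipc$] stanza is evaluated for a given client address, using Samba's documented precedence in which a match in hosts allow wins over hosts deny. It assumes list entries are IPv4 addresses or CIDR blocks only (hostnames, netgroups and EXCEPT clauses are not handled); the function names are made up for this illustration.

```python
import ipaddress

# Constructed copy of the [ipc$] stanza quoted in the post above.
SMB_CONF = """\
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
"""

def parse_section(text, section):
    """Return {parameter: value} for one smb.conf section (names are case-insensitive)."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def networks(value):
    """Parse a space- or comma-separated list of addresses / CIDR blocks."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def ipc_allowed(client, params):
    """Apply the allow-before-deny order to one client address."""
    addr = ipaddress.ip_address(client)
    allow = networks(params.get("hosts allow", ""))
    deny = networks(params.get("hosts deny", ""))
    if any(addr in net for net in allow):
        return True                      # listed in hosts allow: always admitted
    if any(addr in net for net in deny):
        return False                     # listed in hosts deny and not in allow
    # An allow list with no deny list admits only the listed hosts;
    # every other combination falls through to "allowed".
    return not (allow and not deny)

if __name__ == "__main__":
    ipc = parse_section(SMB_CONF, "ipc$")
    # 10.10.1.10 is the client address from the nbtstat output earlier in the thread.
    for client in ("192.168.115.20", "127.0.0.1", "10.10.1.10"):
        print(client, "allowed" if ipc_allowed(client, ipc) else "denied (no share browsing)")
```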
01-11-2006 02:48 AM
Re: Samba DOMAIN Security Problems
# Global parameters
[global]
workgroup = WARPSPEED
netbios name = WPKGPRD01
netbios aliases = WPKGPRD02
interfaces = lan1
security = DOMAIN
map to guest = Bad User
guest account = smbguest
max log size = 0
deadtime = 15
preferred master = No
local master = No
domain master = No
wins server = 10.10.0.19, 10.10.0.14
ldap ssl = no
idmap uid = 1000-99999
idmap gid = 1000-99999
template homedir = /tmp
template shell = /usr/bin/false
winbind separator = +
create mask = 0660
directory mask = 0770
I agree that is one of the HUGE problems. I am just baffled. In our prod env I logged into my PC locally (ie no domain authentication) and I can browse shares on all my samba servers with no problem. I almost think that it is a problem with the DOMAIN / SAM at our DR site. Like I said in the first post, if they go to manage the server in server manager they get an access denied message. Any clue what this could be?
I am going to "re-install" the binaries in /usr/local/lib and /usr/lib and see if that does ANYTHING. At this point I am just trying to stay afloat..
01-11-2006 02:51 AM
Re: Samba DOMAIN Security Problems
I think you really need to just go with the HP release.. theirs is now at 3.0.14d (I think).
01-11-2006 02:58 AM
Re: Samba DOMAIN Security Problems
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA
Also, set:
max log size = 10000
keepalive = 0
Rgds...Geoff
01-11-2006 02:59 AM