Samba + W2K question

bscott at ntisys.com bscott at ntisys.com
Wed Jul 2 17:00:46 EDT 2003


On 2 Jul 2003, at 4:16pm, cole at tuininga.org wrote:
> Anyhow, the server in question is a debian box.  The version of samba
> from "stable" is 2.2.3a which is a little old. 

  There's a nasty security hole (a remote root exploit) in versions of Samba
prior to 2.2.8a.  Unless your 2.2.3a contains a back-ported fix, you will
want to upgrade.

> ... I was hoping to be able to just stick with the .deb packages for the
> sake of ... well ... mostly laziness I suppose.  Much easier to upgrade
> that way I guess.

  Apparently it's not easier to upgrade Samba that way.  :-)

> I understand that NT/2K(/XP?) systems need to have a "machine account" set
> up for them.  No problem.  The host in question has the system name of
> "gary".  I created a gary$ user ...

  Easiest way to do this is to just use the

	add user script

directive in smb.conf and have Samba add the users.  Samba needs to have the
machine trust accounts configured by a "root" user anyway.  Then all you
have to do is run through the "join this computer to a domain" routine on
the Windoze box and you're done.

> When I try to convince the 2K box to connect to the domain, it requests a
> username and password for "an account that's authorized to add the
> system".

  Yah.  In NT, you can assign that right with a fair degree of granularity.  
The way Samba does things, you need to be "root".

> Reading samba docs (specifically
> http://hr.uoregon.edu/davidrl/samba/samba-pdc.html) leads me to believe
> that the correct username/password combo is that of root, which I had to
> add into the smbpasswd file.

  Yup.

	smbpasswd -a root

and enter in the password.  It does not have to be the same as the Unix
password for "root".  In fact, keeping them different might be a good idea,
for security reasons, but I leave that up to you.

> However, when I enter root/passwd on the NT box, the connection fails ...

  Can you do this?

	smbclient //linuxserver/anyshare -U root

  You might also try turning up the "debug level" in "smb.conf".

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
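
Added example, not part of the original message: a shell check of whether a Samba 2.2-style version string sorts before the 2.2.8a release named above. It cannot see back-ported fixes, so "older-than-fix" only means the package changelog still needs checking; the function names and sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# FIXED is the release named in the message; other versions are constructed inputs.
FIXED="2.2.8a"

# version_older A B: exit 0 if A sorts before B, 1 if not, 2 if unparseable.
# Assumes the Samba 2.2 scheme MAJOR.MINOR.PATCH[letter], optionally followed
# by a packaging revision after "-" (ignored for the comparison).
version_older() {
    awk -v a="$1" -v b="$2" '
    function key(v,    suffix, parts) {
        sub(/-.*/, "", v)                        # drop packaging revision
        if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/) return ""
        suffix = v; sub(/^[0-9.]+/, "", suffix)  # trailing letter(s), may be empty
        sub(/[a-z]*$/, "", v)
        split(v, parts, ".")
        # Zero-pad so plain string order equals version order; "8" sorts before "8a".
        return sprintf("%05d%05d%05d%s", parts[1], parts[2], parts[3], suffix)
    }
    BEGIN {
        ka = key(a); kb = key(b)
        if (ka == "" || kb == "") exit 2
        exit ((ka < kb) ? 0 : 1)
    }'
}

# assess VERSION: print a verdict token for one version string.
assess() {
    rc=0
    version_older "$1" "$FIXED" || rc=$?
    case $rc in
        0) echo "older-than-fix"  ;;  # per the message: upgrade unless a fix was back-ported
        1) echo "at-or-after-fix" ;;
        *) echo "unparseable"     ;;
    esac
}

# Run as: sh check.sh 2.2.3a   (for example, the version reported by `smbd -V`)
if [ $# -gt 0 ]; then
    assess "$1"
fi
```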




More information about the gnhlug-discuss mailing list