On Mon, 30 Apr 2001, Gareth Jones wrote:

> New silly question: I'm trying to allow people to connect to my
> machine when I'm running linux the same as when I'm running NT - so
> they can't tell the difference. Ideally I want to use the user
> database on the NT Server (Primary Domain Controller) but failing that
> allow anyone on the local subnet (10.0.0.0 NM:255.255.255.0) no matter
> who they are or how ugly they are. What have I done wrong in my
> config files (attached) that it don't work? I can smbmount myself
> from my linux box (much point there is in that!) so it must work to
> some extent.

Hmmm. Number one, encrypt passwords. Bugger the docs, all they say is a long-winded "if you want to talk to anything except 3.11 and 95 original release, encrypt passwords". MS hasn't sent passwords in SMB/NMB /en clair/ over the network since 95 original version. Nowadays, they're just slightly encrypted. We're thinking "obfuscated", not "encrypted", here.

Actually, that's not fair. Here's why NT passwords are so easy to crack:

First off, there's something called "NTLM" which is short for "NT lanman". Basically, MS saw that the LanMan authentication part of the nmb/smb protocols was really crap. Easily-crackable-with-consumer-PCs kind of crap. So they added another hash into the equation, which is an "NT" one. It's harder to crack than the normal LanMan one, but it's still pretty dire if you just throw some computing power at it. Good.

Now, a man called L0pht came along [anyone recognise this story yet?], and discovered this. Basically, that while there's a lovely secure hash in the packet, there's also the crappy lanman one. After writing to MS several times saying "either you fix it, or I tell people about it", he got no response, and told people about it. Hence, l0phtcrack. There _are_ fixes for this from MS [essentially, disabling the lanman bit in your registry], but almost nobody does this.

Anyway. I wouldn't bother using the hosts allow bit.
use tcpwrapper's /etc/hosts.{allow,deny} instead, if you must do that whole "hosts allow" thing. If you don't, forget it. If your firewall/router is forwarding packets, especially broadcasts on port 13{7,8}, then you've got bigger problems than samba not working. Most noticeably, easily crackable passwords getting broadcast on the internet.

You probably want to enable the guest account, depending on the windows machines. 9x boxes don't forward credentials. If all your clients are NT, then you needn't bother; only 9x needs guest stuff. NT will just tell you "nope. tell me who you really are".

In order to do that whole security=domain thing you have to join the domain. Else it very much ain't gonna work. To do that, it's something along the lines of smbpasswd -j DOMAIN -r NTPASSWDSERVER. That'll bake your machine a SID. If you don't know about SIDs, then you probably shouldn't be allowed to admin an NT box. Make sure that the "private" directory exists before you do this.

You'll also need to find yourself a friendly NT domain admin who can add your hostname to the domain [I think the tool is called "server manager", but don't hold me to that; I'm not an NT guru]. If you're dual-booting betwixt NT and linux, and your NT is reading files correctly over the network, you needn't bother with that step, as the PDC is already aware of your machine.

In fact, quote from a random NT guru [the guy this e-mail was originally written to]:

"It is "Server Manager" and you need to click "Add to Domain" from the menu and enter the NetBios name of the linux box. You are asked to select Server/Workstation or Backup Domain Controller. In theory, the BDC gets sent a copy of the SAM (Security Access Database or some such, ie.
list of usernames and passwords) so that may be necessary if you want Linux to authenticate users' logons but I don't need to so I said server/workstation (as in stand-alone ish)"

And just to clarify, he's e-mailed me again:

"Under Windows 2000 Server it's a little different. You have to use the tool called "Active Directory Users and computers" (Nice simple name there, just rolls off the tongue - nice one Microsoft!). From that tool you need to right click on "Domain Controllers" within your Active Directory and select New > Computer. Then give the NetBios name of your Linux box and tick the box labelled "Allow Pre-Windows 2000 computers to use this account""

On someone else's head be it.

Ignore remote browse sync thingies. They're tweaks that're rarely needed. Set your os level to 0. And make {local,domain,preferred} master set to no. Unless you Like DoSsing your PDC.

OK. Some hacks for transparency [assuming you're dual-booting NT and linux]. Mount your NT {C,D,etc} drives in /mnt/{c,d,etc} or similar. Share out those puppies as C$, D$, etc. Any NT guy who can tell you're not actually running an NT box, especially after joining the domain, _deserves_ to be allowed to know what you're doing.

Touch smbusers and smbpasswd, don't put anything in them. If you're using security=domain, then the NT passwd server will take responsibility for it all.

Hmmm. Go and play, and come back if you get any probs.

Gary (-;

Addendum, added 2001-12-10

A whole bunch of people have been asking me about setting up a samba box as a domain server, instead of just a client authenticating against the domain. I don't know much about this, but there's one important gem that seems to be the main stumbling block: You need an account in smbpasswd called "root". Not a very good thing, IMHO, but a necessary one. Without that, your machines trying to join the domain won't be allowed to.

Don't know if that was any help, but anyways.
Gary (-;

Addendum, added 2002-07-16

This is an e-mail from Beardy Paul, who has to deal with 98 boxes as well as other stuff... just for reference...

windows 98 client was attempting to access my samba shtuff. On the samba server, it had been told to use the user 'guest', and a guest account had been added to /etc/passwd (with a f'n long password and shell /bin/barredsh), and to the smbpasswd file with a slightly more sensible password. Samba had also been told to encrypt passwords, and let guests see /tmp.

linux pc can see and smb browse the 98 pc. 98 pc can see the linux pc's workgroup, can see an icon for the machine. attempt to access causes a challenge for password only (and I presumed here that it would assume user=guest or something else werbly, as I've experienced before at home on my little network). Attempting to log in with the password was denied....

Upon meditating, and making sacrifices to the daemons, I was struck by inspiration... The windows 98 pc has joined the domain, as he is many-favoured by the PDC. My linux box has not, as he has been cast out where there is wailing and gnashing of teeth (or rather I haven't got round to asking the sysadmin to add my netbios name to the database). Hence, the windows 98 pc thinks he knows who he is, and thinks that he doesn't have to be a guest any more...

So, establishing that the name that had been used to log into the domain was, say "Beelzebub", I create an account on linux pc for it, and then make an smb passwd yatter yatter. hey presto, it works.

Since I don't want an account on my linux pc for everyone who's likely to connect to my smb stuff, I guess I'd better join the domain....

Gary (-;
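For reference, the settings the main reply above recommends, pulled together into one smb.conf. This is an added example, not a file from the original e-mail or its author; DOMAIN, NTPASSWDSERVER, the netbios name, the smbpasswd/smbusers paths and the /mnt/c and /mnt/d mount points are placeholders matching the reply's wording.

```ini
# Added example (not from the original e-mail): a Linux box joining an
# NT domain as a plain member server, per the reply above.
# DOMAIN / NTPASSWDSERVER / LINUXBOX and the file paths are placeholders.
[global]
   workgroup = DOMAIN
   netbios name = LINUXBOX
   # Let the NT PDC own authentication. Only works after
   # "smbpasswd -j DOMAIN -r NTPASSWDSERVER" has run (with the
   # "private" directory present) and the PDC knows this hostname.
   security = domain
   password server = NTPASSWDSERVER
   # Never do plaintext: everything newer than 95 original release
   # expects the challenge/response exchange anyway.
   encrypt passwords = yes
   # "os level 0, all masters no": don't fight the PDC for browse master.
   os level = 0
   local master = no
   domain master = no
   preferred master = no
   # Only 9x clients need this; NT clients send real credentials.
   # Assumes a locked-down "nobody" account exists in /etc/passwd.
   guest account = nobody
   # Both files are touched but left empty; security=domain means the
   # PDC holds the accounts. No "hosts allow" here: if you must filter
   # by address, use tcpwrappers' /etc/hosts.allow instead.
   smb passwd file = /etc/samba/smbpasswd
   username map = /etc/samba/smbusers

# NT-style admin shares over the mounted NT drives. Hidden ($) like the
# real ones; read-only is a choice of this example, not of the reply.
[C$]
   path = /mnt/c
   browseable = no
   read only = yes

[D$]
   path = /mnt/d
   browseable = no
   read only = yes

# The one share guests (9x boxes) are allowed to see.
[tmp]
   path = /tmp
   guest ok = yes
   read only = yes
```

If you later try the 2001-12-10 addendum's domain-server setup instead, security=domain and password server no longer apply; that is a different configuration from the one shown here.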