SAMBA Problems

Matt G. Ellis mge@internetsyndicate.com
Tue, 6 Feb 2001 20:09:40 -0700


Hello All.

I'm having a problem setting SAMBA up to be used for domain logons within a
Windows 98 Network.

The NetBIOS name of the SAMBA server is SERVER, and the WORKGROUP is named
FOOTHILL.  I have set SAMBA up to authenticate domain logons and have
configured it as a WINS Server.  All Clients are sending cleartext
passwords, and are set to use the SAMBA machine as a WINS server (the ip of
the SAMBA Machine is 10.1.1.1, the rest of the machines are 10.1.1.X,
netmask is configured as 255.255.255.0)

When the domain is specified as FOOTHILL on a Windows 98 Client, connections
work flawlessly, the user is authenticated, and logged on to the system.
Since I want to require this to happen, I have used the Windows 98 Policy
Editor to Require authorization from a Domain server, hitting cancel at the
logon box produces an error to the effect of: You must log on to the system.

However, users have found a way to bypass this requirement.  If they change
the domain from FOOTHILL to anything else (for example: FAKE) and then
attempt a logon, the process takes considerably longer (I *think* windows is
trying to map the name FAKE to an IP Address, and then fails) and then the
default Windows Logon Box comes up (just a username and password), from this
box a user can hit cancel and have access to the system.

What I'm trying to do is to require a user to be authenticated by the Domain
Logon process, and have windows ERROR if a user changes the DOMAIN to a
non-existent one.

Below are my smb.conf, log.smb, log.nmb, and wins.dat files.  To cut out the
clutter of the log.smb and log.nmb files I stopped samba, removed both log
files, then restarted samba.  I then logged on once to the correct domain
(FOOTHILL), logged out, then tried to log on to a fake domain (FAKE), then
logged out, then back on to the real domain (FOOTHILL).  The only thing I saw
that may be of some help is these lines in log.nmb:

[2001/02/06 14:30:02, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0
[2001/02/06 14:30:09, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 7
[2001/02/06 14:33:12, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0

It is my theory that whenever we generate a code 7, it is from a Domain that
doesn't exist, and code 0 is from one that does.  I may be wrong.

Any help is appreciated.

Thanks All.

---log.smb---
[2001/02/06 14:27:24, 1] smbd/server.c:main(628)
  smbd version 2.0.5a started.
  Copyright Andrew Tridgell 1992-1998
[2001/02/06 14:27:24, 1] smbd/files.c:file_init(216)
  file_init: Information only: requested 10000 open files, 1014 are available.

---log.nmb---
[2001/02/06 14:27:25, 1] nmbd/nmbd.c:main(684)
  Netbios nameserver version 2.0.5a started.
  Copyright Andrew Tridgell 1994-1998
[2001/02/06 14:27:25, 0] nmbd/asyncdns.c:start_async_dns(150)
  started asyncdns process 711
[2001/02/06 14:27:25, 0] nmbd/nmbd_logonnames.c:add_logon_names(159)
  add_domain_logon_names:
  Attempting to become logon server for workgroup FOOTHILL on subnet 10.1.1.1
[2001/02/06 14:27:25, 0] nmbd/nmbd_logonnames.c:add_logon_names(159)
  add_domain_logon_names:
  Attempting to become logon server for workgroup FOOTHILL on subnet UNICAST_SUBNET
[2001/02/06 14:27:25, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(342)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup FOOTHILL, subnet UNICAST_SUBNET.
[2001/02/06 14:27:25, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(357)
  become_domain_master_browser_wins: querying WINS server at IP 10.1.1.1 for domain master browser name FOOTHILL<1b> on workgroup FOOTHILL
[2001/02/06 14:27:25, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(118)
  become_logon_server_success: Samba is now a logon server for workgroup FOOTHILL on subnet UNICAST_SUBNET
[2001/02/06 14:27:25, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
  *****

  Samba server SERVER is now a domain master browser for workgroup FOOTHILL on subnet UNICAST_SUBNET

  *****
[2001/02/06 14:27:25, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(294)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup FOOTHILL on subnet 10.1.1.1
[2001/02/06 14:27:25, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(308)
  become_domain_master_browser_bcast: querying subnet 10.1.1.1 for domain master browser on workgroup FOOTHILL
[2001/02/06 14:27:29, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(118)
  become_logon_server_success: Samba is now a logon server for workgroup FOOTHILL on subnet 10.1.1.1
[2001/02/06 14:27:33, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
  *****

  Samba server SERVER is now a domain master browser for workgroup FOOTHILL on subnet 10.1.1.1

  *****
[2001/02/06 14:30:02, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0
[2001/02/06 14:30:09, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 7
[2001/02/06 14:33:12, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0

---smb.conf---
# Samba config file created using SWAT
# from 12.foothills.com (10.1.1.12)
# Date: 2001/02/06 14:27:11

# Global parameters
[global]
    workgroup = FOOTHILL
    netbios name = SERVER
    server string = Samba Server
    interfaces = 10.1.1.1/24
    log file = /var/log/samba/log.%m
    max log size = 50
    name resolve order = wins lmhosts host
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    logon script = logon.bat
    domain logons = Yes
    local master = No
    domain master = Yes
    dns proxy = No
    wins support = Yes
    remote announce = 10.1.1.255
    remote browse sync = 10.1.1.255

[home]
    comment = Home Directories
    path = /home/%U
    read only = No

[def]
    comment = Default Share
    path = /home/default
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = Yes
    browseable = No
    share modes = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    print ok = Yes
    browseable = No

---wins.dat---
VERSION 1 180813
"12#00" 982013333 10.1.1.12  4R
"12#03" 982013331 10.1.1.12  4R
"ADMIN#03" 982013592 10.1.1.12  4R
"FOOTHILL#00" 982013333 255.255.255.255 c4R
"FOOTHILL#1b" 982013245 10.1.1.1 44R
"FOOTHILL#1c" 982013245 10.1.1.1 c4R
"FOOTHILL#1e" 982013245 255.255.255.255 c4R
"SERVER#00" 982013245 10.1.1.1 46R
"SERVER#03" 982013245 10.1.1.1 46R
"SERVER#20" 982013245 10.1.1.1 46R
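
Added example, not part of the original post: a small Python parser for the log.nmb format shown above that lists the process_logon_packet codes seen per client with their timestamps, so they can be lined up against the time of each logon attempt. It does not interpret the codes; the function names are hypothetical, and the sample log is constructed from the three entries quoted in the post, with one header wrapped onto a second line to show that mail-wrapped entries are tolerated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three logon entries quoted in the post. The second
# header is deliberately wrapped onto its own line, as a mail client might do.
SAMPLE_LOG = """\
[2001/02/06 14:30:02, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0
[2001/02/06 14:30:09, 1]
nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 7
[2001/02/06 14:33:12, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69)
  process_logon_packet: Logon from 10.1.1.12: code = 0
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *\d+\]")
LOGON = re.compile(r"Logon from (\d+\.\d+\.\d+\.\d+): code = (\d+)")

def iter_entries(text):
    """Yield (timestamp, body); body joins every line up to the next header."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(body)
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            body = [line[m.end():].strip()]
        elif stamp is not None:
            body.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(body)

def logon_codes_by_client(text):
    """Map client IP -> [(timestamp, code), ...] in log order."""
    seen = defaultdict(list)
    for stamp, body in iter_entries(text):
        m = LOGON.search(body)
        if m:
            seen[m.group(1)].append((stamp, int(m.group(2))))
    return dict(seen)

def clients_with_code(text, code):
    """Map client IP -> timestamps at which the given code was logged."""
    hits = {ip: [t for t, c in ev if c == code]
            for ip, ev in logon_codes_by_client(text).items()}
    return {ip: ts for ip, ts in hits.items() if ts}

if __name__ == "__main__":
    for ip, events in logon_codes_by_client(SAMPLE_LOG).items():
        print(ip, [(t.isoformat(), c) for t, c in events])
```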