On Thu, Oct 31, 2002 at 12:20:25PM +0100, Ignacio Coupeau wrote:
> Andrew Bartlett wrote:
> > On Thu, Oct 31, 2002 at 11:33:15AM +0100, Ignacio Coupeau wrote:
> >
> >>We have several samba printservers and fileservers with
> >>"security=server" validating against several PDCs with ldap (samba 2.2.6).
> >>
> >>I found a lot of ldap requests like:
> >> (uid=SAMBATESTPSERVER04)
> >>beating the ldap servers: one before *each* validation in every print
> >>job or share session.
> >>
> >>I found this is related to a security issue as Jeremy says in the
> >>server_validate() function.
> >>
> >>To avoid this I tried to use security=domain because server_validate()
> >>is called by check_server_security(), but our servers joined to the
> >>assigned domain like very much to ask the neighbouring PDC as
> >>"security=server" rather than their domain-assigned server (perhaps the
> >>subnetting, or so... it is a big and complex network).
> >>
> >>The question is if I can skip the code around
> >>"if(!tested_password_server) {"
> >>to avoid the calls to ldap and if it is safe.
> >>
> >>We are using only samba servers.
> >
> >
> > You could, but you really don't want to. Security=server
> > is really nasty. Fix whatever is causing Samba to pick the
> > wrong DC for security=domain. You can still specify the
> > server to use.
>
> I'm tracking it, but it is amazing...
> for example
> ../bin/smbpasswd -r ENIGMA -j CTI-SMB-2
> joins the pserver01 to ENIGMA perfectly.
>
> pserver01 has "security server=enigma", but resolves in every PDC (of
> course the ldap base is the same), like "security server=*" but in server
> mode (for example in the PDC3 or PDC1) instead of domain mode in ENIGMA...
> it looks as if a broadcast is performed and the winner is the nearest
> PDC because the trusted pdc (ENIGMA) is in another subnet... amazing!
Try running 'testparm' - you want 'password server', not 'security server'...

Andrew Bartlett
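As an added illustration (this is not code from the thread or from Samba itself), the following Python checks a [global] section for exactly the mistake Andrew points at: a parameter name that smbd does not know and therefore ignores, which silently leaves `password server` unset while `security` is still `domain` or `server`. KNOWN_GLOBAL is an assumed, hand-picked subset of real Samba parameter names, not Samba's full table, and both smb.conf fragments are constructed for the example; the misspelled one mirrors the thread, the second is the corrected form.

```python
"""Minimal smb.conf [global] sanity check for the mistake discussed above.

Added illustration, not Samba's loadparm code. KNOWN_GLOBAL is a small,
hand-picked subset of genuine Samba global parameters (assumption: enough
for this example, not the complete table testparm uses).
"""
from __future__ import annotations

import re

# Constructed config: the mistyped parameter from the thread.
BROKEN_CONF = """
[global]
    workgroup = ENIGMA
    security = domain
    ; typo: the parameter is "password server", so smbd ignores this line
    security server = enigma
    encrypt passwords = yes
"""

# Constructed config: the corrected form, naming the DC explicitly.
FIXED_CONF = """
[global]
    workgroup = ENIGMA
    security = domain
    password server = ENIGMA
    encrypt passwords = yes
"""

# Assumed subset of real Samba global parameter names.
KNOWN_GLOBAL = {
    "workgroup", "netbios name", "security", "password server",
    "encrypt passwords",
}


def parse_global(text: str) -> dict[str, str]:
    """Return the [global] section as {normalised name: value}.

    Samba parameter names are case-insensitive and internal whitespace is
    not significant, so names are lower-cased with spaces collapsed.
    Lines beginning with '#' or ';' are comments.
    """
    params: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[" ".join(name.lower().split())] = value.strip()
    return params


def check(text: str) -> list[str]:
    """Return findings for the [global] section, empty if it looks sane."""
    p = parse_global(text)
    findings = []
    for name in p:
        if name not in KNOWN_GLOBAL:
            findings.append(f'unknown parameter "{name}" (ignored by smbd)')
    mode = p.get("security", "user").lower()   # Samba 2.x default is user
    if mode == "server":
        findings.append("security = server: pass-through authentication, avoid")
    if mode in ("server", "domain") and not p.get("password server"):
        findings.append("no explicit password server: DC choice left to lookup")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check(conf) or ["ok"])
```

On a real host the same check is `testparm -s /etc/samba/smb.conf`, which warns about a parameter it does not recognise. With the typo in the thread, `password server` is never set at all, so nothing in the config tells smbd to use ENIGMA; the observed behaviour is whatever the unset default does, not a misread of "enigma".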