On Sat, 2002-11-16 at 03:11, Benjamin Herbert wrote:
>
> Hello,
>
> I am running Samba 2.2.5 (built from source) on a Linux 7.3 machine. I have samba set up to use domain authentication and everything is working fine. The security administrator did a scan on the Windows 2000 server being used for authentication. He found a vulnerability attributed to the fact that winbindd needs null sessions on the W2k machine to be enabled (since winbindd sends a null username and null password). Obviously we want to correct this situation. I thought I could correct it when I created the account for the samba server on the W2k box by selecting the account group to be "Pre-Windows 2000 Compatible Access". For some reason this did not work. Does anyone know why this didn't work?

Samba cannot even connect to the server with this account, so giving it extra privileges doesn't help. You need to give those privileges to the anonymous user, add a 'user' account for the server, or upgrade to Samba 3.0 (which supports this natively - an AD machine account can log in and gain the relevant info).

> Another way around this is to have winbindd send a legitimate username and password by running 'wbinfo -Ausername%password'. This method raises some questions. First, does winbindd send the username and password encrypted? Second, do you have to run 'wbinfo -A..' every time you restart winbindd or is it sufficient to run it only once?

This password is stored in a TDB, in much the same way that the machine account password is, and is transferred over the network using the normal challenge-response authentication methods.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
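To make concrete what "the normal challenge-response authentication methods" means for the credential stored by 'wbinfo -A', here is an added illustration; it is not Samba code and not part of this thread. It simulates an NTLMv2-style exchange (as specified in MS-NLMP; the thread does not say which NTLM dialect Samba 2.2 winbindd actually uses, so NTLMv2 is an assumption) between a client playing winbindd and a server playing the domain controller. The client keeps only the NT hash of the stored password, the server keeps only NT hashes for its accounts, and the bytes that cross the "wire" are collected so the code can check that neither the password nor its hash is ever transmitted. MD4 is implemented inline because many Python builds on OpenSSL 3 no longer expose it through hashlib. The account name, domain, password and the simplified blob layout are constructed for the example.

```python
import hmac
import os
import struct
import time


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because hashlib may lack md4."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & mask, (b0 + b) & mask,
                          (c0 + c) & mask, (d0 + d) & mask)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    # NT hash = MD4(UTF-16LE(password)). This is what a DC stores, which is
    # why it is password-equivalent and must be protected like the password.
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nthash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP): HMAC-MD5 keyed by the NT hash over UPPER(user) + domain.
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NtProofStr = HMAC-MD5(key, ServerChallenge || blob); response = proof || blob.
    return hmac.new(key, server_challenge + blob, "md5").digest() + blob


class Client:
    """Plays winbindd holding the stored credential (only its NT hash is kept)."""

    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain, self.nthash = user, domain, nt_hash(password)

    def answer(self, server_challenge: bytes) -> bytes:
        # Simplified blob (constructed): timestamp + client nonce. A real NTLMv2
        # blob also carries version bytes and the server's target info.
        blob = struct.pack("<Q", int(time.time() * 1e7)) + os.urandom(8)
        return ntlmv2_response(ntlmv2_key(self.nthash, self.user, self.domain),
                               server_challenge, blob)


class Server:
    """Plays the domain controller: holds NT hashes, never plaintext passwords."""

    def __init__(self, accounts: dict):
        self.hashes = {u: nt_hash(p) for u, p in accounts.items()}
        self.pending = {}                     # one outstanding challenge per user

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(8)
        return self.pending[user]

    def verify(self, user: str, domain: str, response: bytes) -> bool:
        chal = self.pending.pop(user, None)   # a challenge is single-use: no replay
        if chal is None or user not in self.hashes or len(response) < 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntlmv2_key(self.hashes[user], user, domain),
                            chal + blob, "md5").digest()
        return hmac.compare_digest(proof, expected)


def run_exchange(user: str, domain: str, password: str, server: Server):
    """Run one authentication; return (accepted, every byte that crossed the wire)."""
    client = Client(user, domain, password)
    wire = [user.encode("utf-16-le")]         # negotiate: client names the account
    chal = server.challenge(user)
    wire.append(chal)                         # challenge: 8 random bytes
    resp = client.answer(chal)
    wire.append(resp)                         # authenticate: proof + blob
    return server.verify(user, domain, resp), b"".join(wire)


def secret_on_wire(password: str, wire: bytes) -> bool:
    """True if the password (either encoding) or its NT hash appears on the wire."""
    return (password.encode("utf-16-le") in wire or password.encode() in wire
            or nt_hash(password) in wire)


if __name__ == "__main__":
    dc = Server({"winbind-svc": "correct horse battery"})   # constructed account
    ok, wire = run_exchange("winbind-svc", "EXAMPLE", "correct horse battery", dc)
    print("accepted:", ok, "| secret on wire:", secret_on_wire("correct horse battery", wire))
```

The point of collecting the wire bytes is the answer to the first question in the thread: what travels is a challenge and an HMAC over it, not the password. The server side shows the flip side, which is why the DC's own copy of the NT hash (and the TDB holding winbindd's credential) deserves the same protection as the password itself: anyone holding the hash can compute the same proofs.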