We're running Fedora Core and Samba-3.0.8-0.pre1.3 and we're authenticating our Windows XP users against Active Directory running on Windows 2003. Everything works fine!
But now we're trying to secure and harden our WinXP machines and now when any user logged into a secured WinXP they get the errormessage "The account is not authorized to log in from this station". I browsed the net and most solutions tell me to change the smb.conf to: encrypt passwords = yes However, this didn't work (later, it turned out it worked without this setting anyway). But since it did work before securing the WinXP I started looking into the policysettings of the client. I found that the following GPO-setting was the reason why it stopped working: Microsoft network client: Digitally sign communications (always) If we set this to Disabled it works again. This security option setting determines whether packet signing is required by the SMB client component. Enabling this setting prevents the Microsoft network client from communicating with a server unless that server agrees to perform SMB packet signing. You risk gettings your sessions hijcaked otherwise. Doesn't Samba support this? We use the Windows Server 2003 Security Guide and the Windows XP Security Guide to harden our servers and clients: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg /sgch00.mspx <http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003h g/sgch00.mspx> http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch 01.mspx <http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgc h01.mspx> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
