Re: [Samba] SAMBA and 2 form factor auth

Tue, 26 Sep 2006 08:52:46 -0700 

Thanks Gerald,
Finally, the other kicker of the problem is when I mount the samba share on the system locally, SAMBA constantly attempts to reauthenticate with the RADIUS server, which in turn constantly fails the connection as the password has indeed changed (they're one time passwords) 


08:52:35.554507 IP 192.168.0.200.8294 > crypto.radius: RADIUS, Access 
Request (1), id: 0x91 length: 90
08:52:35.848306 IP crypto.radius > 192.168.0.200.8294: RADIUS, Access 
Reject (3), id: 0x91 length: 20
08:52:43.024629 IP 192.168.0.200.8295 > crypto.radius: RADIUS, Access 
Request (1), id: 0xc3 length: 90
08:52:43.388771 IP crypto.radius > 192.168.0.200.8295: RADIUS, Access 
Reject (3), id: 0xc3 length: 20



Maybe I should look into making a RADIUS server that cache's last used 
passwords? Or is there a way to have SAMBA just accept the session as 
being previously authenticated and never re authenticating?


r


Gerald (Jerry) Carter wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Handorf wrote:

  

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk      Network Logon Service
       public          Disk             IPC$            IPC       IPC
Service (samba file services)
       ADMIN$          IPC       IPC Service (samba file services)
       rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

======


So, why does it auth twice? Why doesnt SAMBA keep 
the first auth session as a success, and of course fail

on the second when my token has changed?

    


Restrict the connection to port 139 (-p 139)
and smbclient will resuse the first connection.
The problem is that the first one uses port 445 by default
but you can only get browse lists over port 139.  So it
has to retry.






cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFGUFpIR7qMdg1EfYRAj1pAKCiSoGjsNLVBbwrsH/9J6Sg2CNd8gCg3qN3
Uf5kW0g+mf5UQOCbdfrsMKI=
=IdZ1
-----END PGP SIGNATURE-----

  

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






















					Reply via email to