[ale] Weird Samba w2k scenario

Jeff T ale at jeffx.com
Tue Mar 20 10:01:26 EST 2001 

Greetings,
Got a situation here that I can't figure out.  A bit of the problem 
is that the external IS organization may not be telling me the entire 
truth.  I will try to explain this as clear as possible but it is 
sort of a strange environment.  

I support the R&D group of my company.  My UNIX environment is running 
well and with no problems.  However, we have to keep our PCs connected 
to the parent organization for day to day activities.  The parent 
organization was running NT 4.0 so I used Samba to allow the PC users 
to have access to their home directories.  Because the login information 
for the UNIX systems and the NT domain were different I setup a username 
map and set the password server to the PDC of the parent organization 
NT domain.  Everything has been working fine.  

Just found out the parent organization is moving to Windows 2000.
The actually authentication process is still a month or so away 
but if I have to change configurations I want to be ready before 
it happens.  The 2000 Active Directory Server (PDC) is set up and 
running.  I have a LINUX server that I can test Samba without interfering 
with my users.  Well when I changed the password server from the 
old NT 4.0 Domain to the new W2k server I got a result I wasn't expecting! 
I was expecting to not be able to authenticate but I was still authenticated,
even with incorrect passwords!  I thought maybe it had something 
to do with smb tokens so I set revalidate to yes and even restarted 
my Windows PC.  I have permissions as before even with a different 
login.  

The username for the new (w2k) setup is the same as it was for the 
old NT 4.0 domain but the password is different.  The client machine 
is Windows 98SE.  

The smb.conf file has:
	security = server
	password server = atlanta20
	# stored in /etc/hosts
	encrypt passwords = Yes
	username map = /usr/samba/lib/usernames
	
I was expecting something in the form of the encryption not being 
correct but that didn't happen.  Everything I have found on the web 
talks about sending passwords in plain text but that wouldn't change 
the problem I am seeing.  

Anyone have an idea as to what might be causing something like this? 
I will have the parent company's IS people to work with me this 
afternoon but as they don't really know what is going on, I have 
the feeling I am going to be on my own for this one.  

Thanks for any input,
Jeff






--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

More information about the Ale mailing list