[Pkg-samba-maint] Bug#385372: This

Steve Langasek vorlon at debian.org
Tue Jul 24 07:12:41 UTC 2007


On Tue, Jul 24, 2007 at 02:11:01PM +0800, Joe C. K. Yau wrote:
> I have finally got it working, without knowing exactly why what I did
> before didn't work.  It seems to be a configuration problem, which
> puzzles me a lot.  Basically, my config is as follows:

> <=========================v=v=v= Config =v=v=v=========================>

>  1>>    [global]
>  2>>      workgroup = AlwaysBIG
>  3>>      encrypt passwords = false
>  4>>      root preexec = /bin/echo %T: CONNECT: service:%S path:%P by %U@%m >> /var/log/samba/log.connection
>  5>>      root postexec = /bin/echo %T: DISCONNECT: service:%S path:%P by %U@%m >> /var/log/samba/log.connection
>  6>> 
>  7>>   [homes]
>  8>>     comment = Home Directories
>  9>>     browseable = no
> 10>>     writable = yes
> 11>>     create mask = 0700
> 12>>     directory mask = 0700
> 13>>     valid users = %S

> <=========================^=^=^= Config =^=^=^=========================>

> The situation is like this:  I have winbindd running, and I have a
> smb.conf like the above.  If I keep line 13 ("valid users = %S"),
> I wouldn't be able to connect to my home directory.  But if I comment
> it out, it will just work fine.  Please note that I am using plaintext
> passwords here.  Is that the cause?

I'm not sure why plaintext passwords should affect the use of 'valid users =
%S'; that should not change how the username is resolved.

But why do you have winbind running on a system where you're trying to use
plaintext passwords?  Or put differently, why are you using plaintext
passwords on a system that has winbind?

winbind is for NT domain integration.  If you have an NT domain, you
shouldn't need to resort to plaintext passwords; and indeed, I would expect
that 'encrypt passwords = false' would cause problems for the domain
operation.

> Please also note that lines 4 and 5 above are just for some extra
> logging.  I had this in my configuration with an older version of
> Samba and it worked fine.  But now, nothing is logged.
> Any clue?

Recent versions of samba fixed a security hole in the parsing of
preexec/postexec commands by trimming all shell special characters.  I
believe this includes '>'.  You would need to create a short script to
handle the redirection to the named logfile.

> Also, whenever I do "wbinfo -t", I get the following error message
> (with or without the "valid users" line in smb.conf):

>   checking the trust secret via RPC calls failed
>   error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
>   Could not check secret

So you have joined your samba system to a domain?  Your smb.conf above
doesn't reflect that.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
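
The short script suggested above for the preexec/postexec logging, as an added example that is not part of the original message and not shipped with Samba. The install path /usr/local/sbin/smb-connlog, the SMB_CONNLOG override and the 512-character cap are assumptions; because %U and %m are supplied by the client, the script replaces control characters so a crafted name cannot forge extra log lines.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Samba).
# Assumed install path: /usr/local/sbin/smb-connlog
# smb.conf then needs no shell redirection:
#   root preexec  = /usr/local/sbin/smb-connlog %T: CONNECT: service:%S path:%P by %U@%m
#   root postexec = /usr/local/sbin/smb-connlog %T: DISCONNECT: service:%S path:%P by %U@%m

# Log path taken from the original config; SMB_CONNLOG is an assumed
# override so the script can be tried without touching /var/log.
LOGFILE=${SMB_CONNLOG:-/var/log/samba/log.connection}
MAXLEN=512   # constructed cap on the length of one log record

# Every argument is untrusted (%U and %m come from the client):
# replace control characters, newline included, and truncate.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '[:cntrl:]' '?' | cut -c "1-$MAXLEN"
}

# Join all arguments into one record and append it as exactly one line.
log_event() {
    umask 077   # a newly created log file is readable by root only
    printf '%s\n' "$(sanitize "$*")" >> "$LOGFILE"
}

# Do the work only when called with arguments, as Samba would call it.
[ "$#" -eq 0 ] || log_event "$@"
```
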



