1 Contributor: Samba-bugs@samba.anu.edu.au
5 =============================================================================
6 Subject: Recent FAQ answers to common questions / problems
7 =============================================================================
8 Contents: NetWkstaUserLogon
9 Not listening for calling name
13 Using NT to Browse Samba Shares
14 setup.exe and 16 bit programs
19 FAQ answer about the new password server code:
21 In 1.9.18 you can disable the NetWkstaUserLogon call at compile time
22 in local.h and from 1.9.18p3 you can now disable it from an option in
25 The password server behaviour changed because we discovered that bugs
26 in some NT servers allowed anyone to login with no password if they
27 chose an account name that did not exist on the password server. The
28 NT password server was saying "yes, it's OK to login" even when the
29 account didn't exist at all! Adding the NetWkstaUserLogon call fixed
30 the problem, and follows the "recommended" method that MS have
31 recently documented for pass through authentication.
33 The problem now is that some NT servers (in particular NT
34 workstation?) don't support the NetWkstaUserLogon call. The call also
35 doesn't work for accounts in trust relationships.
37 The eventual solution for this will be to replace the password server
38 code in Samba with NT domain code as that is developed. For now you
39 have the choice of compiling Samba either with or without the
40 NetWkstaUserLogon call in the password server code.
42 In 1.9.18p3 the following was added (copied from the 1.9.18p3 release
45 In the [global] section of smb.conf :
47 networkstation user login
49 This code (submitted by Rob Nielsen) allows the code many people
50 were having problems with that queries an NT password server to
51 be turned off at runtime rather than compile time. Please see the
52 documentation in the smb.conf manual page for details. This is a
53 security option - it must only be turned off after checks have been
54 made to ensure that your NT password server does not suffer from the
55 bug this code was meant to protect against !
57 In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5
58 you could apply the following patch. Applying this patch will make
59 the password server code behave like the code in earlier versions
60 of Samba. If you do this then please ensure that you test to see
61 that users are prevented from logging in if they give a bogus
62 username/password. You may have a NT server that is affected by the
63 bug that this code is designed to avoid.
66 --- password.c 1997/10/21 10:09:28 1.25.2.4
67 +++ password.c 1997/12/31 06:43:06
73 if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
74 DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
82 DEBUG(3,("password server %s accepted the password\n", cli.desthost));
83 ===============================================================================
85 Not listening for calling name
86 ==============================
88 > Session request failed (131,129) with myname=HOBBES destname=CALVIN
89 > Not listening for calling name
91 If you get this when talking to a Samba box then it means that your
92 global "hosts allow" or "hosts deny" settings are causing the Samba
93 server to refuse the connection.
95 Look carefully at your "hosts allow" and "hosts deny" lines in the
96 global section of smb.conf.
98 It can also be a problem with reverse DNS lookups not functioning
99 correctly, leading to the remote host identity not being able to
100 be confirmed, but that is less likely.
101 ===============================================================================
105 System error 1240 means that the client is refusing to talk
106 to a non-encrypting server. Microsoft changed WinNT in service
107 pack 3 to refuse to connect to servers that do not support
108 SMB password encryption.
110 There are two main solutions:
112 1) enable SMB password encryption in Samba. See ENCRYPTION.txt in the
115 2) disable this new behaviour in NT. See WinNT.txt in the
117 ===============================================================================
121 > Log message "you appear to have a trapdoor uid system"
123 This can have several causes. It might be because you are using a uid
124 or gid of 65535 or -1. This is a VERY bad idea, and is a big security
125 hole. Check carefully in your /etc/passwd file and make sure that no
126 user has uid 65535 or -1. Especially check the "nobody" user, as many
127 broken systems are shipped with nobody setup with a uid of 65535.
129 It might also mean that your OS has a trapdoor uid/gid system :-)
131 This means that once a process changes effective uid from root to
132 another user it can't go back to root. Unfortunately Samba relies on
133 being able to change effective uid from root to non-root and back
134 again to implement its security policy. If your OS has a trapdoor uid
135 system this won't work, and several things in Samba may break. Less
136 things will break if you use user or server level security instead of
137 the default share level security, but you may still strike
140 The problems don't give rise to any security holes, so don't panic,
141 but it does mean some of Samba's capabilities will be unavailable.
142 In particular you will not be able to connect to the Samba server as
143 two different uids at once. This may happen if you try to print as a
144 "guest" while accessing a share as a normal user. It may also affect
145 your ability to list the available shares as this is normally done as
148 Complain to your OS vendor and ask them to fix their system.
150 Note: the reason why 65535 is a VERY bad choice of uid and gid is that
151 it casts to -1 as a uid, and the setreuid() system call ignores (with
152 no error) uid changes to -1. This means any daemon attempting to run
153 as uid 65535 will actually run as root. This is not good!
154 ===============================================================================
158 > In windows when i set up a share in "user mode" i get the message:
159 > "You cannot view the list of users at this time. Please try again later."
161 > I know you have lists of users for access and aliasing purposes, but i
162 > have read nothing to support the idea that these lists control the Domain
165 Samba does NOT at this time support user mode access control for Window 9x
166 of for NT. This is a priority item and requires full implementation of the NT SMB
167 protocol calls. Samba-1.9.19 will go into alpha in about 2 months time and will
168 have a more full implementation of the NT SMB protocols to support Domain Client
169 interoperability. When we can see that this has been succesful we wil then implement
170 the NT SMB Server components. This will probably be released as Samba-2.0
172 Samba-1.9.18p5 is scheduled to go out within 14 days. This will close off the 1.9.18
173 branch and then opens the way to progress 1.9.19.
175 I hope this answers your concerns adequately.
176 ===============================================================================
178 Using NT to Browse Samba Shares
179 ===============================
180 > WIN-NT workstations (nt4.0, service pack 3)
183 > encrypt passwords = yes
184 > guest account = guest
186 > start the explorer on a win-nt workstation and select network. I find
187 > my unix server running samba, but I can not see the list of shares
188 > unless I am a user, who is known in the smbpasswd of the unix machine.
189 > The guest account "guest" exists on my unix machine. For testing I even
190 > made him a regular user with a password.
192 > With my network monitor I can see, that the win-nt workstation uses the
193 > current login, to connect to IPC$ on the samba server
194 > (for example "administrator"), not the guest account.
196 This is exactly how Windows NT works. You MUST have a valid account on the Windows
197 NT box you are trying to see the resource list on. If your currently logged in
198 account details do NOT match an account on the NT machine you are trying to access
199 then you will be presented with a logon box for that machine. When you enter the
200 name of an account on that machine / domain, together with a valid password then
201 the resource list is made available. If the account details are not correct then
202 no resource list is shown.
204 Samba follows the behaviour of Windows NT exactly.
206 Warning:Warning:Warning:
207 ========================
208 Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2.
209 The default is 0. If this is set to 1 or 2 then Windows NT machines that DO NOT
210 have an account on the Samba server will see the resource list. The down side of this
211 is that legitimate users may then be refused access to their legitimate resources.
212 Setting this option creates serious security holes. DO NOT DO IT. Samba has the
213 value of this option set at 0 - NOT WITHOUT REASON!!!!
215 ******> Warning:Warning:Warning: ****> Do not tamper with this setting!!!
216 ===============================================================================
218 setup.exe and 16 bit programs
219 =============================
220 Running 16 bit programs from Windows NT on a Samba mapped drive
221 ---------------------------------------------------------------
223 The Windows NT redirector has a bug when running against a
224 Samba or Windows 95 mapped drive and attempting to run a
227 The problem occurs when the pathname to a 16 bit executable
228 contains a non 8.3 filename complient directory component,
229 Windows NT will fail to load the program and complain it
230 cannot find the path to the program.
232 It can be verified that this is a bug in Windows NT and
233 not Samba as the same problem can be reproduced exactly
234 when attempting to run the same program with the same
235 pathname from a Windows 95 server (ie. the problem still
236 exists even with no Samba server involved).
238 Microsoft have been made aware of this problem, it is
239 unknown if they regard it as serious enough to provide
242 One of the reasons this problem is reported frequently
243 is that InstallShield setup.exe executables are frequently
244 written as 16 bit programs, and so hit this problem.
246 As a workaround, you may create (on a Samba server at
247 least) a symbolic link with an 8.3 complient name to
248 the non 8.3 complient directory name, and then the 16
249 bit program will run. Alternatively, use the 8.3
250 complient mangled name to specify the path to run
253 This will be fixed when Samba adds the NT-specific
254 SMB calls (currently targeted for the next major
255 Samba release), as once the NT SMB calls are used
256 this problem no longer occurs (which is why the
257 problem doesn't occur when running against a drive
258 mapped to a Windows NT server).
264 ===============================================================================
268 > When getting the list of shares available on a host using the command
269 > smbclient -N -L <server>
270 > the program always prompts for the password if the server is a Samba server.
271 > It also ignores the "-N" argument when querying some (but not all) of our
274 No, it does not ignore -N, it is just that your server rejected the
275 null password in the connection, so smbclient prompts for a password
278 To get the behaviour that you probably want use
279 smbclient -L host -U%
281 this will set both the username and password to null, which is
282 an anonymous login for SMB. Using -N would only set the password
283 to null, and this is not accepted as an anonymous login for most
285 ===============================================================================