Re: [Samba] Windows 2000 Domain Controller Security Setting

2003-01-24 Thread Jim McDonough
On Fri, 2003-01-24 at 11:12, Stewart, Eric wrote:
>   Unless you know of some way to tell 2000 DC's to explicitly allow
> Samba servers to have anonymous access, this is an (admittedly minor) issue
> that might be worth looking at.
> 
Eric, check out the -A (not -a) parm to wbinfo.  It allows you to get
around this restriction, by providing a userid and password that will be
used to make the connections.  So it's not really letting samba have
anonymous access, but it gets you past where NT can go...

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



[Samba] Windows 2000 Domain Controller Security Setting

2003-01-24 Thread Stewart, Eric

    I sent an email last night regarding a security issue we were having with our Windows 2000 domain controllers and Samba's interaction with them.

    It turns out part of the issue is that security settings don't propagate to the domain controllers without rebooting them all.

    But, slightly contrary to my previous email:

The application to view these settings is (on a domain controller):

"Start" -> "Program Files" -> "Administrative Tools" ->
    "Domain Controller Security Policy"

The settings in question are:

(1) "Windows Settings" - "Security Settings" - "Account Policies" -
    "Kerberos Policy" -> "Enforce user logon restrictions"

and

(2) "Windows Settings" - "Security Settings" - "Local Policies" -
    "Security Options" ->
    "Additional restrictions for anonymous connections"

    Now, contrary to my previous email, (1) actually appears to have *nothing* to do with the issues (drives not wanting to be mapped from a Samba server).

    (2), however, appears to be the key.  There are three possible settings for this:

(A) "None.  Rely on default permissions"
(B) "Do not allow enumeration of SAM accounts and shares"
(C) "No access without explicit anonymous permissions"

    In our testing this morning (because the problem recurred), we've discovered that (A) and (B) don't cause a problem (though I've heard that there is evidence that (B) doesn't do what it says it does).  When (C) is selected (and the domain controllers are rebooted to put it into effect), Samba servers using "security = domain" will not be able to pass through the authentication, and hence, won't allow shares to be accessed.

    However, in Samba's defense on this issue, Windows NT 4.0 Workstations don't even let people log on with (C) set.  And yes, we still run a few of those.

    So, in summary:
    (C) is a desired setting for (2), to stop people from getting a list of Domain usernames from Domain Controllers.  Once that list is obtained, some tools apparently throw the dictionary at accounts.  If account lockout policies have been defined, accounts start getting locked out when the dictionary attacks are attempted.  However, with these settings, NT 4.0 Workstations cannot be logged in (not your problem), and Samba servers will not allow shares to be mapped when "security = domain" (not really a problem I guess, but if it's fixable, it would be a big "plus" in Samba's court).

    Unless you know of some way to tell 2000 DC's to explicitly allow Samba servers to have anonymous access, this is an (admittedly minor) issue that might be worth looking at.

Eric Stewart - Network Admin, USF Tampa Campus Library - [EMAIL PROTECTED]
   Sysadmins are like epic heroes invested with supreme powers and arcane
   lore, duty-bound to protect their users from villains, fires, and
   themselves. - Feen, Benjy: Origin of Sysadmins,
   http://www.monkeybagel.com/sysadmin.html
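The post makes two points a defender will want to verify on their own domain: which of the three "Additional restrictions for anonymous connections" options each DC is actually enforcing, and whether all DCs agree (Eric notes the policy only takes effect after each DC reboots, so DCs can disagree for a while). The audit script below is an added example, not code from the thread or from the Samba project. It assumes the three options map to the `RestrictAnonymous` value 0, 1, 2 under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, that the DCs are reachable over PowerShell remoting, and the DC names are constructed placeholders.

```powershell
# Added example (not from the thread): report the live RestrictAnonymous value
# on each domain controller and flag inconsistencies.
# Assumptions: option (A)/(B)/(C) from the post == RestrictAnonymous 0/1/2;
# PowerShell remoting is enabled on the DCs; the names below are placeholders.
param(
    [string[]]$DomainControllers = @('dc1.example.invalid', 'dc2.example.invalid')
)

# Map the registry value back to the wording shown in the policy editor.
$labels = @{
    0 = '(A) None. Rely on default permissions'
    1 = '(B) Do not allow enumeration of SAM accounts and shares'
    2 = '(C) No access without explicit anonymous permissions'
}

$results = foreach ($dc in $DomainControllers) {
    try {
        # Read the effective value on the DC itself, not the GPO that is supposed to set it.
        $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name RestrictAnonymous -ErrorAction Stop).RestrictAnonymous
        }
        [pscustomobject]@{
            DC                = $dc
            RestrictAnonymous = [int]$value
            Setting           = $labels[[int]$value]
            Error             = $null
        }
    } catch {
        [pscustomobject]@{
            DC                = $dc
            RestrictAnonymous = $null
            Setting           = 'unknown'
            Error             = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# DCs that have not rebooted since the policy change will still report the old value.
$distinct = @($results |
    Where-Object { $null -ne $_.RestrictAnonymous } |
    Select-Object -ExpandProperty RestrictAnonymous -Unique)

if ($distinct.Count -gt 1) {
    Write-Warning "DCs disagree on RestrictAnonymous ($($distinct -join ', ')); a DC that has not rebooted since the policy change is the usual cause."
}
if ($distinct -contains 2) {
    Write-Warning "At least one DC enforces (C). Per the thread, Samba members using 'security = domain' cannot pass authentication through it unless winbind is given credentials (see the wbinfo -A reply)."
}
```

Run it from an admin workstation with the DC list for your domain; a mixed result right after a policy change is expected until every DC has been rebooted, and a uniform value of 2 is the state in which the Samba and NT 4.0 Workstation symptoms from the post will appear.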