> [mailto:fedora-list-admin@xxxxxxxxxx]On Behalf Of Bevan C. Bennett
> Sent: Friday, January 09, 2004 4:01 PM
> To: fedora-list@xxxxxxxxxx
> Subject: Re: Blank password works for root
>
>
> Bill Beeman wrote:
> >
> > Comes from pam_smb-1.1.7-2
>
> Ah! I'd missed that one.
>
> >>* What changes if you remove the pam_smb_auth line? Do you still have
> >>null access? Do you still have access using the password?
> >>
> >
> > Commenting out the pam_smb_auth line fixes the immediate problem. No
> > null access, and can log in with the root password. So perhaps
> > somewhere in the Samba system? I'm a relative newbie here and don't
> > quite know where to look next. The offending machine is an upgrade from
> > RH9. The samba server is still an RH9 box, and is running Samba 2.2.8a.
>
> There's a lot of scary sounding stuff in
> /usr/share/doc/pam_smb-1.1.7/README, particularly regarding the use of
> 'nolocal' to turn off local password file checks. I suspect that your
> samba server is somehow offering an unpassworded 'root' account.
>
> > I really appreciate the help.
>
> No problem. When things slow down it's been good to keep my debugging
> skills fired up. :)
>

Success! I couldn't find anything in the setup on the samba server that seemed obvious; recall that the server was a RH9 box running Samba 2.28a, while the FC1 box was running Samba-common and Samba-client 3.0.0-15. I decided to upgrade the server to 3.0.1-2, and the problem vanished. So there was something between the versions. I am almost positive that the security hole did not exist before the FC1 upgrade to the client.

Many thanks to Bevan, and to all the rest that offered suggestions.

Bill