[Samba] Dispelling Myths About Samba Encrypted passwords, NT_STATUS_LOGON _FAILURE and XP

abartlet at samba.org abartlet at samba.org
Sun May 12 18:39:02 GMT 2002 

On Mon, May 13, 2002 at 10:46:53AM +1000, David Balnaves wrote:
> Hi,
> 
> I've been using samba for a while now with relatively simple configurations.
> I do however have a few questions:
> 
> * When using encrypted passwords with samba, is it possible to authenticate
> users using the Unix user password(/etc/passwd)?

No.
 
> * When using smbclient I get the error NT_STATUS_LOGON_FAILURE:
> 
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david at Wintermute:~$ smbclient -L wintermute -U david
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david at Wintermute:~$ smbclient -L wintermute -U root
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> When nothing is entered in the password prompt:
> 
> david at Wintermute:~$ smbclient -L wintermute
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> Anonymous login successful

> * What does this error mean?  (What's it caused by?) And how can I fix it?

NT_STATUS_LOGON_FAILURE means that the password you entered was incorrect, or
the user doesn't exist.  For a samba server, this also includes the case
that the user has no encrypted password stored on the system.

smbclient will attempt an anonymous logon if you don't specify a password, 
and some information (the share listing in this case) is available anonymously.

> * Does definition of WorkGroups change across different Windows versions?

Not particularly, but people usually move up to a domain when dealing with NT.

> * Lastly, is there any tricks involved in getting samba to work with Windows
> XP?  I want it so it uses the unix user authentication if possible.  I've
> loaded the WinXP_SignOrSeal.reg patch on XP.  I also loaded the
> Win2000_PlainPassword.reg in the hope I could access my shares from my XP
> box.

The SignOrSeal should not be required - as you are not a PDC.  Using plaintext
passwords will cause Windows > NT4 SP3 and > Win95OSR1 to always prompt for a 
password (as a 'do you really wan to do this' measure).  They won't even
go past a negprot (not authorised to log in from this workstation) without 
the registry hack.

This is why Samba 3.0 will default to 'encryupt passwords = yes' and why
this has been the default in most distribution's smb.conf files for a
long time.

Andrew Bartlett

More information about the samba mailing list