[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
Todd Pfaff
pfaff at rhpcs.mcmaster.ca
Wed Feb 6 02:26:45 GMT 2008
In case it can help someone diagnose this problem, here's output from:
smbpasswd -D 10
when trying to change the password for this user:
testuser:10151:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:Test User:
Netbios name list:-
my_netbios_names[0]="RHPCSERV"
added interface ip=192.168.12.34 bcast=192.168.255.255 nmask=255.255.0.0
Connecting to 127.0.0.1 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 50748
socket option SO_RCVBUF = 87584
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
write_socket(3,183)
write_socket(3,183) wrote 183
got smb length of 127
size=127
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 7 (0x7)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 65 (0x41)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]=28928 (0x7100)
smb_vwv[ 8]= 8 (0x8)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=33011 (0x80F3)
smb_vwv[11]= 128 (0x80)
smb_vwv[12]=33385 (0x8269)
smb_vwv[13]=20975 (0x51EF)
smb_vwv[14]=51304 (0xC868)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=58
[000] 72 68 70 63 73 65 72 76 00 00 00 00 00 00 00 00 rhpcserv ........
[010] 60 28 06 06 2B 06 01 05 05 02 A0 1E 30 1C A0 0E `(..+... ....0...
[020] 30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A A3 0A 0...+... ..7.....
[030] 30 08 A0 06 1B 04 4E 4F 4E 45 0.....NO NE
size=127
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 7 (0x7)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 65 (0x41)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]=28928 (0x7100)
smb_vwv[ 8]= 8 (0x8)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=33011 (0x80F3)
smb_vwv[11]= 128 (0x80)
smb_vwv[12]=33385 (0x8269)
smb_vwv[13]=20975 (0x51EF)
smb_vwv[14]=51304 (0xC868)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=58
[000] 72 68 70 63 73 65 72 76 00 00 00 00 00 00 00 00 rhpcserv ........
[010] 60 28 06 06 2B 06 01 05 05 02 A0 1E 30 1C A0 0E `(..+... ....0...
[020] 30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A A3 0A 0...+... ..7.....
[030] 30 08 A0 06 1B 04 4E 4F 4E 45 0.....NO NE
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
write_socket(3,164)
write_socket(3,164) wrote 164
got smb length of 254
size=254
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=100
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 163 (0xA3)
smb_bcc=211
size=254
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=100
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 163 (0xA3)
smb_bcc=211
Got challenge flags:
Got NTLMSSP neg_flags=0x608a0215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_CHAL_ACCEPT_RESPONSE
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 60 BC A1 67 71 0D 14 9C `..gq...
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
write_socket(3,258)
write_socket(3,258) wrote 258
got smb length of 35
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=100
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=2159
smb_uid=100
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Logon failure
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for testuser
On Tue, 5 Feb 2008, Todd Pfaff wrote:
> Help! (pretty please :)
>
> I'm still having the problem described below with samba-3.0.24.
>
> Here's an excerpt from the smbpasswd man page:
>
> When run by an ordinary user with no options, smbpasswd will prompt
> them for their old SMB password and then ask them for their new
> password twice, to ensure that the new password was typed correctly. No
> passwords will be echoed on the screen whilst being typed. If you have
> a blank SMB password (specified by the string "NO PASSWORD" in the
> smbpasswd file) then just press the <Enter> key when asked for your old
> password.
>
> Is this samba documentation incorrect?
> Or am I doing something incorrectly?
>
> cheers,
> Todd
>
>> Date: Mon, 26 Feb 2007 15:59:44 -0500 (EST)
>> From: Todd Pfaff <pfaff at rhpcs.mcmaster.ca>
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD"
>> behaviour
>>
>> The way it's documented to work in the smbpasswd man page, and the way it
>> used to work for us with older samba releases is: when a user has a null
>> password, and smb.conf "null passwords = no", the user can _not_ make an
>> smb connection, but they _can_ set their samba password to something
>> non-null by running smbpasswd and entering an empty old password.
>> In order to run smbpasswd the user must login to their linux account with
>> ssh, and that _does_ require a password.
>>
>> So in fact this may be considered even more secure than what you're
>> suggesting because a new user has no ability to make smb connections to the
>> server until they have logged in to their linux account with a password and
>> run smbpasswd to set a samba password.
>>
>> I realize that I could set an initial smb password for every user, but
>> there are situations where that is inconvenient, and since this null
>> password method did work perfectly well in the past without being a
>> significant security risk, it's now inconvenient that it no longer works as
>> it did in the past.
>>
>> I'm trying to determine why the behaviour changed, or if it really didn't
>> change but I'm now doing something incorrectly on my samba server.
>> And if it really did change then someone should fix the smbpasswd man page
>> accordingly, and maybe mention something in the release notes.
>>
>> Regards,
>> Todd
>>
>> On Mon, 26 Feb 2007, Gary Dale wrote:
>>
>>> The obvious question is, why would you want a null password to begin with?
>>> This seems to me to be a serious security problem.
>>>
>>> If it's for new users, give them a temporary password through a secure
>>> channel and require them to change it the first time they log on.
>>>
>>>
>>> Todd Pfaff wrote:
>>>> I've had no responses to this question yet, and I'm still stuck with this
>>>> problem. Can anybody help, please?
>>>>
>>>> Is this a capability of samba that not many people take advantage of?
>>>>
>>>> Or am I trying to do something that just isn't possible anymore?
>>>>
>>>> Picking through the level 10 debug log of smbd, I see this:
>>>>
>>>> [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
>>>> Account for user 'testuser' has no password and null passwords are NOT
>>>> allowed.
>>>> [2007/02/26 11:49:36, 9]
>>>> passdb/passdb.c:pdb_update_bad_password_count(1373)
>>>> No bad password attempts.
>>>> [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
>>>> check_ntlm_password: sam authentication for user [testuser] FAILED with
>>>> error NT_STATUS_LOGON_FAILURE
>>>>
>>>>
>>>> Is it no longer possible for a user to change their own samba password
>>>> from null "NO PASSWORD" using the smbpasswd command?
>>>>
>>>> --
>>>> Todd Pfaff <pfaff at mcmaster.ca>
>>>> Research & High-Performance Computing Support
>>>> McMaster University, Hamilton, Ontario, Canada
>>>> http://www.rhpcs.mcmaster.ca/~pfaff
>>>>
>>>> On Thu, 22 Feb 2007, Todd Pfaff wrote:
>>>>
>>>>> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux
>>>>> systems and we've noticed a change in behaviour of smbpasswd when a
>>>>> non-root user tries to change their password from "NO PASSWORD".
>>>>>
>>>>> Here's an example smbpasswd entry (all one line):
>>>>>
>>>>> testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>>>>> NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
>>>>>
>>>>>
>>>>> The possibly related settings in our smb.conf are:
>>>>>
>>>>> encrypt passwords = yes
>>>>> security = user
>>>>> unix password sync = yes
>>>>> passwd program = /usr/bin/passwd %u
>>>>> passwd chat = *password:* %n\n *password* %n\n *successfully*
>>>>> null passwords = no
>>>>>
>>>>>
>>>>> Since "null passwords = no" a user with "NO PASSWORD" should not be able
>>>>> to login to the samba account. That's working as expected.
>>>>>
>>>>> In past versions of samba, testuser could login to the linux account,
>>>>> run smbpasswd, enter an empty old password, and set a new password.
>>>>>
>>>>> Now when we try this we get this failure:
>>>>>
>>>>> [testuser@localhost ~]$ smbpasswd
>>>>> Old SMB password:
>>>>> New SMB password:
>>>>> Retype new SMB password:
>>>>> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>>>>> Failed to change password for testuser
>>>>>
>>>>>
>>>>> Does anyone know why this failure is happening now?
>>>>>
>>>>> Was the behaviour of smbpasswd changed intentionally?
>>>>> If so, in what samba version did this change happen?
>>>>>
>>>>> Is there an alternative way to achieve the smbpasswd
>>>>> behaviour that we had in the past?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> Todd Pfaff <pfaff at mcmaster.ca>
>>>>> Research & High-Performance Computing Support
>>>>> McMaster University, Hamilton, Ontario, Canada
>>>>> http://www.rhpcs.mcmaster.ca/~pfaff
>>>>>
>>>
>
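An added example, not part of the thread and not Samba code: a Python check that reads smbpasswd-format entries like the `testuser` line quoted above and lists accounts whose hash fields or `N` flag mark a null password. The `audit` helper name, the accounts other than `testuser`, and the hash value are constructed for illustration.

```python
import re

# "NO PASSWORD" padded with X to 32 characters, as in the thread's entry.
NULL_HASH = "NO PASSWORD" + "X" * 21

# Constructed sample in smbpasswd(5) layout; only testuser comes from the thread.
SAMPLE = "\n".join([
    "# constructed sample",
    f"testuser:10151:{NULL_HASH}:{NULL_HASH}:[NU ]:LCT-00000000:Test User:",
    f"alice:10152:{'X' * 32}:{'0123456789ABCDEF' * 2}:[U          ]:LCT-47A91B35:",
    f"bob:10153:{NULL_HASH}:{NULL_HASH}:[NDU        ]:LCT-00000000:",
    "carol:10154:truncated",
])

# name:uid:LM hash:NT hash:[flags]:LCT-<hex time>:
ENTRY = re.compile(
    r"^([^:]+):(\d+):([^:]{32}):([^:]{32}):\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):"
)

def audit(text):
    """Return {account: [findings]} for entries carrying null-password markers."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            # Do not silently skip a line we cannot interpret.
            findings[f"line {lineno}"] = ["unparseable entry"]
            continue
        user, _uid, lm, nt, flags, lct = m.groups()
        issues = []
        if lm.startswith("NO PASSWORD") and nt.startswith("NO PASSWORD"):
            issues.append("null password hashes")
        if "N" in flags:
            issues.append("N flag (no password required)")
        if int(lct, 16) == 0:
            issues.append("password never changed (LCT 0)")
        if issues and "D" in flags:
            issues.append("account disabled")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        print(f"{account}: {', '.join(issues)}")
```

Whether a flagged account can actually open an SMB session still depends on the `null passwords` setting discussed in the thread.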