[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
Todd Pfaff
pfaff at rhpcs.mcmaster.ca
Wed Feb 6 21:50:12 GMT 2008
Stuart,
Thanks very much for trying. I think you've proven what I suspected.
The smbpasswd "NO PASSWORD" behaviour has changed and the documentation
no longer agrees with the behaviour. The samba smbpasswd man page, at
least as of samba-3.0.24, clearly indicates that this should work. It
used to work for us in the past. But maybe that was pre-samba-3.0.
Todd
On Wed, 6 Feb 2008, Stuart Gall wrote:
>
> On 6 Feb 2008, at 04:43, Todd Pfaff wrote:
>
>> Good point. I've now sent the output from 'smbpasswd -D 10' to the samba
>> mailing list.
>>
>> Have you tried setting a user's samba password to "NO PASSWORD" and then
>> changing it in recent samba versions? If you haven't, and if you don't
>> mind trying, please do something like this:
>>
>> root> smbpasswd -n someuser
>> root> su - someuser
>> someuser> smbpasswd
>> - just press enter for old password
>> - enter new password
>>
>> Does it work for you, or do you get the error message I reported?
>>
>
> Version 3.0.7 (Domain member + NIS)
>
> That's smbpasswd -a someuser -n, right?
>
> [root at iridium root]# smbpasswd -a xyz -n
> Added user xyz.
> [root at iridium root]# su - xyz
> [xyz at iridium stuartl]$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
>
> machine 127.0.0.1 rejected the session setup. Error was : Call timed out:
> server did not respond after 20000 milliseconds.
> Failed to change password for xyz
>
>
>
> Version 3.0.28 (Stand alone)
> slowcoach:~# /usr/local/samba/bin/smbpasswd -a xyz -n
> Added user xyz.
> slowcoach:~# su - xyz
> xyz at slowcoach:~$
> xyz at slowcoach:~$ /usr/local/samba/bin/smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine 127.0.0.1 pipe \samr fnum 0x7528!
> machine 127.0.0.1 rejected the password change: Error was : NT code
> 0x1c010002.
> Failed to change password for xyz
>
>
>
> ANOTHER 3.0.28 system (stand alone)
> [root at Server root]# smbpasswd -a xyz -n
> Added user xyz.
> [root at Server root]# su - xyz
> [xyz at Server xyz]$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
> [xyz at Server xyz]$ logout
>
>
> Version 3.0.24
>
> Raid:~# su - xyz
> xyz at Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
> This is odd
>
> Raid:~# smbpasswd -a xyz -n
> Added user xyz.
> Raid:~# smbpasswd -a xyz -n
> User xyz password set to none.
> Raid:~# su - xyz
> xyz at Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
>
> FINALLY 3.0.24 with password encryption set to false (just an idea)
>
> Raid:~# smbpasswd -x xyz
> Deleted user xyz.
> Raid:~# smbpasswd -a xyz -n
> Added user xyz.
> Raid:~# smbpasswd -a xyz -n
> User xyz password set to none.
> Raid:~# su - xyz
> xyz at Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
>
>
> SO DAMN!
> I DON'T KNOW MATE - Sorry
>
>
>
>
>> Thanks,
>> Todd
>>
>> On Wed, 6 Feb 2008, Stuart Gall wrote:
>>
>>> Just an idea ... have you tried
>>>
>>> smbpasswd -D 10
>>>
>>> And checked the logs ?
>>>
>>> On 5 Feb 2008, at 18:33, Todd Pfaff wrote:
>>>
>>>> Help! (pretty please :)
>>>> I'm still having the problem described below with samba-3.0.24.
>>>> Here's an excerpt from the smbpasswd man page:
>>>>
>>>> When run by an ordinary user with no options, smbpasswd will prompt
>>>> them for their old SMB password and then ask them for their new password
>>>> twice, to ensure that the new password was typed correctly. No
>>>> passwords will be echoed on the screen whilst being typed. If you have
>>>> a blank SMB password (specified by the string "NO PASSWORD" in the
>>>> smbpasswd file) then just press the <Enter> key when asked for your old
>>>> password.
>>>> Is this samba documentation incorrect?
>>>> Or am I doing something incorrectly?
>>>> cheers,
>>>> Todd
>>>>> Date: Mon, 26 Feb 2007 15:59:44 -0500 (EST)
>>>>> From: Todd Pfaff <pfaff at rhpcs.mcmaster.ca>
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD"
>>>>> behaviour
>>>>> The way it's documented to work in the smbpasswd man page, and the way
>>>>> it used to work for us with older samba releases is: when a user has a
>>>>> null password, and smb.conf "null passwords = no", the user can _not_
>>>>> make an smb connection, but they _can_ set their samba password to
>>>>> something non-null by running smbpasswd and entering an empty old
>>>>> password.
>>>>> In order to run smbpasswd the user must login to their linux account
>>>>> with ssh, and that _does_ require a password.
>>>>> So in fact this may be considered even more secure than what you're
>>>>> suggesting because a new user has no ability to make smb connections to
>>>>> the server until they have logged in to their linux account with a
>>>>> password and run smbpasswd to set a samba password.
>>>>> I realize that I could set an initial smb password for every user, but
>>>>> there are situations where that is inconvenient, and since this null
>>>>> password method did work perfectly well in the past without being a
>>>>> significant security risk, it's now inconvenient that it no longer works
>>>>> as it did in the past.
>>>>> I'm trying to determine why the behaviour changed, or if it really
>>>>> didn't change but I'm now doing something incorrectly on my samba
>>>>> server.
>>>>> And if it really did change then someone should fix the smbpasswd man
>>>>> page accordingly, and maybe mention something in the release notes.
>>>>> Regards,
>>>>> Todd
>>>>> On Mon, 26 Feb 2007, Gary Dale wrote:
>>>>>> The obvious question is, why would you want a null password to begin
>>>>>> with? This seems to me to be a serious security problem.
>>>>>> If it's for new users, give them a temporary password through a secure
>>>>>> channel and require them to change it the first time they log on.
>>>>>> Todd Pfaff wrote:
>>>>>>> I've had no responses to this question yet, and I'm still stuck with
>>>>>>> this problem. Can anybody help, please?
>>>>>>> Is this a capability of samba that not many people take advantage of?
>>>>>>> Or am I trying to do something that just isn't possible anymore?
>>>>>>> Picking through the level 10 debug log of smbd, I see this:
>>>>>>>
>>>>>>> [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
>>>>>>> Account for user 'testuser' has no password and null passwords are NOT
>>>>>>> allowed.
>>>>>>> [2007/02/26 11:49:36, 9]
>>>>>>> passdb/passdb.c:pdb_update_bad_password_count(1373)
>>>>>>> No bad password attempts.
>>>>>>> [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
>>>>>>> check_ntlm_password: sam authentication for user [testuser] FAILED
>>>>>>> with
>>>>>>> error NT_STATUS_LOGON_FAILURE
>>>>>>> Is it no longer possible for a user to change their own samba password
>>>>>>> from null "NO PASSWORD" using the smbpasswd command?
>>>>>>> --
>>>>>>> Todd Pfaff <pfaff at mcmaster.ca>
>>>>>>> Research & High-Performance Computing Support
>>>>>>> McMaster University, Hamilton, Ontario, Canada
>>>>>>> http://www.rhpcs.mcmaster.ca/~pfaff
>>>>>>> On Thu, 22 Feb 2007, Todd Pfaff wrote:
>>>>>>>> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux
>>>>>>>> systems and we've noticed a change in behaviour of smbpasswd when a
>>>>>>>> non-root user tries to change their password from "NO PASSWORD".
>>>>>>>> Here's an example smbpasswd entry (all one line):
>>>>>>>> testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>>>>>>>> NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
>>>>>>>> The possibly related settings in our smb.conf are:
>>>>>>>> encrypt passwords = yes
>>>>>>>> security = user
>>>>>>>> unix password sync = yes
>>>>>>>> passwd program = /usr/bin/passwd %u
>>>>>>>> passwd chat = *password:* %n\n *password* %n\n *successfully*
>>>>>>>> null passwords = no
>>>>>>>> Since "null passwords = no" a user with "NO PASSWORD" should not be
>>>>>>>> able to login to the samba account. That's working as expected.
>>>>>>>> In past versions of samba, testuser could login to the linux account,
>>>>>>>> run smbpasswd, enter an empty old password, and set a new password.
>>>>>>>> Now when we try this we get this failure:
>>>>>>>> [testuser at localhost ~]$ smbpasswd
>>>>>>>> Old SMB password:
>>>>>>>> New SMB password:
>>>>>>>> Retype new SMB password:
>>>>>>>> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>>>>>>>> Failed to change password for testuser
>>>>>>>> Does anyone know why this failure is happening now?
>>>>>>>> Was the behaviour of smbpasswd changed intentionally?
>>>>>>>> If so, in what samba version did this change happen?
>>>>>>>> Is there an alternative way to achieve the smbpasswd
>>>>>>>> behaviour that we had in the past?
>>>>>>>> Thanks,
>>>>>>>> --
>>>>>>>> Todd Pfaff <pfaff at mcmaster.ca>
>>>>>>>> Research & High-Performance Computing Support
>>>>>>>> McMaster University, Hamilton, Ontario, Canada
>>>>>>>> http://www.rhpcs.mcmaster.ca/~pfaff
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>>
>>> --
>>> Stuart Gall
>>> ----------------------------------------------
>>> All of your mail are belong to us
>>>
>>>
>>>
>>>
>>
>
> --
> Stuart Gall
> ----------------------------------------------
> All of your mail are belong to us
>
>
>
>
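An audit sketch for the smbpasswd entry format quoted in this thread, added here as an example and not taken from any poster or from the Samba project: it lists accounts stored with "NO PASSWORD" or the N flag, so an administrator can see which users are still waiting for an initial SMB password. The sample file is constructed (its first entry mirrors the one in the thread) and the function names are hypothetical.

```python
import re

# Constructed sample in smbpasswd text format. The first entry mirrors the one
# quoted in the thread; the other accounts and hashes are made up for contrast.
SAMPLE = """\
# constructed sample, not a real password file
testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
alice:12346:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-47A9F0B4:
bob:12347:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000:
"""


def parse_entry(line):
    """Split one smbpasswd line into a dict; return None for comments or malformed lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    parts = line.rstrip("\n").split(":")
    if len(parts) < 6:
        return None
    name, uid, lm, nt, flags, lct = parts[:6]
    m = re.fullmatch(r"\[([A-Za-z ]*)\]", flags.strip())
    if not m or not uid.isdigit():
        return None
    # Flag letters used here: N = no password required, D = disabled, U = user account.
    return {"name": name, "uid": int(uid), "lm": lm, "nt": nt,
            "flags": set(m.group(1).replace(" ", "")), "lct": lct}


def null_password_accounts(text):
    """Return (name, enabled) for every account stored without an SMB password."""
    found = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        # Audit rule chosen for this example: either hash field marked
        # "NO PASSWORD", or the N flag set, counts as a null password.
        blank_hash = (entry["lm"].startswith("NO PASSWORD")
                      or entry["nt"].startswith("NO PASSWORD"))
        if blank_hash or "N" in entry["flags"]:
            found.append((entry["name"], "D" not in entry["flags"]))
    return found


if __name__ == "__main__":
    for name, enabled in null_password_accounts(SAMPLE):
        print(f"{name}: no SMB password ({'enabled' if enabled else 'disabled'})")
```
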