[Samba] Security = share changed in Samba 3+ ?

Danilo Godec danilo.godec at agenda.si
Wed Jun 17 10:24:30 GMT 2009 

Hi,

I have several servers in separate networks currently running samba
2.2.5. Each server can have aliases and I'm using the %L macro in share
path, so that each appear as a separate 'virtual' server  - depending on
how the client calls it. There is at least one SMB users defined in
'smbpasswd' file.

Here is the current config:

> [global]
>         workgroup = MYGROUP
>         netbios name = server1
>         netbios aliases = server2 server3 server4
>         server string = Linux SMB Server
>         interfaces = eth1
>         bind interfaces only = yes
>         encrypt passwords = Yes
>         password level = 8
>         security = share
>         username level = 8
>         username map = /etc/samba.d/smbusers
>         max log size = 200
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = No
>         log file = /var/log/samba.d/smb.%m
>         log level = 2
>         mangle case = yes
>         preserve case = no
>         short preserve case = no
>         default case = lower
>         oplocks = no
>         level2 oplocks = no
>         strict locking = yes
>         stat cache = no
>         load printers = no
>         local master = no
>
> [myshare]
>         comment = My Virtual Shares
>         browseable = no
>         writeable = yes
>         path = /opt/myshare/vhosts/%L

With this I can use 'smbclient' to connect to '//serverX/myshare' (where
X is 1-4) using the same user (myuser) and I can just 'browse' the share.

I need to upgrade all servers to a newer distro - OpenSuSE 11.1 that
comes with Samba 3.2.7. Because there are some automated procedures
running on clients I need to make sure Samba works pretty much the same
as it does on the current production servers.

I had to change some obvious options in 'smb.conf' - paths (OpenSuSE is
using 'samba' instead 'samba.d'), 'mangle case' is no longer a valid
option and I had to add 'client lanman auth = yes' option.

However, that alone is not enough - whenever I use 'smblcient', I get an
error:

> # smbclient //server1/myshare -U myuser
> Enter myuser's password:
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.2.7-11.2.1-2080-SUSE-CODE11]
> Server not using user level security and no password supplied.
> tree connect failed: NT_STATUS_WRONG_PASSWORD

I checked the obvious stuff - the username is OK, it exists in both
/etc/passwd and /etc/samba/smbpasswd and the path for the share also exists.

I then tried adding some options, but these didn't help:

>         passdb backend = smbpasswd
>         lanman auth = yes
>         ntlm auth = yes
>         smb encrypt = no
>
>         client lanman auth = yes
>         client plaintext auth = yes
>

The log shows this:

> ==> smb.172.16.0.123 <==
> [2009/06/17 12:19:37,  2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password:  Authentication for user [myuser] -> [myuser]
> FAILED with error NT_STATUS_WRONG_PASSWORD
> [2009/06/17 12:19:37,  2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password:  Authentication for user [myuser] -> [myuser]
> FAILED with error NT_STATUS_WRONG_PASSWORD
> [2009/06/17 12:19:37,  2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password:  Authentication for user [myuser] -> [myuser]
> FAILED with error NT_STATUS_WRONG_PASSWORD
> [2009/06/17 12:19:37,  2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password:  Authentication for user [myuser] -> [myuser]
> FAILED with error NT_STATUS_WRONG_PASSWORD
> [2009/06/17 12:19:37,  2] auth/auth.c:check_ntlm_password(318)
>   Invalid username/password for [myshare]

Did 'security = share' change from Samba 2 to Samba 3?

What do I need to change to make Samba 3 behave like Samba 2 did - with
'security = share'?

 Thanks, Danilo

More information about the samba mailing list