[Samba] Login Attempt Resets Password in smbpasswd
TAKAHASHI Motonobu
monyo at monyo.com
Fri May 4 10:57:50 MDT 2012
From: Andrew Martin <amartin at xes-inc.com>
Date: Wed, 02 May 2012 13:23:47 -0500 (CDT)
> I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy
> support, I am using a smbpasswd file (chmod 600) instead of the
> newer tdbsam database.
(snip)
> Samba is not a PDC, however the Windows accounts on client machines
> have the same credentials as are stored in smbpasswd, so the share
> is automatically authenticated. I have observed that if a user is
> required to enter their password, e.g. their Windows password is not
> the same as in smbpasswd, then their password in smbpasswd gets
> reset. For example, before attempting to connect, user1's entry in
> smbpasswd looks like this (password hashes randomized in example
> below):
>
> user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
>
> After the user attempts to connect, and enters the wrong credentials,
> user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
>
> Thus if the user then tries a second time with the correct password,
> they are unable to login. If the correct password is supplied the
> first time, then no change is made to smbpasswd. Sometimes the
> password gets changed to XXXXX... even after a successful
> login. When this error occurs, nothing is logged in /var/log or
> /var/log/samba. An strace of the parent smbd process reveals only
> the following:
>
(snip)
>
> Do you have any ideas on why the smbpasswd file is being changed,
> and how to correct this behavior so the smbpasswd file is not
> changed?
This behavior (changing the former password string to XXXXX...)
is expected unless you explicitly enable "lanman auth = yes".
In smb.conf(5):
-----
When this parameter is set to no this will also result in
sambaLMPassword in Samba's passdb being blanked after the next
password change. As a result of that lanman clients won't be able
to authenticate, even if lanman auth is reenabled later on.
-----
The former part, the LANMAN hash, is no longer used unless you
connect to Samba from Windows 9x.
> Thus if the user then tries a second time with the correct password,
> they are unable to login.
As far as I have examined, users can log in...
Could you try rebooting the client and connecting to the Samba
server after changing the password string to XXXXX...?
The reason I say "reboot" is that it is the easiest way to clear the
authentication cache. Basically, a "reboot" is not required.
---
TAKAHASHI Motonobu <monyo at monyo.com>
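
The smbpasswd state discussed in this thread can be checked with a small script. This is an added example, not part of the original messages and not Samba code: it parses entries in the `user:uid:LM:NT:[flags]:LCT-hex:` layout quoted above and reports whether the LANMAN field still holds a hash or has been blanked while the NT hash remains. The function names and finding strings are made up for this illustration.

```python
import re
from typing import List, Optional, Tuple

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def hash_state(field: str) -> str:
    """Classify one smbpasswd hash field."""
    field = field.strip()  # the lines quoted in the thread have spaces around the hashes
    if HEX32.fullmatch(field):
        return "hash"
    if field == "X" * 32:
        return "blank"
    if field.startswith("NO PASSWORD"):
        return "no-password"
    return "invalid"

def parse_entry(line: str) -> Optional[dict]:
    """Parse user:uid:LM:NT:[flags]:LCT-hex: ; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 6:
        raise ValueError(f"not an smbpasswd entry: {line!r}")
    user, uid, lm, nt, flags, lct = (p.strip() for p in parts[:6])
    return {
        "user": user, "uid": int(uid),
        "lm": hash_state(lm), "nt": hash_state(nt),
        "flags": flags.strip("[] "),
        # LCT is the last-change time, hex seconds since the Unix epoch
        "lct": int(lct[4:], 16) if lct.startswith("LCT-") else None,
    }

def audit(text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) for every entry in the given smbpasswd text."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["nt"] != "hash":
            findings.append((entry["user"], "no usable NT hash"))
        elif entry["lm"] == "hash":
            findings.append((entry["user"], "LM hash still stored"))
        else:
            findings.append((entry["user"], "LM blanked, NT hash present"))
    return findings

# Entries as quoted in the thread (the poster randomized the hashes).
BEFORE = "user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:"
AFTER = "user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:"
```

Running `audit()` over a copy of the real file lists which accounts still carry a LANMAN hash and which are already in the blanked state the reply describes as expected.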