[Samba] ntlm_auth not returning "STATUS_OK"

Mark Foley mfoley at novatec-inc.com
Tue Jan 23 22:07:35 UTC 2024 

On Mon Jan 22 11:00:59 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> I have scripts that runs ntlm_auth. Before upgrading my DC to 4.18.9 I would
> get text string output from the ntlm_auth command. For example:
>
> STATUS_NO_SUCH_USER
> NT_STATUS_WRONG_PASSWORD
> STATUS_OK
>
> My script(s) look for these strings. 
>
> Now with the new Samba, the first two strings are output as usual in the case of
> non-existant user and invalid password, respectively, but if the user/pw is OK
> it now returns the string: ":  (0x0)", which, I suppose, is the exit status of
> the ntlm_auth command meaning OK.
>
> Is there an option to change this back to the string "STATUS_OK"? If not, I'll
> change my programs, but I'd rather not do that.

After more investigation, I find that on another system running Samba 4.15.13 and
ntlm_auth version 4.15.13 it continues to print "NT_STATUS_OK: The operation
completed successfully. (0x0)" when 'ntlm_auth --username user --password pw' 
is run. 

So, Samba/ntlm_auth version 4.18.9 changes that to print ": (0x0)".

I have never been in favor of developers changing the behavoir of programs when
"new features" come out, expecially programs that might be used in scripts that
rely on responses.  I think it's naughty when developers do that.  If behavoir
is different from a previous version, then the new version ought to have a
different name or a switch enabling the new/changed feature. 

Since the 4.18.9 ntlm_auth output has an oddly placed colon (:) in the string,
as if some text was supposed to come before that, I'll assume this was an
inadvertant omission and not a deliberate change to the output response of this
program, espcially given that the other responses (full text):

NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)

are unchanged. The Samba developers are certainly too seasoned to do that
deliberately.

Meanwhile, I'll change my programs to look for "(0x0)" as both versions have
that, and maybe I'll just look for the 0x codes for all.

--Mark

More information about the samba mailing list