[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client

Andrew Bartlett abartlet at samba.org
Sun Mar 10 20:29:02 UTC 2024 

The logs below still look like Samba is configured for encrypted
passwords.
As to your other mail, please, please use a more recent version than
Samba 4.9
Andrew Bartlett
On Sat, 2024-03-09 at 15:37 -0500, Tygre via samba wrote:
> 	Hi there,
> 	Sorry to come back to that, I tried to follow the code at 
> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
> (and below) but I still can't understand why one Samba client can
> connect, but the other can't.
> 	I can't understand why, with one client, the code would go into
> "check_samsec.c:183" (and return "sam_account_ok") while, with the
> other client, the code would go immediately into "auth.c:251" (and
> fail to login).
> 	Could you help me understand, which could maybe give me an idea
> on configuring Samba for both client to work?
> 	Thanks in advance,	Yann
> PS. I'm running
> *** CAN CONNECT:
> [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0,
> 0), class=auth]
> ../source3/auth/auth.c:237(auth_check_ntlm_password)   auth_check_ntl
> m_password: anonymous had nothing to say[2024/03/09
> 15:16:09.383493,  4, pid=5930, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/check_samsec.c:183(sam_account_ok)   sam_account_ok:
> Checking SMB password for user smbuser[2024/03/09
> 15:16:09.386622,  5, pid=5930, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/check_samsec.c:165(logon_hours_ok)   logon_hours_ok:
> user smbuser allowed to logon at this time (Sat Mar  9 20:16:09
> 2024   )[2024/03/09 15:16:09.393510,  5, pid=5930, effective(0, 0),
> real(0, 0), class=auth]
> ../source3/auth/server_info_sam.c:122(make_server_info_sam)   make_se
> rver_info_sam: made server info for user smbuser ->
> smbuser[2024/03/09 15:16:09.397225,  3, pid=5930, effective(0, 0),
> real(0, 0), class=auth]
> ../source3/auth/auth.c:256(auth_check_ntlm_password)   auth_check_ntl
> m_password: sam_ignoredomain authentication for user [SMBUSER]
> succeeded
> *** CANNOT CONNECT:
> [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0,
> 0), class=auth]
> ../source3/auth/auth.c:237(auth_check_ntlm_password)   auth_check_ntl
> m_password: anonymous had nothing to say[2024/03/09
> 15:16:15.187847,  5, pid=5931, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/auth.c:251(auth_check_ntlm_password)   auth_check_ntl
> m_password: sam_ignoredomain authentication for user [SMBUSER] FAILED
> with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> On 2024-03-04 20:24, Andrew Bartlett wrote:
> > On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
> > > 	Hi there,
> > > 	I have looked for a solution to my problem on the Internet (and
> > > in particular this mailing list), but couldn't find one, probably
> > > due to searching for the wrong thing :-)
> > > 	I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L"
> > > shows that the user "smbuser" exists. I used "smbpassword" to set
> > > the password of "smbuser". I also have several "old" computers
> > > that I want to connect to this RPI using Samba. I managed to get
> > > an Amiga connected to the Samba server, by adding the directive
> > > "ntlm auth = yes" to "smb.conf".
> > > 	But, I cannot get a NeXTstation to connect to the server. It
> > > seems to me that, because the client on the NeXTstation only
> > > deals with unencrypted passwords, the server is unable to verify
> > > the username/password. I tried using the directive "encrypt
> > > passwords = no", but then neither the Amiga nor the NeXTstation
> > > can connect, with the error: "FAILED with error
> > > NT_STATUS_LOGON_FAILURE".
> > > 	I don't understand why, by forcing unencrypted passwords, the
> > > server cannot find the username/password (anymore). I must be
> > > missing to allow the Samba server to work with unencrypted
> > > password. Could anyone help?
> > > 	Thanks in advance!	Tygre
> > > PS. I do know that unencrypted passwords are unsecure and a bad
> > > idea but, right now, I'd like both my Amiga and NeXTstation to
> > > connect, before "hardening" the server.PPS. I join my "smb.conf",
> > > working with the Amiga (not the NeXTstation) and the log when
> > > trying to connect from the NeXTstation.
> > 
> > You would be best to just use guest access and IP restrictions, but
> > if you want a password it will be checking it against PAM, not the
> > smbpasswd file.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/ <
> > https://samba.org/~abartlet/>Samba Team Member (since 2001) 
> > https://samba.org <https://samba.org>Samba Team Lead 
> > https://catalyst.net.nz/services/samba <
> > https://catalyst.net.nz/services/samba>Catalyst.Net Ltd
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> > Samba Development and Support: 
> > https://catalyst.net.nz/services/samba <
> > https://catalyst.net.nz/services/samba>
> > Catalyst IT - Expert Open Source Solutions
> > 
> 
> -- -----------------------------------------      Scientific Progress
> Goes Boing!        http://www.chingu.asia/wiki
> -----------------------------------------
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list