[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client

Tygre tygre.chingu at gmail.com
Mon May 13 02:15:14 UTC 2024 

	Hi Andrew and thank you for your advice, it pointed at the right direction.

	I was in a catch-22, to use rumba (the NeXT Samba client), I needed non-encrypted passwords, but to use smbfs (the Amiga Samba client), I needed encrypted passwords (as with my other Windows computers, anyway).

	So the "next best thing", is to configure my Samba server with "map to guest" and allow "guests" on certain shares.

	Best!
	Tygre


PS. For the record, my smb.conf looks like:

[global]
    # Definition of the server
    server role  = standalone server
    workgroup    = GIB
    dos charset  = CP850
    unix charset = UTF-8

    # Security settings of the server
    # For Amiga SMBFS clients:
    ntlm auth     = ntlmv1-permitted
    # For NeXT Station client:
    # (In short, the authentication with "rumba" always fails,
    # the "bad user" is logged in as "smbuser" to access shares.
    map to guest  = bad user
    guest account = smbuser

[Music]
    path           = /media/WWW/Music
    writeable      = yes
    create mask    = 0777
    directory mask = 0777

[MusicRO]
    # Needed for the NeXT Station
    guest ok       = yes
    writeable      = no
    path           = /media/WWW/Music

On 2024-03-10 16:29, Andrew Bartlett wrote:
> The logs below still look like Samba is configured for encrypted passwords.
> 
> As to your other mail, please, please use a more recent version than Samba 4.9
> 
> Andrew Bartlett
> 
> On Sat, 2024-03-09 at 15:37 -0500, Tygre via samba wrote:
>> 	Hi there,
>>
>> 	Sorry to come back to that, I tried to follow the code at
>> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
>>  <https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214>
>>   (and below) but I still can't understand why one Samba client can connect, but the other can't.
>>
>> 	I can't understand why, with one client, the code would go into "check_samsec.c:183" (and return "sam_account_ok") while, with the other client, the code would go immediately into "auth.c:251" (and fail to login).
>>
>> 	Could you help me understand, which could maybe give me an idea on configuring Samba for both client to work?
>>
>> 	Thanks in advance,
>> 	Yann
>>
>> PS. I'm running
>>
>> *** CAN CONNECT:
>>
>> [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>>     auth_check_ntlm_password: anonymous had nothing to say
>> [2024/03/09 15:16:09.383493,  4, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok)
>>     sam_account_ok: Checking SMB password for user smbuser
>> [2024/03/09 15:16:09.386622,  5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok)
>>     logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar  9 20:16:09 2024
>>     )
>> [2024/03/09 15:16:09.393510,  5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam)
>>     make_server_info_sam: made server info for user smbuser -> smbuser
>> [2024/03/09 15:16:09.397225,  3, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password)
>>     auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] succeeded
>>
>> *** CANNOT CONNECT:
>>
>> [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>>     auth_check_ntlm_password: anonymous had nothing to say
>> [2024/03/09 15:16:15.187847,  5, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>>     auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>>
>> On 2024-03-04 20:24, Andrew Bartlett wrote:
>>> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
>>>> 	Hi there,
>>>>
>>>> 	I have looked for a solution to my problem on the Internet (and in particular this mailing list), but couldn't find one, probably due to searching for the wrong thing :-)
>>>>
>>>> 	I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" shows that the user "smbuser" exists. I used "smbpassword" to set the password of "smbuser". I also have several "old" computers that I want to connect to this RPI using Samba. I managed to get an Amiga connected to the Samba server, by adding the directive "ntlm auth = yes" to "smb.conf".
>>>>
>>>> 	But, I cannot get a NeXTstation to connect to the server. It seems to me that, because the client on the NeXTstation only deals with unencrypted passwords, the server is unable to verify the username/password. I tried using the directive "encrypt passwords = no", but then neither the Amiga nor the NeXTstation can connect, with the error: "FAILED with error NT_STATUS_LOGON_FAILURE".
>>>>
>>>> 	I don't understand why, by forcing unencrypted passwords, the server cannot find the username/password (anymore). I must be missing to allow the Samba server to work with unencrypted password. Could anyone help?
>>>>
>>>> 	Thanks in advance!
>>>> 	Tygre
>>>>
>>>> PS. I do know that unencrypted passwords are unsecure and a bad idea but, right now, I'd like both my Amiga and NeXTstation to connect, before "hardening" the server.
>>>> PPS. I join my "smb.conf", working with the Amiga (not the NeXTstation) and the log when trying to connect from the NeXTstation.
>>>
>>> You would be best to just use guest access and IP restrictions, but if you want a password it will be checking it against PAM, not the smbpasswd file.
>>>
>>>
>>> Andrew Bartlett
>>>
>>>
>>> -- 
>>>
>>> Andrew Bartlett (he/him)
>>> https://samba.org/~abartlet/
>>>  <https://samba.org/~abartlet/>
>>>   <
>>> https://samba.org/~abartlet/
>>>  <https://samba.org/~abartlet/>
>>> >
>>> Samba Team Member (since 2001)
>>> https://samba.org
>>>  <https://samba.org>
>>>   <
>>> https://samba.org
>>>  <https://samba.org>
>>> >
>>> Samba Team Lead
>>> https://catalyst.net.nz/services/samba
>>>  <https://catalyst.net.nz/services/samba>
>>>   <
>>> https://catalyst.net.nz/services/samba
>>>  <https://catalyst.net.nz/services/samba>
>>> >
>>> Catalyst.Net Ltd
>>>
>>> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
>>>
>>> Samba Development and Support:
>>> https://catalyst.net.nz/services/samba
>>>  <https://catalyst.net.nz/services/samba>
>>>   <
>>> https://catalyst.net.nz/services/samba
>>>  <https://catalyst.net.nz/services/samba>
>>> >
>>>
>>> Catalyst IT - Expert Open Source Solutions
>>>
>>>
>>
>> -- 
>> -----------------------------------------
>>        Scientific Progress Goes Boing!
>>          
>> http://www.chingu.asia/wiki
>>  <http://www.chingu.asia/wiki>
>>
>> -----------------------------------------
>>
>>
> -- 
> 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/ <https://samba.org/~abartlet/>
> Samba Team Member (since 2001) https://samba.org <https://samba.org>
> Samba Team Lead https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba>
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
> 
> Samba Development and Support: https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba>
> 
> Catalyst IT - Expert Open Source Solutions
> 
> 

-- 
-----------------------------------------
      Scientific Progress Goes Boing!
        http://www.chingu.asia/wiki
-----------------------------------------

More information about the samba mailing list