Help with Interpretation

Matthias Wächter matthias at waechter.wol.at
Mon Jul 26 05:48:57 GMT 1999


On Mon, 26 Jul 1999, Hendrik den Hartog wrote:

>  (Password change works without 'unix password sync')

Of course, Samba does no lexical checking of your password.

>  We need the sync because some Client machines (Acorn RiscPCs)
>  can't use encrypted PWs.

?? /etc/passwd is also encrypted, just in another way. If they send plain
text passwords you can always validate against the smbpasswd, too. Using
pam_smb I think you can also drop any password storing in /etc/passwd or
/etc/shadow.

Your problem is not the password sync itself, your problem is either the
underlying UNIX or yourself using a really _easy-to-guess_ password. :-)

>  [1999/07/26 13:36:50, 3] smbd/chgpasswd.c:chgpasswd(394)
>   Password change for user: testpupil
> [1999/07/26 13:36:50, 3] smbd/chgpasswd.c:findpty(89)
>   pty: try to open ptya0, line was /dev/ptyXX
> [1999/07/26 13:36:50, 3] smbd/chgpasswd.c:findpty(93)
>   pty: opened /dev/ptya0
> [1999/07/26 13:36:50, 3] smbd/chgpasswd.c:chat_with_program(369)
>   Dochild for user testpupil (uid=0,gid=0)
> [1999/07/26 13:36:50, 10] smbd/chgpasswd.c:dochild(189)
>   Invoking '/usr/bin/passwd testpupil' as password change program.
> [1999/07/26 13:36:51, 100] smbd/chgpasswd.c:talktochild(263)
>   talktochild: chatbuf=[*New*UNIX*password*] responsebuf=[New UNIX 
>   password: ]
> [1999/07/26 13:36:51, 100] smbd/chgpasswd.c:talktochild(276)
>   talktochild: sendbuf=[test123
>   ]

Well... that password breaks your UNIX passwd program. Try it on the
command line (as non-root): you will receive the same message:

> [1999/07/26 13:36:51, 100] smbd/chgpasswd.c:talktochild(263)
>   talktochild: chatbuf=[*ReType*new*UNIX*password*] responsebuf=[
>   BAD PASSWORD: it is based on a dictionary word
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   Retype new UNIX password: ]

That's what's written here...

> [1999/07/26 13:36:51, 100] smbd/chgpasswd.c:talktochild(276)
>   talktochild: sendbuf=[test123
>   ]
> [1999/07/26 13:36:55, 100] smbd/chgpasswd.c:talktochild(263)
>   talktochild: chatbuf=[*passwd:*all*authentication*tokens*updated*
>   successfully*] responsebuf=[]

Interestingly, there is no response? Hmmm... maybe you didn't specify the
correct password chat for your system?

> [1999/07/26 13:36:55, 3] smbd/chgpasswd.c:talktochild(266)
>   response 3 incorrect

In fact, response 2 should have already been incorrect (from my point of
view), in case of "BAD PASSWORD:" samba should stop sending passwords to
the passwd program immediately. This is accomplished by not specifying
_any_ "*" in your password chat script (at least after the first
chatbuf) as long as the response isn't really random.

My chat script looks as follows:

passwd chat = *New\spassword: %n\n \nRe-enter\snew\spassword: %n\n \nPassword\schanged.\n

\s is a replacement for " ", because " " is the separator for
chatbuf/sendbuf. It may look uglier than the starred default, but it only
accepts what I really receive from passwd in case of success in each
step.

Well, anyhow: Use a "better" password (from /bin/passwd's point of view)
and try again.

Sehr Wus,
- Matthias

-- 
Existence is colorful and awesome. And: full throttle, dudes!
                         from: "Bill und Teds verrückte Reise durch die Zeit"
-----------------------------------------------------------------------------
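
Added example (not part of the original message, and not Samba's code): a simplified model of the expect matching, run over transcripts constructed from the log and the chat script above, showing why the starred chat only fails at response 3 while the strict chat fails at response 2. Assumptions: matching is a case-insensitive glob with surrounding spaces trimmed, and all function and variable names are hypothetical.

```python
import fnmatch

# Starred chat reconstructed from the chatbuf values in the quoted log.
WILDCARD_CHAT = (r"*New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n "
                 r"*passwd:*all*authentication*tokens*updated*successfully*")
# Strict chat exactly as given in the message.
STRICT_CHAT = (r"*New\spassword: %n\n \nRe-enter\snew\spassword: %n\n "
               r"\nPassword\schanged.\n")

ESCAPES = {r"\s": " ", r"\n": "\n", r"\r": "\r", r"\t": "\t"}

def expects(chat):
    """Return the expect strings (every other token) with escapes expanded."""
    out = []
    for token in chat.split()[0::2]:
        for esc, char in ESCAPES.items():
            token = token.replace(esc, char)
        out.append(token)
    return out

def matches(expected, response):
    # Assumed model: glob match, case-insensitive, surrounding spaces trimmed.
    return fnmatch.fnmatchcase(response.strip(" ").lower(), expected.lower())

def first_incorrect(chat, responses):
    """1-based index of the first response failing its expect string, 0 if none."""
    for step, (expected, response) in enumerate(zip(expects(chat), responses), 1):
        if not matches(expected, response):
            return step
    return 0

# Constructed transcripts. LOGGED follows the responsebuf values in the quoted log;
# the other two use the prompt wording implied by the strict chat script.
REJECTION = "\nBAD PASSWORD: it is based on a dictionary word\n"
LOGGED = ["New UNIX password: ", REJECTION + "Retype new UNIX password: ", ""]
STRICT_OK = ["New password: ", "\nRe-enter new password: ", "\nPassword changed.\n"]
STRICT_REJECTED = ["New password: ", REJECTION + "Re-enter new password: ", ""]

if __name__ == "__main__":
    # Starred chat: the rejection is swallowed by "*", failure shows up at step 3.
    print("wildcard chat, logged run:", first_incorrect(WILDCARD_CHAT, LOGGED))
    # Strict chat: success passes, a rejection is caught at step 2.
    print("strict chat, success:", first_incorrect(STRICT_CHAT, STRICT_OK))
    print("strict chat, rejection:", first_incorrect(STRICT_CHAT, STRICT_REJECTED))
```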



More information about the samba-ntdom mailing list