Possible bug changing smb password from Win98

Shirish Kalele kalele at veritas.com
Wed Dec 29 22:21:03 GMT 1999


Hi,

I think I might have found a possible bug in the SetUserPassword Remote API
code in Samba 2.0.6. I'm working with Windows 98, without domains and
without unix password sync in Samba 2.0.6 (encrypt passwords and user level
security set in smb.conf) on a Solaris 7 platform. What I'm testing is
changing a user's SMB password on the samba server from Win98 using the net
pass command. This works when changing a user password on an NT server but
not with samba. Has anyone else tried this successfully?

I traced the problem to the api_SetUserPassword function in smbd/ipc.c.
Win98 (even with password encryption set), sends the username, old and new
passwords in cleartext for the SetUserPassword call over the LANMAN pipe. So
what should happen is that the old password sent is hashed and tested
against the smbpasswd file entry for the user and then new NT and LM hashes
should be generated for the entry from the new password sent again in
cleartext.

However, from the code, it appears that first if the old plaintext password
is verified, the new password is set using the unix passwd program (no
modification to smbpasswd!?) Otherwise, it is assumed that the old password
in the remote API call is the LM hash of the password encrypted with the
key. And the code tries to check this and of course, fails because the
username, old and new passwords are all sent in plaintext.

Shirish





