smbpasswd remote password change problem (& fix?)

Murray Jensen Murray.Jensen at cmst.csiro.au
Wed May 17 15:30:59 GMT 2000


Hi, I was having a problem with Samba-2.0.7 (on Solaris 2.5.1 sparc)
where smbpasswd would not change the password when run by a normal user.
I determined that this was because it had to do a remote password
change, whereas when run by root, the password was changed directly
in the smbpasswd database (I happen to be using nisplus, but I don't
think that is relevant).

The error returned was "the specified password is invalid" or something
to that effect. The logs from smbd showed the error was
"incorrect password length (n)" where n was some ridiculously huge number,
sometimes negative.

Following the code through it appears that the server required that a
length field be encoded in the four bytes (?) starting at offset 512
in the lmdata array. The smbpasswd program, when it calls the library
routines to make the remote password change client RPC, ends up calling the
SamOEMhash function on the data. This function runs some sort of hashing
scheme over the data, rewriting it as it does. This is then transmitted
to the server. But this function hashes all 516 bytes (which includes
the 4 byte length value at offset 512). The server appeared to use the
hashed bytes at offset 512 without un-hashing them, and hence got a crap
value.

When I made SamOEMhash() hash only 512 bytes, by changing the code like so:

--- libsmb/smbdes.c-dist        Thu Nov 12 15:17:54 1998
+++ libsmb/smbdes.c     Thu May 18 00:23:33 2000
@@ -381,7 +381,7 @@
      s_box[ind] = s_box[j];
      s_box[j] = tc;
   }
-  for( ind = 0; ind < (val ? 516 : 16); ind++)
+  for( ind = 0; ind < (val ? 512 : 16); ind++)
   {
     unsigned char tc;
     unsigned char t;
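Review bot: changing the literal in `for( ind = 0; ind < (val ? 512 : 16); ind++)` alters the number of bytes this pass covers for every caller that passes a nonzero `val`, not only the smbpasswd remote-change path, and because `libsmb/smbdes.c` is shared library source, rebuilding both smbd and smbpasswd from this tree changes both ends of the exchange at once. That is the most likely reason the change appears to work: both sides now stop at byte 512 and the 4-byte length field at offset 512 travels through unhashed, so the server reads it correctly. Against a peer built without this change, which still hashes all 516 bytes, the length field would again be misread, so this is an interoperability regression rather than a fix. The reported symptom ("incorrect password length (n)" with a huge or negative n) points at the server's decode path reading the length before applying the same pass over the full 516 bytes; that is where the check belongs. If a length constant does need to change, replace the bare `516` and `512` literals with a named constant and a comment stating the buffer layout, so the coupling between client and server is visible in the code.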

password changing began to work.

Now, I know next to nothing about the internals of samba (and I don't
want to know - I know more about Microsoft networking than I can stomach
already :-). I have no idea of the implications of making this change
on other code that might use this function. All I know is that this change
makes remote password changing via smbpasswd, to a samba server, work (as is
the case when a non-root user runs smbpasswd).

Because of this, I haven't submitted this as a patch, but if someone who
does know about this stuff could look at this change and figure out why it
works and then maybe submit a better patch, it would be appreciated.
(until then I will run with this change and see what happens :-)

Cheers!
								Murray...
--
Murray Jensen, CSIRO Manufacturing Sci & Tech,         Phone: +61 3 9662 7763
Locked Bag No. 9, Preston, Vic, 3072, Australia.         Fax: +61 3 9662 7853
Internet: Murray.Jensen at cmst.csiro.au  (old address was mjj at mlb.dmt.csiro.au)
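The mechanism described in the post, as an added example that is not part of the original message or of Samba's code: a toy model of the 516-byte password-change buffer, with the password right-aligned in the first 512 bytes and a 4-byte little-endian length at offset 512, run through an RC4 pass keyed with 16 bytes (Samba's SamOEMhash is an RC4 pass; the RC4 here is my own reimplementation, and the zero fill of the unused area is a constructed simplification where a real client uses random bytes). It shows that the receiver recovers the length only when it applies the same pass over the same number of bytes the sender did, and that either side stopping at 512 while the other covers 516 produces exactly the garbage length the post reports.

```python
"""Toy model of the 516-byte password-change buffer and a SamOEMhash-style pass.

Assumptions (not taken from the post): RC4 keyed with 16 bytes, password
right-aligned in a 512-byte area, 4-byte little-endian length at offset 512,
zero padding instead of the random fill a real client would use.
"""
import struct

BUF_LEN = 516   # total buffer hashed by an unmodified SamOEMhash (val != 0)
PW_AREA = 512   # bytes available for the password itself
LEN_OFF = 512   # where the 4-byte length field lives


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR with the keystream. Symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_buffer(new_password: bytes) -> bytes:
    """Lay out the 516-byte buffer: padding, password, then its length."""
    if len(new_password) > PW_AREA:
        raise ValueError("password too long for the 512-byte area")
    pad = b"\x00" * (PW_AREA - len(new_password))  # constructed: real clients randomise this
    return pad + new_password + struct.pack("<I", len(new_password))


def sam_oem_hash(key: bytes, buf: bytes, nbytes: int) -> bytes:
    """Apply the RC4 pass to the first nbytes of buf and leave the rest untouched.

    nbytes=516 models the unmodified loop bound, nbytes=512 models the
    post's change. Applying the same call twice restores the input.
    """
    return rc4(key, buf[:nbytes]) + buf[nbytes:]


def read_length(buf: bytes) -> int:
    """Read the 32-bit little-endian length field at offset 512."""
    return struct.unpack_from("<I", buf, LEN_OFF)[0]


def client_encode(key: bytes, new_password: bytes, nbytes: int) -> bytes:
    """What goes on the wire: the laid-out buffer after the pass over nbytes."""
    return sam_oem_hash(key, build_buffer(new_password), nbytes)


def server_decode(key: bytes, wire: bytes, nbytes: int):
    """Server side: run the same pass over nbytes, then trust the length field.

    Returns the recovered password, or None when the length is out of range
    (the post's "incorrect password length (n)" with an absurd n).
    """
    plain = sam_oem_hash(key, wire, nbytes)
    n = read_length(plain)
    if n > PW_AREA:
        return None
    return plain[PW_AREA - n:PW_AREA]


if __name__ == "__main__":
    key = bytes(range(16))          # constructed 16-byte key
    wire = client_encode(key, b"s3cret", BUF_LEN)
    print("both sides 516:", server_decode(key, wire, BUF_LEN))
    print("client 516, server reads length after only 512:",
          read_length(sam_oem_hash(key, wire, PW_AREA)))
```

Running the block prints the recovered password for the matched case and a large or wrapped length for the mismatched one; the point is that the loop bound is a protocol parameter shared by both ends, so a change to it has to be made (and kept) on both, which is why it must not be changed in a shared routine to fix one side.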

