Retry: smbclient 3.0 broken WRT null password and security mode 0x03

David Wuertele dave-gnus at
Wed Dec 24 19:06:23 GMT 2003

V3.0 of smbclient and smbmount don't work with null passwords on some
servers.  The clients work with windows servers that have null
password, but they don't work against Mac OS X 10.3 servers, and they
don't work against linux servers that have the following in their

  security = user
  encrypt passwords = yes
  null passwords = yes

This configuration results in the server requiring security mode 0x03.
On the linux server, if I change the 'encrypt passwords' to '= no',
smbclient-3.0 works fine.  The problem is that I have the exact same
problem on hosts over which I have no control of the smb.conf file,
for example Mac OS X 10.3.

V2.2.8a of smbclient and smbmount work fine against servers using
security mode 0x03.  I've looked at the packets on the wire, and found
that smbclient-3.0 never sends the encrypted null password.  Here's
the command I ran:

  smbclient //g4-box-1/dood  -I -U dood

Here are the differences I saw between 2.2.8a and 3.0:

1.  client sends "Extended Security Negotiation: Extended security
    negotiation is supported" on 3.0, but not on 2.2.8a

2.  2.2.8a client sends ANSI Password, Unicode Password, and
    uppercased-account name.  Meanwhile, 3.0 client doesn't send
    either passwords, and sends a lowercased-account name.  I think
    this is actually the key here.

3.  the "primary domain" sent by 2.2.8a is the client's default
    domain, while the "primary domain" sent by 3.0 is the domain of
    the share being accessed

4.  2.2.8a sends "SMB Command: Session Setup AndX (0x73)" and gets
        response "NT Status: STATUS_SUCCESS (0x00000000)"
    3.0 sends same command and gets response
           "NT Status: STATUS_LOGON_FAILURE (0xc000006d)"

I'm attaching the two decoded frames that I think are the culprit
(i.e., missing encrypted null password).  Here's a snippet from these
decoded frames:

  samba-2.2.8a sending encrypted null password:

<        Byte Count (BCC): 69
<        ANSI Password: 4C0154EFEF076CCBAE3A6256E351DF5A...
<        Unicode Password: B30B73818904C5A7111948521702F985...
<        Account: DOOD
<        Primary Domain: ABCD

  samba-3.0 sending no password:

>        Byte Count (BCC): 26
>        Account: dood
>        Primary Domain: WORKGROUP

What can I do on the CLIENT side to make smbclient-3.0 send the
encrypted null password?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.2.8a.password-frame
Type: application/octet-stream
Size: 6337 bytes
Desc: not available
Url :
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.0.nopassword-frame
Type: application/octet-stream
Size: 6209 bytes
Desc: not available
Url :

More information about the samba-technical mailing list