FW: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Mon Mar 31 21:36:12 GMT 2003 

Sorry, forgot to cc the list...
Jerry, you made some comments around the code I modified, maybe you
could take a look at this and comment??
Don
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) 
Sent: Monday, March 31, 2003 16:30
To: 'tony shepherd'; MCCALL,DON (HP-USA,ex1);
'samba-technical at lists.samba.org'
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
aut h fails


Hi Tony,
Problem appears to be a result of your having 
null passwords = no
map to guest = bad user
AND 
encrypt passwords = no


What appears to be happening is that reply.c only checks the smbpasswd file
to see if you have a 'bad user', and with encrypt passwords = NO, you won't
have an smbpasswd file, and it never goes to check the /etc/passwd or nis
store, etc, for this map to guest=bad user case.
Since it's ALREADY failed password_ok, what it's doing at this time is
trying to decide if it has the 'bad password' or the 'bad user' case, since
the return from password_ok doesn't differentiate.  Since it never finds the
username in smbpasswd (since that doesn't exist), it assumes that the
problem is NOT a bad password, but a bad USER, and goes off to try to use
guest.
in your log file, this actually works, your sessionsetup&x succeeds, but you
are mapped to the guest user. ( Registered username ts74081 for guest
access)  Later on, the actual share (home share for ts7481 I am assuming)
tconX fails because the guest account has a null password, and you didn't
specify guest ok for homes.
For reasons completely unknown to me, win2k is NOT ever sending the password
you type in UNTIL
you try a different user, which generates an SMBulogoff() request, so the
next negotprot,sesssetupX sequence starts, and THEN the win2k client sends
the appropriate password,
and you get authenticated appropriately (instead of being mapped to
guest...)
My guess is that the original attempt to connect to the share used your
current username with a null password, which set up the vc, and from then
on, all the sessionsetups are on that vc, no more negot.prot's are made,
until an SMBulogoff is done.  Since win2k was successful in it's initial
attempt at sessionsetup&X with a null password (because you got mapped to
guest as a bad user), it won't send a real password, even though it's ASKING
FOR ONE, until you force an SMBulogoff, and a complete resetup of the vc,
etc... (which is what using another username does)
Win2k REALLY doesn't like using cleartext passwords, apparently (grin).

I can make this problem go away by changing reply.c so that it checks the
/etc/passwd/nis store for a user instead of smbpasswd when encrypted
passwords = no; my diffs are listed below if you want to try it.

I'm copying the samba_technical list in hopes that someone smarter than I
(practically everyone) will know more about what's going on and do an
appropriate fix for this.  This diff is on a 2.2.8 code base.

# diff reply.c reply.original.c
1028c1028
<         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER &&
lp_encrypted_pass
words())
---
>         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
1054,1062d1053
< /* add mccall */
<         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER &&
!lp_encrypted_pas
swords() && sys_getpwnam(user))
<         {
< /*          delete_nt_token(&ptok); */
<           DEBUG(1,("Rejecting user '%s': authentication failed\n", user));
<                 END_PROFILE(SMBsesssetupX);
<           return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);
<         }
< /* end add mccall */
> -----Original Message-----
> From: tony shepherd [mailto:tony.shepherd at sun.com]
> Sent: Sunday, March 30, 2003 22:49
> To: MCCALL,DON (HP-USA,ex1)
> Cc: tony.shepherd
> Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
> aut h fails
> 
> 
> 
> 
> Hi Don
> 
> attached are the files requested.  Thanks for looking at this for me. 
> Solaris must be tweaking something that is not showing up 
> under other OS's.
> 
> 
> 
> tony
> 
> --On Friday, March 28, 2003 06:13:14 AM -0800 "MCCALL,DON 
> (HP-USA,ex1)" 
> <don_mccall at hp.com> wrote:
> 
> > Hi Tony,
> > Can't make it happen here on my HP-UX system, and I don't 
> have a Solaris
> > system to test on.  But if you want to get me a log level 
> 10 debug of
> > the issue, and the output of testparm, I'll see if I can 
> spot anything.
> > Send the log and testparm off list, and compressed, ok?
> >
> > Don
> >
> >> -----Original Message-----
> >> From: tony shepherd [mailto:tony.shepherd at sun.com]
> >> Sent: Thursday, March 27, 2003 23:31
> >> To: MCCALL,DON (HP-USA,ex1); samba-technical at samba.org
> >> Subject: RE: encrypt passwords=no, security=yes, samba 
> 2.2.8, W2K user
> >> aut h fails
> >>
> >>
> >>
> >>
> >> --On Thursday, March 27, 2003 10:06:08 AM -0500 "MCCALL,DON
> >> (HP-USA,ex1)"
> >> <don_mccall at hp.com> wrote:
> >>
> >> > Hi tony,
> >> > based on your log file, it sure does APPEAR that you have
> >> NOT turned off
> >> > encrypted passwords,
> >> > as samba is trying to open
> >> /usr/local/samba/private/smbpasswd.  It should
> >> > only do that if it negotiated encrypted passwords in the
> >> negot prot call,
> >> > which it should only be able to do if encrypted passwords
> >> is set to yes.
> >> >
> >> > I note that you are including ANOTHER smb.conf file at the
> >> end of your
> >> > global section; please check there and see if you have an encrypt
> >> > passwords = yes, and/or include the contents of that
> >> smb.conf file as
> >> > well in your next message to the list, ok?
> >> > 	include=/etc/sfw/local-smb.conf
> >>
> >> local-smb.conf is an empty file.   I don't have another
> >> encrypt passwords =
> >> yes anywhere in the config file.
> >>
> >> What is weird is that I can eventually authenticate after I
> >> change the
> >> username I try to authenticate with and then change back again.
> >>
> >> So, this looks like a bug?  I wonder whether it only 
> effects Solaris
> >> systems.  I would have thought others would have fallen across it.
> >>
> >> I can't code, but I can provide logs and testing.  Please let
> >> me know if I
> >> can help at all.
> >>
> >> tony
> >>
> >>
> >>
> >> >> -----Original Message-----
> >> >> From: tony shepherd [mailto:tony.shepherd at sun.com]
> >> >> Sent: Tuesday, March 25, 2003 21:31
> >> >> To: samba-technical at samba.org
> >> >> Cc: tony.shepherd
> >> >> Subject: BUG: encrypt passwords=no, security=yes, samba
> >> >> 2.2.8, W2K user
> >> >> auth fails
> >> >>
> >> >>
> >> >> folks
> >> >>
> >> >> **
> >> >> I am not on this mail list.  Can all replied please be Cc'ed
> >> >> to me as well.
> >> >> **
> >> >>
> >> >> I have come across the following bug using samba 2.2.8 (in
> >> >> the throws of
> >> >> upgrading from 2.0.10 to fix security vul).
> >> >>
> >> >> I discovered this bug using a W2K system; it was not present
> >> >> when testing
> >> >> with win98.  I am running the samba server on a solaris 
> 9 system.
> >> >>
> >> >> I am using "encrypt passwords = no" and "security=user" and
> >> >> using the Unix
> >> >> passwords for authentication.  Registry modification have
> >> >> been made to the
> >> >> windows system.
> >> >>
> >> >> To replicate the bug, I do the following:
> >> >>
> >> >> * log onto w2k system as user ts74081, passwd: fred
> >> >> * try and open the share: \\huey\ts74081.  As my password is
> >> >> different
> >> >> between the windows system and the samba server, it
> >> prompts me for a
> >> >> username/password pair.  I give the correct values but I
> >> >> still get rejected.
> >> >> * I then try to access the share as a different user (one
> >> >> that does not
> >> >> exist on the system):  username fred, passwd fred.  Naturally
> >> >> it fails.
> >> >> * I then try again with the proper username/password 
> pair and I get
> >> >> authenticated correctly and the share is made available.
> >> >>
> >> >>
> >> >> If I do not try and authenticate as a different user before
> >> >> retrying with
> >> >> the proper username, it will continue to fail to authenticate.
> >> >>
> >> >> I have attached debug 3 logs of the above scenario as well as
> >> >> the smb.conf
> >> >> I am using.
> >> >>
> >> >> If I change the security parameter to "security=share", the
> >> >> above bug does
> >> >> not show itself.
> >> >>
> >> >>
> >> >> thanks
> >> >>
> >> >> tony
> >> >>
> >> >>
> >>
> >>
> 
>

More information about the samba-technical mailing list