encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails

tony shepherd tony.shepherd at sun.com
Mon Mar 31 22:59:28 GMT 2003



How do bug fixes work?  Do they go through some sort of review?  Who 
decides whether they get put into the next release?

As Sun is now distributing Samba as part of the OS (started in Solaris 9), 
we are tracking this issue as bugID: #4839885.

tony


--On Monday, March 31, 2003 04:29:57 PM -0500 "MCCALL,DON (HP-USA,ex1)" 
<don_mccall at hp.com> wrote:

> From: "MCCALL,DON (HP-USA,ex1)" <don_mccall at hp.com>
> To: 'tony shepherd' <tony.shepherd at sun.com>,
>  "MCCALL,DON (HP-USA,ex1)" <don_mccall at hp.com>,
> "'samba_technical at lists.samba.org'" <samba_technical at lists.samba.org>
> Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
> auth fails
> Date-Sent: Tuesday, April 01, 2003 07:29:57 AM
>
> Hi Tony,
> Problem appears to be a result of your having
> null passwords = no
> map to guest = bad user
> AND
> encrypt passwords = no
>
>
> What appears to be happening is that reply.c only checks the smbpasswd
> file to see if you have a 'bad user', and with encrypt passwords = NO,
> you won't have an smbpasswd file, and it never goes to check the
> /etc/passwd or nis store, etc, for this map to guest=bad user case.
> Since it's ALREADY failed password_ok, what it's doing at this time is
> trying to decide if it has the 'bad password' or the 'bad user' case,
> since the return from password_ok doesn't differentiate.  Since it never
> finds the username in smbpasswd (since that doesn't exist), it assumes
> that the problem is NOT a bad password, but a bad USER, and goes off to
> try to use guest.
> In your log file, this actually works, your sessionsetup&x succeeds, but
> you are mapped to the guest user. ( Registered username ts74081 for guest
> access)  Later on, the actual share (home share for ts7481 I am assuming)
> tconX fails because the guest account has a null password, and you didn't
> specify guest ok for homes.
> For reasons completely unknown to me, win2k is NOT ever sending the
> password you type in UNTIL
> you try a different user, which generates an SMBulogoff() request, so the
> next negotprot,sesssetupX sequence starts, and THEN the win2k client sends
> the appropriate password,
> and you get authenticated appropriately (instead of being mapped to
> guest...)
> My guess is that the original attempt to connect to the share used your
> current username with a null password, which set up the vc, and from then
> on, all the sessionsetups are on that vc, no more negot.prot's are made,
> until an SMBulogoff is done.  Since win2k was successful in its initial
> attempt at sessionsetup&X with a null password (because you got mapped to
> guest as a bad user), it won't send a real password, even though it's
> ASKING FOR ONE, until you force an SMBulogoff, and a complete resetup of
> the vc, etc... (which is what using another username does)
> Win2k REALLY doesn't like using cleartext passwords, apparently (grin).
>
> I can make this problem go away by changing reply.c so that it checks the
> /etc/passwd/nis store for a user instead of smbpasswd when encrypted
> passwords = no; my diffs are listed below if you want to try it.
>
> I'm copying the samba_technical list in hopes that someone smarter than I
> (practically everyone) will know more about what's going on and do an
> appropriate fix for this.  This diff is on a 2.2.8 code base.
>
> # diff reply.c reply.original.c
> 1028c1028
> <         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER &&
> lp_encrypted_pass
> words())
> ---
>>         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
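Review bot: The hunk at 1028 is generated in the reverse direction (diff reply.c reply.original.c), so the "<" lines are the modified code and the ">" line is the original; applied as posted it would remove the change rather than add it. Regenerate it with the original file first, preferably as a unified diff (diff -u reply.original.c reply.c), which also survives mail wrapping better: lp_encrypted_passwords() is split across lines here. A short comment at line 1028 saying that the smbpasswd lookup is now skipped for cleartext passwords, and that the block added at 1054 covers that case, would make the two hunks readable on their own.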
> 1054,1062d1053
> < /* add mccall */
> <         if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER &&
> !lp_encrypted_pas
> swords() && sys_getpwnam(user))
> <         {
> < /*          delete_nt_token(&ptok); */
> <           DEBUG(1,("Rejecting user '%s': authentication failed\n",
> user)); <                 END_PROFILE(SMBsesssetupX);
> <           return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);
> <         }
> < /* end add mccall */
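Review bot: The commented-out delete_nt_token(&ptok) ahead of the DEBUG call leaves open whether a token is live at this point; if ptok has been allocated by line 1054, the early return leaks it and the call should be restored, otherwise the comment should be dropped. The new branch rejects only when sys_getpwnam(user) finds the name, so a comment stating that names unknown to the system store still fall through to guest mapping would document the intended behaviour. The "/* add mccall */" and "/* end add mccall */" markers should be removed before submission.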
>> -----Original Message-----
>> From: tony shepherd [mailto:tony.shepherd at sun.com]
>> Sent: Sunday, March 30, 2003 22:49
>> To: MCCALL,DON (HP-USA,ex1)
>> Cc: tony.shepherd
>> Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
>> aut h fails
>>
>>
>>
>>
>> Hi Don
>>
>> attached are the files requested.  Thanks for looking at this for me.
>> Solaris must be tweaking something that is not showing up
>> under other OS's.
>>
>>
>>
>> tony
>>
>> --On Friday, March 28, 2003 06:13:14 AM -0800 "MCCALL,DON
>> (HP-USA,ex1)"
>> <don_mccall at hp.com> wrote:
>>
>> > Hi Tony,
>> > Can't make it happen here on my HP-UX system, and I don't
>> have a Solaris
>> > system to test on.  But if you want to get me a log level
>> 10 debug of
>> > the issue, and the output of testparm, I'll see if I can
>> spot anything.
>> > Send the log and testparm off list, and compressed, ok?
>> >
>> > Don
>> >
>> >> -----Original Message-----
>> >> From: tony shepherd [mailto:tony.shepherd at sun.com]
>> >> Sent: Thursday, March 27, 2003 23:31
>> >> To: MCCALL,DON (HP-USA,ex1); samba-technical at samba.org
>> >> Subject: RE: encrypt passwords=no, security=yes, samba
>> 2.2.8, W2K user
>> >> aut h fails
>> >>
>> >>
>> >>
>> >>
>> >> --On Thursday, March 27, 2003 10:06:08 AM -0500 "MCCALL,DON
>> >> (HP-USA,ex1)"
>> >> <don_mccall at hp.com> wrote:
>> >>
>> >> > Hi tony,
>> >> > based on your log file, it sure does APPEAR that you have
>> >> NOT turned off
>> >> > encrypted passwords,
>> >> > as samba is trying to open
>> >> /usr/local/samba/private/smbpasswd.  It should
>> >> > only do that if it negotiated encrypted passwords in the
>> >> negot prot call,
>> >> > which it should only be able to do if encrypted passwords
>> >> is set to yes.
>> >> >
>> >> > I note that you are including ANOTHER smb.conf file at the
>> >> end of your
>> >> > global section; please check there and see if you have an encrypt
>> >> > passwords = yes, and/or include the contents of that
>> >> smb.conf file as
>> >> > well in your next message to the list, ok?
>> >> > 	include=/etc/sfw/local-smb.conf
>> >>
>> >> local-smb.conf is an empty file.   I don't have another
>> >> encrypt passwords =
>> >> yes anywhere in the config file.
>> >>
>> >> What is weird is that I can eventually authenticate after I
>> >> change the
>> >> username I try to authenticate with and then change back again.
>> >>
>> >> So, this looks like a bug?  I wonder whether it only
>> affects Solaris
>> >> systems.  I would have thought others would have fallen across it.
>> >>
>> >> I can't code, but I can provide logs and testing.  Please let
>> >> me know if I
>> >> can help at all.
>> >>
>> >> tony
>> >>
>> >>
>> >>
>> >> >> -----Original Message-----
>> >> >> From: tony shepherd [mailto:tony.shepherd at sun.com]
>> >> >> Sent: Tuesday, March 25, 2003 21:31
>> >> >> To: samba-technical at samba.org
>> >> >> Cc: tony.shepherd
>> >> >> Subject: BUG: encrypt passwords=no, security=yes, samba
>> >> >> 2.2.8, W2K user
>> >> >> auth fails
>> >> >>
>> >> >>
>> >> >> folks
>> >> >>
>> >> >> **
>> >> >> I am not on this mail list.  Can all replies please be Cc'ed
>> >> >> to me as well.
>> >> >> **
>> >> >>
>> >> >> I have come across the following bug using samba 2.2.8 (in
>> >> >> the throes of
>> >> >> upgrading from 2.0.10 to fix security vul).
>> >> >>
>> >> >> I discovered this bug using a W2K system; it was not present
>> >> >> when testing
>> >> >> with win98.  I am running the samba server on a solaris
>> 9 system.
>> >> >>
>> >> >> I am using "encrypt passwords = no" and "security=user" and
>> >> >> using the Unix
>> >> >> passwords for authentication.  Registry modifications have
>> >> >> been made to the
>> >> >> windows system.
>> >> >>
>> >> >> To replicate the bug, I do the following:
>> >> >>
>> >> >> * log onto w2k system as user ts74081, passwd: fred
>> >> >> * try and open the share: \\huey\ts74081.  As my password is
>> >> >> different
>> >> >> between the windows system and the samba server, it
>> >> prompts me for a
>> >> >> username/password pair.  I give the correct values but I
>> >> >> still get rejected.
>> >> >> * I then try to access the share as a different user (one
>> >> >> that does not
>> >> >> exist on the system):  username fred, passwd fred.  Naturally
>> >> >> it fails.
>> >> >> * I then try again with the proper username/password
>> pair and I get
>> >> >> authenticated correctly and the share is made available.
>> >> >>
>> >> >>
>> >> >> If I do not try and authenticate as a different user before
>> >> >> retrying with
>> >> >> the proper username, it will continue to fail to authenticate.
>> >> >>
>> >> >> I have attached debug 3 logs of the above scenario as well as
>> >> >> the smb.conf
>> >> >> I am using.
>> >> >>
>> >> >> If I change the security parameter to "security=share", the
>> >> >> above bug does
>> >> >> not show itself.
>> >> >>
>> >> >>
>> >> >> thanks
>> >> >>
>> >> >> tony
>> >> >>
>> >> >>
>> >>
>> >>
>>
>>
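The bad-user versus bad-password decision that Don McCall's message describes, modelled as an added example that is not part of the thread and is not Samba code. The struct, the function names and the sample account lists are hypothetical; the patched branch mirrors the intent of the posted diff.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum outcome { LOGON_FAILURE, MAPPED_TO_GUEST };

struct server {
    bool encrypt_passwords;     /* smb.conf: encrypt passwords */
    bool map_bad_user;          /* smb.conf: map to guest = bad user */
    const char **smbpasswd;     /* NULL-terminated names in smbpasswd */
    const char **unix_accounts; /* NULL-terminated names in /etc/passwd or NIS */
};

static bool known(const char **names, const char *user)
{
    for (; *names != NULL; names++)
        if (strcmp(*names, user) == 0)
            return true;
    return false;
}

/* Decision taken after the password check has already failed.
 * patched=false: only smbpasswd is consulted, as the message describes.
 * patched=true:  with cleartext passwords the Unix account store is used. */
enum outcome after_failed_password(const struct server *s, const char *user,
                                   bool patched)
{
    const char **store = s->smbpasswd;
    if (patched && !s->encrypt_passwords)
        store = s->unix_accounts;
    if (!s->map_bad_user || known(store, user))
        return LOGON_FAILURE;   /* known user: treat as a bad password */
    return MAPPED_TO_GUEST;     /* unknown user: session succeeds as guest */
}

/* Constructed sample data: cleartext setup, so smbpasswd has no entries. */
static const char *no_entries[] = { NULL };
static const char *unix_names[] = { "ts74081", NULL };
static const struct server cleartext = { false, true, no_entries, unix_names };

int main(void)
{
    const char *label[] = { "logon failure", "mapped to guest" };
    printf("original, ts74081: %s\n",
           label[after_failed_password(&cleartext, "ts74081", false)]);
    printf("patched,  ts74081: %s\n",
           label[after_failed_password(&cleartext, "ts74081", true)]);
    printf("patched,  fred:    %s\n",
           label[after_failed_password(&cleartext, "fred", true)]);
    return 0;
}
```
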



