samba 3.0.x / roaming profiles / NT MD4 problems

Wim Vandermissen wim at bofh.be
Thu Apr 15 08:18:16 GMT 2004


Hi,

I'm setting up a new samba server, migrating from 2.2.8a with ldap backend
to 3.0.x (3.0.0, 3.0.2a and 3.0.3pre2 tested) with openldap 2.1.26 
backend and using sambaSamAccount

I'm experiencing the following problem:

- Roaming profiles sometimes work, sometimes not (most of the time not)
and show erratic behaviour like removing the local copy (without having
the DeleteRoamingCache key in my registry) on a windows XP with SP1
joined to the domain

I think I've pinpointed the problem to NT MD4 password checking
(libsmb/ntlm_check.c:ntlm_password_check(322))

With debug on 100 and DEBUG_PASSWORD on it shows the following:

[2004/04/10 22:23:49, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
    ntlm_password_check: Checking NT MD4 password
[2004/04/10 22:23:49, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
    Part password (P16) was |
[2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
    [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
    Password from client was |
[2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
    [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
    [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
    Given challenge was |
[2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
    [000] CE 8D D3 56 F8 7E 7D 7A                           ...V.~}z
    Value from encryption was |
[2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
    [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
    [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
[2004/04/10 22:23:49, 4] auth/auth_sam.c:sam_account_ok(82)
    sam_account_ok: Checking SMB password for user testing

It does that 3 times correctly, I guess it checks the authentication
when the user logs on. Now a minute later it checks again, I guess for
connecting to the profiles share? But now it fails, which results in
Windows XP telling me that it can't find the profiles directory.

[2004/04/10 22:25:22, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
    ntlm_password_check: Checking NT MD4 password
[2004/04/10 22:25:22, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
    Part password (P16) was |
[2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
    [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
    Password from client was |
[2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
    [000] EE 15 48 95 A2 6C D6 7A  14 C7 00 85 FE 20 D9 92  ..H..l.z ..... ..
    [010] B4 D0 21 FC F0 FB 7D 61                           ..!...}a
    Given challenge was |
[2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
    [000] EC F9 F7 3E EE 20 47 E5                           ...>. G.
    Value from encryption was |
[2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
    [000] E7 DE 31 72 F0 E2 E1 97  40 2B 15 86 CA 4E 2A 4F  ..1r.... @+...N*O
    [010] 1D 32 DD 66 AC EA 8B 3C                           .2.f...<
[2004/04/10 22:25:22, 3] libsmb/ntlm_check.c:ntlm_password_check(338)
    ntlm_password_check: NT MD4 password check failed for user testing


When I edit libsmb/ntlm_check.c to always return a NT_STATUS_OK instead
of a NT_STATUS_WRONG_PASSWORD the last check of course works and the
roaming profiles work perfectly. (but that isn't very secure ;)

This is my current config, but I've used various mutations of it without
success ;)

Please let me know if you need any more information.
Thanks,

--Wim Vandersmissen

# Global parameters
[global]
          dos charset = CP850
          unix charset = UTF-8
          display charset = LOCALE
          workgroup = THEONEW
          netbios name = OROCHIMARU
          netbios aliases =
          netbios scope =
          server string = %h
          interfaces =
          bind interfaces only = No
          security = USER
          auth methods =
          encrypt passwords = Yes
          update encrypted = No
          client schannel = Auto
          server schannel = Auto
          allow trusted domains = Yes
          hosts equiv =
          min passwd length = 5
          use cracklib = No
          map to guest = Bad Password
          null passwords = No
          obey pam restrictions = No
          password server = *
          smb passwd file = /usr/local/samba/private/smbpasswd
          private dir = /usr/local/samba/private
          passdb backend = ldapsam:ldap://localhost
          algorithmic rid base = 1000
          root directory =
          guest account = nobody
          pam password change = No
          passwd program =
          passwd chat = *new*password* %n\n *new*password* %n\n *changed*
          passwd chat debug = No
          passwd chat timeout = 2
          username map =
          password level = 0
          username level = 0
          unix password sync = No
          restrict anonymous = 0
          lanman auth = Yes
          ntlm auth = Yes
          client NTLMv2 auth = No
          client lanman auth = Yes
          client plaintext auth = Yes
          preload modules =
          log level = 100
          syslog = 1
          syslog only = No
          log file = /var/log/samba/inverse/%m.log
          max log size = 50000
          timestamp logs = Yes
          debug hires timestamp = No
          debug pid = No
          debug uid = No
          smb ports = 445 139
          protocol = NT1
          large readwrite = Yes
          max protocol = NT1
          min protocol = CORE
          read bmpx = No
          read raw = Yes
          write raw = Yes
          disable netbios = No
          acl compatibility =
          nt pipe support = Yes
          nt status support = Yes
          announce version = 4.9
          announce as = NT
          max mux = 50
          max xmit = 16644
          name resolve order = lmhosts wins host bcast
          max ttl = 259200
          max wins ttl = 518400
          min wins ttl = 21600
          time server = No
          unix extensions = Yes
          use spnego = Yes
          client signing = auto
          server signing = No
          client use spnego = No
          change notify timeout = 60
          deadtime = 0
          getwd cache = Yes
          keepalive = 300
          kernel change notify = Yes
          lpq cache time = 10
          max smbd processes = 0
          paranoid server security = Yes
          max disk size = 0
          max open files = 10000
          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4096 SO_RCVBUF=4096
          use mmap = Yes
          hostname lookups = No
          name cache timeout = 660
          load printers = Yes
          printcap name = cups
          disable spoolss = No
          enumports command =
          addprinter command =
          deleteprinter command =
          show add printer wizard = Yes
          os2 driver map =
          mangling method = hash2
          mangle prefix = 1
          stat cache = Yes
          machine password timeout = 604800
          add user script =
          delete user script =
          add group script =
          delete group script =
          add user to group script =
          delete user from group script =
          set primary group script =
          add machine script =
          shutdown script =
          abort shutdown script =
          logon script =
          logon path = \\%L\profiles\%U
          logon drive =
          logon home = \\%N\%U
          domain logons = Yes
          os level = 66
          lm announce = Auto
          lm interval = 60
          preferred master = Yes
          local master = Yes
          domain master = Yes
          browse list = Yes
          enhanced browsing = Yes
          dns proxy = Yes
          wins proxy = No
          wins server =
          wins support = No
          wins hook =
          wins partners =
          kernel oplocks = Yes
          lock spin count = 3
          lock spin time = 10
          oplock break wait time = 0
          ldap suffix = "ou=people,dc=theo,dc=be"
          ldap machine suffix =
          ldap user suffix =
          ldap group suffix =
          ldap idmap suffix =
          ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
          ldap admin dn = "cn=root,dc=theo,dc=be"
          ldap ssl =
          ldap passwd sync = no
          ldap delete dn = No
          ldap replication sleep = 1000
          add share command =
          change share command =
          delete share command =
          config file =
          preload =
          lock directory = /usr/local/samba/var/locks
          pid directory = /usr/local/samba/var/locks
          utmp directory =
          wtmp directory =
          utmp = No
          default service =
          message command =
          dfree command =
          get quota command =
          set quota command =
          remote announce =
          remote browse sync =
          socket address = 0.0.0.0
          homedir map =
          afs username map =
          time offset = 0
          NIS homedir = No
          panic action =
          host msdfs = No
          enable rid algorithm = Yes
          idmap backend =
          idmap uid =
          idmap gid =
          template primary group = nobody
          template homedir = /home/%D/%U
          template shell = /bin/false
          winbind separator = \
          winbind cache time = 300
          winbind enable local accounts = Yes
          winbind enum users = Yes
          winbind enum groups = Yes
          winbind use default domain = No
          winbind trusted domains only = No
          comment =
          path =
          username =
          invalid users =
          valid users =
          admin users =
          read list =
          write list =
          printer admin = root
          force user =
          force group =
          read only = Yes
          create mask = 0744
          force create mode = 00
          security mask = 0777
          force security mode = 00
          directory mask = 0755
          force directory mode = 00
          directory security mask = 0777
          force directory security mode = 00
          inherit permissions = No
          inherit acls = No
          guest only = No
          guest ok = No
          only user = No
          hosts allow =
          hosts deny =
          ea support = No
          nt acl support = Yes
          profile acls = No
          map acl inherit = No
          afs share = No
          block size = 1024
          max connections = 0
          min print space = 0
          strict allocate = No
          strict sync = No
          sync always = No
          use sendfile = No
          write cache size = 0
          max reported print jobs = 0
          max print jobs = 1000
          printable = No
          printing = cups
          print command =
          lpq command =
          lprm command =
          lppause command =
          lpresume command =
          queuepause command =
          queueresume command =
          printer name =
          use client driver = No
          default devmode = No
          default case = lower
          case sensitive = No
          preserve case = Yes
          short preserve case = Yes
          mangle case = No
          mangling char = ~
          hide dot files = Yes
          hide special files = No
          hide unreadable = No
          hide unwriteable files = No
          delete veto files = No
          veto files =
          hide files = /desktop.ini/Desktop.ini/
          veto oplock files =
          map system = No
          map hidden = No
          map archive = Yes
          mangled names = Yes
          mangled map =
          store dos attributes = No
          browseable = Yes
          blocking locks = Yes
          csc policy = manual
          fake oplocks = No
          locking = Yes
          oplocks = Yes
          level2 oplocks = Yes
          oplock contention limit = 2
          posix locking = Yes
          strict locking = Yes
          share modes = Yes
          copy =
          include =
          exec =
          preexec close = No
          postexec =
          root preexec =
          root preexec close = No
          root postexec =
          available = Yes
          volume =
          fstype = NTFS
          set directory = No
          wide links = Yes
          follow symlinks = Yes
          dont descend =
          magic script =
          magic output =
          delete readonly = No
          dos filemode = No
          dos filetimes = No
          dos filetime resolution = No
          fake directory create times = No
          vfs objects =
          msdfs root = No
          msdfs proxy =

[profiles]
          path = /mnt/theo/profiles/
          read only = No
          profile acls = Yes
          browseable = No
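The NT MD4 check that the two log excerpts above show, as an added example that is not part of the original post: a Python script that parses Samba's dump_data output into the four values of each ntlm_password_check() run (stored P16, client response, challenge, smbd's recomputed value), reports whether the client's 24-byte response equals the recomputed one, and shows the NTLMv1 key-preparation step that sits between "Part password (P16)" and "Value from encryption" (P16 zero-padded to 21 bytes and cut into three 7-byte DES keys; the DES encryption of the challenge itself is not reproduced). The regexes, class and function names are my own; the embedded log is the excerpt quoted above, abridged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged excerpt of the two NT MD4 checks quoted in the post above (wrapped
# hexdump rows rejoined; the data-less "lib/util.c:dump_data" headers omitted).
SAMPLE_LOG = """\
[2004/04/10 22:23:49, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
    ntlm_password_check: Checking NT MD4 password
[2004/04/10 22:23:49, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
    Part password (P16) was |
    [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
    Password from client was |
    [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
    [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
    Given challenge was |
    [000] CE 8D D3 56 F8 7E 7D 7A                           ...V.~}z
    Value from encryption was |
    [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
    [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
[2004/04/10 22:25:22, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
    ntlm_password_check: Checking NT MD4 password
[2004/04/10 22:25:22, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
    Part password (P16) was |
    [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
    Password from client was |
    [000] EE 15 48 95 A2 6C D6 7A  14 C7 00 85 FE 20 D9 92  ..H..l.z ..... ..
    [010] B4 D0 21 FC F0 FB 7D 61                           ..!...}a
    Given challenge was |
    [000] EC F9 F7 3E EE 20 47 E5                           ...>. G.
    Value from encryption was |
    [000] E7 DE 31 72 F0 E2 E1 97  40 2B 15 86 CA 4E 2A 4F  ..1r.... @+...N*O
    [010] 1D 32 DD 66 AC EA 8B 3C                           .2.f...<
[2004/04/10 22:25:22, 3] libsmb/ntlm_check.c:ntlm_password_check(338)
    ntlm_password_check: NT MD4 password check failed for user testing
"""

LABEL = re.compile(r"^\s*(Part password \(P16\)|Password from client|"
                   r"Given challenge|Value from encryption) was \|")
# dump_data rows: "[off] XX XX ..." followed by an ASCII column after 2+ spaces.
HEXROW = re.compile(r"^\s*\[[0-9A-F]{3}\]((?:\s+[0-9A-F]{2}){1,16})(?=\s{2,}|\s*$)")


@dataclass
class NtlmCheck:
    fields: Dict[str, bytes] = field(default_factory=dict)
    logged_failure: bool = False

    def response_matches(self) -> Optional[bool]:
        """True when the client's 24-byte response equals smbd's recomputation."""
        client = self.fields.get("Password from client")
        computed = self.fields.get("Value from encryption")
        return None if client is None or computed is None else client == computed


def parse_ntlm_checks(log_text: str) -> List[NtlmCheck]:
    """One record per ntlm_password_check() run found in the debug output."""
    checks: List[NtlmCheck] = []
    current = None  # which of the four labelled values the next hex rows belong to
    for line in log_text.splitlines():
        if "Checking NT MD4 password" in line:
            checks.append(NtlmCheck())
            current = None
        elif "NT MD4 password check failed" in line and checks:
            checks[-1].logged_failure = True
        elif m := LABEL.match(line):
            current = m.group(1)
        elif (m := HEXROW.match(line)) and checks and current:
            data = bytes.fromhex("".join(m.group(1).split()))
            checks[-1].fields[current] = checks[-1].fields.get(current, b"") + data
    return checks


def des_key_from_7_bytes(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each, shifted left by one) and set
    odd parity in the spare low bit. DES's key schedule ignores that parity bit."""
    if len(key7) != 7:
        raise ValueError("need exactly 7 bytes")
    n = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def ntlmv1_des_keys(p16: bytes) -> List[bytes]:
    """NTLMv1: P16 (the NT MD4 hash) is zero-padded to 21 bytes and cut into three
    7-byte keys; each DES-encrypts the 8-byte challenge, and the three ciphertexts
    concatenated are the 24-byte "Value from encryption" smbd compares against."""
    padded = p16 + b"\x00" * 5
    return [des_key_from_7_bytes(padded[i:i + 7]) for i in range(0, 21, 7)]


if __name__ == "__main__":
    for c in parse_ntlm_checks(SAMPLE_LOG):
        print("challenge", c.fields["Given challenge"].hex(),
              "match" if c.response_matches() else "MISMATCH",
              "(smbd logged failure)" if c.logged_failure else "")
```

Run against the excerpt, the first run reports a match and the second a mismatch, with the same stored P16 in both; the only inputs that differ are the challenge and the client's response, which is what makes the failed run worth comparing against the working one.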