samba 3.0.x / roaming profiles / NT MD4 problems
Wim Vandermissen
wim at bofh.be
Thu Apr 15 10:29:18 GMT 2004
The problem also only seems to happen when I logoff and try to logon
again without rebooting the computer.
If I reboot the computer and logon, the roaming profiles always work
correctly and there is no trace of a MD4 check failed in the samba logs.
Thanks,
--Wim
Wim Vandermissen wrote:
> Hi,
>
> I'm setting up a new sambserver, migrating from 2.2.8a with ldap backend
> to 3.0.x (3.0.0, 3.0.2a and 3.0.3pre2 tested) with openldap 2.1.26
> backend and using sambaSamAccount
>
> I'm experiencing the following problem:
>
> - Roaming profiles sometimes work, sometimes not (most of the time not)
> and show erratic behaviour like removing the local copy (without having
> the DeleteRoamingCache key in my registry) on a windows XP with SP1
> joined to the domain
>
> I think I've pinpointed the problem to NT MD4 password checking
> (libsmb/ntlm_check.c:ntlm_password_check(322))
>
> With debug on 100 and DEBUG_PASSWORD on it shows the following:
>
> [2004/04/10 22:23:49, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
> ntlm_password_check: Checking NT MD4 password
> [2004/04/10 22:23:49, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
> Part password (P16) was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
> [000] AB A4 5E 23 42 B3 27 7E 03 0C DB 4F 97 48 B6 0E ..^#B.'~
> ...O.H..
> Password from client was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
> [000] 22 63 62 8E 2A BD 54 16 D1 0F EE 6C 0F B5 F7 46 "cb.*.T.
> ...l...F
> [010] 4E BB D2 52 74 EB B2 09 N..Rt...
> Given challenge was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
> [000] CE 8D D3 56 F8 7E 7D 7A ...V.~}z
> Value from encryption was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
> [000] 22 63 62 8E 2A BD 54 16 D1 0F EE 6C 0F B5 F7 46 "cb.*.T.
> ...l...F
> [010] 4E BB D2 52 74 EB B2 09 N..Rt...
> [2004/04/10 22:23:49, 4] auth/auth_sam.c:sam_account_ok(82)
> sam_account_ok: Checking SMB password for user testing
>
> It does that 3 times correctly, I guess it checks the authentication
> when the user logs on. Now a minute later it checks again, I guess for
> connecting to the profiles share? but now it fails. What results in
> Windows XP telling me that it can't find the profiles directory.
>
> [2004/04/10 22:25:22, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
> ntlm_password_check: Checking NT MD4 password
> [2004/04/10 22:25:22, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
> Part password (P16) was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
> [000] AB A4 5E 23 42 B3 27 7E 03 0C DB 4F 97 48 B6 0E ..^#B.'~
> ...O.H..
> Password from client was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
> [000] EE 15 48 95 A2 6C D6 7A 14 C7 00 85 FE 20 D9 92 ..H..l.z
> ..... ..
> [010] B4 D0 21 FC F0 FB 7D 61 ..!...}a
> Given challenge was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
> [000] EC F9 F7 3E EE 20 47 E5 ...>. G.
> Value from encryption was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
> [000] E7 DE 31 72 F0 E2 E1 97 40 2B 15 86 CA 4E 2A 4F ..1r.... <at>
> +...N*O
> [010] 1D 32 DD 66 AC EA 8B 3C .2.f...<
> [2004/04/10 22:25:22, 3] libsmb/ntlm_check.c:ntlm_password_check(338)
> ntlm_password_check: NT MD4 password check failed for user testing
>
>
> When I edit libsmb/ntlm_check.c to always return a NT_STATUS_OK instead
> of a NT_STATUS_WRONG_PASSWORD the last check ofcourse works and the
> roaming profiles work perfectly. (but that isn't very secure ;)
>
> This is my current config, but I've used various mutations of it without
> success ;)
>
> Please let me know if you need any more information.
> Thanks,
>
> --Wim Vandersmissen
>
> # Global parameters
> [global]
> dos charset = CP850
> unix charset = UTF-8
> display charset = LOCALE
> workgroup = THEONEW
> netbios name = OROCHIMARU
> netbios aliases =
> netbios scope =
> server string = %h
> interfaces =
> bind interfaces only = No
> security = USER
> auth methods =
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> hosts equiv =
> min passwd length = 5
> use cracklib = No
> map to guest = Bad Password
> null passwords = No
> obey pam restrictions = No
> password server = *
> smb passwd file = /usr/local/samba/private/smbpasswd
> private dir = /usr/local/samba/private
> passdb backend = ldapsam:ldap://localhost
> algorithmic rid base = 1000
> root directory =
> guest account = nobody
> pam password change = No
> passwd program =
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 2
> username map =
> password level = 0
> username level = 0
> unix password sync = No
> restrict anonymous = 0
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
> preload modules =
> log level = 100
> syslog = 1
> syslog only = No
> log file = /var/log/samba/inverse/%m.log
> max log size = 50000
> timestamp logs = Yes
> debug hires timestamp = No
> debug pid = No
> debug uid = No
> smb ports = 445 139
> protocol = NT1
> large readwrite = Yes
> max protocol = NT1
> min protocol = CORE
> read bmpx = No
> read raw = Yes
> write raw = Yes
> disable netbios = No
> acl compatibility =
> nt pipe support = Yes
> nt status support = Yes
> announce version = 4.9
> announce as = NT
> max mux = 50
> max xmit = 16644
> name resolve order = lmhosts wins host bcast
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> time server = No
> unix extensions = Yes
> use spnego = Yes
> client signing = auto
> server signing = No
> client use spnego = No
> change notify timeout = 60
> deadtime = 0
> getwd cache = Yes
> keepalive = 300
> kernel change notify = Yes
> lpq cache time = 10
> max smbd processes = 0
> paranoid server security = Yes
> max disk size = 0
> max open files = 10000
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4096
> SO_RCVBUF=4096
> use mmap = Yes
> hostname lookups = No
> name cache timeout = 660
> load printers = Yes
> printcap name = cups
> disable spoolss = No
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = Yes
> os2 driver map =
> mangling method = hash2
> mangle prefix = 1
> stat cache = Yes
> machine password timeout = 604800
> add user script =
> delete user script =
> add group script =
> delete group script =
> add user to group script =
> delete user from group script =
> set primary group script =
> add machine script =
> shutdown script =
> abort shutdown script =
> logon script =
> logon path = \\%L\profiles\%U
> logon drive =
> logon home = \\%N\%U
> domain logons = Yes
> os level = 66
> lm announce = Auto
> lm interval = 60
> preferred master = Yes
> local master = Yes
> domain master = Yes
> browse list = Yes
> enhanced browsing = Yes
> dns proxy = Yes
> wins proxy = No
> wins server =
>
> wins support = No
> wins hook =
> wins partners =
> kernel oplocks = Yes
> lock spin count = 3
> lock spin time = 10
> oplock break wait time = 0
> ldap suffix = "ou=people,dc=theo,dc=be"
> ldap machine suffix =
> ldap user suffix =
> ldap group suffix =
> ldap idmap suffix =
> ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))
> ldap admin dn = "cn=root,dc=theo,dc=be"
> ldap ssl =
> ldap passwd sync = no
> ldap delete dn = No
> ldap replication sleep = 1000
> add share command =
> change share command =
> delete share command =
> config file =
> preload =
> lock directory = /usr/local/samba/var/locks
> pid directory = /usr/local/samba/var/locks
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> dfree command =
> get quota command =
> set quota command =
> remote announce =
> remote browse sync =
> socket address = 0.0.0.0
> homedir map =
> afs username map =
> time offset = 0
> NIS homedir = No
> panic action =
> host msdfs = No
> enable rid algorithm = Yes
> idmap backend =
> idmap uid =
> idmap gid =
> template primary group = nobody
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 300
> winbind enable local accounts = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = No
> winbind trusted domains only = No
> comment =
> path =
> username =
> invalid users =
> valid users =
> admin users =
> read list =
> write list =
> printer admin = root
> force user =
> force group =
> read only = Yes
> create mask = 0744
> force create mode = 00
> security mask = 0777
> force security mode = 00
> directory mask = 0755
> force directory mode = 00
> directory security mask = 0777
> force directory security mode = 00
> inherit permissions = No
> inherit acls = No
> guest only = No
> guest ok = No
> only user = No
> hosts allow =
> hosts deny =
> ea support = No
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> afs share = No
> block size = 1024
> max connections = 0
> min print space = 0
> strict allocate = No
> strict sync = No
> sync always = No
> use sendfile = No
> write cache size = 0
> max reported print jobs = 0
> max print jobs = 1000
> printable = No
> printing = cups
> print command =
> lpq command =
> lprm command =
> lppause command =
> lpresume command =
> queuepause command =
> queueresume command =
> printer name =
> use client driver = No
> default devmode = No
> default case = lower
> case sensitive = No
> preserve case = Yes
> short preserve case = Yes
> mangle case = No
> mangling char = ~
> hide dot files = Yes
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> delete veto files = No
> veto files =
> hide files = /desktop.ini/Desktop.ini/
> veto oplock files =
> map system = No
> map hidden = No
> map archive = Yes
> mangled names = Yes
> mangled map =
> store dos attributes = No
> browseable = Yes
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> locking = Yes
>
>
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = Yes
> share modes = Yes
> copy =
> include =
> exec =
> preexec close = No
> postexec =
> root preexec =
> root preexec close = No
> root postexec =
> available = Yes
> volume =
> fstype = NTFS
> set directory = No
> wide links = Yes
> follow symlinks = Yes
> dont descend =
> magic script =
> magic output =
> delete readonly = No
> dos filemode = No
> dos filetimes = No
> dos filetime resolution = No
> fake directory create times = No
> vfs objects =
> msdfs root = No
> msdfs proxy =
>
> [profiles]
> path = /mnt/theo/profiles/
> read only = No
> profile acls = Yes
> browseable = No
>
>
>
>
More information about the samba-technical
mailing list