Side effect of recent change to more secure defaults like "lanman auth = No" intentionally?
linux at kukkukk.com
Thu Sep 13 22:55:13 GMT 2007
Hi all, (Version 3.2.1pre1-SVN-build-25136)
in recent svn rev. 25049 more secure defaults for Samba 3.2 have
    client lanman auth = No
    client plaintext auth = No
    lanman auth = No
I ran into a problem when my daily svn build (and install) touched the
new default setting "lanman auth = No" the _first_ time.
Was wondering, why OS/2 clients suddenly got an "access denied" error
during sesssetup, but remembered the ml discussions about new planned more secure
defaults. Testparm was showing the new defaults and a svn check confirmed abartlets
Did add the following to the [global] section of smb.conf
    client lanman auth = Yes
    lanman auth = Yes
Again - _any_ further access from OS/2 gave "access denied"!
During debugging, I realized that "lm_pw = pdb_get_lanman_passwd(sampass);" in
auth_sam.c always returned a null ptr for the lanman password.
The rest was easy...
When this version (and later ones) is installed - and no administrative
changes are being done to smb.conf before a restart - _each_ OS/2 user's
LM password hash will be _deleted_ from the passdb backend on its
very first next logon request! (here smbpasswd was used)
Even with now ongoing administrative action, the already accessed
LM password hashes are _gone_!
Is this the intended behaviour - or is it an unwanted / untested side effect?
If it's intended - which seems a bit ugly to me - the next release notes should
make this behaviour _very_ clear and how it can be avoided...
Sample smbpasswd entry (slightly modified) before first access:
When "protocol = LANMAN2" is set, it can also be easily tested with smbclient.
When "client lanman auth = No" is set, and (some) samba client tools access
such a server, a somewhat strange error string is shown:
    smbclient //server01/test -Ugk
    Server requested LM password but 'client lanman auth' is disabled
    session setup failed: NT_STATUS_OK
Best wishes, Guenter
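
Added example, not part of the original post and not Samba code: a check that compares a saved copy of an smbpasswd file with the current one and lists the accounts whose LM hash has disappeared, which is the effect described above. It assumes the smbpasswd(5) text layout (name:uid:LM:NT:flags:LCT:) and treats any LM field that is not 32 hex digits as "no hash stored"; the entries, the user name "user2" and the function names are constructed for illustration.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
NO_HASH = "X" * 32  # assumed placeholder for a hash that is not stored

# Constructed sample entries (not real hashes): name:uid:LM:NT:flags:LCT:
LM, NT = "0123456789ABCDEF" * 2, "FEDCBA9876543210" * 2
ENTRY = "{}:{}:{}:{}:[U          ]:LCT-46E9C0A1:"
BEFORE = "\n".join([ENTRY.format("gk", 1000, LM, NT),
                    ENTRY.format("user2", 1001, LM, NT)])
AFTER = "\n".join([ENTRY.format("gk", 1000, NO_HASH, NT),  # gk has logged on
                   ENTRY.format("user2", 1001, LM, NT)])   # user2 has not


def parse_smbpasswd(text):
    """Return {username: (lm_field, nt_field)} for each well-formed entry."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry, nothing to compare
        accounts[fields[0]] = (fields[2], fields[3])
    return accounts


def has_hash(field):
    """True only when the field holds 32 hex digits, i.e. a stored hash."""
    return HEX32.fullmatch(field) is not None


def lm_hashes_removed(before_text, after_text):
    """Accounts that had an LM hash in the backup but have none now."""
    before = parse_smbpasswd(before_text)
    after = parse_smbpasswd(after_text)
    return sorted(user for user, (lm, _nt) in before.items()
                  if has_hash(lm) and user in after
                  and not has_hash(after[user][0]))


if __name__ == "__main__":
    for user in lm_hashes_removed(BEFORE, AFTER):
        print(f"{user}: LM hash removed since backup")
```

Run against a pre-upgrade backup, the list shows which legacy clients will keep failing even after "lanman auth = Yes" is restored, until those users' passwords are set again.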