samba error message - "broken (and insecure) behavior"

Jim Watt jimw at
Mon Aug 31 19:55:44 GMT 1998

I've seen error messages about this since we installed 1.9.18p10 of samba,
so I went looking in the code for the context.

Here (from password.c) is the context:

         * Attempt a session setup with a totally incorrect password.
         * If this succeeds with the guest bit *NOT* set then the password
         * server is broken and is not correctly setting the guest bit. We
         * need to detect this as some versions of NT4.x are broken. JRA.

        if (cli_session_setup(&cli, user, (char *)badpass, sizeof(badpass),
                              (char *)badpass, sizeof(badpass), domain)) {
          if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) {
            DEBUG(0,("server_validate: password server %s allows users as non-guest \
with a bad password.\n", cli.desthost));
            DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
use this machine as the password server.\n"));
            return False;

WHAT versions of NT4 have this problem?  Obviously, we have one!

Jim Watt                                 jimw at PE-Nelson.COM
Perkin-Elmer Corporation                 Voice (desk): +1 408 577 2228
PE-Nelson Division                       Fax:          +1 408 894 9307
3833 North First Street                  Voice (main): +1 408 577 2200
San Jose CA 95134-1701
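
The check in the password.c excerpt quoted above, as an added example (not part of the original post and not Samba's code): it classifies the reply to a bad-password session setup by the status field and the guest bit in word 2. The function names, the probe_result enum and the sample reply builder are assumptions made for illustration; offsets follow the SMB1 header layout without the 4-byte NetBIOS length prefix.

```c
#include <stdint.h>
#include <string.h>

/* Offsets from the 0xFF 'S' 'M' 'B' magic. The quoted code indexes a buffer
 * that also holds the 4-byte NetBIOS length, so its smb_vwv2 is this + 4. */
enum { OFF_COMMAND = 4, OFF_STATUS = 5, OFF_WCT = 32, OFF_VWV2 = 37 };
#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define ACTION_GUEST 0x0001 /* bit 0 of the Action word (vwv2) */

typedef enum {
    PROBE_MALFORMED, /* not a usable session setup reply */
    PROBE_REJECTED,  /* bad password refused: correct behaviour */
    PROBE_GUEST,     /* accepted, but marked as a guest logon */
    PROBE_BROKEN     /* accepted as a real user: unfit as password server */
} probe_result;

/* Classify the reply to a session setup sent with a deliberately bad password. */
probe_result classify_bad_password_probe(const uint8_t *msg, size_t len)
{
    if (len <= OFF_WCT || memcmp(msg, "\xffSMB", 4) != 0 ||
        msg[OFF_COMMAND] != SMB_COM_SESSION_SETUP_ANDX)
        return PROBE_MALFORMED;
    /* Any non-zero status (DOS class/code or NT status) means the logon failed. */
    if (msg[OFF_STATUS] | msg[OFF_STATUS + 1] | msg[OFF_STATUS + 2] | msg[OFF_STATUS + 3])
        return PROBE_REJECTED;
    /* A success reply needs at least 3 parameter words for vwv2 to exist. */
    if (msg[OFF_WCT] < 3 || len < OFF_VWV2 + 2)
        return PROBE_MALFORMED;
    /* Little-endian 16-bit read, the job SVAL() does in the quoted code. */
    uint16_t action = (uint16_t)(msg[OFF_VWV2] | (msg[OFF_VWV2 + 1] << 8));
    return (action & ACTION_GUEST) ? PROBE_GUEST : PROBE_BROKEN;
}

/* Build a constructed 41-byte reply (sample data, not a captured packet). */
size_t make_reply(uint8_t buf[41], uint32_t status, uint16_t action)
{
    memset(buf, 0, 41);
    memcpy(buf, "\xffSMB", 4);
    buf[OFF_COMMAND] = SMB_COM_SESSION_SETUP_ANDX;
    for (int i = 0; i < 4; i++)
        buf[OFF_STATUS + i] = (uint8_t)(status >> (8 * i));
    buf[OFF_WCT] = 3;
    buf[OFF_WCT + 1] = 0xff; /* AndXCommand: no further command */
    buf[OFF_VWV2] = (uint8_t)action;
    buf[OFF_VWV2 + 1] = (uint8_t)(action >> 8);
    return 41;
}
```

Only PROBE_BROKEN corresponds to the logged "broken (and insecure)" case: the server reported success for a password that cannot be right and did not mark the session as guest.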
