NT domain accounts keep being locked out

Firebeard stend+samba at sten.tivoli.com
Fri Jan 29 04:19:02 GMT 1999


>>>>> Andrew Williamson writes:

AW> I had 'read only = true' and 'write list = andreww jons' (I also
AW> 'force user' so that files are owned by me..) so that everyone
AW> else could read, but I could update. This worked well on old
AW> samba, but now I appear to have to enable encrypted passwords,
AW> make private/smbpasswd and do an initial smbpasswd to set up an
AW> entry. However, samba is still occasionally either receiving the
AW> wrong password or passing it to the domain wrongly with the result
AW> that I get my account locked out (our policy is 10 attempts and
AW> lockout). Should I disable the registry entry for
AW> EnableClearTextPasswords now that I'm (I think) using encrypted
AW> passwords? But then I'll need to make smbpasswd entries for anyone
AW> in the organisation that wants to connect..

	Actually, the problem you are seeing has nothing to do with
the connection between the client and the samba server, but the
connection between the samba server and the domain controller.  If you 
look at the server_validate function in smbd/password.c, you will see
that samba deliberately generates invalid login requests in order to
detect a (fairly serious) bug in some versions of NT 4.x.  Their FAQ
answers to the bug report I just filed include the following relevant
items:

----------------------------------------
6) Logon errors in NT Event Viewer

The logon errors in the NT event viewer are caused by Samba trying to detect
broken NT password servers. 

Some NT servers will accept any username/password for session setup requests
and always validate it, returning a positive session setup response
without the guest bit set. Samba checks for this by deliberately sending
an incorrect password when calling the password server in server
level security. If the incorrect password succeeds then Samba logs
an error and refuses to use the password server.

You can remove this check from the code if you want, but as we have
not yet worked out what causes a NT server to show this behaviour
there is a risk that your NT server will start behaving incorrectly
and thus make your Samba server insecure.

Future versions of Samba will have a new security option "security = domain"
which will use the same protocols that NT uses for domain authentication.
(currently Samba uses the method that MS documents, rather than that which
Microsoft actually use). Once that is in place this problem should be solved.

----------------------------------------
8) NT Guest Access

What you are seeing is normal and deliberate.

MS Windows NT can be configured with the guest account enabled. When this is the
case no logon attempt will ever fail. Instead NT will allow the user access as
the guest account IF the username and / or password are incorrect. In a situation
where Samba is using an NT system to validate user passwords, if the NT server
guest account is enabled then a user logging on as "root" will always be validated
even if the password was incorrect. There is NO way that samba can tell from the
reply packet from NT whether the password was correct and normal user privilege
has been granted, or whether the password was incorrect and the user has been given
only "guest" privileges.

In short, if we were NOT to do what we do, then there would be no way of telling
whether or not the password server allows guest only logons. Were we to just accept
the validation response from such a server then a user could easily gain "root" level
access to a Samba server.

Now you would not really want us to change the current behaviour, would you?

> Hi folks ... I don't know if you have seen this, have corrected this yet
> or it is my configuration.
> I am using our company PDC for passwd authentication and it works OK
> except for one snag.
> The authentication process between our Samba server & the PDC always
> includes one unsuccessful pass thru attempt.
>    This initial pass thru validation has an incorrect user password
> (1F1F1F1F......). A SMB reject from the PDC forces the Samba Svr to
> immediately send a second validation with the correct
> encrypted Bell Master Domain user password.
>    It would be nice to get rid of the first bad validation attempt.

----------------------------------------

	As you can see, they recognize the annoyance value of these
checks, but seem to be unaware of the functional impact of them in an
environment which actually watches for bad login attempts.  Until the
developers (or one of us - is there a difference where open source is
concerned?) comes up with a better way of either testing for the bug,
or maintaining the tested state across smbd invocations, I've
hard-coded tested_server_value to be True (instead of False).

-- 
#include <disclaimer.h>                               /* Sten Drescher */
Unsolicited bulk email will be stored and handled for a US$500/KB fee.
Amendment II, Revised: A well-regulated population being necessary to
the security of a police state, the right of the Government to keep
and destroy arms shall not be infringed.
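As an added illustration of the mechanism discussed in the message above (this is not Samba's own code), the following Python model pairs a toy NT password server with a 10-attempt lockout policy against an smbd that probes it with a deliberately wrong password before trusting it. It assumes the toy server counts bad attempts over a lockout window without clearing them on an intervening success, and that every fresh smbd starts with tested_server set to False unless it is hard-coded to True as the poster did; it shows both the lockout side effect and the risk the FAQ warns about when the probe is skipped.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # the poster's domain policy: 10 bad attempts, then lockout


@dataclass
class NTPasswordServer:
    """Toy password server (constructed); assumes bad attempts accumulate."""
    passwords: dict                       # user -> password, constructed
    accepts_any_password: bool = False    # the broken behaviour from FAQ item 6
    bad_attempts: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def validate(self, user, password):
        """Return (accepted, guest_bit) for a session-setup request."""
        if user in self.locked:
            return False, False
        if self.accepts_any_password:
            return True, False            # accepted, guest bit not set
        if self.passwords.get(user) == password:
            return True, False
        self.bad_attempts[user] = self.bad_attempts.get(user, 0) + 1
        if self.bad_attempts[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False, False


class Smbd:
    """One smbd process; tested_server is False for every fresh process."""
    def __init__(self, password_server, tested_server=False):
        self.ps = password_server
        self.tested_server = tested_server

    def server_validate(self, user, password):
        if not self.tested_server:
            # Probe with a deliberately wrong password: a sane server must
            # reject it (or set the guest bit), otherwise it cannot be trusted.
            ok, guest = self.ps.validate(user, "deliberately-wrong")
            if ok and not guest:
                raise RuntimeError("broken password server; refusing to use it")
            self.tested_server = True
        ok, guest = self.ps.validate(user, password)
        return ok and not guest


def sessions_until_lockout(user, password, persist_tested_state, max_sessions=50):
    """Open sessions, one fresh smbd each, until the domain locks the account.
    Returns the session number that fails, or None if none did."""
    ps = NTPasswordServer({user: password})
    for n in range(1, max_sessions + 1):
        smbd = Smbd(ps, tested_server=persist_tested_state)
        if not smbd.server_validate(user, password):
            return n
    return None
```

With the probe run once per smbd the tenth session locks the account; with the tested state hard-coded the account never locks, but a server that accepts any password is then trusted, which is exactly the trade-off the FAQ describes.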