Weird password problems

Nicholas R LeRoy nick.leroy at norland.com
Thu Oct 21 16:21:31 GMT 1999


Hello, all..

I'm running into some weird password problems with Samba 2.0.5a.

Here's what I'm *trying* to do.

I have several Linux & Sun boxes that I'd like to share their
resources with various DOS/Win9x PCs.  I don't want to have to
maintain password files on each of these.  Currently, the Unix
passwords are shared via NIS, with a SunOS box as the master.

What I understand is the *right* way to handle this is to have one
box handle all smb password authentication.  This box, BTW, is
named 'grumpy2'.  So, grumpy2 has in his smb.conf:

> [global]
>   wins support = yes
>   domain master = yes
>   local master = yes
>   preferred master = yes
>   os level = 65
>   encrypt passwords = yes
>   printing = bsd
>   printcap name = /etc/printcap
>   load printers = yes
>   workgroup = software
>   log file = /usr/local/samba/log/samba-log.%m
>   lock directory = /var/spool/locks/samba
>   client code page = 437
>   ; update encrypted = yes
>   share modes = yes
>   debug level = 2
>   password level = 4
>   mangled names = yes
>   max log size = 500

Grumpy2 also has the 'smbpasswd' file.  This seems to work ok, as
DOS boxes (at least) can use services directly on grumpy2.
  net use m: \\grumpy2\local

Now, I'm trying to set up a Linux box (gandalf) to use grumpy2 to do
the password validation...  This isn't working very well at all.
First, here's the relevant portion of smb.conf:

> [global]
>   printing = bsd
>   printcap name = /etc/printcap
>   load printers = yes
>   workgroup = software
>   log file = /usr/local/samba/var/samba-log.%m
>   lock directory = /var/spool/locks/samba
>   client code page = 437
>   ; encrypt passwords = yes
>   ; update encrypted = yes
>   share modes = yes
>   password level = 4
>   mangled names = yes
>   max log size = 500
>   security = server
>   password server = grumpy2

What I see is the following:

From the DOS box, I type:
  net use m: \\gandalf\local

There's a several second delay *before* I get (from DOS):
> The password is invalid for \\GANDALF\LOCAL.
> Type the password for \\GANDALF\LOCAL

What I've found, from examining the log files, is that all authentication
is done *before* I type in the password here.  I can see that gandalf
talks to grumpy2, the password (*what password?*) is rejected.  The
logs on grumpy2 agree.

*Then*, I type in the password, and, as far as I can tell, gandalf
doesn't even try to talk to grumpy2.  Since there is no smbpasswd
file on gandalf, the session is rejected, although the password is
correct.

Wait...  I just tried this again, while typing this.  There was a
several minute delay between the time that I typed the 'net use'
and the password at the prompt.  This time, gandalf actually sent
*something* to grumpy2 for authentication, but it was rejected.

I have debug level 25 enabled -- here's a snippet from this last
session on grumpy2 (after I typed the password at the DOS box):
The user 'nleroy', BTW, is correct.

> [1999/10/21 11:14:31, 5] passdb/smbpass.c:getsmbfilepwent(258)
>   getsmbfilepwent: returning passwd entry for user nleroy, uid 224
> [1999/10/21 11:14:31, 10] passdb/passdb.c:iterate_getsmbpwnam(158)
>   found by name: nleroy
> [1999/10/21 11:14:31, 7] passdb/smbpass.c:endsmbfilepwent(81)
>   endsmbfilepwent: closed password file.
> [1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(404)
>   Checking SMB password for user nleroy
> [1999/10/21 11:14:31, 5] smbd/password.c:smb_password_ok(423)
>   challenge received
> [1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(431)
>   smb_password_ok: Checking NT MD4 password
> [1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(438)
>   NT MD4 password check failed
> [1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(444)
>   Checking LM MD4 password
> [1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(460)
>   LM MD4 password check failed
> [1999/10/21 11:14:31, 1] smbd/password.c:pass_check_smb(532)
>   smb_password_check failed. Invalid password given for user 'nleroy'

Obviously, I have something ill configured, but I've tried just about
every combination that I can think of, and just can't get this working.
I'd appreciate any light anybody can shed on this.

Thanks

-Nick

-- 
+-------------------------------+--------------------------------------------+
| /`--_   Nicholas R LeRoy      | In a world without fences, Who needs Gates?|
|{     }/ Norland Corporation   |        ---- Experience Linux! ----         |
| \ *  / W6340 Hackbarth Rd     | http://www.linux.org | http://www.ssc.com  |
| |___| Fort Atkinson, WI 53538 +--------------------------------------------+
|      nick.leroy at norland.com   | #include <disclaimer.h>                    |
|http://www3.norland.com/~nleroy| These are my own ideas, not my employer's. |
+----------------------------------------------------------------------------+
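
An added example (not part of the original post, and not Samba code): a small Python parser for the debug-log layout quoted in the message, which groups the `smb_password_ok` records into one entry per login attempt. The function names are hypothetical, and the sample input is a subset of the records copied from the excerpt above.

```python
import re

# Header line of a Samba debug record: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+):(\w+)\((\d+)\)$")

# Sample input: records copied from the log excerpt in the message above.
SAMPLE_LOG = """\
[1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(404)
  Checking SMB password for user nleroy
[1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(438)
  NT MD4 password check failed
[1999/10/21 11:14:31, 4] smbd/password.c:smb_password_ok(460)
  LM MD4 password check failed
[1999/10/21 11:14:31, 1] smbd/password.c:pass_check_smb(532)
  smb_password_check failed. Invalid password given for user 'nleroy'
"""

def parse_records(text):
    """Yield one dict per record: a header line plus its indented message."""
    rec = None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()  # accept mail-quoted logs too
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = {"ts": m[1], "level": int(m[2]), "func": m[4], "msg": ""}
        elif rec is not None and line:
            rec["msg"] = (rec["msg"] + " " + line).strip()
    if rec:
        yield rec

def login_attempts(text):
    """Group records into attempts: user, time, failed hash checks, verdict."""
    attempts, cur = [], None
    for rec in parse_records(text):
        m = re.match(r"Checking SMB password for user (\S+)", rec["msg"])
        if m:
            cur = {"user": m[1], "ts": rec["ts"], "failed": [], "rejected": False}
            attempts.append(cur)
        elif cur is not None:
            m = re.match(r"(NT|LM) MD4 password check failed", rec["msg"])
            if m:
                cur["failed"].append(m[1])
            elif "Invalid password given for user" in rec["msg"]:
                cur["rejected"] = True
    return attempts

if __name__ == "__main__":
    print(login_attempts(SAMPLE_LOG))
```

Run against the logs of both the file server and the password server, the per-attempt summary shows which host actually evaluated a given login and which hash comparisons it rejected.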