Samba - Workaround for "The account is not authorized to log in from this station."

Karsten Breivik (cybercity) karsten.breivik at mail.com
Thu Apr 12 04:28:48 GMT 2001


Problem:
--------
On the client machines I get the msg: "The account is not authorized to log
in from this station."

This has bugged me for days now, so I am posting this solution around various
places on the net...


Analysis:
---------
from a round of analysis by Jamz Boman B.Sc (Jamz at Boman.com), Toby
Corkindale (tjcorkin at steadycom.com.au)
Andreja Zivkovic (zivkotech at ozemail.com.au) at
http://www.linuxsa.org.au/mailing-list/1999-02/474.html


Jamz Boman wrote:
>
> Howdy,
>
>         I have also experienced this problem.  I realise that if browsing with
> SAMBA didn't work with Win98 someone would know by now, so it is probably a
> simple configuration issue somewhere in the smb.conf.  However, I have
> experienced the problem and while I was taking a look at it I found some
> interesting stuff.  The problem was even though you open up all the security
> in your smb.conf your Win98 and NT4 boxes continue to ask for passwords and
> even if you correctly enter the password, still no go.  However on a Win95
> OSR2 machine it works...
> and here is what I found:
>
> I am using a straight off the CD not fiddled with redhat 5.2, I have not
> edited the smb.conf file and am using the '\\server\username' share.
>
> A packet filter between the Win95 OSR2 machine reveals the order of events:
>
> Win95 box sends NBT session request
> Samba sends positive session response
> Win95 box lists the Dialects it is able to speak (0-5) and says it would like
> NT LM 0.12 (No.5)
> Samba accepts and selects dialect 5 (NT LM 0.12)
> Win95 sends session setup with username and password in CLEARTEXT!
> All sorts of things happen now Tree connects and filesystem info packets..
> and the connection is successful
>
> The same situation, same untouched server.. but with win98
>
> Win98 box sends NBT session request
> Samba sends positive session response
> Win98 box lists the Dialects it is able to speak (0-5) and says it would like
> NT LM 0.12 (No.5)
> Samba accepts and selects dialect 5 (NT LM 0.12)
> Win98 sends session setup with username but at the same position where the
> CLEARTEXT PASSWORD was in the Win95 frame now is just "USERNAME DOMAIN"
>
> I assume this so that samba can initiate validating the user's domain
> security token with the PDC.
> Even though the USERNAME and DOMAIN details are correct and the password for
> the account is the same on the PDC as it is on the Linux box the session
> still fails.
>
> I'm thinking that you probably need to mess about with the new settings in
> Samba that deal with making validations via a NT PDC, or perhaps turning
> DOMAIN validation off on the Win98 client.
>
> NT4 sessions to samba in this way also fail with a similar packet structure,
> and the error is returned on the NT4 client - "The account is not authorized
> to log in from this station"
>
> The fact that OSR2 sends cleartext to Samba is fairly interesting! But what
> more would you expect.
>
>         Jamz.




Workaround:
-----------

Change the registry keys in windows as follows:

Win NT (from SP 3):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
      Value Name: EnablePlainTextPassword
      Data Type: REG_DWORD
      Data: 1
see: http://support.microsoft.com/support/kb/articles/q166/7/30.asp?FR=0


Win 2000:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters
Value Name: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
see: http://support.microsoft.com/support/kb/articles/Q224/2/87.ASP?LN=EN-US&SD=gn&FR=0&qry=The%20account%20is%20not%20authorized%20to%20login%20from%20this%20station&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000

Win 98:
Dunno - have a look at the Microsoft knowledge base...

Win 95:
Dunno, but should work directly as w95 transmits unencrypted passwds

Comment:
--------
Apparently it is possible to fix by using samba features for handling
encrypted passwords by using the smbpasswd command and some other stuff.
This would be safer, more elegant and probably increase performance in
accessing the machine for the first time, as the authentication method would
settle on a better authentication scheme. I am guessing wildly here, but this
worked for me, and will look into the alternatives when somebody pays me
to...

A sleepdrunk consultant signing off.

Karsten Breivik
karsten.breivik at no.pwcglobal.com
karsten.breivik at mail.com
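
The negotiate step in the traces above ("Samba accepts and selects dialect 5") also carries a SecurityMode byte that tells the client whether the server expects challenge/response or plaintext passwords. As an added example (not part of the original post), this Python parser reads that byte from an NBT-framed NT LM 0.12 negotiate response so a server still asking for cleartext can be spotted in a capture; the function names are this example's own and the sample frames are constructed, not captured.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
USER_SECURITY = 0x01      # SecurityMode bit 0: user-level security
ENCRYPT_PASSWORDS = 0x02  # SecurityMode bit 1: challenge/response expected


def parse_negotiate_response(frame: bytes) -> dict:
    """Parse an NBT-framed SMB1 negotiate response in NT LM 0.12 layout."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not an NBT session message")
    length = int.from_bytes(frame[1:4], "big") & 0x1FFFF
    smb = frame[4:4 + length]
    if len(smb) != length or length < 69 or smb[:4] != SMB_MAGIC:
        raise ValueError("truncated or non-SMB1 payload")
    if smb[4] != SMB_COM_NEGOTIATE or smb[32] != 17:
        raise ValueError("not an NT LM 0.12 negotiate response")
    # 32-byte header, WordCount at 32, then 17 parameter words (34 bytes).
    dialect_index, security_mode = struct.unpack_from("<HB", smb, 33)
    challenge_len = smb[66]
    (byte_count,) = struct.unpack_from("<H", smb, 67)
    if challenge_len > byte_count or 69 + byte_count > length:
        raise ValueError("inconsistent challenge or byte count")
    encrypted = bool(security_mode & ENCRYPT_PASSWORDS)
    return {
        "dialect_index": dialect_index,
        "user_level": bool(security_mode & USER_SECURITY),
        "encrypt_passwords": encrypted,
        "challenge": smb[69:69 + challenge_len],
        # Without the encrypt bit the server expects the password in cleartext.
        "plaintext_expected": not encrypted,
    }


def build_sample(security_mode: int, challenge: bytes = b"") -> bytes:
    """Constructed test frame (dialect index 5), not a real capture."""
    header = SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    params = struct.pack("<HBHHIIIIQhB", 5, security_mode, 50, 1, 16644,
                         65536, 0, 0, 0, 0, len(challenge))
    body = (header + bytes([17]) + params
            + struct.pack("<H", len(challenge)) + challenge)
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for name, frame in (("plaintext", build_sample(0x01)),
                        ("encrypted", build_sample(0x03, bytes(range(8))))):
        print(name, parse_negotiate_response(frame))
```
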




