Samba - Workaround for "The account is not authorized to log in from this station."

Chris Fry chris at quillsoft.com.au
Tue Apr 17 03:42:03 GMT 2001


Just thought I'd share an experience with you regarding Samba, Win95/98 and
encrypted passwords.

I set up a RH7 server for one of my clients who has 8 Win95 & 8 Win98 clients. I
came across the problem with the 95 passwords in clear & 98 passwords encrypted
so I dug around and read the README & FAQ.

I was going to use the registry hack on 98 to disable the encryption but the
client wanted to be able to sync the Linux passwords from the Win PCs. I
discovered (trial & error) that, if you log in as a user from Win 98 first you
can then log in as that user from Win 95. It appears that Samba is caching the
passwords somehow and copes with both the clear & encrypted versions.

I was then concerned that Samba would "forget" these passwords on reboot but it
appears that they are being cached on disk as it still works after reboot.

This does not appear to be documented although it would be impossible to read
all of the FAQ etc.


Chris Fry

"Karsten Breivik (cybercity)" wrote:

> Problem:
> --------
> On the client machines I get the msg: "The account is not authorized to log
> in from this station."
>
> This has bugged me for days now, so I am posting this solution around various
> places on the net...
>
> Analysis:
> ---------
> from a round of analysis by Jamz Boman B.Sc (Jamz at Boman.com), Toby
> Corkindale (tjcorkin at steadycom.com.au)
> Andreja Zivkovic (zivkotech at ozemail.com.au) at
> http://www.linuxsa.org.au/mailing-list/1999-02/474.html
>
> Jamz Boman wrote:
> >
> > Howdy,
> >
> >         I have also experienced this problem.  I realise that if browsing with
> > SAMBA didn't work with Win98 someone would know by now, so it is probably a
> > simple configuration issue somewhere in the smb.conf.  However, I have
> > experienced the problem and while I was taking a look at it I found some
> > interesting stuff.  The problem was even though you open up all the security
> > in your smb.conf your Win98 and NT4 boxes continue to ask for passwords and
> > even if you correctly enter the password, still no go.  However on a Win95
> > OSR2 machine it works...
> > and here is what I found:
> >
> > I am using a straight off the CD not fiddled with redhat 5.2, I have not
> > edited the smb.conf file and am using the '\\server\username' share.
> >
> > A packet filter between the Win95 OSR2 machine reveals the order of events:
> >
> > Win95 box sends NBT session request
> > Samba sends positive session response
> > Win95 box lists the Dialects it is able to speak (0-5) and says it would like
> > NT LM 0.12 (No.5)
> > Samba accepts and selects dialect 5 (NT LM 0.12)
> > Win95 sends session setup with username and password in CLEARTEXT!
> > All sorts of things happen now Tree connects and filesystem info packets..
> > and the connection is successful
> >
> > The same situation, same untouched server.. but with win98
> >
> > Win98 box sends NBT session request
> > Samba sends positive session response
> > Win98 box lists the Dialects it is able to speak (0-5) and says it would like
> > NT LM 0.12 (No.5)
> > Samba accepts and selects dialect 5 (NT LM 0.12)
> > Win98 sends session setup with username but at the same position where the
> > CLEARTEXT PASSWORD was in the Win95 frame now is just "USERNAME DOMAIN"
> >
> > I assume this so that samba can initiate validating the user's domain
> > security token with the PDC.
> > Even though the USERNAME and DOMAIN details are correct and the password for
> > the account is the same on the PDC as it is on the Linux box the session
> > still fails.
> >
> > I'm thinking that you probably need to mess about with the new settings in
> > Samba that deal with making validations via a NT PDC, or perhaps turning
> > DOMAIN validation off on the Win98 client.
> >
> > NT4 sessions to samba in this way also fail with a similar packet structure,
> > and the error is returned on the NT4 client - "The account is not authorized
> > to log in from this station"
> >
> > The fact that OSR2 sends cleartext to Samba is fairly interesting! But what
> > more would you expect.
> >
> >         Jamz.
>
> Workaround:
> -----------
>
> Change the registry keys in windows as follows:
>
> Win NT (from SP 3):
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
>       Value Name: EnablePlainTextPassword
>       Data Type: REG_DWORD
>       Data: 1
> see: http://support.microsoft.com/support/kb/articles/q166/7/30.asp?FR=0
>
> Win 2000:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters
> Value Name: EnablePlainTextPassword
> Data Type: REG_DWORD
> Data: 1
> see:
> http://support.microsoft.com/support/kb/articles/Q224/2/87.ASP?LN=EN-US&SD=gn&FR=0&qry=The%20account%20is%20not%20authorized%20to%20login%20from%20this%20station&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000
>
> Win 98:
> Dunno - have a look at the Microsoft knowledge base...
>
> Win 95:
> Dunno, but should work directly as w95 transmits unencrypted passwds
>
> Comment:
> --------
> Apparently it is possible to fix by using samba features for handling
> encrypted passwords by using the smbpasswd command and some other stuff.
> This would be safer, more elegant and probably increase performance in
> accessing the machine for the first time, as the authentication method would
> settle on better authentication scheme. I am guessing wildly here, but this
> worked for me, and will look into the alternatives when somebody pays me
> to...
>
> A sleepdrunk consultant signing off.
>
> Karsten Breivik
> karsten.breivik at no.pwcglobal.com
> karsten.breivik at mail.com
>

--
Chris Fry
Quillsoft Pty Ltd
Specialists in Secure Internet Services and E-Commerce Solutions
10 Gray Street
Kogarah
NSW  2217
Australia

Phone: +61 2 9553 1691
Fax: +61 2 9553 1692
Mobile: 0419 414 323
eMail: chris at quillsoft.com.au
http://www.quillsoft.com.au

You can download our Public CA Certificate from:-
https://ca.secureanywhere.com/htdocs/cacert.crt
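
The dialect negotiation in the quoted trace ends with the server's Negotiate response, and for NT LM 0.12 its SecurityMode byte tells the client whether to send a plaintext password or a challenge/response hash. The parser below is an added example, not part of the original posts; the sample frames are constructed rather than captured, and `parse_negotiate_response` and `build_sample` are hypothetical names.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32            # fixed SMB1 header size
NTLM012_WORDS = 17         # WordCount of an NT LM 0.12 Negotiate response

# SecurityMode bits in the NT LM 0.12 Negotiate response
USER_LEVEL = 0x01          # user-level (not share-level) security
ENCRYPT_PASSWORDS = 0x02   # server expects challenge/response authentication


def parse_negotiate_response(frame: bytes) -> dict:
    """Parse an SMB1 NT LM 0.12 Negotiate response (NBT session header removed)."""
    if len(frame) < HEADER_LEN + 1 or frame[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 frame")
    if frame[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate message")
    if frame[HEADER_LEN] != NTLM012_WORDS:
        raise ValueError("not an NT LM 0.12 response (WordCount != 17)")
    params = frame[HEADER_LEN + 1 : HEADER_LEN + 1 + 2 * NTLM012_WORDS]
    if len(params) < 2 * NTLM012_WORDS:
        raise ValueError("truncated parameter block")
    # DialectIndex (2 bytes, little-endian) is followed by SecurityMode (1 byte).
    dialect_index, security_mode = struct.unpack_from("<HB", params, 0)
    encrypted = bool(security_mode & ENCRYPT_PASSWORDS)
    return {
        "dialect_index": dialect_index,
        "user_level": bool(security_mode & USER_LEVEL),
        "encrypt_passwords": encrypted,
        "challenge_length": params[33],  # last byte of the parameter block
        "password_mode": "challenge/response" if encrypted else "plaintext",
    }


def build_sample(security_mode: int, challenge: bytes) -> bytes:
    """Constructed test frame, not a capture; dialect index 5 as in the trace."""
    header = SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    params = struct.pack("<HB", 5, security_mode) + bytes(30) + bytes([len(challenge)])
    byte_count = struct.pack("<H", len(challenge))
    return header + bytes([NTLM012_WORDS]) + params + byte_count + challenge


if __name__ == "__main__":
    # One server that asks for plaintext, one that issues an 8-byte challenge.
    for mode, chal in ((0x01, b""), (0x03, bytes(range(8)))):
        print(parse_negotiate_response(build_sample(mode, chal)))
```

A server that reports `password_mode` as `plaintext` is the case the registry workaround above accommodates; enabling Samba's encrypted-password support makes the server set the 0x02 bit instead.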
