[Samba] Dispelling Myths About Samba Encrypted passwords, NT_STATUS_LOGON _FAILURE and XP
abartlet at samba.org
abartlet at samba.org
Sun May 12 18:39:02 GMT 2002
On Mon, May 13, 2002 at 10:46:53AM +1000, David Balnaves wrote:
> Hi,
>
> I've been using samba for a while now with relatively simple configurations.
> I do however have a few questions:
>
> * When using encrypted passwords with samba, is it possible to authenticate
> users using the Unix user password(/etc/passwd)?
No.
> * When using smbclient I get the error NT_STATUS_LOGON_FAILURE:
>
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david at Wintermute:~$ smbclient -L wintermute -U david
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david at Wintermute:~$ smbclient -L wintermute -U root
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> When nothing is entered in the password prompt:
>
> david at Wintermute:~$ smbclient -L wintermute
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> Anonymous login successful
> * What does this error mean? (What's it caused by?) And how can I fix it?
NT_STATUS_LOGON_FAILURE means that the password you entered was incorrect, or
the user doesn't exist. For a samba server, this also includes the case
that the user has no encrypted password stored on the system.
smbclient will attempt an anonymous logon if you don't specify a password,
and some information (the share listing in this case) is available anonymously.
> * Does definition of WorkGroups change across different Windows versions?
Not particularly, but people usually move up to a domain when dealing with NT.
> * Lastly, is there any tricks involved in getting samba to work with Windows
> XP? I want it so it uses the unix user authentication if possible. I've
> loaded the WinXP_SignOrSeal.reg patch on XP. I also loaded the
> Win2000_PlainPassword.reg in the hope I could access my shares from my XP
> box.
The SignOrSeal should not be required - as you are not a PDC. Using plaintext
passwords will cause Windows > NT4 SP3 and > Win95OSR1 to always prompt for a
password (as a 'do you really wan to do this' measure). They won't even
go past a negprot (not authorised to log in from this workstation) without
the registry hack.
This is why Samba 3.0 will default to 'encryupt passwords = yes' and why
this has been the default in most distribution's smb.conf files for a
long time.
Andrew Bartlett
More information about the samba
mailing list