[Samba] Re: samba 3.0.x / roaming profiles / NT MD4 problems (SOLVED/samba bug?)

Wim Vandermissen wim at bofh.be
Tue Apr 20 09:57:17 GMT 2004


Follow-up to myself ;-)

First, the problem also exists with the smbpasswd and the ldapsamcompat 
backends.

I've "fixed" the problem by putting "map to guest = Never" in the 
smb.conf, this still shows an NT MD4 password checking failed in the 
logs, but I don't get the profiles error anymore. Maybe this is a bug in 
samba?

Logon and logoff now works perfectly with roaming profiles.

--Wim


Wim Vandersmissen wrote:
> Hi,
> 
> I'm setting up a new sambserver, migrating from 2.2.8a with ldap backend 
> to 3.0.x (3.0.2a and 3.0.3pre2 tested) with openldap 2.1.26 backend and 
> using sambaSamAccount
> 
> I'm experiencing the following problem:
> 
> - Roaming profiles sometimes work, sometimes not (most of the time not) 
> and show erratic behaviour like removing the local copy (without having 
> the DeleteRoamingCache key in my registry) on a windows XP with SP1 
> joined to the domain
> 
> I think I've pinpointed the problem to NT MD4 password checking 
> (libsmb/ntlm_check.c:ntlm_password_check(322))
> 
> With debug on 100 and DEBUG_PASSWORD on it shows the following:
> 
> [2004/04/10 22:23:49, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
>   ntlm_password_check: Checking NT MD4 password
> [2004/04/10 22:23:49, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
>   Part password (P16) was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
>   [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
>   Password from client was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
>   [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
>   [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
>   Given challenge was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
>   [000] CE 8D D3 56 F8 7E 7D 7A                           ...V.~}z
>   Value from encryption was |
> [2004/04/10 22:23:49, 100] lib/util.c:dump_data(1864)
>   [000] 22 63 62 8E 2A BD 54 16  D1 0F EE 6C 0F B5 F7 46  "cb.*.T. ...l...F
>   [010] 4E BB D2 52 74 EB B2 09                           N..Rt...
> [2004/04/10 22:23:49, 4] auth/auth_sam.c:sam_account_ok(82)
>   sam_account_ok: Checking SMB password for user testing
> 
> It does that 3 times correctly, I guess it checks the authentication 
> when the user logs on. Now a minute later it checks again, I guess for 
> connecting to the profiles share? but now it fails. What results in 
> Windows XP telling me that it can't find the profiles directory.
> 
> [2004/04/10 22:25:22, 4] libsmb/ntlm_check.c:ntlm_password_check(322)
>   ntlm_password_check: Checking NT MD4 password
> [2004/04/10 22:25:22, 100] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(67)
>   Part password (P16) was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
>   [000] AB A4 5E 23 42 B3 27 7E  03 0C DB 4F 97 48 B6 0E  ..^#B.'~ ...O.H..
>   Password from client was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
>   [000] EE 15 48 95 A2 6C D6 7A  14 C7 00 85 FE 20 D9 92  ..H..l.z ..... ..
>   [010] B4 D0 21 FC F0 FB 7D 61                           ..!...}a
>   Given challenge was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
>   [000] EC F9 F7 3E EE 20 47 E5                           ...>. G.
>   Value from encryption was |
> [2004/04/10 22:25:22, 100] lib/util.c:dump_data(1864)
>   [000] E7 DE 31 72 F0 E2 E1 97  40 2B 15 86 CA 4E 2A 4F  ..1r.... @+...N*O
>   [010] 1D 32 DD 66 AC EA 8B 3C                           .2.f...<
> [2004/04/10 22:25:22, 3] libsmb/ntlm_check.c:ntlm_password_check(338)
>   ntlm_password_check: NT MD4 password check failed for user testing
> 
> 
> When I edit libsmb/ntlm_check.c to always return a NT_STATUS_OK instead 
> of a NT_STATUS_WRONG_PASSWORD the last check ofcourse works and the 
> roaming profiles work perfectly. (but that isn't very secure ;)
> 
> This is my current config, but I've used various mutations of it without 
> success ;)
> 
> Please let me know if you need any more information.
> Thanks,
> 
> --Wim Vandersmissen
> 
> # Global parameters
> [global]
>         dos charset = CP850
>         unix charset = UTF-8
>         display charset = LOCALE
>         workgroup = THEONEW
>         netbios name = OROCHIMARU
>         netbios aliases =
>         netbios scope =
>         server string = %h
>         interfaces =
>         bind interfaces only = No
>         security = USER
>         auth methods =
>         encrypt passwords = Yes
>         update encrypted = No
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>         hosts equiv =
>         min passwd length = 5
>         use cracklib = No
>         map to guest = Bad Password
>         null passwords = No
>         obey pam restrictions = No
>         password server = *
>         smb passwd file = /usr/local/samba/private/smbpasswd
>         private dir = /usr/local/samba/private
>         passdb backend = ldapsam:ldap://localhost
>         algorithmic rid base = 1000
>         root directory =
>         guest account = nobody
>         pam password change = No
>         passwd program =
>         passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>         passwd chat debug = No
>         passwd chat timeout = 2
>         username map =
>         password level = 0
>         username level = 0
>         unix password sync = No
>         restrict anonymous = 0
>         lanman auth = Yes
>         ntlm auth = Yes
>         client NTLMv2 auth = No
>         client lanman auth = Yes
>         client plaintext auth = Yes
>         preload modules =
>         log level = 100
>         syslog = 1
>         syslog only = No
>         log file = /var/log/samba/inverse/%m.log
>         max log size = 50000
>         timestamp logs = Yes
>         debug hires timestamp = No
>         debug pid = No
>         debug uid = No
>         smb ports = 445 139
>         protocol = NT1
>         large readwrite = Yes
>         max protocol = NT1
>         min protocol = CORE
>         read bmpx = No
>         read raw = Yes
>         write raw = Yes
>         disable netbios = No
>         acl compatibility =
>         nt pipe support = Yes
>         nt status support = Yes
>         announce version = 4.9
>         announce as = NT
>         max mux = 50
>         max xmit = 16644
>         name resolve order = lmhosts wins host bcast
>         max ttl = 259200
>         max wins ttl = 518400
>         min wins ttl = 21600
>         time server = No
>         unix extensions = Yes
>         use spnego = Yes
>         client signing = auto
>         server signing = No
>         client use spnego = No
>         change notify timeout = 60
>         deadtime = 0
>         getwd cache = Yes
>         keepalive = 300
>         kernel change notify = Yes
>         lpq cache time = 10
>         max smbd processes = 0
>        paranoid server security = Yes
>         max disk size = 0
>         max open files = 10000
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4096 
> SO_RCVBUF=4096
>         use mmap = Yes
>         hostname lookups = No
>         name cache timeout = 660
>         load printers = Yes
>         printcap name = cups
>         disable spoolss = No
>         enumports command =
>         addprinter command =
>         deleteprinter command =
>         show add printer wizard = Yes
>         os2 driver map =
>         mangling method = hash2
>         mangle prefix = 1
>         stat cache = Yes
>         machine password timeout = 604800
>         add user script =
>         delete user script =
>         add group script =
>         delete group script =
>         add user to group script =
>         delete user from group script =
>         set primary group script =
>         add machine script =
>         shutdown script =
>         abort shutdown script =
>         logon script =
>         logon path = \\%L\profiles\%U
>         logon drive =
>         logon home = \\%N\%U
>         domain logons = Yes
>         os level = 66
>         lm announce = Auto
>         lm interval = 60
>         preferred master = Yes
>         local master = Yes
>         domain master = Yes
>         browse list = Yes
>         enhanced browsing = Yes
>         dns proxy = Yes
>         wins proxy = No
>         wins server =
> 
>        wins support = No
>         wins hook =
>         wins partners =
>         kernel oplocks = Yes
>         lock spin count = 3
>         lock spin time = 10
>         oplock break wait time = 0
>         ldap suffix = "ou=people,dc=theo,dc=be"
>         ldap machine suffix =
>         ldap user suffix =
>         ldap group suffix =
>         ldap idmap suffix =
>         ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))
>         ldap admin dn = "cn=root,dc=theo,dc=be"
>         ldap ssl =
>         ldap passwd sync = no
>         ldap delete dn = No
>         ldap replication sleep = 1000
>         add share command =
>         change share command =
>         delete share command =
>         config file =
>         preload =
>         lock directory = /usr/local/samba/var/locks
>         pid directory = /usr/local/samba/var/locks
>         utmp directory =
>         wtmp directory =
>         utmp = No
>         default service =
>         message command =
>         dfree command =
>         get quota command =
>         set quota command =
>         remote announce =
>         remote browse sync =
>         socket address = 0.0.0.0
>         homedir map =
>         afs username map =
>         time offset = 0
>         NIS homedir = No
>         panic action =
>         host msdfs = No
>         enable rid algorithm = Yes
>         idmap backend =
>         idmap uid =
>        idmap gid =
>         template primary group = nobody
>         template homedir = /home/%D/%U
>         template shell = /bin/false
>         winbind separator = \
>         winbind cache time = 300
>         winbind enable local accounts = Yes
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = No
>         winbind trusted domains only = No
>         comment =
>         path =
>         username =
>         invalid users =
>         valid users =
>         admin users =
>         read list =
>         write list =
>         printer admin = root
>         force user =
>         force group =
>         read only = Yes
>         create mask = 0744
>         force create mode = 00
>         security mask = 0777
>         force security mode = 00
>         directory mask = 0755
>         force directory mode = 00
>         directory security mask = 0777
>         force directory security mode = 00
>         inherit permissions = No
>         inherit acls = No
>         guest only = No
>         guest ok = No
>         only user = No
>         hosts allow =
>         hosts deny =
>         ea support = No
>         nt acl support = Yes
>         profile acls = No
>         map acl inherit = No
>         afs share = No
>         block size = 1024
>         max connections = 0
>        min print space = 0
>         strict allocate = No
>         strict sync = No
>         sync always = No
>         use sendfile = No
>         write cache size = 0
>         max reported print jobs = 0
>         max print jobs = 1000
>         printable = No
>         printing = cups
>         print command =
>         lpq command =
>         lprm command =
>         lppause command =
>         lpresume command =
>         queuepause command =
>         queueresume command =
>         printer name =
>         use client driver = No
>         default devmode = No
>         default case = lower
>         case sensitive = No
>         preserve case = Yes
>         short preserve case = Yes
>         mangle case = No
>         mangling char = ~
>         hide dot files = Yes
>         hide special files = No
>         hide unreadable = No
>         hide unwriteable files = No
>         delete veto files = No
>         veto files =
>         hide files = /desktop.ini/Desktop.ini/
>         veto oplock files =
>         map system = No
>         map hidden = No
>         map archive = Yes
>         mangled names = Yes
>         mangled map =
>         store dos attributes = No
>         browseable = Yes
>         blocking locks = Yes
>         csc policy = manual
>         fake oplocks = No
>         locking = Yes
> 
> 
>         oplocks = Yes
>         level2 oplocks = Yes
>         oplock contention limit = 2
>         posix locking = Yes
>         strict locking = Yes
>         share modes = Yes
>         copy =
>         include =
>         exec =
>         preexec close = No
>         postexec =
>         root preexec =
>         root preexec close = No
>         root postexec =
>         available = Yes
>         volume =
>         fstype = NTFS
>         set directory = No
>         wide links = Yes
>         follow symlinks = Yes
>         dont descend =
>         magic script =
>         magic output =
>         delete readonly = No
>         dos filemode = No
>         dos filetimes = No
>         dos filetime resolution = No
>         fake directory create times = No
>         vfs objects =
>         msdfs root = No
>         msdfs proxy =
> 
> [profiles]
>         path = /mnt/theo/profiles/
>         read only = No
>         profile acls = Yes
>         browseable = No
> 
> 
> 
> 
> 




More information about the samba mailing list