[Samba] windows password longer than 8 chars will not work

Tony Wallace hushp1pt at yahoo.com
Tue May 4 05:28:15 GMT 2004

--- Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2004-05-02 at 09:09, Tony Wallace wrote:
> > Hello,
> > 
> > Is there anything I can do to our Samba servers to make Windows
> > passwords longer than 8 characters work?  Thanks.
> > 
> > Our Samba servers use SERVER security, and authenticate against the same
> > Windows 2K logon server (PDC) that serves all our Windows 2K & XP
> > desktops.  Any of us with a Windows network password less than or equal
> > to 8 characters long can mount the Samba shares seamlessly, just like
> > any Windows file server.  However, if you set your Windows password
> > longer than 8 characters, Samba authentication always fails.
> >
> > In general, we know that both Windows and Samba can use longer
> > passwords-  the problem occurs when the Windows desktop client tries to
> > initiate a connection to the Samba server. Passwords longer than 8 just
> > don't get transferred correctly from client to server, or so it seems.
>
> While probably unrelated to your issue, you should move to
> 'security=domain', due to the numerous other known issues with
> 'security=server'.
>
> Have you tried connecting directly to the 'password server'?  Samba
> simply passes the 24 byte authentication response on to that server,
> and doesn't care too much what is inside it.
>
> As the password is hashed first with MD4 (normally) there is nothing
> special about longer/shorter passwords.  Even the DES hash has its
> internal breakup at 7 and a limit of 14, so that's not the issue.
>
> So, it's an issue with the 'password server':
>
> What is the password server running?  What did you use to set the
> password on that server?
>
> If the password server is Samba, are you sure you have not used a buggy
> 'getpass()' function when reading passwords in on that system (well
> known to cut passwords off at 8 chars).  Samba will attempt to replace
> this function, but I suppose it's possible that the configure magic
> might not have fired correctly.
>
> Andrew Bartlett
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net


Andrew, thank you for replying. 

> Have you tried connecting directly to the 'password server'? 

Yes, the password server is also a Windows file server, and we connect
to it frequently- that is, we mount shares on our Windows desktops. 
Never had any problem w/ long passwords in that context. 

> What is the password server running?  What did you use to set the
> password on that server?

The password server is Windows NT.  It is the PDC of the domain that
holds all our personal Windows network logins.  Each individual user
sets/resets their own Windows password via their Windows desktop, in
the usual Windows way. 

One of our Samba systems was run with SECURITY=user instead of
SECURITY=server for several months.  No Windows passwd server. 
Smbpasswd would accept a longer-than-8 pw when run from the Unix
cmdline- but you still could not get a Windows client connection
authenticated until you changed your Samba pw (using smbpasswd) to 8
chars or less. 

The longer-than-8 Windows pw fails only when Win 2K or XP desktops try
to connect to the Samba servers.  The longer pw works fine in every
other respect- on the Windows network, on Solaris, and in smbpasswd.  

Thanks again-

