[Samba] smbpasswd produces INCORRECT sambaNTPasswd hash on ppc (yellowdog 4.0 on xserve G5)
Jarom
jerovich at gmail.com
Sat Nov 20 03:39:14 GMT 2004
I'm having trouble setting up samba as a PDC on an apple xserve, using
yellowdog linux 4.0. After a lot of thrashing, I believe the problem
may be smbpasswd generating the wrong NT hash. Running smbpasswd on a
redhat box (intel architecture) produces the following LDAP entry:

dn: uid=testuser2,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser2
sn: testuser2
uid: testuser2
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/testuser2
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-813279244-2815909583-2512609307-3012
sambaPrimaryGroupSID: S-1-5-21-813279244-2815909583-2512609307-513
displayName: System User
sambaPwdMustChange: 2147483647
sambaAcctFlags: [U ]
sambaPwdCanChange: 1100885825
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4

Running smbpasswd on the Xserve produces the following entry:

dn: uid=testuser1,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser1
sn: testuser1
uid: testuser1
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/testuser1
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-471028381-1047030085-1551032810-3000
sambaPrimaryGroupSID: S-1-5-21-471028381-1047030085-1551032810-513
displayName: System User
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaPwdCanChange: 1100920198
sambaPwdMustChange: 2147483647
sambaNTPassword: CAE238A01BFF98AB2A465882B20D01B7
sambaPwdLastSet: 1100920198
sambaAcctFlags: [U ]
userPassword:: e1NNRDV9Z09tN08zWjJ6TEpOQUNvdDVYN0FQTCs2NWM0PQ==

Notice that the sambaNTPassword: entries are different! And if I run:

[root@localhost /]# smbclient -L localhost -U testuser1%123456
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk
        public          Disk      Repertoire public
        IPC$            IPC       IPC Service (Samba Server 3.0.8)
        ADMIN$          IPC       IPC Service (Samba Server 3.0.8)
        testuser1       Disk      repertoire de testuser1, testuser1
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]

        Server               Comment
        ---------            -------
        PDC-SMB3             Samba Server 3.0.8

        Workgroup            Master
        ---------            -------
        ALLSTATE             PDC-SMB3
        INDIANA              EWC-TECH

Seems to work just fine, but if I try that from the redhat box (or
from a windows machine):

smbclient -L PDC-SMB3 -U testuser1%123456
added interface ip=192.168.1.253 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
session setup failed: NT_STATUS_LOGON_FAILURE

I thought I had resolved the problem by using smbldap-passwd, which
uses Crypt::SmbHash and produces the correct sambaNTPassword. I can
authenticate from the windows box and from the intel redhat box just
fine, even though smbclient -L localhost -U testuser1%123456 from the
Xserve fails. But alas, when I try to add a windows XP box to the
domain I get an access denied error. I've done some googling, but
haven't found the solution to this dilemma. Is anyone else trying this?
Is this a new bug, or am I RTFing the wrong Manual?

smb.conf follows:

# Global parameters
[global]
workgroup = allstate
netbios name = PDC-SMB3
#interfaces = 192.168.5.11
username map = /etc/samba/smbusers
#admin users= @"Domain Admins"
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
log level = 20
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap admin dn = cn=samba,ou=DSA,dc=allstate,dc=network
ldap admin dn =cn=Manager,dc=allstate,dc=network
ldap suffix = dc=allstate,dc=network
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = off
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
#map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"