[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour

Gary Dale garydale at torfree.net
Mon Feb 26 20:28:19 GMT 2007


The obvious question is, why would you want a null password to begin 
with? This seems to me to be a serious security problem.

If it's for new users, give them a temporary password through a secure 
channel and require them to change it the first time they log on.


Todd Pfaff wrote:
> I've had no responses to this question yet, and I'm still stuck with 
> this problem.  Can anybody help, please?
>
> Is this a capability of samba that not many people take advantage of?
>
> Or am I trying to do something that just isn't possible anymore?
>
> Picking through the level 10 debug log of smbd, I see this:
>
>   [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
>   Account for user 'testuser' has no password and null passwords are NOT
>   allowed.
>   [2007/02/26 11:49:36, 9]
>   passdb/passdb.c:pdb_update_bad_password_count(1373)
>   No bad password attempts.
>   [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
>   check_ntlm_password: sam authentication for user [testuser] FAILED with
>   error NT_STATUS_LOGON_FAILURE
>
>
> Is it no longer possible for a user to change their own samba password 
> from null "NO PASSWORD" using the smbpasswd command?
>
> -- 
> Todd Pfaff <pfaff at mcmaster.ca>
> Research & High-Performance Computing Support
> McMaster University, Hamilton, Ontario, Canada
> http://www.rhpcs.mcmaster.ca/~pfaff
>
> On Thu, 22 Feb 2007, Todd Pfaff wrote:
>
>> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux 
>> systems and we've noticed a change in behaviour of smbpasswd when a 
>> non-root user tries to change their password from "NO PASSWORD".
>>
>> Here's an example smbpasswd entry (all one line):
>>
>>  testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>>  NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
>>
>>
>> The possibly related settings in our smb.conf are:
>>
>>  encrypt passwords = yes
>>  security = user
>>  unix password sync = yes
>>  passwd program = /usr/bin/passwd %u
>>  passwd chat = *password:* %n\n *password* %n\n *successfully*
>>  null passwords = no
>>
>>
>> Since "null passwords = no" a user with "NO PASSWORD" should not be 
>> able to log in to the samba account.  That's working as expected.
>>
>> In past versions of samba, testuser could log in to the linux account, 
>> run smbpasswd, enter an empty old password, and set a new password.
>>
>> Now when we try this we get this failure:
>>
>>  [testuser at localhost ~]$ smbpasswd
>>  Old SMB password:
>>  New SMB password:
>>  Retype new SMB password:
>>  Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>>  Failed to change password for testuser
>>
>>
>> Does anyone know why this failure is happening now?
>>
>> Was the behaviour of smbpasswd changed intentionally?
>> If so, in what samba version did this change happen?
>>
>> Is there an alternative way to achieve the smbpasswd
>> behaviour that we had in the past?
>>
>>
>> Thanks,
>> -- 
>> Todd Pfaff <pfaff at mcmaster.ca>
>> Research & High-Performance Computing Support
>> McMaster University, Hamilton, Ontario, Canada
>> http://www.rhpcs.mcmaster.ca/~pfaff
>>
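
Added example (not part of the original thread, and not Samba project code): a small audit script that parses smbpasswd-format lines like the one quoted above and lists accounts that have no password set, so they can be given a temporary password before they become an exposure. It assumes the account-flag letters N (no password) and D (disabled) from the smbpasswd file format; the sample entries are constructed, and the function and field names are hypothetical.

```python
import re

NULL_MARK = "NO PASSWORD"  # literal marker shown in the entry quoted in the thread

# Constructed sample entries (not real accounts or hashes).
SAMPLE = "\n".join([
    "testuser:12345:" + NULL_MARK + "X" * 21 + ":" + NULL_MARK + "X" * 21
    + ":[NU         ]:LCT-00000000:",
    "alice:12346:" + "A" * 32 + ":" + "B" * 32 + ":[U          ]:LCT-45E34B13:",
    "bob:12347:" + NULL_MARK + "X" * 21 + ":" + NULL_MARK + "X" * 21
    + ":[NDU        ]:LCT-00000000:",
    "# comment",
    "broken:line",
])

# name:uid:LM field (32 chars):NT field (32 chars):[flags]:LCT-<8 hex digits>:
ENTRY = re.compile(
    r"^(?P<user>[^:#][^:]*):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[A-Za-z ]+)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

def audit(text, null_passwords_allowed=False):
    """Return (findings, unparsed): no-password accounts and unparsable line numbers."""
    findings, unparsed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            unparsed.append(n)  # report rather than silently skip
            continue
        flags = set(m["flags"].replace(" ", ""))
        null_pw = ("N" in flags or m["lm"].startswith(NULL_MARK)
                   or m["nt"].startswith(NULL_MARK))
        if not null_pw:
            continue
        disabled = "D" in flags
        findings.append({
            "user": m["user"],
            "disabled": disabled,
            "lct_zero": int(m["lct"], 16) == 0,
            # Exposed only if smb.conf has "null passwords = yes" and account is enabled.
            "passwordless_login": null_passwords_allowed and not disabled,
        })
    return findings, unparsed

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(finding)
```

Pass null_passwords_allowed=True to see which of the flagged accounts would accept an empty password if "null passwords" were switched on in smb.conf.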


