[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
garydale at torfree.net
Mon Feb 26 20:28:19 GMT 2007
The obvious question is, why would you want a null password to begin
with? This seems to me to be a serious security problem.
If it's for new users, give them a temporary password through a secure
channel and require them to change it the first time they log on.
Todd Pfaff wrote:
> I've had no responses to this question yet, and I'm still stuck with
> this problem. Can anybody help, please?
> Is this a capability of samba that not many people take advantage of?
> Or am I trying to do something that just isn't possible anymore?
> Picking through the level 10 debug log of smbd, I see this:
> [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
> Account for user 'testuser' has no password and null passwords are NOT
> [2007/02/26 11:49:36, 9]
> No bad password attempts.
> [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
> check_ntlm_password: sam authentication for user [testuser] FAILED with
> error NT_STATUS_LOGON_FAILURE
> Is it no longer possible for a user to change their own samba password
> from null "NO PASSWORD" using the smbpasswd command?
> Todd Pfaff <pfaff at mcmaster.ca>
> Research & High-Performance Computing Support
> McMaster University, Hamilton, Ontario, Canada
> On Thu, 22 Feb 2007, Todd Pfaff wrote:
>> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux
>> systems and we've noticed a change in behaviour of smbpasswd when a
>> non-root user tries to change their password from "NO PASSWORD".
>> Here's an example smbpasswd entry (all one line):
>> testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>> NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
>> The possibly related settings in our smb.conf are:
>> encrypt passwords = yes
>> security = user
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *password:* %n\n *password* %n\n *successfully*
>> null passwords = no
>> Since "null passwords = no" a user with "NO PASSWORD" should not be
>> able to login to the samba account. That's working as expected.
>> In past versions of samba, testuser could login to the linux account,
>> run smbpasswd, enter an empty old password, and set a new password.
>> Now when we try this we get this failure:
>> [testuser at localhost ~]$ smbpasswd
>> Old SMB password:
>> New SMB password:
>> Retype new SMB password:
>> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>> Failed to change password for testuser
>> Does anyone know why this failure is happening now?
>> Was the behaviour of smbpasswd changed intentionally?
>> If so, in what samba version did this change happen?
>> Is there an alternative way to achieve the smbpasswd
>> behaviour that we had in the past?
>> Todd Pfaff <pfaff at mcmaster.ca>
>> Research & High-Performance Computing Support
>> McMaster University, Hamilton, Ontario, Canada
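An added example, not part of the original thread and not Samba's own code: a small audit that reads smbpasswd-format text like the entry quoted above and reports accounts that have no password set, graded by the `null passwords` setting discussed in the thread. The function name `audit`, the status labels and every sample line except testuser's are assumptions made for the example.

```python
NULL_MARKER = "NO PASSWORD"  # text that fills a hash field when no password is set

# Constructed sample; the testuser line is the entry quoted in the thread,
# joined onto one line. alice, bob and the last line are made up.
SAMPLE = """\
testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U ]:LCT-45E34A13:
bob:1002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU ]:LCT-00000000:
not an smbpasswd entry
"""


def audit(text, null_passwords=False):
    """Return (findings, malformed line numbers); null_passwords mirrors smb.conf."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Expected layout: name:uid:LM hash:NT hash:[flags]:LCT-...:
        if len(fields) < 5 or not fields[1].isdigit():
            malformed.append(lineno)
            continue
        user, uid, _lm, nt, flags = fields[:5]
        flagset = set(flags.strip("[]")) - {" "}
        reasons = []
        if "N" in flagset:
            reasons.append("N flag")
        if nt.startswith(NULL_MARKER):
            reasons.append("NT hash is NO PASSWORD")
        if not reasons:
            continue
        if "D" in flagset:
            status = "disabled"
        elif null_passwords:
            status = "open"     # an empty password is accepted at logon
        else:
            status = "blocked"  # logon refused, as in the debug log above
        findings.append({"user": user, "uid": int(uid),
                         "reasons": reasons, "status": status})
    return findings, malformed


if __name__ == "__main__":
    for f in audit(SAMPLE)[0]:
        print(f"{f['user']} (uid {f['uid']}): {', '.join(f['reasons'])} -> {f['status']}")
```

Pass `null_passwords=True` when the server's smb.conf has `null passwords = yes`; the same accounts are then reported as `open` instead of `blocked`.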