[Samba] Just a simple smbpasswd authentication won't work

Carlyle Sutphen carlyle.sutphen at db.com
Fri Oct 9 03:42:47 MDT 2009


Hello List.

We have a number of working ADS servers. One of our clients is not in the Kerberized domain, so their users log in via NIS. Having looked at the options for enabling NIS authentication, I have decided to use the smbpasswd. Now I can't get that to work.

I used smbpasswd to create two users, one created locally in /etc/passwd and one that already exists in NIS. Not only can I not map the share to my XP workstation as either user, I am also unable to change the password.

I will include the failed password change and the server configuration followed by a log excerpt from the session.

Here is the location of the smbpasswd file:
# l /export/samba/var/private
total 40
drwxr-x---    2 root     system          512 Oct 09 10:17 .
drwxr-x---    5 root     system          512 Oct 07 18:13 ..
-rw-------    1 root     system         8192 Oct 09 11:37 secrets.tdb
-rw-------    1 root     system          325 Oct 09 09:44 smbpasswd

And:
# cat /export/samba/var/private/smbpasswd
nobody:4294967294:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
test:200:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-4ACEE647:
zgunchr:2289386:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-4ACEE9EC:

Now the failed smbpasswd session:
smbpasswd -r fracosmad3
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine fracosmad3: NT_STATUS_LOGON_FAILURE
Failed to change password for test

The configuration:

[global]
  security = USER
  workgroup = GWG
  wins server = fraeswwnp1.de.db.com,mhgeswwnp1.de.db.com
  server string = GWG
  dns proxy = no
  encrypt passwords = yes
  client ntlmv2 auth = yes
  lanman auth = no
  ntlm auth = no
  deadtime = 5
  hide dot files = yes
  bind interfaces only = yes
  max log size = 4096
  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
  username map = /export/samba/etc/username.map
  pid directory = /export/samba/var/locks
  private dir = /export/samba/var/private
  interfaces = 10.216.5.45
  netbios name = fracosmad3
  netbios aliases = GWG
  log level = 3
  log file = /export/samba/var/log/log.samba
  nis homedir = no

[gwgro]
        comment = GWG Read Only User
        path = /home/gwgro
        valid users = gwgro,test
        read only = No
        writable = yes

Log excerpt:
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 3] smbd/sesssetup.c:reply_sesssetup_and_X(822)
  wct=12 flg2=0xc801
[2009/10/09 10:54:43, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(633)
  Doing spnego session setup
[2009/10/09 10:54:43, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/10/09 10:54:43, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
  Got user=[test] domain=[] workstation=[FRACOSMAD3] len1=24 len2=24
[2009/10/09 10:54:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user []\[test]@[FRACOSMAD3] with the new password interface
[2009/10/09 10:54:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [FRACOSMAD3]\[test]@[FRACOSMAD3]
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/10/09 10:54:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 2] libsmb/ntlm_check.c:ntlm_password_check(349)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user test
[2009/10/09 10:54:43, 3] libsmb/ntlm_check.c:ntlm_password_check(356)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user test
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [test] -> [test] FAILED with error NT_STATUS_WRONG_PASSWORD
[2009/10/09 10:54:43, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/09 10:54:43, 2] smbd/server.c:exit_server(614)
  Closing connections
[2009/10/09 10:54:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2009/10/09 10:54:43, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)

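A triage script for the log excerpt in the post, added here as an example and not part of the original message or of Samba: it pairs each header line with its indented message and summarises each NTLMSSP attempt (response lengths, the `ntlm_password_check` findings, the final status). The function names, the `SAMPLE_LOG` lines (abridged from the excerpt) and the size-based NTLMv1/NTLMv2 label are assumptions of this example.

```python
import re

# Sample input: lines abridged from the log excerpt in the post above.
SAMPLE_LOG = """\
[2009/10/09 10:54:43, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
  Got user=[test] domain=[] workstation=[FRACOSMAD3] len1=24 len2=24
[2009/10/09 10:54:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/10/09 10:54:43, 2] libsmb/ntlm_check.c:ntlm_password_check(349)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user test
[2009/10/09 10:54:43, 3] libsmb/ntlm_check.c:ntlm_password_check(356)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user test
[2009/10/09 10:54:43, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [test] -> [test] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[[^\]]+\]\s+\S+:(?P<func>\w+)\(\d+\)")
GOT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\] len1=(\d+) len2=(\d+)")
RESULT = re.compile(r"Authentication for user \[.*?\] -> \[.*?\] FAILED with error (\S+)")

def records(text):
    """Return [function, message] pairs: a header line plus its indented body."""
    out = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            out.append([m["func"], ""])
        elif out and line.startswith(" "):
            out[-1][1] += line.strip() + " "
    return out

def nt_response_kind(nt_len):
    # Size heuristic: an NTLMv1 NT response is exactly 24 bytes; NTLMv2 ones are longer.
    kinds = {0: "none", 24: "NTLMv1-sized"}
    return kinds.get(nt_len, "NTLMv2-sized" if nt_len > 24 else "unknown")

def summarize(text):
    """Return one dict per authentication attempt found in the log."""
    attempts, cur = [], None
    for func, msg in records(text):
        if func == "ntlmssp_server_auth" and (m := GOT.search(msg)):
            cur = {"user": m[1], "workstation": m[3], "lm_len": int(m[4]), "nt_len": int(m[5]),
                   "nt_kind": nt_response_kind(int(m[5])), "checks": [], "status": None}
            attempts.append(cur)
        elif cur and func == "ntlm_password_check":
            cur["checks"].append(msg.split(": ", 1)[-1].strip())
        elif cur and func == "check_ntlm_password" and (m := RESULT.search(msg)):
            cur["status"] = m[1]
            cur = None  # attempt finished; later lines belong to the next one
    return attempts
```

Run over the posted excerpt, the summary shows a 24-byte NT response for user `test` on a server whose configuration sets `ntlm auth = no`, followed by the "NTLMv1 passwords NOT PERMITTED" check and the final `NT_STATUS_WRONG_PASSWORD`.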