[Samba] 3.4.0 Samba box w/ NT 4 PDC and Win 95 client

Günter Kukkukk linux at kukkukk.com
Sat Jun 5 21:51:19 MDT 2010


On Sunday 06 June 2010 03:10:04, John Lawler wrote:
> Hi guys,
> 
> Thanks for those of you who kept reading after seeing the subject line
> -- I know, it's like a flashback to about 2000 or so, but for mostly
> uninteresting reasons, I've got a situation that I wanted to run by the
> list just in case there's a work around.
> 
> I have an NT 4 server that's the PDC that my new Samba box, running
> 3.4.0 w/ "security = domain" uses to authenticate users for the Samba
> shares.
> 
> This was done to begin migrating away from the NT server, but we still
> need it for the PDC.
> 
> Anyway, I've got everything (finally) working with a little help from
> the list for my Win2k and WinXP clients.  I'm happy with that, but when
> I tried to connect one of the two remaining Win95 machines, I get
> authentication failures.
> 
> The interesting thing is, this worked fine in a couple of older Samba
> boxes I'm running with version 3.0.28, with a very similar configuration
> (security = domain, using the same NT 4 PDC to authenticate, etc.).
> 
> So, the question is, is anyone aware of what might've changed between
> 3.0.28 and 3.4.0 that could affect Win95 clients in this situation?  I
> tried the few ideas I found like:
> 
>    lanman auth = yes
>    client lanman auth = yes
>    client plaintext auth = yes
>    ntlm auth = yes
> 
> (I assume the client options may not do me any good here anyway), and
> I'm still not getting any joy.
> 
> Any help would be greatly appreciated.  Thanks for reading.
> 
> Here are samples of the same Win95 box connecting first to the 3.0.28
> box, which works, and then to the 3.4.0 one, which doesn't:
> 
> ------------------------------------------------------------------------
> 
> [2010/06/04 18:18:45, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(221)
>    check_ntlm_password:  Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(224)
>    check_ntlm_password:  mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(270)
>    check_ntlm_password: winbind authentication for user [NODE008] succeeded
> [2010/06/04 18:18:45, 2] auth/auth.c:check_ntlm_password(309)
>    check_ntlm_password:  authentication for user [NODE008] -> [NODE008]
> -> [MAIN\node008] succeeded
> 
> ------------------------------------------------------------------------
> 
> [2010/06/04 18:25:54,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:25:54,  3] auth/auth.c:222(check_ntlm_password)
>    check_ntlm_password:  Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54,  3] auth/auth.c:225(check_ntlm_password)
>    check_ntlm_password:  mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54,  2] auth/auth.c:320(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [NODE008] -> [NODE008]
> FAILED with error NT_STATUS_LOGON_FAILURE
> [2010/06/04 18:25:54,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:25:54,  3] auth/auth.c:222(check_ntlm_password)
>    check_ntlm_password:  Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54,  3] auth/auth.c:225(check_ntlm_password)
>    check_ntlm_password:  mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54,  2] auth/auth.c:320(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [NODE008] -> [NODE008]
> FAILED with error NT_STATUS_LOGON_FAILURE
> 
> ------------------------------------------------------------------------
> 
Hi John,

make sure that
    lanman auth = yes
is still set in your smb.conf.

As root run 'pdbedit -Lw' to list all configured samba users in the old ASCII smbpasswd format.

All users listed with _both_ the LANMAN and the NT hash have valid stored password hashes for the
old legacy case and the newer ones - like:
linux:1003:BBBBD20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U          ]:LCT-4B1ED764:
Those listed users should be able to logon.

In case you get user entries like
linux:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B123664EC733B395A7260A3A08D9C699:[U          ]:LCT-4B1ED796:
the old LANMAN hash is no longer available and a legacy logon will fail.

What you can do:

1.) make sure that "lanman auth = yes" is still set in your smb.conf
2.) for all your win95 client users listed as "....XXXXXXXXXXXXXXXXX...." above, you need to run (as root)
    smbpasswd username
    (or even smbpasswd -a username )
    You need to enter the user's password twice as usual
    This procedure will re-install the LANMAN hash again (and also the NT hash!)
3.) check again with 'pdbedit -Lw' that the LANMAN hash is now available for your win95 users

Please note that setting "lanman auth = yes" implies a security problem.

Cheers, Günter

BTW - never ever post the above-mentioned LANMAN and NT hashes to the public - they are like
plaintext passwords (so my ones above are scrambled by intention)
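
The check described in the reply above, as an added example that is not part of the original post: a POSIX shell filter for the output of 'pdbedit -Lw' that reports which accounts have no stored LANMAN hash, without ever echoing a hash value. The function names and the sample accounts are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify smbpasswd-format lines,
# as printed by 'pdbedit -Lw', by which password hashes are stored.
# Only the username and a status word are printed, never the hash fields.

# Reads smbpasswd-format lines on stdin; prints "username<TAB>status".
# A field counts as a stored hash only if it is exactly 32 hex digits, so the
# all-X placeholder shown in the post is treated as "no hash".
lanman_audit() {
    awk -F: '
        function is_hash(f) { return length(f) == 32 && f ~ /^[0-9A-Fa-f]+$/ }
        /^#/ || NF < 6 { next }            # skip comments and malformed lines
        {
            lm = is_hash($3); nt = is_hash($4)
            if (lm && nt) status = "LM+NT"
            else if (nt)  status = "NT-only"
            else if (lm)  status = "LM-only"
            else          status = "no-hash"
            print $1 "\t" status
        }'
}

# Usernames with no stored LANMAN hash: the accounts step 2 of the reply
# applies to if they must log on from a Win95 client.
needs_lanman_reset() {
    lanman_audit | awk -F'\t' '$2 == "NT-only" || $2 == "no-hash" { print $1 }'
}

# Constructed sample input (made-up users and hash values, not real accounts).
sample_lines() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
EOF
}

# Demo on the sample; on a real server, as root: pdbedit -Lw | needs_lanman_reset
sample_lines | lanman_audit
```

The "LM+NT" rows are equally useful read the other way: they are the accounts that still carry a LANMAN hash and so fall under the security note in the reply.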

