[Samba] Login Attempt Resets Password in smbpasswd
Andrew Martin
amartin at xes-inc.com
Wed May 2 12:23:47 MDT 2012
Hello,
I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy support, I am using a smbpasswd file (chmod 600) instead of the newer tdbsam database. It is also worth noting that this server also has LDAP authentication enabled (for SSH access). Clients access Samba from both Windows 7 and Windows XP. The smb.conf file is as follows:
[global]
workgroup = HOME
printcap name = /etc/printcap
load printers = no
printing = lprng
log file = /var/log/samba/%m.log
max log size = 0
security = user
encrypt passwords = true
passdb backend = smbpasswd
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 65
domain master = no
preferred master = no
name resolve order = wins bcast host lmhosts
wins server = xxx.xxx.xxx.xxx
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
[MyShare]
path = /mnt/MyShare
browseable = yes
public = yes
guest ok = yes
writable = yes
printable = no
create mode = 0664
directory mode = 0775
veto oplock files = /*mgc*/
force create mode = 0660
force directory mode = 0660
Samba is not a PDC; however, the Windows accounts on client machines have the same credentials as are stored in smbpasswd, so the share is automatically authenticated. I have observed that if a user is required to enter their password, e.g. their Windows password is not the same as in smbpasswd, then their password in smbpasswd gets reset. For example, before attempting to connect, user1's entry in smbpasswd looks like this (password hashes randomized in example below):
user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
After the user attempts to connect and enters the wrong credentials:
user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
Thus if the user then tries a second time with the correct password, they are unable to log in. If the correct password is supplied the first time, then no change is made to smbpasswd. Sometimes the password gets changed to XXXXX... even after a successful login. When this error occurs, nothing is logged in /var/log or /var/log/samba. An strace of the parent smbd process reveals only the following:
gettimeofday({1335971419, 254991}, NULL) = 0
select(27, [6 24 25 26], [], NULL, {9999, 0}) = 1 (in [24], left {9993, 133747})
gettimeofday({1335971425, 122816}, NULL) = 0
accept(24, {sa_family=AF_INET, sin_port=htons(61726), sin_addr=inet_addr("192.168.1.20")}, [16]) = 28
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f07d9ead9f0) = 4371
close(28) = 0
gettimeofday({1335971425, 133599}, NULL) = 0
Do you have any ideas on why the smbpasswd file is being changed, and how to correct this behavior so the smbpasswd file is not changed?
Thanks,
Andrew
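
Added example, not part of the original message and not Samba code: a small Python checker that parses two snapshots of an smbpasswd file and reports, per user, which field changed and whether the last-change-time (LCT) field moved. The sample input is the pair of user1 entries from the post (whose hashes the post says are randomized); the function names are hypothetical.

```python
import re

# Constructed input: the two user1 entries as they appear in the post.
BEFORE = "user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:\n"
AFTER = "user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:\n"

FIELDS = ("user", "uid", "lm_hash", "nt_hash", "flags", "lct")
UNSET = "X" * 32  # 32 'X' characters: placeholder, no hash stored in this field


def parse_smbpasswd(text):
    """Return {username: {field: value}} for every non-comment entry."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 6:
            raise ValueError(f"malformed smbpasswd entry: {line!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts[:6]))
    return entries


def hash_state(value):
    """Classify a hash field without ever printing the hash itself."""
    if value == UNSET:
        return "unset"
    if value.upper().startswith("NO PASSWORD"):
        return "null-password"
    return "hash" if re.fullmatch(r"[0-9A-Fa-f]{32}", value) else "malformed"


def diff_snapshots(before, after):
    """List per-user field changes between two snapshots of the file."""
    old, new = parse_smbpasswd(before), parse_smbpasswd(after)
    findings = []
    for user in sorted(old.keys() & new.keys()):
        changed = [f for f in FIELDS if old[user][f] != new[user][f]]
        if changed:
            findings.append({
                "user": user,
                "changed": changed,
                "lm": (hash_state(old[user]["lm_hash"]), hash_state(new[user]["lm_hash"])),
                "nt": (hash_state(old[user]["nt_hash"]), hash_state(new[user]["nt_hash"])),
                "lct_updated": "lct" in changed,
            })
    return findings


if __name__ == "__main__":
    for finding in diff_snapshots(BEFORE, AFTER):
        print(finding)
```

For the entries in the post, this reports that only the LM hash field changed (from a hash to the all-X placeholder) while the NT hash, flags and LCT value stayed the same.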