[Samba] Login Attempt Resets Password in smbpasswd

Andrew Martin amartin at xes-inc.com
Wed May 2 12:23:47 MDT 2012 

Hello, 


I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy support, I am using a smbpasswd file (chmod 600) instead of the newer tdbsam database. It is also worth noting that this server also has LDAP authentication enabled (for SSH access). Clients access Samba from both Windows 7 and Windows XP. The smb.conf file is as follows: 

[global] 
workgroup = HOME 
printcap name = /etc/printcap 
load printers = no 
printing = lprng 
log file = /var/log/samba/%m.log 
max log size = 0 
security = user 
encrypt passwords = true 
passdb backend = smbpasswd 
smb passwd file = /etc/samba/smbpasswd 
unix password sync = Yes 
passwd program = /usr/bin/passwd %u 
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* 
pam password change = yes 
obey pam restrictions = yes 
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
local master = no 
os level = 65 
domain master = no 
preferred master = no 
name resolve order = wins bcast host lmhosts 
wins server = xxx.xxx.xxx.xxx 
dns proxy = no 
idmap uid = 16777216-33554431 
idmap gid = 16777216-33554431 
template shell = /bin/false 
winbind use default domain = no 
[MyShare] 
path = /mnt/MyShare 
browseable = yes 
public = yes 
guest ok = yes 
writable = yes 
printable = no 
create mode = 0664 
directory mode = 0775 
veto oplock files = /*mgc*/ 
force create mode = 0660 
force directory mode = 0660 


Samba is not a PDC, however the Windows accounts on client machines have the same credentials as are stored in smbpasswd, so the share is automatically authenticated. I have observed that if a user is required to enter their password, e.g. their Windows password is not the same as in smbpasswd, then their password in smbpasswd gets reset. For example, before attempting to connect, user1's entry in smbpasswd looks like this (password hashes randomized in example below): 
user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 


After the user attempts to connect, and enters the wrong credentials, 
user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 


Thus if the user then tries a second time with the correct password, they are unable to login. If the correct password is supplied the first time, then no change is made to smbpasswd. Sometimes the password gets changed to XXXXX... even after a successful login. When this error occurs, nothing is logged in /var/log or /var/log/samba. An strace of the parent smbd process reveals only the following: 
gettimeofday({1335971419, 254991}, NULL) = 0 
select(27, [6 24 25 26], [], NULL, {9999, 0}) = 1 (in [24], left {9993, 133747}) 
gettimeofday({1335971425, 122816}, NULL) = 0 
accept(24, {sa_family=AF_INET, sin_port=htons(61726), sin_addr=inet_addr("192.168.1.20")}, [16]) = 28 
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f07d9ead9f0) = 4371 
close(28) = 0 
gettimeofday({1335971425, 133599}, NULL) = 0 


Do you have any ideas on why the smbpasswd file is being changed, and how to correct this behavior so the smbpasswd file is not changed? 


Thanks, 


Andrew

More information about the samba mailing list