[Samba] Login Attempt Resets Password in smbpasswd

TAKAHASHI Motonobu monyo at monyo.com
Fri May 4 10:57:50 MDT 2012

From: Andrew Martin <amartin at xes-inc.com>
Date: Wed, 02 May 2012 13:23:47 -0500 (CDT)

> I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy
> support, I am using a smbpasswd file (chmod 600) instead of the
> newer tdbsam database.


> Samba is not a PDC, however the Windows accounts on client machines
> have the same credentials as are stored in smbpasswd, so the share
> is automatically authenticated. I have observed that if a user is
> required to enter their password, e.g. their Windows password is not
> the same as in smbpasswd, then their password in smbpasswd gets
> reset. For example, before attempting to connect, user1's entry in
> smbpasswd looks like this (password hashes randomized in example
> below): 
> user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 
> After the user attempts to connect, and enters the wrong credentials, 
> user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 
> Thus if the user then tries a second time with the correct password,
> they are unable to login. If the correct password is supplied the
> first time, then no change is made to smbpasswd. Sometimes the
> password gets changed to XXXXX... even after a successful
> login. When this error occurs, nothing is logged in /var/log or
> /var/log/samba. An strace of the parent smbd process reveals only
> the following: 
> Do you have any ideas on why the smbpasswd file is being changed,
> and how to correct this behavior so the smbpasswd file is not
> changed?

This behavior (changing the former password string changes XXXXX...)
is expected unless you explicitly enable "lanman auth = yes". 

In smb.conf(5):

When this parameter is set to no this will also result in
sambaLMPassword in Samba's passdb being blanked after the next
password change. As a result of that lanman clients won't be able
to authenticate, even if lanman auth is reenabled later on.

The former part, LANMAN hash is no longer used unless if you
connect to Samba from Windows 9x.

> Thus if the user then tries a second time with the correct password,
> they are unable to login.

As far as I examined, users can login...

Could you examine to reboot the client and try to connect to the Samba
server after changing password string to XXXXX...

Why I say "reboot" is that it is the easiest way to clear
authentication cache. Basically "reboot" is not required.

TAKAHASHI Motonobu <monyo at monyo.com>

More information about the samba mailing list