[Samba] Samba 4 empty password

Andrew Bartlett abartlet at samba.org
Wed Aug 7 23:30:12 MDT 2013

On Wed, 2013-08-07 at 13:56 +0000, Fink Oliver wrote:
> Hello,
> We are trying to set up a SAMBA-Server with users that have empty passwords.
> We are using:
> Samba 4.0.8
> Kernel 3.10.5
> Slackware 14.0 x64
> When we set a password the login succeeds!
> That's what we get when trying to login:

>  Kerberos: Looking for ENC-TS pa-data -- media1 at BC
> [2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1 at BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1 at BC

This means the KDC had a different hash to the one the user encrypted the time with.  

Aside from the flag 'ACB_NOPWREQ' (which does *not* mean no password
required; it actually means no password requirements, i.e. no minimum
length), the KDC doesn't know the length (even zero length) of the
password; it just performs calculations based on the stored hash.

How did you set the 'empty' password in Samba?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
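
Added example, not part of the original message and not Samba or Heimdal code: a simplified model of the ENC-TS pre-authentication check discussed above, showing that an empty password still derives a definite key and that the KDC's verdict depends only on whether its stored key matches. Assumptions: only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key is used (the final AES DK stage and the actual encryption are omitted and replaced by a 96-bit HMAC-SHA1 tag), and the salt, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ITERATIONS = 4096  # default PBKDF2 iteration count in RFC 3962


def derive_key(password: str, salt: str) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (AES DK stage omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS, dklen=32)


def client_enc_ts(password: str, salt: str, now: int) -> bytes:
    """Client side: timestamp plus a 96-bit HMAC-SHA1 tag under the password key."""
    body = struct.pack(">Q", now)
    tag = hmac.new(derive_key(password, salt), body, hashlib.sha1).digest()[:12]
    return body + tag


def kdc_check(stored_key: bytes, pa_data: bytes, now: int, skew: int = 300) -> str:
    """KDC side: only the stored key is consulted; the password is never seen."""
    body, tag = pa_data[:8], pa_data[8:]
    expected = hmac.new(stored_key, body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(tag, expected):
        return "integrity check failed"
    (ts,) = struct.unpack(">Q", body)
    return "ok" if abs(now - ts) <= skew else "clock skew too great"


def demo() -> dict:
    salt = "BCmedia1"   # constructed: realm followed by principal name
    now = 1375882306    # constructed timestamp
    pa_data = client_enc_ts("", salt, now)  # user types an empty password
    return {
        # KDC holds the key derived from the empty string: the tag verifies.
        "kdc_has_empty_password_key":
            kdc_check(derive_key("", salt), pa_data, now),
        # KDC holds any other key: the failure seen in the quoted log.
        "kdc_has_other_key":
            kdc_check(derive_key("constructed-placeholder", salt), pa_data, now),
    }


if __name__ == "__main__":
    print(demo())
```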
