[Samba] Sudden authentication failures, hex dumps in log.samba
abartlet at samba.org
Tue May 14 10:31:25 MDT 2013
On Tue, 2013-05-14 at 11:04 +0300, Pekka L.J. Jalkanen wrote:
> On 14.5.2013 8:04, Andrew Bartlett wrote:
> > On Mon, 2013-05-13 at 14:24 +0300, Pekka L.J. Jalkanen wrote:
> >>> Any ideas how to resolve this problem?
> >> No comments, it seems.
> >> I can see that even if this is a bug in Samba it would be really hard to
> >> reproduce. But it's really frustrating too, because if the
> >> authentication isn't reliable I sort of have to keep the Windows DC around.
> >> So if somebody would have an enlightened suggestion what to do, I'd be
> >> grateful.
> >> The only idea I'm having myself would be to recreate the machine
> >> accounts of the computers in question, but that'd be just a shot in the
> >> dark, and if the problem lies within the user accounts instead, that
> >> wouldn't help.
> > G'Day,
> > I'm sorry I haven't been able to get back to you.
> Please don't. I've had all too many questions for you already. Thank you
> for your patience with me!
> > The issue is the same
> > for all of these accounts. We simply have a password encoded in a
> > format that we do not correctly parse. The 00 20 stuff is literally
> > some unicode space (ie the spacebar, yes!) padding that is in this
> > structure.
> Huh?! Now I'm surprised, both about that there is such a parsing problem
> and that the problem is _that_ trivial.
> Shouldn't this mean that I can most likely work the problem away by
> simply changing the passwords of these users? Now that would be great
> news indeed!
Yes, if I'm understanding it correctly.
> > I need to get both and encrypted copy of the data and some time to work
> > over it, so we can correct this issue in our IDL.
> You already have a complete copy of our Samba DC's DB due to that
> exportkeytab issue. I can send you nonsanitised logs separately so that
> you can see the relevant account names. Is that enough, or do you need
> me to try to make an actual packet capture of this problem?
The exportkeytab issue is the same issue. You are just seeing the same
failure to read the password for a particular account in multiple ways.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba