[Samba] Sudden authentication failures, hex dumps in log.samba

Andrew Bartlett abartlet at samba.org
Tue May 14 10:31:25 MDT 2013 

On Tue, 2013-05-14 at 11:04 +0300, Pekka L.J. Jalkanen wrote:
> On 14.5.2013 8:04, Andrew Bartlett wrote:
> > On Mon, 2013-05-13 at 14:24 +0300, Pekka L.J. Jalkanen wrote:
> > 
> >>> Any ideas how to resolve this problem?
> >>
> >> No comments, it seems.
> >>
> >> I can see that even if this is a bug in Samba it would be really hard to
> >> reproduce. But it's really frustrating too, because if the
> >> authentication isn't reliable I sort of have to keep the Windows DC around.
> >>
> >> So if somebody would have an enlightened suggestion what to do, I'd be
> >> grateful.
> >>
> >> The only idea I'm having myself would be to recreate the machine
> >> accounts of the computers in question, but that'd be just a shot in the
> >> dark, and if the problem lies within the user accounts instead, that
> >> wouldn't help.
> > 
> > G'Day,
> > 
> > I'm sorry I haven't been able to get back to you.
> 
> Please don't. I've had all too many questions for you already. Thank you
> for your patience with me!
> 
> > The issue is the same
> > for all of these accounts.  We simply have a password encoded in a
> > format that we do not correctly parse.  The 00 20 stuff is literally
> > some unicode space (ie the spacebar, yes!) padding that is in this
> > structure.  
> 
> Huh?! Now I'm surprised, both about that there is such a parsing problem
> and that the problem is _that_ trivial.
> 
> Shouldn't this mean that I can most likely work the problem away by
> simply changing the passwords of these users? Now that would be great
> news indeed!

Yes, if I'm understanding it correctly. 

> > I need to get both and encrypted copy of the data and some time to work
> > over it, so we can correct this issue in our IDL. 
> 
> You already have a complete copy of our Samba DC's DB due to that
> exportkeytab issue. I can send you nonsanitised logs separately so that
> you can see the relevant account names. Is that enough, or do you need
> me to try to make an actual packet capture of this problem?

The exportkeytab issue is the same issue.  You are just seeing the same
failure to read the password for a particular account in multiple ways. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list