[Samba] Sudden authentication failures, hex dumps in log.samba

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Fri May 17 12:02:57 MDT 2013


On 14.5.2013 19:49, Pekka L.J. Jalkanen wrote:
> On 14.5.2013 19:31, Andrew Bartlett wrote:
>> On Tue, 2013-05-14 at 11:04 +0300, Pekka L.J. Jalkanen wrote:
>>> On 14.5.2013 8:04, Andrew Bartlett wrote:
>>>> The issue is the same
>>>> for all of these accounts.  We simply have a password encoded in a
>>>> format that we do not correctly parse.  The 00 20 stuff is literally
>>>> some unicode space (ie the spacebar, yes!) padding that is in this
>>>> structure.  
>>>
>>> Huh?! Now I'm surprised, both about that there is such a parsing problem
>>> and that the problem is _that_ trivial.
>>>
>>> Shouldn't this mean that I can most likely work the problem away by
>>> simply changing the passwords of these users? Now that would be great
>>> news indeed!
>>
>> Yes, if I'm understanding it correctly. 
> 
> OK, I'll ask some of them to change their password, and then see what
> will happen. Thank you!

Confirmed (so far only on one user): after password change logon works
normally, and there are no errors in log.samba.

> (The account migration between domains was done earlier this year, but
> the accounts were temporarily marked as having never expiring passwords
> so that no password changes would be imposed in the process. Perhaps the
> whole issue wouldn't exist if this hadn't been done...)

So it is now quite clear that there is something fishy in passwords
migrated by MS's Password Export Server (the one shipped with ADMT
v3.0). Unless this is fixed, it will be important that at least one
password change be forced for any users previously migrated from
other domains, or any present or future Samba DCs in the target domain
won't understand them.

(It's good to remember that even pure Samba DC environments could end up
using ADMT if in need, because running it only requires the presence of a
Windows DC for a short period of time, so an eval version should do. Also,
a one-way trust should suffice, with the target domain as the trusted one,
so having Samba DCs on the target shouldn't cause any problems. ADMT is
also often simply quite a necessary tool when an organisation's structure
changes for some reason.)

Pekka L.J. Jalkanen
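The thread attributes the failures to a migrated password field padded with Unicode space characters (the "00 20" pairs in the hex dump) that the DC's parser did not expect. The following is an added example, not Samba code and not from the thread, showing how a tolerant parser would handle such a field: it assumes the field is UTF-16-LE and that the padding consists of trailing Unicode whitespace code points; the blob and hex dump are constructed here, not taken from log.samba.

```python
"""
Added example (not Samba code): parse a UTF-16-LE password field that
carries trailing Unicode space padding, and compare a naive decode with
a padding-aware decode.

Assumptions (not stated on the page): the field is UTF-16-LE, the
padding is made of Unicode whitespace code points at the end of the
field, and the hex dump lists bytes in storage order.
"""
import unicodedata

# Constructed sample: the password "Secret1!" as UTF-16-LE followed by
# four U+2000 (EN QUAD) code points. In little-endian storage each one
# appears in a hex dump as the byte pair "00 20".
SAMPLE_HEX = "53 00 65 00 63 00 72 00 65 00 74 00 31 00 21 00 00 20 00 20 00 20 00 20"


def blob_from_hex(dump: str) -> bytes:
    """Turn a space-separated hex dump column back into bytes."""
    return bytes.fromhex(dump)


def naive_decode(blob: bytes) -> str:
    """Decode as plain UTF-16-LE; any padding stays in the result, so a
    comparison against the real password fails."""
    if len(blob) % 2:
        raise ValueError("UTF-16 field has odd length")
    return blob.decode("utf-16-le")


def decode_padded(blob: bytes) -> str:
    """Decode UTF-16-LE and drop trailing Unicode whitespace padding.

    Only trailing code points that Python classifies as whitespace are
    removed (U+0020, U+2000 and friends), so interior spaces survive.
    Caveat: a password that genuinely ends in spaces is indistinguishable
    from padding, which is why a forced password change is the safer fix.
    """
    text = naive_decode(blob)
    end = len(text)
    while end > 0 and text[end - 1].isspace():
        end -= 1
    return text[:end]


def padding_units(blob: bytes) -> int:
    """Number of UTF-16 code units that were stripped as padding."""
    return len(naive_decode(blob)) - len(decode_padded(blob))


def describe_padding(blob: bytes) -> list:
    """Unicode names of the stripped padding code points, for log review."""
    text = naive_decode(blob)
    stripped = decode_padded(blob)
    return [unicodedata.name(ch) for ch in text[len(stripped):]]


if __name__ == "__main__":
    blob = blob_from_hex(SAMPLE_HEX)
    print("naive  :", repr(naive_decode(blob)))
    print("tolerant:", repr(decode_padded(blob)))
    print("padding :", padding_units(blob), "units", describe_padding(blob))
```

Run against a dump line from log.samba (with the offset and ASCII columns removed), `describe_padding` tells you whether the trailing bytes are whitespace code points, which is the signature the thread describes, while `decode_padded` shows what the field would decode to once that padding is ignored.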

