[Samba] Inconsistency with LANMAN1 and Samba 4.9
Andreas Reichel
homebase_ar at web.de
Fri May 31 17:09:44 UTC 2019
On 31.05.19 18:47, Jeremy Allison wrote:
> On Fri, May 31, 2019 at 06:32:56PM +0200, Andreas Reichel via samba wrote:
>> Dear samba team,
>>
>> I have a lot of hobby projects including old PCs. I wanted to hook up a Win3.11 machine to my current
>> Arch-Linux Workstation running samba 4.9.4.
>>
>> I have used the following configuration:
>>
>> [global]
>> workgroup = HOMEBASE
>> netbios name = Orcane
>> wins support = Yes
>> client signing = No
>> domain master = No
>> lanman auth = Yes
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> name resolve order = host lmhosts wins bcast
>> passdb backend = smbpasswd
>> preferred master = Yes
>> security = USER
>> server signing = No
>> server string = Orcane Cortex Gateway
>> smb passwd file = /etc/samba/smbpasswd
>>
>> [homes]
>> browseable = No
>> comment = Home Directories
>> read only = No
>>
>>
>> [printers]
>> browseable = No
>> comment = All Printers
>> path = /var/spool/samba
>> printable = Yes
>>
>>
>> [win311]
>> comment = File transfer1
>> guest ok = Yes
>> path = /win311
>> read only = No
>>
>> ---
>>
>> Fact is, for Windows 3.11, I need lanman authentication.
>> The following problems arose:
>>
>> When adding me as the user with 'smbpasswd -a andreas', and entering a password,
>> no LANMAN hash is generated. The generated smbpasswd entry always contains 32 X as the first hash.
>>
>> When I do the same with Samba 4.3.11-Ubuntu, the hash IS generated correctly.
>>
>> When I manually add the hash in 4.9.4, I still cannot connect from Win 3.11 and always get access denied.
>>
>> In 4.3.11, it works flawlessly, I can connect from Windows 3.11 without any problem.
>>
>> Question: Is this intended? And if yes, why are there all these options still settable?
> You may be running into this code in passdb:
>
> bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
> {
> ...
> if (!E_deshash(plaintext, new_lanman_p16)) {
> /* E_deshash returns false for 'long' passwords (> 14
> DOS chars). This allows us to match Win2k, which
> does not store a LM hash for these passwords (which
> would reduce the effective password length to 14 */
>
> if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
> return False;
> } else {
> if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
> return False;
> }
> ...
>
> Is the password greater that 14 characters ? If so, looks like
> we won't store it.
No, it has 8 characters. And I tried to enter the hash manually into the
smbpasswd, which didn't work either. It is as if samba 4.9.4 would
ignore lanman completely.
More information about the samba
mailing list