[Samba] Inconsistency with LANMAN1 and Samba 4.9

Andreas Reichel homebase_ar at web.de
Fri May 31 19:59:14 UTC 2019


On 31.05.19 20:40, Jeremy Allison wrote:
> On Fri, May 31, 2019 at 07:09:44PM +0200, Andreas Reichel wrote:
>>>> When adding me as the user with 'smbpasswd -a andreas', and entering a password,
>>>> no LANMAN hash is generated. The generated smbpasswd entry always contains 32 X as the first hash.
>>>>
>>>> When I do the same with Samba 4.3.11-Ubuntu, the hash IS generated correctly.
>>>>
>>>> When I manually add the hash in 4.9.4, I still cannot connect from Win 3.11 and always get access denied.
>>>>
>>>> In 4.3.11, it works flawlessly, I can connect from Windows 3.11 without any problem.
>>>>
>>>> Question: Is this intended? And if yes, why are there all these options still settable?
>>> You may be running into this code in passdb:
>>>
>>> bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
>>> {
>>> ...
>>>           if (!E_deshash(plaintext, new_lanman_p16)) {
>>>                   /* E_deshash returns false for 'long' passwords (> 14
>>>                      DOS chars).  This allows us to match Win2k, which
>>>                      does not store a LM hash for these passwords (which
>>>                      would reduce the effective password length to 14 */
>>>
>>>                   if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED))
>>>                           return False;
>>>           } else {
>>>                   if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
>>>                           return False;
>>>           }
>>> ...
>>>
>>> Is the password greater than 14 characters? If so, looks like
>>> we won't store it.
>> No, it has 8 characters. And I tried to enter the hash manually into the
>> smbpasswd, which didn't work either. It is as if samba 4.9.4 would
>> ignore lanman completely.
> Hmmm. Sounds like a bug. Are you able to use gdb to
> walk through the call stack to debug ?
>
> If not someone here will do it, but you might have
> to wait a while (log a bug at bugzilla.samba.org
> so we can track it) as getting LANMAN auth working
> is low priority (it's completely insecure I'm afraid).
>
> Jeremy.

Okay, I am relieved you say it sounds like a bug. If it is not important
to the group, I can surely take a debug session, but I don't know when I
have time for it. I will log a bug, thanks so far.

Andreas
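
An added example, not part of the original thread and not Samba's code: a small Python audit of smbpasswd-format text that reports, per account, whether the LANMAN field holds a hash, the 32 X placeholder described above, or a no-password marker. The field layout follows smbpasswd(5); the function names, sample entries, user names and hash values are constructed for illustration.

```python
import re
from typing import NamedTuple

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
NO_HASH = "X" * 32                      # placeholder the thread reports in 4.9.4
NO_PASSWORD = "NO PASSWORD" + "X" * 21  # null-password marker, padded to 32 chars

class Entry(NamedTuple):
    user: str
    uid: int
    lm_state: str
    nt_state: str
    flags: str

def classify_hash(field):
    """Classify one 32-character hash field of an smbpasswd entry."""
    if len(field) != 32:
        return "malformed"
    if field == NO_HASH:
        return "absent"
    if field.startswith("NO PASSWORD"):
        return "no-password"
    return "present" if HEX32.fullmatch(field) else "malformed"

def parse_smbpasswd(text):
    """Parse 'user:uid:LM:NT:[flags]:LCT-...:' lines, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 5 or not parts[1].isdigit():
            continue  # not an account line
        user, uid, lm, nt, flags = parts[:5]
        entries.append(Entry(user, int(uid), classify_hash(lm),
                             classify_hash(nt), flags.strip("[] ")))
    return entries

def accounts_with_lm_hash(text):
    """Accounts that still carry a stored LANMAN hash."""
    return [e.user for e in parse_smbpasswd(text) if e.lm_state == "present"]

# Constructed sample entries (hash values are made up, not real hashes).
_NT = "0123456789ABCDEF" * 2
SAMPLE = "\n".join([
    "# constructed sample entries",
    f"andreas:1000:{NO_HASH}:{_NT}:[U          ]:LCT-5CF18A00:",
    f"legacy:1001:{'A1' * 16}:{_NT}:[U          ]:LCT-5CF18A00:",
    f"guest:1002:{NO_PASSWORD}:{NO_PASSWORD}:[NU         ]:LCT-00000000:",
])
```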



