[Samba] scanner stopped working to store files on samba-4.21.5

Stefan G. Weichinger lists at xunil.at
Wed Apr 9 12:21:02 UTC 2025 

Losing my mind again ;-)

A Ricoh MPC-3003 doesn't store scans anymore:

[2025/04/09 14:12:32.414091,  2] 
source3/auth/auth.c:353(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [scanner] -> [scanner] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2025/04/09 14:12:32.414315,  2] 
auth/auth_log.c:858(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [BUERO]\[scanner] at [Mi, 09 Apr 2025 
14:12:32.414263 CEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
workstation [SCANNER_OG] remote host [ipv4:192.168.16.110:65001] mapped 
to [BUERO]\[scanner]. local host [ipv4:192.168.16.202:445]
   {"timestamp": "2025-04-09T14:12:32.414530+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.16.202:445", 
"remoteAddress": "ipv4:192.168.16.110:65001", "serviceDescription": 
"SMB2", "authDescription": null, "clientDomain": "BUERO", 
"clientAccount": "scanner", "workstation": "SCANNER_OG", 
"becameAccount": null, "becameDomain": null, "becameSid": null, 
"mappedAccount": "scanner", "mappedDomain": "BUERO", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
null, "passwordType": "NTLMv1", "clientPolicyAccessCheck": null, 
"serverPolicyAccessCheck": null, "duration": 60286}}


I edited the password of the domain-user "BUERO\scanner" multiple times 
and edited it in the scanner settings also.

Right now I added :

	server min protocol = SMB2

maybe I should try NT1 here??

(is that possible per share?)

I remember that this didn't work with user/pw years ago, that's why I 
created a separate share "scan_og" with "guest ok".

See my good old config (this is a member server grown over >10 years 
now. Will be turned off in a few months):


[global]
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	log file = /var/log/samba/%m.log
	log level = 2
	logon home = ""
	logon path = ""
	map to guest = Bad User
	max log size = 150000
	netbios name = SERVER
	printcap name = /dev/null
	realm = PILSBACHER.AT
	security = ADS
	server min protocol = SMB2
	template homedir = /mnt/samba/Daten/%U
	template shell = /bin/bash
	username map = /etc/samba/smbusers
	winbind nss info = template
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = BUERO
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:failure = connect
	full_audit:prefix = %u|%I|%m|%S
	idmap config buero:range = 10000-99999
	idmap config buero:backend = rid
	idmap config *:range = 2000-9999
	idmap config *:backend = tdb
	hosts allow = localhost 192.168.16. 172.32.99.
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[scan_og]
	comment = Scanner OG
	guest ok = Yes
	path = /mnt/samba/scan_og
	read only = No


The printer/scanner is not a domain member, I can't find a way to join 
it. AFAI know that isn't necessary.

The scanning worked for years, without user/pw.

Server-OS: debian-12.10, up to date, samba-4.21.5 from bookworm-backports

thanks for any insights. I rotate editing the password for ~2 hrs now :-P

More information about the samba mailing list