[Samba] scanner stopped working to store files on samba-4.21.5

Wed Apr 9 12:54:37 UTC 2025

On Wed, 9 Apr 2025 14:21:02 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 
> Losing my mind again ;-)
> 
> A Ricoh MPC-3003 doesn't store scans anymore:
> 
> [2025/04/09 14:12:32.414091,  2] 
> source3/auth/auth.c:353(auth_check_ntlm_password)
>    check_ntlm_password:  Authentication for user [scanner] ->
> [scanner] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2025/04/09 14:12:32.414315,  2] 
> auth/auth_log.c:858(log_authentication_event_human_readable)
>    Auth: [SMB2,(null)] user [BUERO]\[scanner] at [Mi, 09 Apr 2025 
> 14:12:32.414263 CEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
> workstation [SCANNER_OG] remote host [ipv4:192.168.16.110:65001]
> mapped to [BUERO]\[scanner]. local host [ipv4:192.168.16.202:445]
>    {"timestamp": "2025-04-09T14:12:32.414530+0200", "type": 
> "Authentication", "Authentication": {"version": {"major": 1, "minor": 
> 3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
> "NT_STATUS_WRONG_PASSWORD", "localAddress":
> "ipv4:192.168.16.202:445", "remoteAddress":
> "ipv4:192.168.16.110:65001", "serviceDescription": "SMB2",
> "authDescription": null, "clientDomain": "BUERO", "clientAccount":
> "scanner", "workstation": "SCANNER_OG", "becameAccount": null,
> "becameDomain": null, "becameSid": null, "mappedAccount": "scanner",
> "mappedDomain": "BUERO", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv1", "clientPolicyAccessCheck": null,
> "serverPolicyAccessCheck": null, "duration": 60286}}
> 
> 
> I edited the password of the domain-user "BUERO\scanner" multiple
> times and edited it in the scanner settings also.
> 
> Right now I added :
> 
> 	server min protocol = SMB2
> 
> maybe I should try NT1 here??
> 
> (is that possible per share?)
> 
> I remember that this didn't work with user/pw years ago, that's why I 
> created a separate share "scan_og" with "guest ok".
> 
> See my good old config (this is a member server grown over >10 years 
> now. Will be turned off in a few months):
> 
> 
> [global]
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> 	log file = /var/log/samba/%m.log
> 	log level = 2
> 	logon home = ""
> 	logon path = ""
> 	map to guest = Bad User
> 	max log size = 150000
> 	netbios name = SERVER
> 	printcap name = /dev/null
> 	realm = PILSBACHER.AT
> 	security = ADS
> 	server min protocol = SMB2
> 	template homedir = /mnt/samba/Daten/%U
> 	template shell = /bin/bash
> 	username map = /etc/samba/smbusers
> 	winbind nss info = template
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = BUERO
> 	full_audit:priority = notice
> 	full_audit:facility = local5
> 	full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink full_audit:failure = connect
> 	full_audit:prefix = %u|%I|%m|%S
> 	idmap config buero:range = 10000-99999
> 	idmap config buero:backend = rid
> 	idmap config *:range = 2000-9999
> 	idmap config *:backend = tdb
> 	hosts allow = localhost 192.168.16. 172.32.99.
> 	map acl inherit = Yes
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr
> 
> [scan_og]
> 	comment = Scanner OG
> 	guest ok = Yes
> 	path = /mnt/samba/scan_og
> 	read only = No
> 
> 
> The printer/scanner is not a domain member, I can't find a way to
> join it. AFAI know that isn't necessary.
> 
> The scanning worked for years, without user/pw.
> 
> Server-OS: debian-12.10, up to date, samba-4.21.5 from
> bookworm-backports
> 
> thanks for any insights. I rotate editing the password for ~2 hrs now
> :-P
> 
> 
> 

From your log output there are these two facts:

Auth: [SMB2,(null)]
with [NTLMv1] 

Another way of saying 'NTLMv1' is SMBv1, so yes, you need to either
beat the scanner to death or turn on SMBv1 and sorry, it has to be
in 'global'.

Rowland