samba - Dec 2018 - Using MS-DOS client

Hi, all.

I know this is ancient history, but I have a couple of DOS machines that 
host older device programming hardware.  I've been able to access an older 
version of Samba for years without incident.  Last weekend I upgraded my 
server to Ubuntu 18.04, which provides Samba 4.7.6.  Unfortunately, after 
hours of frustration I find I'm unable to connect from any of the older 
machines.  By cranking up debug, I can see this:

[2018/12/24 16:04:02.012369,  2] 
../source3/auth/auth.c:332(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [HIRSCH] -> [hirsch] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/12/24 16:04:02.012420,  2] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [SMB,(null)] user []\[HIRSCH] at [Mon, 24 Dec 2018 16:04:02.012407 
EST] with [LANMan] status [NT_STATUS_WRONG_
PASSWORD] workstation [vmdos] remote host [ipv4:192.168.245.103:38962] 
mapped to []\[hirsch]. local host [ipv4:192.168
.245.30:139]
[2018/12/24 16:04:02.012527,  2] ../auth/auth_log.c:220(log_json)
   JSON Authentication: {"timestamp":
"2018-12-24T16:04:02.012467-0500",
"type": "Authentication", "Authentication":
{"
version": {"major": 1, "minor": 0}, "status":
"NT_STATUS_WRONG_PASSWORD",
"localAddress": "ipv4:192.168.245.30:139", "
remoteAddress": "ipv4:192.168.245.103:38962",
"serviceDescription": "SMB",
"authDescription": null, "clientDomain": ""
, "clientAccount": "HIRSCH", "workstation":
"vmdos", "becameAccount":
null, "becameDomain": null, "becameSid": "(NULL
SID)", "mappedAccount": "hirsch",
"mappedDomain": "", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogo
nNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)", "passwordType
": "LANMan"}}

But, the password IS correct and works fine from, e.g. smbclient on 
another Linux host.  I've tried setting:

encrypt passwords = no

but it makes no difference (other than to prevent smbclient from working).

On the client, I'm getting 'Error 5'.

Here are my current global settings:

[global]
         workgroup = WORKGROUP
         netbios name = PII
         server string = %h server (Samba, Ubuntu)
         lanman auth = yes
         client lanman auth = yes
         ntlm auth = yes
         lm announce = yes
         lm interval = 30
         dns proxy = No
         encrypt passwords = yes
         username map = /etc/samba/smbusers
         log level = 1
         log file = /var/log/samba/log.%m
         preferred master = Yes
         domain master = Yes
         wins support = yes
         security = user
         passdb backend = tdbsam
         socket options = TCP_NODELAY
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template shell = /bin/bash
         usershare max shares = 100
         usershare allow guests = yes
         follow symlinks = yes
         wide links = yes
         unix extensions = no

The password was set using 'smbpasswd -a' and - as mentioned - works 
properly from other clients.

It is very important to me that I get MS-DOS access working again and 
would appreciate any advice or suggestions.  This is for use only on a 
home LAN with all incoming outside connections blocked.  Security is not 
a concern for me.



--

Try adding "server max protocol = nt1" in the [global] section?

On Mon, Dec 24, 2018 at 1:59 PM Steven Hirsch via samba <
samba at lists.samba.org> wrote:
> Hi, all.
>
> I know this is ancient history, but I have a couple of DOS machines that
> host older device programming hardware.  I've been able to access an
older
> version of Samba for years without incident.  Last weekend I upgraded my
> server to Ubuntu 18.04, which provides Samba 4.7.6.  Unfortunately, after
> hours of frustration I find I'm unable to connect from any of the older
> machines.  By cranking up debug, I can see this:
>
> [2018/12/24 16:04:02.012369,  2]
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>    check_ntlm_password:  Authentication for user [HIRSCH] -> [hirsch]
> FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2018/12/24 16:04:02.012420,  2]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>    Auth: [SMB,(null)] user []\[HIRSCH] at [Mon, 24 Dec 2018
> 16:04:02.012407
> EST] with [LANMan] status [NT_STATUS_WRONG_
> PASSWORD] workstation [vmdos] remote host [ipv4:192.168.245.103:38962]
> mapped to []\[hirsch]. local host [ipv4:192.168
> .245.30:139]
> [2018/12/24 16:04:02.012527,  2] ../auth/auth_log.c:220(log_json)
>    JSON Authentication: {"timestamp":
"2018-12-24T16:04:02.012467-0500",
> "type": "Authentication", "Authentication":
{"
> version": {"major": 1, "minor": 0},
"status": "NT_STATUS_WRONG_PASSWORD",
> "localAddress": "ipv4:192.168.245.30:139", "
> remoteAddress": "ipv4:192.168.245.103:38962",
"serviceDescription":
> "SMB",
> "authDescription": null, "clientDomain": ""
> , "clientAccount": "HIRSCH", "workstation":
"vmdos", "becameAccount":
> null, "becameDomain": null, "becameSid": "(NULL
> SID)", "mappedAccount": "hirsch",
"mappedDomain": "", "netlogonComputer":
> null, "netlogonTrustAccount": null, "netlogo
> nNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
> "netlogonTrustAccountSid": "(NULL SID)",
"passwordType
> ": "LANMan"}}
>
> But, the password IS correct and works fine from, e.g. smbclient on
> another Linux host.  I've tried setting:
>
> encrypt passwords = no
>
> but it makes no difference (other than to prevent smbclient from working).
>
> On the client, I'm getting 'Error 5'.
>
> Here are my current global settings:
>
> [global]
>          workgroup = WORKGROUP
>          netbios name = PII
>          server string = %h server (Samba, Ubuntu)
>          lanman auth = yes
>          client lanman auth = yes
>          ntlm auth = yes
>          lm announce = yes
>          lm interval = 30
>          dns proxy = No
>          encrypt passwords = yes
>          username map = /etc/samba/smbusers
>          log level = 1
>          log file = /var/log/samba/log.%m
>          preferred master = Yes
>          domain master = Yes
>          wins support = yes
>          security = user
>          passdb backend = tdbsam
>          socket options = TCP_NODELAY
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>          template shell = /bin/bash
>          usershare max shares = 100
>          usershare allow guests = yes
>          follow symlinks = yes
>          wide links = yes
>          unix extensions = no
>
> The password was set using 'smbpasswd -a' and - as mentioned -
works
> properly from other clients.
>
> It is very important to me that I get MS-DOS access working again and
> would appreciate any advice or suggestions.  This is for use only on a
> home LAN with all incoming outside connections blocked.  Security is not
> a concern for me.
>
>
>
> --
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 24 Dec 2018, Luke Barone via samba wrote:

Thanks, Luke.  Unfortunately that makes no difference.  Still getting:

Error 5: Access has been denied

at the MS_DOS console.
> Try adding "server max protocol = nt1" in the [global] section?
>
> On Mon, Dec 24, 2018 at 1:59 PM Steven Hirsch via samba <
> samba at lists.samba.org> wrote:
>
>> Hi, all.
>>
>> I know this is ancient history, but I have a couple of DOS machines
that
>> host older device programming hardware.  I've been able to access
an older
>> version of Samba for years without incident.  Last weekend I upgraded
my
>> server to Ubuntu 18.04, which provides Samba 4.7.6.  Unfortunately,
after
>> hours of frustration I find I'm unable to connect from any of the
older
>> machines.  By cranking up debug, I can see this:
>>
>> [2018/12/24 16:04:02.012369,  2]
>> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>>    check_ntlm_password:  Authentication for user [HIRSCH] ->
[hirsch]
>> FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>> [2018/12/24 16:04:02.012420,  2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>    Auth: [SMB,(null)] user []\[HIRSCH] at [Mon, 24 Dec 2018
>> 16:04:02.012407
>> EST] with [LANMan] status [NT_STATUS_WRONG_
>> PASSWORD] workstation [vmdos] remote host [ipv4:192.168.245.103:38962]
>> mapped to []\[hirsch]. local host [ipv4:192.168
>> .245.30:139]
>> [2018/12/24 16:04:02.012527,  2] ../auth/auth_log.c:220(log_json)
>>    JSON Authentication: {"timestamp":
"2018-12-24T16:04:02.012467-0500",
>> "type": "Authentication",
"Authentication": {"
>> version": {"major": 1, "minor": 0},
"status": "NT_STATUS_WRONG_PASSWORD",
>> "localAddress": "ipv4:192.168.245.30:139", "
>> remoteAddress": "ipv4:192.168.245.103:38962",
"serviceDescription":
>> "SMB",
>> "authDescription": null, "clientDomain":
""
>> , "clientAccount": "HIRSCH",
"workstation": "vmdos", "becameAccount":
>> null, "becameDomain": null, "becameSid":
"(NULL
>> SID)", "mappedAccount": "hirsch",
"mappedDomain": "", "netlogonComputer":
>> null, "netlogonTrustAccount": null, "netlogo
>> nNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
>> "netlogonTrustAccountSid": "(NULL SID)",
"passwordType
>> ": "LANMan"}}
>>
>> But, the password IS correct and works fine from, e.g. smbclient on
>> another Linux host.  I've tried setting:
>>
>> encrypt passwords = no
>>
>> but it makes no difference (other than to prevent smbclient from
working).
>>
>> On the client, I'm getting 'Error 5'.
>>
>> Here are my current global settings:
>>
>> [global]
>>          workgroup = WORKGROUP
>>          netbios name = PII
>>          server string = %h server (Samba, Ubuntu)
>>          lanman auth = yes
>>          client lanman auth = yes
>>          ntlm auth = yes
>>          lm announce = yes
>>          lm interval = 30
>>          dns proxy = No
>>          encrypt passwords = yes
>>          username map = /etc/samba/smbusers
>>          log level = 1
>>          log file = /var/log/samba/log.%m
>>          preferred master = Yes
>>          domain master = Yes
>>          wins support = yes
>>          security = user
>>          passdb backend = tdbsam
>>          socket options = TCP_NODELAY
>>          idmap uid = 10000-20000
>>          idmap gid = 10000-20000
>>          template shell = /bin/bash
>>          usershare max shares = 100
>>          usershare allow guests = yes
>>          follow symlinks = yes
>>          wide links = yes
>>          unix extensions = no
>>
>> The password was set using 'smbpasswd -a' and - as mentioned -
works
>> properly from other clients.
>>
>> It is very important to me that I get MS-DOS access working again and
>> would appreciate any advice or suggestions.  This is for use only on a
>> home LAN with all incoming outside connections blocked.  Security is
not
>> a concern for me.
>>
>>
>>
>> --
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
--

On Mon, 24 Dec 2018 15:37:45 -0800
Luke Barone via samba <samba at lists.samba.org> wrote:
> Try adding "server max protocol = nt1" in the [global] section?
> 
This should probably have been 'client max protocol = CORE'

If this works, then read in 'man smb.conf' about 'client max
protocol'
and raise the level until it stops working, then use the last level
that works.

I would also suggest you find a away of moving from DOS, at some point
it is highly likely that the old auth methods will be removed.

Rowland