Hi,

recently we updated our Samba AD and Samba fileserver to 4.15.0-SerNet-RedHat-4.el8 and discovered a problem with a user who wanted to connect to a Samba share from a current macOS. The user has an exclamation point (!) at the very end of the password string. Samba disagrees with that and replies with an authentication error.

Testwise we changed the "!" to the penultimate character and the logon works again.

This behaviour must have been introduced with a version after 14.13 where we came from. Is this a known issue? Could not find anything.

Thanks anyway for great software!

Tobias

--
collect at shift.agency

On Thu, Oct 7, 2021 at 7:36 AM Tobias Kirchhofer via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> recently we updated our Samba AD and Samba fileserver to 4.15.0-SerNet-RedHat-4.el8 and discovered a problem with a user who wanted to connect to a Samba share from a current macOS. The user has an exclamation point (!) at the very end of the password string. Samba disagrees with that and replies with an authentication error.
>
> Testwise we changed the "!" to the penultimate character and the logon works again.

If the "!" is in automatic scripting, rather than manual logging in, it may be your scripts interpreting it as syntactic sugar. If it's showing up even in manual logging in, then that *does* sound like a bug in Samba!

I will point out that the "Gotta put in special characters" requirement is fairly nonsensical, based on some ancient guidelines when password length was restricted to only 8 characters or so and dictionary attacks were easy. But these days, training every piece of password managing software in the world to correctly handle Unicode and syntactic sugar like $, !, #, ;, :, /, and @ is an incredible pain in the keister, much more easily and robustly handled by using longer passwords or passphrases without these problematic requirements.

See the old XKCD cartoon for mockery about just how silly it got.

https://xkcd.com/936/

Yes, what you showed on that cartoon is correct. But still, I don't agree with the statement (anymore, I used to also, but..)

A record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.

Quantum computers are getting way, way smaller.
https://newatlas.com/quantum-computing/quantum-computing-desktop-room-temperature/

It's not there yet, but it's getting close.

So yeah, I do recommend everyone to use a long password as shown in that cartoon. But with complexity, because yeah, it was fairly nonsensical, with only 8 chars. I recommend a minimum of 18 in length.

This is why, for example, a bitcoin wallet has 12/24 words to unlock it.

If it's a bug then it's a bug, and this smells to me like a bug.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico Kadel-Garcia via samba
> Sent: Thursday, 7 October 2021 14:32
> To: Tobias Kirchhofer
> CC: sambalist
> Subject: Re: [Samba] Exclamation point (!) in password
>
> On Thu, Oct 7, 2021 at 7:36 AM Tobias Kirchhofer via samba <samba at lists.samba.org> wrote:
> >
> > Hi,
> >
> > recently we updated our Samba AD and Samba fileserver to 4.15.0-SerNet-RedHat-4.el8 and discovered a problem with a user who wanted to connect to a Samba share from a current macOS. The user has an exclamation point (!) at the very end of the password string. Samba disagrees with that and replies with an authentication error.
> >
> > Testwise we changed the "!" to the penultimate character and the logon works again.
>
> If the "!" is in automatic scripting, rather than manual logging in, it may be your scripts interpreting it as syntactic sugar. If it's showing up even in manual logging in, then that *does* sound like a bug in Samba!
>
> I will point out that the "Gotta put in special characters" requirement is fairly nonsensical, based on some ancient guidelines when password length was restricted to only 8 characters or so and dictionary attacks were easy. But these days, training every piece of password managing software in the world to correctly handle Unicode and syntactic sugar like $, !, #, ;, :, /, and @ is an incredible pain in the keister, much more easily and robustly handled by using longer passwords or passphrases without these problematic requirements.
>
> See the old XKCD cartoon for mockery about just how silly it got.
>
> https://xkcd.com/936/

On Thu, 2021-10-07 at 13:19 +0200, Tobias Kirchhofer via samba wrote:
> Hi,
>
> recently we updated our Samba AD and Samba fileserver to 4.15.0-SerNet-RedHat-4.el8 and discovered a problem with a user who wanted to connect to a Samba share from a current macOS. The user has an exclamation point (!) at the very end of the password string. Samba disagrees with that and replies with an authentication error.
>
> Testwise we changed the "!" to the penultimate character and the logon works again.
>
> This behaviour must have been introduced with a version after 14.13 where we came from. Is this a known issue? Could not find anything.

If the password was unchanged in Samba during this process, then this is a client-side challenge - only the client will have access to the plaintext password, we on the server just get various types of challenge/response hashes. (The exception is LDAP simple bind.)

I hope this helps narrow things down. I think Nico is onto the point.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions