Karsten Breivik (cybercity)
2001-Apr-12 04:28 UTC
Samba - Workaround for "The account is not authorized to log in from this station."
Problem:
--------
On the client machines I get the msg: "The account is not authorized to log in from this station."

This has bugged me for days now, so I am posting this solution around various places on the net...

Analysis:
---------
from a round of analysis by Jamz Boman B.Sc (Jamz@Boman.com), Toby Corkindale (tjcorkin@steadycom.com.au), Andreja Zivkovic (zivkotech@ozemail.com.au) at http://www.linuxsa.org.au/mailing-list/1999-02/474.html

Jamz Boman wrote:
> Howdy,
>
> I have also experienced this problem. I realise that if browsing with
> SAMBA didn't work with Win98 someone would know by now, so it is probably a
> simple configuration issue somewhere in the smb.conf. However, I have
> experienced the problem and while I was taking a look at it I found some
> interesting stuff. The problem was even though you open up all the security
> in your smb.conf your Win98 and NT4 boxes continue to ask for passwords and
> even if you correctly enter the password, still no go. However on a Win95
> OSR2 machine it works...
> and here is what I found:
>
> I am using a straight off the CD not fiddled with redhat 5.2, I have not
> edited the smb.conf file and am using the '\\server\username' share.
>
> A packet filter between the Win95 OSR2 machine reveals the order of events:
>
> Win95 box sends NBT session request
> Samba sends positive session response
> Win95 box lists the Dialects it is able to speak (0-5) and says it would like
> NT LM 0.12 (No.5)
> Samba accepts and selects dialect 5 (NT LM 0.12)
> Win95 sends session setup with username and password in CLEARTEXT!
> All sorts of things happen now Tree connects and filesystem info packets..
> and the connection is successful
>
> The same situation, same untouched server.. but with win98
>
> Win98 box sends NBT session request
> Samba sends positive session response
> Win98 box lists the Dialects it is able to speak (0-5) and says it would like
> NT LM 0.12 (No.5)
> Samba accepts and selects dialect 5 (NT LM 0.12)
> Win98 sends session setup with username but at the same position where the
> CLEARTEXT PASSWORD was in the Win95 frame now is just "USERNAME DOMAIN"
>
> I assume this so that samba can initiate validating the user's domain
> security token with the PDC.
> Even though the USERNAME and DOMAIN details are correct and the password for
> the account is the same on the PDC as it is on the Linux box the session
> still fails.
>
> I'm thinking that you probably need to mess about with the new settings in
> Samba that deal with making validations via a NT PDC, or perhaps turning
> DOMAIN validation off on the Win98 client.
>
> NT4 sessions to samba in this way also fail with a similar packet structure,
> and the error is returned on the NT4 client - "The account is not authorized
> to log in from this station"
>
> The fact that OSR2 sends cleartext to Samba is fairly interesting! But what
> more would you expect.
>
> Jamz.

Workaround:
-----------
Change the registry keys in windows as follows:

Win NT (from SP 3):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
Value Name: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
see: http://support.microsoft.com/support/kb/articles/q166/7/30.asp?FR=0

Win 2000:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters
Value Name: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
see: http://support.microsoft.com/support/kb/articles/Q224/2/87.ASP?LN=EN-US&SD=gn&FR=0&qry=The%20account%20is%20not%20authorized%20to%20login%20from%20this%20station&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000

Win 98:
Dunno - have a look at the Microsoft knowledge base...

Win 95:
Dunno, but should work directly as w95 transmits unencrypted passwds

Comment:
--------
Apparently it is possible to fix by using samba features for handling encrypted passwords by using the smbpasswd command and some other stuff. This would be safer, more elegant and probably increase performance in accessing the machine for the first time, as the authentication method would settle on a better authentication scheme. I am guessing wildly here, but this worked for me, and will look into the alternatives when somebody pays me to...

A sleepdrunk consultant signing off.

Karsten Breivik
karsten.breivik@no.pwcglobal.com
karsten.breivik@mail.com
Chris Fry
2001-Apr-17 03:42 UTC
Samba - Workaround for "The account is not authorized to log in from this station."
Just thought I'd share an experience with you regarding Samba, Win95/98 and encrypted passwords.

I set up a RH7 server for one of my clients who has 8 Win95 & 8 Win98 clients. I came across the problem with the 95 passwords in clear & 98 passwords encrypted so I dug around and read the README & FAQ. I was going to use the registry hack on 98 to disable the encryption but the client wanted to be able to sync the linux passwords from the Win PCs.

I discovered (trial & error) that, if you log in as a user from Win 98 first you can then log in as that user from Win 95. It appears that Samba is caching the passwords somehow and copes with both the clear & encrypted versions. I was then concerned that Samba would "forget" these passwords on reboot but it appears that they are being cached on disk as it still works after reboot.

This does not appear to be documented although it would be impossible to read all of the FAQ etc.

Chris Fry
Quillsoft Pty Ltd
Gerald Carter
2001-Apr-17 17:10 UTC
Samba - Workaround for "The account is not authorized to log in from this station."
On Wed, 11 Apr 2001 23:28:48 Karsten Breivik (cybercity) wrote:
> Problem:
> --------
> On the client machines I get the msg: "The account is not
> authorized to log in from this station."

..

> > Win98 sends session setup with username but at the
> > same position where the CLEARTEXT PASSWORD was in the Win95
> > frame now is just "USERNAME DOMAIN"
> >
> > I assume this so that samba can initiate validating the
> > user's domain security token with the PDC.

Karsten,

A little additional information that you need here. The behavior is this....

The problem you are experiencing is that the Samba server did not set the "I support encrypted passwords" bit in the negprot response packet. The win98 client by default will not downgrade to clear text passwords. Win2000 is the same way as is Windows NT 4.0 SP3+ and Win95 with the network redirector update installed.

This is a very common scenario and has been covered in lots of documentation distributed with Samba as well as in the mailing list archives. Sorry you lost time on it.

Cheers, jerry

Gerald (Jerry) Carter
Professional Services, VA Linux Systems (gcarter@valinux.com, http://www.valinux.com/)
SAMBA Team (jerry@samba.org, http://www.samba.org/)
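
Added example (not part of the original thread and not Samba's own code): a small Python parser for the SMB1 negotiate-protocol response that reads the SecurityMode byte and reports whether the server set the encrypted-passwords bit described in the last reply. The function names and the sample frames built by `build_sample` are constructed for illustration; the byte offsets assume the NT LM 0.12 response layout (17 parameter words).

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAGS_REPLY = 0x80
# SecurityMode bits in the NT LM 0.12 negotiate response
USER_SECURITY = 0x01
ENCRYPT_PASSWORDS = 0x02   # the "I support encrypted passwords" bit


def parse_negprot_response(frame: bytes) -> dict:
    """Parse an SMB1 negotiate response, with or without the 4-byte NBT header."""
    if frame[:1] == b"\x00" and frame[4:8] == SMB_MAGIC:
        frame = frame[4:]                      # strip NBT session-message header
    if len(frame) < 36 or frame[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command, flags = frame[4], frame[9]
    if command != SMB_COM_NEGOTIATE or not flags & FLAGS_REPLY:
        raise ValueError("not a negotiate response")
    if frame[32] != 17:                        # WordCount 17 = NT LM 0.12 layout
        raise ValueError("server did not select NT LM 0.12")
    dialect_index, security_mode = struct.unpack_from("<HB", frame, 33)
    return {
        "dialect_index": dialect_index,
        "user_level": bool(security_mode & USER_SECURITY),
        "encrypted_passwords": bool(security_mode & ENCRYPT_PASSWORDS),
    }


def audit(frame: bytes) -> str:
    """One-line verdict for a captured negotiate response."""
    if parse_negprot_response(frame)["encrypted_passwords"]:
        return "ok: server offers challenge/response authentication"
    return "weak: server expects plaintext passwords"


def build_sample(security_mode: int, dialect_index: int = 5) -> bytes:
    """Constructed test frame: real field positions, zero-filled elsewhere."""
    header = (SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4
              + bytes([FLAGS_REPLY]) + b"\x00" * 22)          # 32-byte SMB header
    params = struct.pack("<BHB", 17, dialect_index, security_mode) + b"\x00" * 31
    body = header + params + b"\x00\x00"                      # ByteCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body      # NBT session message


if __name__ == "__main__":
    print(audit(build_sample(0x01)))   # server without the bit set
    print(audit(build_sample(0x03)))   # server with encrypted passwords enabled
```

A "weak" verdict is the case from this thread: the server has not advertised encrypted passwords, so clients that refuse to downgrade fail to authenticate unless EnablePlainTextPassword is set.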