samba - May 2002 - Dispelling Myths About Samba Encrypted passwords, NT_STATUS_LOGON _FAILURE and XP

Hi,

I've been using samba for a while now with relatively simple configurations.
I do however have a few questions:

* When using encrypted passwords with samba, is it possible to authenticate
users using the Unix user password(/etc/passwd)?

* When using smbclient I get the error NT_STATUS_LOGON_FAILURE:

added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
david@Wintermute:~$ smbclient -L wintermute -U david
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
david@Wintermute:~$ smbclient -L wintermute -U root
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

When nothing is entered in the password prompt:

david@Wintermute:~$ smbclient -L wintermute
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Password:
Anonymous login successful
Domain=[UTOPIA] OS=[Unix] Server=[Samba 2.2.3a]

        Sharename      Type      Comment
        ---------      ----      -------
        public         Disk      Public Stuff
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)
        lp             Printer

        Server               Comment
        ---------            -------
        ALPHA                Work Station
        WINTERMUTE           Samba Server

        Workgroup            Master
        ---------            -------
        UTOPIA               WINTERMUTE

* What does this error mean?  (What's it caused by?) And how can I fix it?

* Does definition of WorkGroups change across different Windows versions?

* Lastly, is there any tricks involved in getting samba to work with Windows
XP?  I want it so it uses the unix user authentication if possible.  I've
loaded the WinXP_SignOrSeal.reg patch on XP.  I also loaded the
Win2000_PlainPassword.reg in the hope I could access my shares from my XP
box.

Im running Samba-2.2.3a and here is my smb.conf:

[global]
   workgroup = utopia
   debuglevel = 2
   server string = Samba Server
   load printers = yes
   log file = /var/log/samba.%m
   max log size = 50
   security = user

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   comment = Public Stuff
   path = /home/pub
   public = yes
   writable = yes

Cheers,
David Balnaves

On Mon, May 13, 2002 at 10:46:53AM +1000, David Balnaves
wrote:
> Hi,
> 
> I've been using samba for a while now with relatively simple
configurations.
> I do however have a few questions:
> 
> * When using encrypted passwords with samba, is it possible to authenticate
> users using the Unix user password(/etc/passwd)?
No.
 
> * When using smbclient I get the error NT_STATUS_LOGON_FAILURE:
> 
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david@Wintermute:~$ smbclient -L wintermute -U david
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> david@Wintermute:~$ smbclient -L wintermute -U root
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> When nothing is entered in the password prompt:
> 
> david@Wintermute:~$ smbclient -L wintermute
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> Password:
> Anonymous login successful
> * What does this error mean?  (What's it caused by?) And how can I fix
it?
NT_STATUS_LOGON_FAILURE means that the password you entered was incorrect, or
the user doesn't exist.  For a samba server, this also includes the case
that the user has no encrypted password stored on the system.

smbclient will attempt an anonymous logon if you don't specify a password, 
and some information (the share listing in this case) is available anonymously.
> * Does definition of WorkGroups change across different Windows versions?
Not particularly, but people usually move up to a domain when dealing with NT.
> * Lastly, is there any tricks involved in getting samba to work with
Windows
> XP?  I want it so it uses the unix user authentication if possible. 
I've
> loaded the WinXP_SignOrSeal.reg patch on XP.  I also loaded the
> Win2000_PlainPassword.reg in the hope I could access my shares from my XP
> box.
The SignOrSeal should not be required - as you are not a PDC.  Using plaintext
passwords will cause Windows > NT4 SP3 and > Win95OSR1 to always prompt
for a
password (as a 'do you really wan to do this' measure).  They won't
even
go past a negprot (not authorised to log in from this workstation) without 
the registry hack.

This is why Samba 3.0 will default to 'encryupt passwords = yes' and why
this has been the default in most distribution's smb.conf files for a
long time.

Andrew Bartlett