Todd Pfaff
2008-Feb-05 16:40 UTC
[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
Help! (pretty please :)

I'm still having the problem described below with samba-3.0.24.

Here's an excerpt from the smbpasswd man page:

    When run by an ordinary user with no options, smbpasswd will prompt
    them for their old SMB password and then ask them for their new
    password twice, to ensure that the new password was typed correctly. No
    passwords will be echoed on the screen whilst being typed. If you have
    a blank SMB password (specified by the string "NO PASSWORD" in the
    smbpasswd file) then just press the <Enter> key when asked for your old
    password.

Is this samba documentation incorrect?
Or am I doing something incorrectly?

cheers,
Todd

> Date: Mon, 26 Feb 2007 15:59:44 -0500 (EST)
> From: Todd Pfaff <pfaff@rhpcs.mcmaster.ca>
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD"
>     behaviour
>
> The way it's documented to work in the smbpasswd man page, and the way it
> used to work for us with older samba releases is: when a user has a null
> password, and smb.conf "null passwords = no", the user can _not_ make an smb
> connection, but they _can_ set their samba password to something non-null by
> running smbpasswd and entering an empty old password.
> In order to run smbpasswd the user must login to their linux account with
> ssh, and that _does_ require a password.
>
> So in fact this may be considered even more secure than what you're
> suggesting because a new user has no ability to make smb connections to the
> server until they have logged in to their linux account with a password and
> run smbpasswd to set a samba password.
>
> I realize that I could set an initial smb password for every user, but there
> are situations where that is inconvenient, and since this null password
> method did work perfectly well in the past without being a significant
> security risk, it's now inconvenient that it no longer works as it did in the
> past.
>
> I'm trying to determine why the behaviour changed, or if it really didn't
> change but I'm now doing something incorrectly on my samba server.
> And if it really did change then someone should fix the smbpasswd man page
> accordingly, and maybe mention something in the release notes.
>
> Regards,
> Todd
>
> On Mon, 26 Feb 2007, Gary Dale wrote:
>
>> The obvious question is, why would you want a null password to begin with?
>> This seems to me to be a serious security problem.
>>
>> If it's for new users, give them a temporary password through a secure
>> channel and require them to change it the first time they log on.
>>
>>
>> Todd Pfaff wrote:
>>> I've had no responses to this question yet, and I'm still stuck with this
>>> problem. Can anybody help, please?
>>>
>>> Is this a capability of samba that not many people take advantage of?
>>>
>>> Or am I trying to do something that just isn't possible anymore?
>>>
>>> Picking through the level 10 debug log of smbd, I see this:
>>>
>>> [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
>>> Account for user 'testuser' has no password and null passwords are NOT
>>> allowed.
>>> [2007/02/26 11:49:36, 9]
>>> passdb/passdb.c:pdb_update_bad_password_count(1373)
>>> No bad password attempts.
>>> [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
>>> check_ntlm_password: sam authentication for user [testuser] FAILED with
>>> error NT_STATUS_LOGON_FAILURE
>>>
>>>
>>> Is it no longer possible for a user to change their own samba password from
>>> null "NO PASSWORD" using the smbpasswd command?
>>>
>>> --
>>> Todd Pfaff <pfaff@mcmaster.ca>
>>> Research & High-Performance Computing Support
>>> McMaster University, Hamilton, Ontario, Canada
>>> http://www.rhpcs.mcmaster.ca/~pfaff
>>>
>>> On Thu, 22 Feb 2007, Todd Pfaff wrote:
>>>
>>>> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux
>>>> systems and we've noticed a change in behaviour of smbpasswd when a
>>>> non-root user tries to change their password from "NO PASSWORD".
>>>>
>>>> Here's an example smbpasswd entry (all one line):
>>>>
>>>> testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>>>> NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
>>>>
>>>>
>>>> The possibly related settings in our smb.conf are:
>>>>
>>>> encrypt passwords = yes
>>>> security = user
>>>> unix password sync = yes
>>>> passwd program = /usr/bin/passwd %u
>>>> passwd chat = *password:* %n\n *password* %n\n *successfully*
>>>> null passwords = no
>>>>
>>>>
>>>> Since "null passwords = no" a user with "NO PASSWORD" should not be able
>>>> to login to the samba account. That's working as expected.
>>>>
>>>> In past versions of samba, testuser could login to the linux account, run
>>>> smbpasswd, enter an empty old password, and set a new password.
>>>>
>>>> Now when we try this we get this failure:
>>>>
>>>> [testuser@localhost ~]$ smbpasswd
>>>> Old SMB password:
>>>> New SMB password:
>>>> Retype new SMB password:
>>>> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>>>> Failed to change password for testuser
>>>>
>>>>
>>>> Does anyone know why this failure is happening now?
>>>>
>>>> Was the behaviour of smbpasswd changed intentionally?
>>>> If so, in what samba version did this change happen?
>>>>
>>>> Is there an alternative way to achieve the smbpasswd
>>>> behaviour that we had in the past?
>>>>
>>>>
>>>> Thanks,
>>>> --
>>>> Todd Pfaff <pfaff@mcmaster.ca>
>>>> Research & High-Performance Computing Support
>>>> McMaster University, Hamilton, Ontario, Canada
>>>> http://www.rhpcs.mcmaster.ca/~pfaff
Todd Pfaff
2008-Feb-06 02:42 UTC
[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
In case it can help someone diagnose this problem, here's output from:

smbpasswd -D 10

when trying to change the password for this user:

testuser:10151:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:Test User:

Netbios name list:-
my_netbios_names[0]="RHPCSERV"
added interface ip=192.168.12.34 bcast=192.168.255.255 nmask=255.255.0.0
Connecting to 127.0.0.1 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 50748
socket option SO_RCVBUF = 87584
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
write_socket(3,183)
write_socket(3,183) wrote 183
got smb length of 127
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
write_socket(3,164)
write_socket(3,164) wrote 164
got smb length of 254
Got challenge flags:
Got NTLMSSP neg_flags=0x608a0215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_CHAL_ACCEPT_RESPONSE
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 60 BC A1 67 71 0D 14 9C `..gq...
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
write_socket(3,258)
write_socket(3,258) wrote 258
got smb length of 35
SPNEGO login failed: Logon failure
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for testuser

On Tue, 5 Feb 2008, Todd Pfaff wrote:

> Help! (pretty please :)
>
> I'm still having the problem described below with samba-3.0.24.
>
> Here's an excerpt from the smbpasswd man page:
>
>     When run by an ordinary user with no options, smbpasswd will prompt
>     them for their old SMB password and then ask them for their new
>     password twice, to ensure that the new password was typed correctly. No
>     passwords will be echoed on the screen whilst being typed. If you have
>     a blank SMB password (specified by the string "NO PASSWORD" in the
>     smbpasswd file) then just press the <Enter> key when asked for your old
>     password.
Todd Pfaff
2008-Feb-06 21:51 UTC
[Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour
Stuart,

Thanks very much for trying. I think you've proven what I suspected.
The smbpasswd "NO PASSWORD" behaviour has changed and the documentation
no longer agrees with the behaviour.

The samba smbpasswd man page, at least as of samba-3.0.24, clearly
indicates that this should work. It used to work for us in the past.
But maybe that was pre-samba-3.0.

Todd

On Wed, 6 Feb 2008, Stuart Gall wrote:

>
> On 6 Feb 2008, at 04:43, Todd Pfaff wrote:
>
>> Good point. I've now sent the output from 'smbpasswd -D 10' to the samba
>> mailing list.
>>
>> Have you tried setting a user's samba password to "NO PASSWORD" and then
>> changing it in recent samba versions? If you haven't, and if you don't
>> mind trying, please do something like this:
>>
>> root> smbpasswd -n someuser
>> root> su - someuser
>> someuser> smbpasswd
>> - just press enter for old password
>> - enter new password
>>
>> Does it work for you, or do you get the error message I reported?
>>
>
> Version 3.0.7 (Domain member + NIS)
>
> That's smbpasswd -a someuser -n right ?
>
> [root@iridium root]# smbpasswd -a xyz -n
> Added user xyz.
> [root@iridium root]# su - xyz
> [xyz@iridium stuartl]$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
>
> machine 127.0.0.1 rejected the session setup. Error was : Call timed out:
> server did not respond after 20000 milliseconds.
> Failed to change password for xyz
>
>
>
> Version 3.0.28 (Stand alone)
> slowcoach:~# /usr/local/samba/bin/smbpasswd -a xyz -n
> Added user xyz.
> slowcoach:~# su - xyz
> xyz@slowcoach:~$
> xyz@slowcoach:~$ /usr/local/samba/bin/smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine 127.0.0.1 pipe \samr fnum 0x7528!
> machine 127.0.0.1 rejected the password change: Error was : NT code
> 0x1c010002.
> Failed to change password for xyz
>
>
>
> ANOTHER 3.0.28 system (stand alone)
> [root@Server root]# smbpasswd -a xyz -n
> Added user xyz.
> [root@Server root]# su - xyz
> [xyz@Server xyz]$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
> [xyz@Server xyz]$ logout
>
>
> Version 3.0.24
>
> Raid:~# su - xyz
> xyz@Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
> This is odd
>
> Raid:~# smbpasswd -a xyz -n
> Added user xyz.
> Raid:~# smbpasswd -a xyz -n
> User xyz password set to none.
> Raid:~# su - xyz
> xyz@Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
>
> FINALLY 3.0.24 with password encryption set to false (just an idea)
>
> Raid:~# smbpasswd -x xyz
> Deleted user xyz.
> Raid:~# smbpasswd -a xyz -n
> Added user xyz.
> Raid:~# smbpasswd -a xyz -n
> User xyz password set to none.
> Raid:~# su - xyz
> xyz@Raid:~$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
> Failed to change password for xyz
>
>
>
> SO DAMN!
> I DON'T KNOW MATE - Sorry
>
>
>
>
>> Thanks,
>> Todd
>>
>> On Wed, 6 Feb 2008, Stuart Gall wrote:
>>
>>> Just an idea ... have you tried
>>>
>>> smbpasswd -D 10
>>>
>>> And checked the logs ?
>>>
>>> On 5 Feb 2008, at 18:33, Todd Pfaff wrote:
>>>
>>>> Help! (pretty please :)
>>>> I'm still having the problem described below with samba-3.0.24.
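
Added example, not part of any message in this thread and not Samba project code: a Python audit that lists smbpasswd-file accounts still carrying the "NO PASSWORD" marker discussed above and reports whether an SMB logon would be refused or accepted for a given "null passwords" setting. The sample entries are constructed, the function and field names are hypothetical, and the flag letters (N, U, D) and the LCT field meaning are taken from the entries quoted in the thread and from smbpasswd(5).

```python
"""Audit smbpasswd-format entries for blank ("NO PASSWORD") SMB passwords."""
from dataclasses import dataclass
from typing import List, Optional

NULL_MARKER = "NO PASSWORD"            # a blank hash field starts with this text
NULL_HASH = NULL_MARKER + "X" * 21     # padded to the 32-character field width

# Constructed sample file; the first entry mirrors the one quoted in the thread.
SAMPLE = "\n".join([
    "# constructed test data",
    f"testuser:10151:{NULL_HASH}:{NULL_HASH}:[NU         ]:LCT-00000000:Test User:",
    "alice:10152:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-47A8F3C0:",
    f"olduser:10153:{NULL_HASH}:{NULL_HASH}:[NUD        ]:LCT-00000000:",
])


@dataclass
class Entry:
    user: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str         # account flag letters with padding removed, e.g. "NU"
    last_change: int   # LCT field: seconds since the epoch, 0 = never changed

    @property
    def blank(self) -> bool:
        """True when both hash fields carry the NO PASSWORD marker."""
        return (self.lm_hash.startswith(NULL_MARKER)
                and self.nt_hash.startswith(NULL_MARKER))


def parse_line(line: str) -> Optional[Entry]:
    """Parse one smbpasswd line; return None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        raise ValueError(f"too few fields: {line!r}")
    user, uid, lm_hash, nt_hash, flags, lct = fields[:6]
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError(f"bad account flags field: {flags!r}")
    if not lct.startswith("LCT-"):
        raise ValueError(f"bad last-change field: {lct!r}")
    return Entry(user, int(uid), lm_hash, nt_hash,
                 flags[1:-1].replace(" ", ""), int(lct[4:], 16))


def audit(text: str, null_passwords: bool = False) -> List[dict]:
    """List accounts with a blank SMB password and their logon outcome.

    null_passwords mirrors the smb.conf "null passwords" setting.
    """
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None or not entry.blank:
            continue
        if "D" in entry.flags:          # D = account disabled
            logon = "disabled"
        elif null_passwords:            # blank password accepted over SMB
            logon = "accepted"
        else:                           # the case logged by smbd in the thread
            logon = "refused"
        findings.append({
            "user": entry.user,
            "uid": entry.uid,
            "smb_logon": logon,
            "never_changed": entry.last_change == 0,
        })
    return findings


if __name__ == "__main__":
    for setting in (False, True):
        print(f"null passwords = {'yes' if setting else 'no'}")
        for f in audit(SAMPLE, null_passwords=setting):
            print(f"  {f['user']} (uid {f['uid']}): blank password, "
                  f"SMB logon {f['smb_logon']}")
```

Run against a copy of the real smbpasswd file, the "refused" rows are the accounts that are in the state described in this thread: no SMB logon is possible until a password is set for them.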