Hi guys,

Thanks for those of you who kept reading after seeing the subject line
-- I know, it's like a flashback to about 2000 or so, but for mostly
uninteresting reasons, I've got a situation that I wanted to run by the
list just in case there's a work around.

I have an NT 4 server that's the PDC that my new Samba box, running
3.4.0 w/ "security = domain" uses to authenticate users for the Samba
shares.

This was done to begin migrating away from the NT server, but we still
need it for the PDC.

Anyway, I've got everything (finally) working with a little help from
the list for my Win2k and WinXP clients. I'm happy with that, but when
I tried to connect one of the two remaining Win95 machines, I get
authentication failures.

The interesting thing is, this worked fine in a couple of older Samba
boxes I'm running with version 3.0.28, with a very similar configuration
(security = domain, using the same NT 4 PDC to authenticate, etc.).

So, the question is, is anyone aware of what might've changed between
3.0.28 and 3.4.0 that could affect Win95 clients in this situation? I
tried the few ideas I found like:

    lanman auth = yes
    client lanman auth = yes
    client plaintext auth = yes
    ntlm auth = yes

(I assume the client options may not do me any good here anyway), and
I'm still not getting any joy.

Any help would be greatly appreciated. Thanks for reading.

Here are samples of the same Win95 box connecting first to the 3.0.28
box, which works, and then to the 3.4.0 one, which doesn't:

------------------------------------------------------------------------

[2010/06/04 18:18:45, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
[2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
[2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [NODE008] succeeded
[2010/06/04 18:18:45, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [NODE008] -> [NODE008] -> [MAIN\node008] succeeded

------------------------------------------------------------------------

[2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
[2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
[2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [NODE008] -> [NODE008] FAILED with error NT_STATUS_LOGON_FAILURE
[2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
[2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
[2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [NODE008] -> [NODE008] FAILED with error NT_STATUS_LOGON_FAILURE

------------------------------------------------------------------------
Günter Kukkukk
2010-Jun-06 03:51 UTC
[Samba] 3.4.0 Samba box w/ NT 4 PDC and Win 95 client
On Sunday 06 June 2010 03:10:04, John Lawler wrote:
> Hi guys,
>
> Thanks for those of you who kept reading after seeing the subject line
> -- I know, it's like a flashback to about 2000 or so, but for mostly
> uninteresting reasons, I've got a situation that I wanted to run by the
> list just in case there's a work around.
>
> I have an NT 4 server that's the PDC that my new Samba box, running
> 3.4.0 w/ "security = domain" uses to authenticate users for the Samba
> shares.
>
> This was done to begin migrating away from the NT server, but we still
> need it for the PDC.
>
> Anyway, I've got everything (finally) working with a little help from
> the list for my Win2k and WinXP clients. I'm happy with that, but when
> I tried to connect one of the two remaining Win95 machines, I get
> authentication failures.
>
> The interesting thing is, this worked fine in a couple of older Samba
> boxes I'm running with version 3.0.28, with a very similar configuration
> (security = domain, using the same NT 4 PDC to authenticate, etc.).
>
> So, the question is, is anyone aware of what might've changed between
> 3.0.28 and 3.4.0 that could affect Win95 clients in this situation? I
> tried the few ideas I found like:
>
>     lanman auth = yes
>     client lanman auth = yes
>     client plaintext auth = yes
>     ntlm auth = yes
>
> (I assume the client options may not do me any good here anyway), and
> I'm still not getting any joy.
>
> Any help would be greatly appreciated. Thanks for reading.
>
> Here are samples of the same Win95 box connecting first to the 3.0.28
> box, which works, and then to the 3.4.0 one, which doesn't:
>
> ------------------------------------------------------------------------
>
> [2010/06/04 18:18:45, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(221)
>   check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(224)
>   check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(270)
>   check_ntlm_password: winbind authentication for user [NODE008] succeeded
> [2010/06/04 18:18:45, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password: authentication for user [NODE008] -> [NODE008] -> [MAIN\node008] succeeded
>
> ------------------------------------------------------------------------
>
> [2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
>   check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
>   check_ntlm_password: Authentication for user [NODE008] -> [NODE008] FAILED with error NT_STATUS_LOGON_FAILURE
> [2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
>   check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
>   check_ntlm_password: Authentication for user [NODE008] -> [NODE008] FAILED with error NT_STATUS_LOGON_FAILURE
>
> ------------------------------------------------------------------------
>

Hi John,

make sure that
    lanman auth = yes
is still set in your smb.conf.

As root run 'pdbedit -Lw' to list all configured samba users in the old
ASCII smbpasswd format. All users listed with _both_ the LANMAN and the
NT hash have valid stored password hashes for the old legacy case and
the newer ones, like:

    linux:1003:BBBBD20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U ]:LCT-4B1ED764:

Those listed users should be able to logon.

In case you get user entries like

    linux:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B123664EC733B395A7260A3A08D9C699:[U ]:LCT-4B1ED796:

the old LANMAN hash is no longer available and a legacy logon will fail.

What you can do:

1.) make sure that "lanman auth = yes" is still set in your smb.conf

2.) for all your win95 client users listed as
    "....XXXXXXXXXXXXXXXXX...." above, you need to run (as root)
        smbpasswd username
    (or even
        smbpasswd -a username
    )
    You need to enter the user's password twice as usual.
    This procedure will re-install the LANMAN hash again (and also the
    NT hash!)

3.) check again with 'pdbedit -Lw' that the LANMAN hash is available
    now for your win95 users

Please note that setting "lanman auth = yes" implies a security problem.

Cheers, Günter

BTW - never ever post above mentioned LANMAN and NT hashes to the
public - they are like plaintext passwords (so my ones above are
scrambled by intention)
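
The check in steps 2 and 3 of the reply above can be scripted. This is an added example, not part of the original messages and not a Samba tool: the function name users_missing_lm and the sample accounts are made up here, and the sample hash fields are dummy values. It reads smbpasswd-format lines and lists the user accounts that have no stored LANMAN hash.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Reads smbpasswd-format lines (the format printed by 'pdbedit -Lw'):
#   name:uid:LANMAN-hash:NT-hash:[flags]:LCT-xxxxxxxx:
# and reports user accounts that have no usable LANMAN hash.

users_missing_lm() {
    awk -F: '
        /^#/ || NF < 5 { next }              # comments and malformed lines
        $5 !~ /U/      { next }              # only normal user accounts
        length($3) == 32 && $3 ~ /^[0-9A-Fa-f]+$/ { next }  # LANMAN hash stored
        $3 ~ /^NO PASSWORD/ { print $1 " no-password"; next }
        { print $1 " lm-missing" }           # X placeholder or anything else
    '
}

# Constructed sample input; the hash fields are dummy values, not real hashes.
sample_pdbedit_output() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000001:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000002:
carol:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000003:
win95pc$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-00000004:
EOF
}

# Demo on the constructed sample. On a server, as root:
#   pdbedit -Lw | users_missing_lm
sample_pdbedit_output | users_missing_lm
```

The output contains only account names and a status, so it can be shared on a list without exposing the hashes themselves.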