Hello,

I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy support, I am using a smbpasswd file (chmod 600) instead of the newer tdbsam database. It is also worth noting that this server also has LDAP authentication enabled (for SSH access). Clients access Samba from both Windows 7 and Windows XP. The smb.conf file is as follows:

    [global]
    workgroup = HOME
    printcap name = /etc/printcap
    load printers = no
    printing = lprng
    log file = /var/log/samba/%m.log
    max log size = 0
    security = user
    encrypt passwords = true
    passdb backend = smbpasswd
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    pam password change = yes
    obey pam restrictions = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    os level = 65
    domain master = no
    preferred master = no
    name resolve order = wins bcast host lmhosts
    wins server = xxx.xxx.xxx.xxx
    dns proxy = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no

    [MyShare]
    path = /mnt/MyShare
    browseable = yes
    public = yes
    guest ok = yes
    writable = yes
    printable = no
    create mode = 0664
    directory mode = 0775
    veto oplock files = /*mgc*/
    force create mode = 0660
    force directory mode = 0660

Samba is not a PDC, however the Windows accounts on client machines have the same credentials as are stored in smbpasswd, so the share is automatically authenticated. I have observed that if a user is required to enter their password, e.g. their Windows password is not the same as in smbpasswd, then their password in smbpasswd gets reset.

For example, before attempting to connect, user1's entry in smbpasswd looks like this (password hashes randomized in example below):

    user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:

After the user attempts to connect, and enters the wrong credentials,

    user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:

Thus if the user then tries a second time with the correct password, they are unable to login. If the correct password is supplied the first time, then no change is made to smbpasswd. Sometimes the password gets changed to XXXXX... even after a successful login. When this error occurs, nothing is logged in /var/log or /var/log/samba. An strace of the parent smbd process reveals only the following:

    gettimeofday({1335971419, 254991}, NULL) = 0
    select(27, [6 24 25 26], [], NULL, {9999, 0}) = 1 (in [24], left {9993, 133747})
    gettimeofday({1335971425, 122816}, NULL) = 0
    accept(24, {sa_family=AF_INET, sin_port=htons(61726), sin_addr=inet_addr("192.168.1.20")}, [16]) = 28
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f07d9ead9f0) = 4371
    close(28) = 0
    gettimeofday({1335971425, 133599}, NULL) = 0

Do you have any ideas on why the smbpasswd file is being changed, and how to correct this behavior so the smbpasswd file is not changed?

Thanks,

Andrew

TAKAHASHI Motonobu
2012-May-04 16:57 UTC
[Samba] Login Attempt Resets Password in smbpasswd
From: Andrew Martin <amartin at xes-inc.com>
Date: Wed, 02 May 2012 13:23:47 -0500 (CDT)

> I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy
> support, I am using a smbpasswd file (chmod 600) instead of the
> newer tdbsam database.
(snip)
> Samba is not a PDC, however the Windows accounts on client machines
> have the same credentials as are stored in smbpasswd, so the share
> is automatically authenticated. I have observed that if a user is
> required to enter their password, e.g. their Windows password is not
> the same as in smbpasswd, then their password in smbpasswd gets
> reset. For example, before attempting to connect, user1's entry in
> smbpasswd looks like this (password hashes randomized in example
> below):
>
> user1:111: f0faf5d8955e92206354485d29a1b15e : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
>
> After the user attempts to connect, and enters the wrong credentials,
> user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55:
>
> Thus if the user then tries a second time with the correct password,
> they are unable to login. If the correct password is supplied the
> first time, then no change is made to smbpasswd. Sometimes the
> password gets changed to XXXXX... even after a successful
> login. When this error occurs, nothing is logged in /var/log or
> /var/log/samba. An strace of the parent smbd process reveals only
> the following:
>
(snip)
>
> Do you have any ideas on why the smbpasswd file is being changed,
> and how to correct this behavior so the smbpasswd file is not
> changed?

This behavior (the former password string changing to XXXXX...) is expected unless you explicitly enable "lanman auth = yes".

In smb.conf(5):

-----
When this parameter is set to no this will also result in sambaLMPassword in Samba's passdb being blanked after the next password change. As a result of that lanman clients won't be able to authenticate, even if lanman auth is reenabled later on.
-----

The former part, the LANMAN hash, is no longer used unless you connect to Samba from Windows 9x.

> Thus if the user then tries a second time with the correct password,
> they are unable to login.

As far as I examined, users can login...

Could you try rebooting the client and then connecting to the Samba server after the password string changes to XXXXX...?

The reason I say "reboot" is that it is the easiest way to clear the authentication cache. Basically, a "reboot" is not required.

---
TAKAHASHI Motonobu <monyo at monyo.com>
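
An added example, not part of either post: a small checker that reads smbpasswd-format lines and reports, per account, whether the LM field is still stored or has been blanked to X's while the NT field remains. The function names are hypothetical, the sample is the thread's two user1 entries with the padding spaces removed, and the "NO PASSWORD" marker is handled as smbpasswd(5) describes it.

```python
import string
from datetime import datetime, timezone

BLANK = "X" * 32  # what Samba writes when a hash is not stored

# Constructed sample: the two user1 entries quoted in the thread, with the
# padding spaces removed and the flags field written at its usual width.
SAMPLE = """\
user1:111:f0faf5d8955e92206354485d29a1b15e:e580c2260de48ababdd67d6ed063a641:[UX         ]:LCT-4E985F55:
user1:111:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:e580c2260de48ababdd67d6ed063a641:[UX         ]:LCT-4E985F55:
"""

def hash_state(field):
    """Return 'set', 'blank', 'null' or 'malformed' for one hash field."""
    field = field.strip()
    if field.startswith("NO PASSWORD"):  # null-password marker, smbpasswd(5)
        return "null"
    if field == BLANK:
        return "blank"
    if len(field) == 32 and all(c in string.hexdigits for c in field):
        return "set"
    return "malformed"

def parse_entry(line):
    """Split one entry of the form name:uid:LM:NT:[flags]:LCT-hex:"""
    parts = line.strip().split(":")
    if len(parts) < 6 or not parts[5].startswith("LCT-"):
        raise ValueError(f"not an smbpasswd entry: {line!r}")
    name, _uid, lm, nt, flags, lct = parts[:6]
    # LCT is the last change time, hex seconds since the Unix epoch
    changed = datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc)
    return {"name": name, "lm": hash_state(lm), "nt": hash_state(nt),
            "flags": flags.strip("[] "), "last_change": changed}

def audit(text):
    """Yield (name, finding) for each non-comment entry in smbpasswd text."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_entry(line)
        if e["lm"] == "set":
            yield e["name"], "LM hash stored (weak legacy hash still on disk)"
        elif e["nt"] == "set":
            yield e["name"], "LM blank, NT hash present"
        else:
            yield e["name"], "no usable NT hash"

for name, finding in audit(SAMPLE):
    print(name, finding)
```

Both sample entries carry the same LCT value, so the last-change timestamp alone does not show when the LM field was blanked.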