Tygre
2024-Mar-05 01:10 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
Hi there,

I have looked for a solution to my problem on the Internet (and in particular this mailing list), but couldn't find one, probably due to searching for the wrong thing :-)

I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" shows that the user "smbuser" exists. I used "smbpassword" to set the password of "smbuser". I also have several "old" computers that I want to connect to this RPI using Samba. I managed to get an Amiga connected to the Samba server, by adding the directive "ntlm auth = yes" to "smb.conf".

But, I cannot get a NeXTstation to connect to the server. It seems to me that, because the client on the NeXTstation only deals with unencrypted passwords, the server is unable to verify the username/password. I tried using the directive "encrypt passwords = no", but then neither the Amiga nor the NeXTstation can connect, with the error: "FAILED with error NT_STATUS_LOGON_FAILURE".

I don't understand why, by forcing unencrypted passwords, the server cannot find the username/password (anymore). I must be missing to allow the Samba server to work with unencrypted password. Could anyone help?

Thanks in advance!
Tygre

PS. I do know that unencrypted passwords are unsecure and a bad idea but, right now, I'd like both my Amiga and NeXTstation to connect, before "hardening" the server.

PPS. I join my "smb.conf", working with the Amiga (not the NeXTstation) and the log when trying to connect from the NeXTstation.

-----------------------------------------
Scientific Progress Goes Boing!
http://www.chingu.asia/wiki
-----------------------------------------

-------------- next part --------------
[global]
log file = /var/log/samba/log.%m
log level = 1 auth:5 winbind:5
max log size = 1000
logging = file
server role = standalone server
workgroup = GIB
# security = user
# encrypt passwords = no
ntlm auth = yes
# client lanman auth = yes
# client ntlmv2 auth = no
map to guest = bad user
dos charset = CP850
unix charset = UTF-8

[Archives]
path = /media/Archives
writeable = Yes
create mask = 0777
directory mask = 0777

-------------- next part --------------
[2024/03/03 17:00:33.281085, 5] ../source3/auth/auth.c:536(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2024/03/03 17:00:33.284126, 5] ../source3/auth/auth.c:412(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2024/03/03 17:00:33.286241, 5] ../source3/auth/auth.c:437(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2024/03/03 17:00:33.287295, 5] ../source3/auth/auth.c:412(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/03/03 17:00:33.289479, 5] ../source3/auth/auth.c:437(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2024/03/03 17:00:33.291585, 5] ../source3/auth/auth_util.c:290(make_user_info_for_reply)
  make_user_info_for_reply: User passwords not in encrypted format.
[2024/03/03 17:00:33.294426, 5] ../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for smbuser (smbuser)
[2024/03/03 17:00:33.296633, 5] ../source3/auth/user_info.c:72(make_user_info)
  making strings for smbuser's user_info struct
[2024/03/03 17:00:33.299024, 5] ../source3/auth/user_info.c:125(make_user_info)
  making blobs for smbuser's user_info struct
[2024/03/03 17:00:33.311777, 5] ../source3/auth/auth_util.c:122(make_user_info_map)
  Mapping user [WORKGROUP]\[smbuser] from workstation [daeumyeog]
[2024/03/03 17:00:33.314940, 5] ../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for smbuser (smbuser)
[2024/03/03 17:00:33.317880, 5] ../source3/auth/user_info.c:72(make_user_info)
  making strings for smbuser's user_info struct
[2024/03/03 17:00:33.320923, 5] ../source3/auth/user_info.c:125(make_user_info)
  making blobs for smbuser's user_info struct
[2024/03/03 17:00:33.324021, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[smbuser]@[daeumyeog] with the new password interface
[2024/03/03 17:00:33.326162, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [WORKGROUP]\[smbuser]@[daeumyeog]
[2024/03/03 17:00:33.336022, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [smbuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2024/03/03 17:00:33.339780, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
Andrew Bartlett
2024-Mar-05 01:24 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
> Hi there,
> I have looked for a solution to my problem on the Internet (and
> in particular this mailing list), but couldn't find one, probably due
> to searching for the wrong thing :-)
> I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L"
> shows that the user "smbuser" exists. I used "smbpassword" to set the
> password of "smbuser". I also have several "old" computers that I
> want to connect to this RPI using Samba. I managed to get an Amiga
> connected to the Samba server, by adding the directive "ntlm auth =
> yes" to "smb.conf".
> But, I cannot get a NeXTstation to connect to the server. It
> seems to me that, because the client on the NeXTstation only deals
> with unencrypted passwords, the server is unable to verify the
> username/password. I tried using the directive "encrypt passwords =
> no", but then neither the Amiga nor the NeXTstation can connect, with
> the error: "FAILED with error NT_STATUS_LOGON_FAILURE".
> I don't understand why, by forcing unencrypted passwords, the
> server cannot find the username/password (anymore). I must be missing
> to allow the Samba server to work with unencrypted password. Could
> anyone help?
> Thanks in advance! Tygre
> PS. I do know that unencrypted passwords are unsecure and a bad idea
> but, right now, I'd like both my Amiga and NeXTstation to connect,
> before "hardening" the server.
> PPS. I join my "smb.conf", working with
> the Amiga (not the NeXTstation) and the log when trying to connect
> from the NeXTstation.

You would be best to just use guest access and IP restrictions, but if you want a password it will be checking it against PAM, not the smbpasswd file.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
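
The guest-access-plus-IP-restriction approach suggested in the reply above could look like the following smb.conf fragment. This is an added example, not a configuration posted by either participant; the client addresses (192.0.2.x) are constructed placeholders and the guest account name is an assumption.

```ini
# Added example (not from the thread): guest access limited to known clients.
# smb.conf has no inline comments, so every comment sits on its own line.

[global]
server role = standalone server
workgroup = GIB
log file = /var/log/samba/log.%m

# A login whose user name does NOT exist on the server is mapped to the
# guest account. A login for an existing user with a wrong password is
# still rejected, so the legacy client must present a name that has no
# account on the server.
map to guest = bad user

# Assumption: "nobody" is the unprivileged Unix account used for guests.
guest account = nobody

[Archives]
path = /media/Archives

# Allow guest sessions on this share, and treat every session as guest so
# no password (encrypted or plaintext) is ever evaluated for it.
guest ok = yes
guest only = yes

# Constructed placeholder addresses: list only the legacy machines.
# Everything not matched by "hosts allow" is refused.
hosts allow = 127.0.0.1 192.0.2.10 192.0.2.11
hosts deny = 0.0.0.0/0

# Writable as in the original share, but with tighter masks than 0777.
# Assumption: the guest account has filesystem write access to the path.
read only = no
create mask = 0664
directory mask = 0775
```

Running `testparm` after editing reports syntax errors and prints the effective values of these parameters before smbd is restarted.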