Tygre
2024-Mar-09 20:37 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
Hi there, Sorry to come back to that, I tried to follow the code at https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 (and below) but I still can't understand why one Samba client can connect, but the other can't. I can't understand why, with one client, the code would go into "check_samsec.c:183" (and return "sam_account_ok") while, with the other client, the code would go immediately into "auth.c:251" (and fail to login). Could you help me understand, which could maybe give me an idea on configuring Samba for both client to work? Thanks in advance, Yann PS. I'm running *** CAN CONNECT: [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password) auth_check_ntlm_password: anonymous had nothing to say [2024/03/09 15:16:09.383493, 4, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok) sam_account_ok: Checking SMB password for user smbuser [2024/03/09 15:16:09.386622, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok) logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar 9 20:16:09 2024 ) [2024/03/09 15:16:09.393510, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam) make_server_info_sam: made server info for user smbuser -> smbuser [2024/03/09 15:16:09.397225, 3, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password) auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] succeeded *** CANNOT CONNECT: [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password) auth_check_ntlm_password: anonymous had nothing to say [2024/03/09 15:16:15.187847, 5, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password) auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1 On 2024-03-04 20:24, Andrew Bartlett wrote:> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote: >> Hi there, >> >> I have looked for a solution to my problem on the Internet (and in particular this mailing list), but couldn't find one, probably due to searching for the wrong thing :-) >> >> I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" shows that the user "smbuser" exists. I used "smbpassword" to set the password of "smbuser". I also have several "old" computers that I want to connect to this RPI using Samba. I managed to get an Amiga connected to the Samba server, by adding the directive "ntlm auth = yes" to "smb.conf". >> >> But, I cannot get a NeXTstation to connect to the server. It seems to me that, because the client on the NeXTstation only deals with unencrypted passwords, the server is unable to verify the username/password. I tried using the directive "encrypt passwords = no", but then neither the Amiga nor the NeXTstation can connect, with the error: "FAILED with error NT_STATUS_LOGON_FAILURE". >> >> I don't understand why, by forcing unencrypted passwords, the server cannot find the username/password (anymore). I must be missing to allow the Samba server to work with unencrypted password. Could anyone help? >> >> Thanks in advance! >> Tygre >> >> PS. I do know that unencrypted passwords are unsecure and a bad idea but, right now, I'd like both my Amiga and NeXTstation to connect, before "hardening" the server. >> PPS. I join my "smb.conf", working with the Amiga (not the NeXTstation) and the log when trying to connect from the NeXTstation. > > You would be best to just use guest access and IP restrictions, but if you want a password it will be checking it against PAM, not the smbpasswd file. > > > Andrew Bartlett > > > -- > > Andrew Bartlett (he/him) https://samba.org/~abartlet/ <https://samba.org/~abartlet/> > Samba Team Member (since 2001) https://samba.org <https://samba.org> > Samba Team Lead https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba> > Catalyst.Net Ltd > > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company > > Samba Development and Support: https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba> > > Catalyst IT - Expert Open Source Solutions > >-- ----------------------------------------- Scientific Progress Goes Boing! http://www.chingu.asia/wiki -----------------------------------------
Tygre
2024-Mar-09 20:45 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
PS. I forgot to add the version information: Version 4.9.5-Debian On 2024-03-09 15:37, Tygre wrote:> > Hi there, > > Sorry to come back to that, I tried to follow the code at https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 (and below) but I still can't understand why one Samba client can connect, but the other can't. > > I can't understand why, with one client, the code would go into "check_samsec.c:183" (and return "sam_account_ok") while, with the other client, the code would go immediately into "auth.c:251" (and fail to login). > > Could you help me understand, which could maybe give me an idea on configuring Samba for both client to work? > > Thanks in advance, > Yann > > PS. I'm running > > *** CAN CONNECT: > > [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password) > auth_check_ntlm_password: anonymous had nothing to say > [2024/03/09 15:16:09.383493, 4, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok) > sam_account_ok: Checking SMB password for user smbuser > [2024/03/09 15:16:09.386622, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok) > logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar 9 20:16:09 2024 > ) > [2024/03/09 15:16:09.393510, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam) > make_server_info_sam: made server info for user smbuser -> smbuser > [2024/03/09 15:16:09.397225, 3, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password) > auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] succeeded > > *** CANNOT CONNECT: > > [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password) > auth_check_ntlm_password: anonymous had nothing to say > [2024/03/09 15:16:15.187847, 5, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password) > auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1 > > On 2024-03-04 20:24, Andrew Bartlett wrote: >> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote: >>> Hi there, >>> >>> I have looked for a solution to my problem on the Internet (and in particular this mailing list), but couldn't find one, probably due to searching for the wrong thing :-) >>> >>> I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" shows that the user "smbuser" exists. I used "smbpassword" to set the password of "smbuser". I also have several "old" computers that I want to connect to this RPI using Samba. I managed to get an Amiga connected to the Samba server, by adding the directive "ntlm auth = yes" to "smb.conf". >>> >>> But, I cannot get a NeXTstation to connect to the server. It seems to me that, because the client on the NeXTstation only deals with unencrypted passwords, the server is unable to verify the username/password. I tried using the directive "encrypt passwords = no", but then neither the Amiga nor the NeXTstation can connect, with the error: "FAILED with error NT_STATUS_LOGON_FAILURE". >>> >>> I don't understand why, by forcing unencrypted passwords, the server cannot find the username/password (anymore). I must be missing to allow the Samba server to work with unencrypted password. Could anyone help? >>> >>> Thanks in advance! >>> Tygre >>> >>> PS. I do know that unencrypted passwords are unsecure and a bad idea but, right now, I'd like both my Amiga and NeXTstation to connect, before "hardening" the server. >>> PPS. I join my "smb.conf", working with the Amiga (not the NeXTstation) and the log when trying to connect from the NeXTstation. >> >> You would be best to just use guest access and IP restrictions, but if you want a password it will be checking it against PAM, not the smbpasswd file. >> >> >> Andrew Bartlett >> >> >> -- >> >> Andrew Bartlett (he/him) https://samba.org/~abartlet/ <https://samba.org/~abartlet/> >> Samba Team Member (since 2001) https://samba.org <https://samba.org> >> Samba Team Lead https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba> >> Catalyst.Net Ltd >> >> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company >> >> Samba Development and Support: https://catalyst.net.nz/services/samba <https://catalyst.net.nz/services/samba> >> >> Catalyst IT - Expert Open Source Solutions >> >> >-- ----------------------------------------- Scientific Progress Goes Boing! http://www.chingu.asia/wiki -----------------------------------------
Rowland Penny
2024-Mar-10 10:30 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
On Sat, 9 Mar 2024 15:37:09 -0500 Tygre via samba <samba at lists.samba.org> wrote:> > Hi there, > > Sorry to come back to that, I tried to follow the code at > https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 > (and below) but I still can't understand why one Samba client can > connect, but the other can't. > > I can't understand why, with one client, the code would go > into "check_samsec.c:183" (and return "sam_account_ok") while, with > the other client, the code would go immediately into "auth.c:251" > (and fail to login). > > Could you help me understand, which could maybe give me an > idea on configuring Samba for both client to work? > > Thanks in advance, > Yann >I think one of your problems is that you seem to be failing to understand that when you you run Samba as a standalone server, it is also a client for other servers, this means that you may have missed this parameter: lanman auth Which defaults to 'no', so your 'server' will only use SMBv1 (at a minimum and if configured to do so) and, from memory, an Amiga hasn't a clue what SMB is. Rowland
Andrew Bartlett
2024-Mar-10 20:29 UTC
[Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
The logs below still look like Samba is configured for encrypted passwords. As to your other mail, please, please use a more recent version than Samba 4.9 Andrew Bartlett On Sat, 2024-03-09 at 15:37 -0500, Tygre via samba wrote:> Hi there, > Sorry to come back to that, I tried to follow the code at > https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 > (and below) but I still can't understand why one Samba client can > connect, but the other can't. > I can't understand why, with one client, the code would go into > "check_samsec.c:183" (and return "sam_account_ok") while, with the > other client, the code would go immediately into "auth.c:251" (and > fail to login). > Could you help me understand, which could maybe give me an idea > on configuring Samba for both client to work? > Thanks in advance, Yann > PS. I'm running > *** CAN CONNECT: > [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, > 0), class=auth] > ../source3/auth/auth.c:237(auth_check_ntlm_password) auth_check_ntl > m_password: anonymous had nothing to say[2024/03/09 > 15:16:09.383493, 4, pid=5930, effective(0, 0), real(0, 0), > class=auth] > ../source3/auth/check_samsec.c:183(sam_account_ok) sam_account_ok: > Checking SMB password for user smbuser[2024/03/09 > 15:16:09.386622, 5, pid=5930, effective(0, 0), real(0, 0), > class=auth] > ../source3/auth/check_samsec.c:165(logon_hours_ok) logon_hours_ok: > user smbuser allowed to logon at this time (Sat Mar 9 20:16:09 > 2024 )[2024/03/09 15:16:09.393510, 5, pid=5930, effective(0, 0), > real(0, 0), class=auth] > ../source3/auth/server_info_sam.c:122(make_server_info_sam) make_se > rver_info_sam: made server info for user smbuser -> > smbuser[2024/03/09 15:16:09.397225, 3, pid=5930, effective(0, 0), > real(0, 0), class=auth] > ../source3/auth/auth.c:256(auth_check_ntlm_password) auth_check_ntl > m_password: sam_ignoredomain authentication for user [SMBUSER] > succeeded > *** CANNOT CONNECT: > [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, > 0), class=auth] > ../source3/auth/auth.c:237(auth_check_ntlm_password) auth_check_ntl > m_password: anonymous had nothing to say[2024/03/09 > 15:16:15.187847, 5, pid=5931, effective(0, 0), real(0, 0), > class=auth] > ../source3/auth/auth.c:251(auth_check_ntlm_password) auth_check_ntl > m_password: sam_ignoredomain authentication for user [SMBUSER] FAILED > with error NT_STATUS_WRONG_PASSWORD, authoritative=1 > On 2024-03-04 20:24, Andrew Bartlett wrote: > > On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote: > > > Hi there, > > > I have looked for a solution to my problem on the Internet (and > > > in particular this mailing list), but couldn't find one, probably > > > due to searching for the wrong thing :-) > > > I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" > > > shows that the user "smbuser" exists. I used "smbpassword" to set > > > the password of "smbuser". I also have several "old" computers > > > that I want to connect to this RPI using Samba. I managed to get > > > an Amiga connected to the Samba server, by adding the directive > > > "ntlm auth = yes" to "smb.conf". > > > But, I cannot get a NeXTstation to connect to the server. It > > > seems to me that, because the client on the NeXTstation only > > > deals with unencrypted passwords, the server is unable to verify > > > the username/password. I tried using the directive "encrypt > > > passwords = no", but then neither the Amiga nor the NeXTstation > > > can connect, with the error: "FAILED with error > > > NT_STATUS_LOGON_FAILURE". > > > I don't understand why, by forcing unencrypted passwords, the > > > server cannot find the username/password (anymore). I must be > > > missing to allow the Samba server to work with unencrypted > > > password. Could anyone help? > > > Thanks in advance! Tygre > > > PS. I do know that unencrypted passwords are unsecure and a bad > > > idea but, right now, I'd like both my Amiga and NeXTstation to > > > connect, before "hardening" the server.PPS. I join my "smb.conf", > > > working with the Amiga (not the NeXTstation) and the log when > > > trying to connect from the NeXTstation. > > > > You would be best to just use guest access and IP restrictions, but > > if you want a password it will be checking it against PAM, not the > > smbpasswd file. > > > > Andrew Bartlett > > > > -- > > Andrew Bartlett (he/him) https://samba.org/~abartlet/ < > > https://samba.org/~abartlet/>Samba Team Member (since 2001) > > https://samba.org <https://samba.org>Samba Team Lead > > https://catalyst.net.nz/services/samba < > > https://catalyst.net.nz/services/samba>Catalyst.Net Ltd > > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group > > company > > Samba Development and Support: > > https://catalyst.net.nz/services/samba < > > https://catalyst.net.nz/services/samba> > > Catalyst IT - Expert Open Source Solutions > > > > -- ----------------------------------------- Scientific Progress > Goes Boing! http://www.chingu.asia/wiki > ----------------------------------------- >-- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions
Possibly Parallel Threads
- Cannot Get Samba to Work Without Encrypted Password with Legacy Client
- Cannot Get Samba to Work Without Encrypted Password with Legacy Client
- Cannot Get Samba to Work Without Encrypted Password with Legacy Client
- Cannot Get Samba to Work Without Encrypted Password with Legacy Client
- Changing user account passwords using smbpasswd after password expiration