samba - Mar 2024 - Cannot Get Samba to Work Without Encrypted Password with Legacy Client

Hi there,

	Sorry to come back to that, I tried to follow the code at
https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 (and
below) but I still can't understand why one Samba client can connect, but
the other can't.

	I can't understand why, with one client, the code would go into
"check_samsec.c:183" (and return "sam_account_ok") while,
with the other client, the code would go immediately into "auth.c:251"
(and fail to login).

	Could you help me understand, which could maybe give me an idea on configuring
Samba for both client to work?

	Thanks in advance,
	Yann

PS. I'm running

*** CAN CONNECT:

[2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
   auth_check_ntlm_password: anonymous had nothing to say
[2024/03/09 15:16:09.383493,  4, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok)
   sam_account_ok: Checking SMB password for user smbuser
[2024/03/09 15:16:09.386622,  5, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok)
   logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar  9
20:16:09 2024
   )
[2024/03/09 15:16:09.393510,  5, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam)
   make_server_info_sam: made server info for user smbuser -> smbuser
[2024/03/09 15:16:09.397225,  3, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password)
   auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER]
succeeded

*** CANNOT CONNECT:

[2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
   auth_check_ntlm_password: anonymous had nothing to say
[2024/03/09 15:16:15.187847,  5, pid=5931, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
   auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1

On 2024-03-04 20:24, Andrew Bartlett wrote:
> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
>> 	Hi there,
>>
>> 	I have looked for a solution to my problem on the Internet (and in
particular this mailing list), but couldn't find one, probably due to
searching for the wrong thing :-)
>>
>> 	I have an RPI running Samba version 4.9.5-Debian. "pdbedit
-L" shows that the user "smbuser" exists. I used
"smbpassword" to set the password of "smbuser". I also have
several "old" computers that I want to connect to this RPI using
Samba. I managed to get an Amiga connected to the Samba server, by adding the
directive "ntlm auth = yes" to "smb.conf".
>>
>> 	But, I cannot get a NeXTstation to connect to the server. It seems to
me that, because the client on the NeXTstation only deals with unencrypted
passwords, the server is unable to verify the username/password. I tried using
the directive "encrypt passwords = no", but then neither the Amiga nor
the NeXTstation can connect, with the error: "FAILED with error
NT_STATUS_LOGON_FAILURE".
>>
>> 	I don't understand why, by forcing unencrypted passwords, the
server cannot find the username/password (anymore). I must be missing to allow
the Samba server to work with unencrypted password. Could anyone help?
>>
>> 	Thanks in advance!
>> 	Tygre
>>
>> PS. I do know that unencrypted passwords are unsecure and a bad idea
but, right now, I'd like both my Amiga and NeXTstation to connect, before
"hardening" the server.
>> PPS. I join my "smb.conf", working with the Amiga (not the
NeXTstation) and the log when trying to connect from the NeXTstation.
> 
> You would be best to just use guest access and IP restrictions, but if you
want a password it will be checking it against PAM, not the smbpasswd file.
> 
> 
> Andrew Bartlett
> 
> 
> -- 
> 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
<https://samba.org/~abartlet/>
> Samba Team Member (since 2001) https://samba.org <https://samba.org>
> Samba Team Lead https://catalyst.net.nz/services/samba
<https://catalyst.net.nz/services/samba>
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
> 
> Samba Development and Support: https://catalyst.net.nz/services/samba
<https://catalyst.net.nz/services/samba>
> 
> Catalyst IT - Expert Open Source Solutions
> 
> 
-- 
-----------------------------------------
      Scientific Progress Goes Boing!
        http://www.chingu.asia/wiki
-----------------------------------------

PS. I forgot to add the version information: Version 4.9.5-Debian

On 2024-03-09 15:37, Tygre wrote:
> 
> 	Hi there,
> 
> 	Sorry to come back to that, I tried to follow the code at
https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214 (and
below) but I still can't understand why one Samba client can connect, but
the other can't.
> 
> 	I can't understand why, with one client, the code would go into
"check_samsec.c:183" (and return "sam_account_ok") while,
with the other client, the code would go immediately into "auth.c:251"
(and fail to login).
> 
> 	Could you help me understand, which could maybe give me an idea on
configuring Samba for both client to work?
> 
> 	Thanks in advance,
> 	Yann
> 
> PS. I'm running
> 
> *** CAN CONNECT:
> 
> [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>     auth_check_ntlm_password: anonymous had nothing to say
> [2024/03/09 15:16:09.383493,  4, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok)
>     sam_account_ok: Checking SMB password for user smbuser
> [2024/03/09 15:16:09.386622,  5, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok)
>     logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar  9
20:16:09 2024
>     )
> [2024/03/09 15:16:09.393510,  5, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam)
>     make_server_info_sam: made server info for user smbuser -> smbuser
> [2024/03/09 15:16:09.397225,  3, pid=5930, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password)
>     auth_check_ntlm_password: sam_ignoredomain authentication for user
[SMBUSER] succeeded
> 
> *** CANNOT CONNECT:
> 
> [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>     auth_check_ntlm_password: anonymous had nothing to say
> [2024/03/09 15:16:15.187847,  5, pid=5931, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>     auth_check_ntlm_password: sam_ignoredomain authentication for user
[SMBUSER] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> 
> On 2024-03-04 20:24, Andrew Bartlett wrote:
>> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
>>> 	Hi there,
>>>
>>> 	I have looked for a solution to my problem on the Internet (and in
particular this mailing list), but couldn't find one, probably due to
searching for the wrong thing :-)
>>>
>>> 	I have an RPI running Samba version 4.9.5-Debian. "pdbedit
-L" shows that the user "smbuser" exists. I used
"smbpassword" to set the password of "smbuser". I also have
several "old" computers that I want to connect to this RPI using
Samba. I managed to get an Amiga connected to the Samba server, by adding the
directive "ntlm auth = yes" to "smb.conf".
>>>
>>> 	But, I cannot get a NeXTstation to connect to the server. It seems
to me that, because the client on the NeXTstation only deals with unencrypted
passwords, the server is unable to verify the username/password. I tried using
the directive "encrypt passwords = no", but then neither the Amiga nor
the NeXTstation can connect, with the error: "FAILED with error
NT_STATUS_LOGON_FAILURE".
>>>
>>> 	I don't understand why, by forcing unencrypted passwords, the
server cannot find the username/password (anymore). I must be missing to allow
the Samba server to work with unencrypted password. Could anyone help?
>>>
>>> 	Thanks in advance!
>>> 	Tygre
>>>
>>> PS. I do know that unencrypted passwords are unsecure and a bad
idea but, right now, I'd like both my Amiga and NeXTstation to connect,
before "hardening" the server.
>>> PPS. I join my "smb.conf", working with the Amiga (not
the NeXTstation) and the log when trying to connect from the NeXTstation.
>>
>> You would be best to just use guest access and IP restrictions, but if
you want a password it will be checking it against PAM, not the smbpasswd file.
>>
>>
>> Andrew Bartlett
>>
>>
>> -- 
>>
>> Andrew Bartlett (he/him) https://samba.org/~abartlet/
<https://samba.org/~abartlet/>
>> Samba Team Member (since 2001) https://samba.org
<https://samba.org>
>> Samba Team Lead https://catalyst.net.nz/services/samba
<https://catalyst.net.nz/services/samba>
>> Catalyst.Net Ltd
>>
>> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
>>
>> Samba Development and Support: https://catalyst.net.nz/services/samba
<https://catalyst.net.nz/services/samba>
>>
>> Catalyst IT - Expert Open Source Solutions
>>
>>
> 
-- 
-----------------------------------------
      Scientific Progress Goes Boing!
        http://www.chingu.asia/wiki
-----------------------------------------

On Sat, 9 Mar 2024 15:37:09 -0500
Tygre via samba <samba at lists.samba.org> wrote:
> 
> 	Hi there,
> 
> 	Sorry to come back to that, I tried to follow the code at
> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
> (and below) but I still can't understand why one Samba client can
> connect, but the other can't.
> 
> 	I can't understand why, with one client, the code would go
> into "check_samsec.c:183" (and return "sam_account_ok")
while, with
> the other client, the code would go immediately into "auth.c:251"
> (and fail to login).
> 
> 	Could you help me understand, which could maybe give me an
> idea on configuring Samba for both client to work?
> 
> 	Thanks in advance,
> 	Yann
> 
I think one of your problems is that you seem to be failing to
understand that when you you run Samba as a standalone server, it is
also a client for other servers, this means that you may have missed
this parameter: lanman auth

Which defaults to 'no', so your 'server' will only use SMBv1 (at
a
minimum and if configured to do so) and, from memory, an Amiga hasn't a
clue what SMB is.

Rowland

The logs below still look like Samba is configured for encrypted
passwords.
As to your other mail, please, please use a more recent version than
Samba 4.9
Andrew Bartlett
On Sat, 2024-03-09 at 15:37 -0500, Tygre via samba
wrote:
> 	Hi there,
> 	Sorry to come back to that, I tried to follow the code at 
> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
> (and below) but I still can't understand why one Samba client can
> connect, but the other can't.
> 	I can't understand why, with one client, the code would go into
> "check_samsec.c:183" (and return "sam_account_ok")
while, with the
> other client, the code would go immediately into "auth.c:251"
(and
> fail to login).
> 	Could you help me understand, which could maybe give me an idea
> on configuring Samba for both client to work?
> 	Thanks in advance,	Yann
> PS. I'm running
> *** CAN CONNECT:
> [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0,
> 0), class=auth]
> ../source3/auth/auth.c:237(auth_check_ntlm_password)   auth_check_ntl
> m_password: anonymous had nothing to say[2024/03/09
> 15:16:09.383493,  4, pid=5930, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/check_samsec.c:183(sam_account_ok)   sam_account_ok:
> Checking SMB password for user smbuser[2024/03/09
> 15:16:09.386622,  5, pid=5930, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/check_samsec.c:165(logon_hours_ok)   logon_hours_ok:
> user smbuser allowed to logon at this time (Sat Mar  9 20:16:09
> 2024   )[2024/03/09 15:16:09.393510,  5, pid=5930, effective(0, 0),
> real(0, 0), class=auth]
> ../source3/auth/server_info_sam.c:122(make_server_info_sam)   make_se
> rver_info_sam: made server info for user smbuser ->
> smbuser[2024/03/09 15:16:09.397225,  3, pid=5930, effective(0, 0),
> real(0, 0), class=auth]
> ../source3/auth/auth.c:256(auth_check_ntlm_password)   auth_check_ntl
> m_password: sam_ignoredomain authentication for user [SMBUSER]
> succeeded
> *** CANNOT CONNECT:
> [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0,
> 0), class=auth]
> ../source3/auth/auth.c:237(auth_check_ntlm_password)   auth_check_ntl
> m_password: anonymous had nothing to say[2024/03/09
> 15:16:15.187847,  5, pid=5931, effective(0, 0), real(0, 0),
> class=auth]
> ../source3/auth/auth.c:251(auth_check_ntlm_password)   auth_check_ntl
> m_password: sam_ignoredomain authentication for user [SMBUSER] FAILED
> with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> On 2024-03-04 20:24, Andrew Bartlett wrote:
> > On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
> > > 	Hi there,
> > > 	I have looked for a solution to my problem on the Internet (and
> > > in particular this mailing list), but couldn't find one,
probably
> > > due to searching for the wrong thing :-)
> > > 	I have an RPI running Samba version 4.9.5-Debian. "pdbedit
-L"
> > > shows that the user "smbuser" exists. I used
"smbpassword" to set
> > > the password of "smbuser". I also have several
"old" computers
> > > that I want to connect to this RPI using Samba. I managed to get
> > > an Amiga connected to the Samba server, by adding the directive
> > > "ntlm auth = yes" to "smb.conf".
> > > 	But, I cannot get a NeXTstation to connect to the server. It
> > > seems to me that, because the client on the NeXTstation only
> > > deals with unencrypted passwords, the server is unable to verify
> > > the username/password. I tried using the directive "encrypt
> > > passwords = no", but then neither the Amiga nor the
NeXTstation
> > > can connect, with the error: "FAILED with error
> > > NT_STATUS_LOGON_FAILURE".
> > > 	I don't understand why, by forcing unencrypted passwords,
the
> > > server cannot find the username/password (anymore). I must be
> > > missing to allow the Samba server to work with unencrypted
> > > password. Could anyone help?
> > > 	Thanks in advance!	Tygre
> > > PS. I do know that unencrypted passwords are unsecure and a bad
> > > idea but, right now, I'd like both my Amiga and NeXTstation
to
> > > connect, before "hardening" the server.PPS. I join my
"smb.conf",
> > > working with the Amiga (not the NeXTstation) and the log when
> > > trying to connect from the NeXTstation.
> > 
> > You would be best to just use guest access and IP restrictions, but
> > if you want a password it will be checking it against PAM, not the
> > smbpasswd file.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/ <
> > https://samba.org/~abartlet/>Samba Team Member (since 2001) 
> > https://samba.org <https://samba.org>Samba Team Lead 
> > https://catalyst.net.nz/services/samba <
> > https://catalyst.net.nz/services/samba>Catalyst.Net Ltd
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> > Samba Development and Support: 
> > https://catalyst.net.nz/services/samba <
> > https://catalyst.net.nz/services/samba>
> > Catalyst IT - Expert Open Source Solutions
> > 
> 
> -- -----------------------------------------      Scientific Progress
> Goes Boing!        http://www.chingu.asia/wiki
> -----------------------------------------
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions