Stefan G. Weichinger
2025-Apr-09 12:21 UTC
[Samba] scanner stopped working to store files on samba-4.21.5
Losing my mind again ;-)
A Ricoh MPC-3003 doesn't store scans anymore:
[2025/04/09 14:12:32.414091, 2] source3/auth/auth.c:353(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [scanner] -> [scanner] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2025/04/09 14:12:32.414315, 2] auth/auth_log.c:858(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [BUERO]\[scanner] at [Mi, 09 Apr 2025 14:12:32.414263 CEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [SCANNER_OG] remote host [ipv4:192.168.16.110:65001] mapped to [BUERO]\[scanner]. local host [ipv4:192.168.16.202:445]
  {"timestamp": "2025-04-09T14:12:32.414530+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.16.202:445", "remoteAddress": "ipv4:192.168.16.110:65001", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "BUERO", "clientAccount": "scanner", "workstation": "SCANNER_OG", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "scanner", "mappedDomain": "BUERO", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv1", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 60286}}
I edited the password of the domain-user "BUERO\scanner" multiple times and edited it in the scanner settings also.
Right now I added:
server min protocol = SMB2
maybe I should try NT1 here??
(is that possible per share?)
I remember that this didn't work with user/pw years ago, that's why I
created a separate share "scan_og" with "guest ok".
See my good old config (this is a member server grown over >10 years
now. Will be turned off in a few months):
[global]
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    log level = 2
    logon home = ""
    logon path = ""
    map to guest = Bad User
    max log size = 150000
    netbios name = SERVER
    printcap name = /dev/null
    realm = PILSBACHER.AT
    security = ADS
    server min protocol = SMB2
    template homedir = /mnt/samba/Daten/%U
    template shell = /bin/bash
    username map = /etc/samba/smbusers
    winbind nss info = template
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = BUERO
    full_audit:priority = notice
    full_audit:facility = local5
    full_audit:success = mkdir rmdir read pread write pwrite rename unlink
    full_audit:failure = connect
    full_audit:prefix = %u|%I|%m|%S
    idmap config buero:range = 10000-99999
    idmap config buero:backend = rid
    idmap config *:range = 2000-9999
    idmap config *:backend = tdb
    hosts allow = localhost 192.168.16. 172.32.99.
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[scan_og]
    comment = Scanner OG
    guest ok = Yes
    path = /mnt/samba/scan_og
    read only = No
The printer/scanner is not a domain member, I can't find a way to join
it. AFAI know that isn't necessary.
The scanning worked for years, without user/pw.
Server-OS: debian-12.10, up to date, samba-4.21.5 from bookworm-backports
thanks for any insights. I rotate editing the password for ~2 hrs now :-P
Rowland Penny
2025-Apr-09 12:54 UTC
[Samba] scanner stopped working to store files on samba-4.21.5
On Wed, 9 Apr 2025 14:21:02 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> Losing my mind again ;-)
>
> A Ricoh MPC-3003 doesn't store scans anymore:
>
> [2025/04/09 14:12:32.414091, 2]
> source3/auth/auth.c:353(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [scanner] ->
> [scanner] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2025/04/09 14:12:32.414315, 2]
> auth/auth_log.c:858(log_authentication_event_human_readable)
> Auth: [SMB2,(null)] user [BUERO]\[scanner] at [Mi, 09 Apr 2025
> 14:12:32.414263 CEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD]
> workstation [SCANNER_OG] remote host [ipv4:192.168.16.110:65001]
> mapped to [BUERO]\[scanner]. local host [ipv4:192.168.16.202:445]
> {"timestamp": "2025-04-09T14:12:32.414530+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
> "NT_STATUS_WRONG_PASSWORD", "localAddress":
> "ipv4:192.168.16.202:445", "remoteAddress":
> "ipv4:192.168.16.110:65001", "serviceDescription": "SMB2",
> "authDescription": null, "clientDomain": "BUERO", "clientAccount":
> "scanner", "workstation": "SCANNER_OG", "becameAccount": null,
> "becameDomain": null, "becameSid": null, "mappedAccount": "scanner",
> "mappedDomain": "BUERO", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv1", "clientPolicyAccessCheck": null,
> "serverPolicyAccessCheck": null, "duration": 60286}}
>
>
> I edited the password of the domain-user "BUERO\scanner" multiple
> times and edited it in the scanner settings also.
>
> Right now I added :
>
> server min protocol = SMB2
>
> maybe I should try NT1 here??
>
> (is that possible per share?)
>
> I remember that this didn't work with user/pw years ago, that's why I
> created a separate share "scan_og" with "guest ok".
>
> See my good old config (this is a member server grown over >10 years
> now. Will be turned off in a few months):
>
>
> [global]
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 2
> logon home = ""
> logon path = ""
> map to guest = Bad User
> max log size = 150000
> netbios name = SERVER
> printcap name = /dev/null
> realm = PILSBACHER.AT
> security = ADS
> server min protocol = SMB2
> template homedir = /mnt/samba/Daten/%U
> template shell = /bin/bash
> username map = /etc/samba/smbusers
> winbind nss info = template
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = BUERO
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:failure = connect
> full_audit:prefix = %u|%I|%m|%S
> idmap config buero:range = 10000-99999
> idmap config buero:backend = rid
> idmap config *:range = 2000-9999
> idmap config *:backend = tdb
> hosts allow = localhost 192.168.16. 172.32.99.
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [scan_og]
> comment = Scanner OG
> guest ok = Yes
> path = /mnt/samba/scan_og
> read only = No
>
>
> The printer/scanner is not a domain member, I can't find a way to
> join it. AFAI know that isn't necessary.
>
> The scanning worked for years, without user/pw.
>
> Server-OS: debian-12.10, up to date, samba-4.21.5 from
> bookworm-backports
>
> thanks for any insights. I rotate editing the password for ~2 hrs now
> :-P
>
>

From your log output there are these two facts:

Auth: [SMB2,(null)]
with [NTLMv1]

Another way of saying 'NTLMv1' is SMBv1, so yes, you need to either beat the scanner to death or turn on SMBv1 and sorry, it has to be in 'global'.

Rowland
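
Added example, not part of the thread and not Samba's own code: a small parser for the JSON "Authentication" audit records shown in the log above, listing which clients still authenticate with NTLMv1 and with what result. The field names come from the record quoted in the thread; the sample records are constructed, and it is assumed that smbd writes each JSON record on a single line (the mail wrapped it).

```python
import json
from collections import Counter

def _record(status, remote, account, workstation, pw_type):
    """Build one constructed audit line using field names seen in the thread."""
    return json.dumps({"type": "Authentication", "Authentication": {
        "status": status, "remoteAddress": remote,
        "serviceDescription": "SMB2", "clientDomain": "BUERO",
        "clientAccount": account, "workstation": workstation,
        "passwordType": pw_type}})

# Constructed sample: a header line, two NTLMv1 failures from the scanner,
# one NTLMv2 success from a hypothetical PC, and one truncated record.
SAMPLE_LOG = "\n".join([
    "[2025/04/09 14:12:32.414315, 2] auth/auth_log.c:858(log_authentication_event_human_readable)",
    _record("NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.16.110:65001", "scanner", "SCANNER_OG", "NTLMv1"),
    _record("NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.16.110:65003", "scanner", "SCANNER_OG", "NTLMv1"),
    _record("NT_STATUS_OK", "ipv4:192.168.16.50:49712", "alice", "PC01", "NTLMv2"),
    _record("NT_STATUS_OK", "ipv4:192.168.16.51:49800", "bob", "PC02", "NTLMv2")[:60],
])

def auth_events(log_text):
    """Yield the "Authentication" object of every parseable JSON audit line."""
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # human-readable log line
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            yield rec.get("Authentication") or {}

def client_host(remote_address):
    """'ipv4:192.168.16.110:65001' -> '192.168.16.110' (drop family and port)."""
    if not remote_address:
        return "unknown"
    return remote_address.rsplit(":", 1)[0].split(":", 1)[-1]

def ntlmv1_clients(log_text):
    """Count NTLMv1 logon attempts per (host, workstation, account, status)."""
    seen = Counter()
    for ev in auth_events(log_text):
        if ev.get("passwordType") == "NTLMv1":
            account = "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount"))
            key = (client_host(ev.get("remoteAddress")), ev.get("workstation"),
                   account, ev.get("status"))
            seen[key] += 1
    return seen

if __name__ == "__main__":
    for key, count in ntlmv1_clients(SAMPLE_LOG).items():
        print(count, *key)
```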