From: Günter Kukkukk on
On Sunday 06 June 2010 03:10:04, John Lawler wrote:
> Hi guys,
>
> Thanks for those of you who kept reading after seeing the subject line
> -- I know, it's like a flashback to about 2000 or so, but for mostly
> uninteresting reasons, I've got a situation that I wanted to run by the
> list just in case there's a work around.
>
> I have an NT 4 server that's the PDC that my new Samba box, running
> 3.4.0 w/ "security = domain" uses to authenticate users for the Samba
> shares.
>
> This was done to begin migrating away from the NT server, but we still
> need it for the PDC.
>
> Anyway, I've got everything (finally) working with a little help from
> the list for my Win2k and WinXP clients. I'm happy with that, but when
> I tried to connect one of the two remaining Win95 machines, I get
> authentication failures.
>
> The interesting thing is, this worked fine in a couple of older Samba
> boxes I'm running with version 3.0.28, with a very similar configuration
> (security = domain, using the same NT 4 PDC to authenticate, etc.).
>
> So, the question is, is anyone aware of what might've changed between
> 3.0.28 and 3.4.0 that could affect Win95 clients in this situation? I
> tried the few ideas I found like:
>
> lanman auth = yes
> client lanman auth = yes
> client plaintext auth = yes
> ntlm auth = yes
>
> (I assume the client options may not do me any good here anyway), and
> I'm still not getting any joy.
>
> Any help would be greatly appreciated. Thanks for reading.
>
> Here are samples of the same Win95 box connecting first to the 3.0.28
> box, which works, and then to the 3.4.0 one, which doesn't:
>
> ------------------------------------------------------------------------
>
> [2010/06/04 18:18:45, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(221)
> check_ntlm_password: Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(224)
> check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:18:45, 3] auth/auth.c:check_ntlm_password(270)
> check_ntlm_password: winbind authentication for user [NODE008] succeeded
> [2010/06/04 18:18:45, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [NODE008] -> [NODE008]
> -> [MAIN\node008] succeeded
>
> ------------------------------------------------------------------------
>
> [2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [NODE008] -> [NODE008]
> FAILED with error NT_STATUS_LOGON_FAILURE
> [2010/06/04 18:25:54, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/06/04 18:25:54, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [MAIN]\[NODE008]@[node008] with the new password interface
> [2010/06/04 18:25:54, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [MAIN]\[NODE008]@[node008]
> [2010/06/04 18:25:54, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [NODE008] -> [NODE008]
> FAILED with error NT_STATUS_LOGON_FAILURE
>
> ------------------------------------------------------------------------
>
Hi John,

make sure that
lanman auth = yes
is still set in your smb.conf.

As root run 'pdbedit -Lw' to list all configured samba users in the old ASCII smbpasswd format.

All users listed with _both_ the LANMAN and the NT hash have valid stored password hashes for the
old legacy case and the newer ones, like:
linux:1003:BBBBD20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U ]:LCT-4B1ED764:
Those listed users should be able to log on.

In case you get user entries like
linux:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B123664EC733B395A7260A3A08D9C699:[U ]:LCT-4B1ED796:
the old LANMAN hash is no longer available and a legacy logon will fail.

What you can do:

1.) make sure that "lanman auth = yes" is still set in your smb.conf
2.) for all your win95 client users listed as "....XXXXXXXXXXXXXXXXX...." above, you need to run (as root)
    smbpasswd username
    (or even smbpasswd -a username )
    You need to enter the user's password twice as usual
    This procedure will re-install the LANMAN hash again (and also the NT hash!)
3.) check again with 'pdbedit -Lw' that the LANMAN hash is now available for your win95 users

Please note that setting "lanman auth = yes" implies a security problem.

Cheers, Günter

BTW - never ever post the above-mentioned LANMAN and NT hashes to the public - they are like
plaintext passwords (so my ones above are scrambled by intention)
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
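
Added example, not part of the original messages and not Samba's own code: a shell filter for the 'pdbedit -Lw' check in steps 2 and 3 of the reply above, which classifies the LANMAN field of each smbpasswd-format line and lists the accounts whose LANMAN hash is missing. The function names are hypothetical, and the sample lines are constructed with placeholder hex strings, not real hashes.

```shell
#!/bin/sh
# Classify the LANMAN field (3rd colon-separated field) of smbpasswd-format
# lines read from stdin. Output: "<user><TAB><status>" per account.
lm_status() {
    awk -F: '
        /^#/ || NF < 4 { next }          # skip comments and malformed lines
        {
            lm = toupper($3)
            if (lm ~ /^NO PASSWORD/)
                status = "no-password"   # account flagged as having no password
            else if (length(lm) == 32 && lm ~ /^[0-9A-F]+$/)
                status = "lm-present"    # legacy logon possible, LM hash on disk
            else if (lm ~ /^X+$/)
                status = "lm-missing"    # legacy (Win95) logon will fail
            else
                status = "unparseable"
            print $1 "\t" status
        }'
}

# Accounts that would need 'smbpasswd username' before a legacy logon works.
lm_missing_users() {
    lm_status | awk -F'\t' '$2 == "lm-missing" { print $1 }'
}

# Constructed sample input (placeholder values only).
sample_pdbedit_output() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4B1ED764:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4B1ED796:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
EOF
}

# Usage on a real server (as root):  pdbedit -Lw | lm_missing_users
# Keep the raw pdbedit output off shared systems; only the user names
# printed by lm_missing_users are safe to pass around.
```

The "lm-present" list is equally useful in the other direction: once the last Win95 client is gone, those are the accounts that still have a LANMAN hash stored and should have their passwords reset after "lanman auth" is turned off.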
From: John Lawler on
Thanks for the reply, Günter. I should've mentioned that I had run
across similar advice when trying to diagnose Samba problems with Win95
login past version 3.0.x, but the reason this doesn't apply to me is
that I don't have the users defined in native Unix at all -- they're all
only defined on the NT 4 PDC (I have "security = domain"), so I don't
think the pdbedit -Lw / smbpasswd advice applies to me (I run pdbedit
anyway, and confirmed there was only an entry for "nobody").

So I don't think this has anything to do with how Samba is storing a
password, it must have to do with how it's sending the authentication
attempt through to the NT server which is different from how it used to
in 3.0.x. My goal is to determine whether there's a straightforward way
(hopefully through smb.conf) that I can regain this old behavior for the
sake of a couple of Win95 clients.

Thanks for taking the time to reply.

On 2010-06-05 22:51, Günter Kukkukk wrote:
> On Sunday 06 June 2010 03:10:04, John Lawler wrote:
> Hi John,
>
> make sure that
> lanman auth = yes
> is still set in your smb.conf.
>
> As root run 'pdbedit -Lw' to list all configured samba users in the old ASCII smbpasswd format.
>
> All users listed with _both_ the LANMAN and the NT hash have valid stored password hashes for the
> old legacy case and the newer ones, like:
> linux:1003:BBBBD20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U ]:LCT-4B1ED764:
> Those listed users should be able to log on.
>
> In case you get user entries like
> linux:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B123664EC733B395A7260A3A08D9C699:[U ]:LCT-4B1ED796:
> the old LANMAN hash is no longer available and a legacy logon will fail.
>
> What you can do:
>
> 1.) make sure that "lanman auth = yes" is still set in your smb.conf
> 2.) for all your win95 client users listed as "....XXXXXXXXXXXXXXXXX...." above, you need to run (as root)
>     smbpasswd username
>     (or even smbpasswd -a username )
>     You need to enter the user's password twice as usual
>     This procedure will re-install the LANMAN hash again (and also the NT hash!)
> 3.) check again with 'pdbedit -Lw' that the LANMAN hash is now available for your win95 users
>
> Please note that setting "lanman auth = yes" implies a security problem.
>
> Cheers, Günter
>
> BTW - never ever post the above-mentioned LANMAN and NT hashes to the public - they are like
> plaintext passwords (so my ones above are scrambled by intention)