From: Andrew Martin <amar...@xes-inc.com>
Date: Wed, 02 May 2012 13:23:47 -0500 (CDT)

> I am running Samba 3.4.7 on Ubuntu 10.04 amd64. Due to legacy
> support, I am using a smbpasswd file (chmod 600) instead of the
> newer tdbsam database.

(snip)

> Samba is not a PDC, however the Windows accounts on client machines
> have the same credentials as are stored in smbpasswd, so the share
> is automatically authenticated. I have observed that if a user is
> required to enter their password, e.g. their Windows password is not
> the same as in smbpasswd, then their password in smbpasswd gets
> reset. For example, before attempting to connect, user1's entry in
> smbpasswd looks like this (password hashes randomized in example
> below): 
>
> user1:111: f0faf5d8955e92206354485d29a1b15e : 
> e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 
> 
> After the user attempts to connect, and enters the wrong credentials, 
> user1:111: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX : 
> e580c2260de48ababdd67d6ed063a641 :[UX ]:LCT-4E985F55: 
> 
> Thus if the user then tries a second time with the correct password,
> they are unable to login. If the correct password is supplied the
> first time, then no change is made to smbpasswd. Sometimes the
> password gets changed to XXXXX... even after a successful
> login. When this error occurs, nothing is logged in /var/log or
> /var/log/samba. An strace of the parent smbd process reveals only
> the following: 
> 
(snip)
> 
> Do you have any ideas on why the smbpasswd file is being changed,
> and how to correct this behavior so the smbpasswd file is not
> changed?

This behavior (changing the former password string changes XXXXX...)
is expected unless you explicitly enable "lanman auth = yes". 

In smb.conf(5):

-----
When this parameter is set to no this will also result in
sambaLMPassword in Samba's passdb being blanked after the next
password change. As a result of that lanman clients won't be able
to authenticate, even if lanman auth is reenabled later on.
-----

The former part, LANMAN hash is no longer used unless if you
connect to Samba from Windows 9x.

> Thus if the user then tries a second time with the correct password,
> they are unable to login.

As far as I examined, users can login...

Could you examine to reboot the client and try to connect to the Samba
server after changing password string to XXXXX...

Why I say "reboot" is that it is the easiest way to clear
authentication cache. Basically "reboot" is not required.

---
TAKAHASHI Motonobu <mo...@monyo.com>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to