Stuart,

Thanks very much for trying.  I think you've proven what I suspected.
The smbpasswd "NO PASSWORD" behaviour has changed and the documentation
no longer agrees with the behaviour. The samba smbpasswd man page, at least as of samba-3.0.24, clearly indicates that this should work. It used to work for us in the past. But maybe that was pre-samba-3.0.

Todd

On Wed, 6 Feb 2008, Stuart Gall wrote:


On 6 Feb 2008, at 04:43, Todd Pfaff wrote:

Good point. I've now sent the output from 'smbpasswd -D 10' to the samba mailing list.

Have you tried setting a user's samba password to "NO PASSWORD" and then changing it in recent samba versions? If you haven't, and if you don't mind trying, please do something like this:

root> smbpasswd -n someuser
root> su - someuser
someuser> smbpasswd
- just press enter for old password
- enter new password

Does it work for you, or do you get the error message I reported?


Version  3.0.7  (Domain member + NIS)

That's smbpasswd -a someuser -n, right?

[EMAIL PROTECTED] root]# smbpasswd -a xyz -n
Added user xyz.
[EMAIL PROTECTED] root]# su - xyz
[EMAIL PROTECTED] stuartl]$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:

machine 127.0.0.1 rejected the session setup. Error was : Call timed out: server did not respond after 20000 milliseconds.
Failed to change password for xyz



Version 3.0.28  (Stand alone)
slowcoach:~# /usr/local/samba/bin/smbpasswd -a xyz -n
Added user xyz.
slowcoach:~# su - xyz
[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ /usr/local/samba/bin/smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine 127.0.0.1 pipe \samr fnum 0x7528! machine 127.0.0.1 rejected the password change: Error was : NT code 0x1c010002.
Failed to change password for xyz



ANOTHER 3.0.28 system (stand alone)
[EMAIL PROTECTED] root]# smbpasswd -a xyz -n
Added user xyz.
[EMAIL PROTECTED] root]# su - xyz
[EMAIL PROTECTED] xyz]$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for xyz
[EMAIL PROTECTED] xyz]$ logout


Version 3.0.24

Raid:~# su - xyz
[EMAIL PROTECTED]:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for xyz

This is odd

Raid:~# smbpasswd -a xyz -n
Added user xyz.
Raid:~# smbpasswd -a xyz -n
User xyz password set to none.
Raid:~# su - xyz
[EMAIL PROTECTED]:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for xyz


FINALLY 3.0.24 with password encryption set to false (just an idea)

Raid:~# smbpasswd -x xyz
Deleted user xyz.
Raid:~# smbpasswd -a xyz -n
Added user xyz.
Raid:~# smbpasswd -a xyz -n
User xyz password set to none.
Raid:~# su - xyz
[EMAIL PROTECTED]:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for xyz



SO DAMN!
I DON'T KNOW MATE - Sorry




Thanks,
Todd

On Wed, 6 Feb 2008, Stuart Gall wrote:

Just an idea ... have you tried

smbpasswd -D 10

And checked the logs ?

On 5 Feb 2008, at 18:33, Todd Pfaff wrote:

Help! (pretty please :)
I'm still having the problem described below with samba-3.0.24.
Here's an excerpt from the smbpasswd man page:

 When run by an ordinary user with no options, smbpasswd will prompt
 them for their old SMB password and then ask them for their new
 password twice, to ensure that the new password was typed correctly. No
 passwords will be echoed on the screen whilst being typed. If you have
 a blank SMB password (specified by the string "NO PASSWORD" in the
 smbpasswd file) then just press the <Enter> key when asked for your old
 password.
Is this samba documentation incorrect?
Or am I doing something incorrectly?
cheers,
Todd
Date: Mon, 26 Feb 2007 15:59:44 -0500 (EST)
From: Todd Pfaff <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: [Samba] Re: samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour

The way it's documented to work in the smbpasswd man page, and the way it used to work for us with older samba releases is: when a user has a null password, and smb.conf "null passwords = no", the user can _not_ make an smb connection, but they _can_ set their samba password to something non-null by running smbpasswd and entering an empty old password.

In order to run smbpasswd the user must login to their linux account with ssh, and that _does_ require a password. So in fact this may be considered even more secure than what you're suggesting because a new user has no ability to make smb connections to the server until they have logged in to their linux account with a password and run smbpasswd to set a samba password.

I realize that I could set an initial smb password for every user, but there are situations where that is inconvenient, and since this null password method did work perfectly well in the past without being a significant security risk, it's now inconvenient that it no longer works as it did in the past.

I'm trying to determine why the behaviour changed, or if it really didn't change but I'm now doing something incorrectly on my samba server. And if it really did change then someone should fix the smbpasswd man page accordingly, and maybe mention something in the release notes.
Regards,
Todd
On Mon, 26 Feb 2007, Gary Dale wrote:
The obvious question is, why would you want a null password to begin with? This seems to me to be a serious security problem. If it's for new users, give them a temporary password through a secure channel and require them to change it the first time they log on.
Todd Pfaff wrote:
I've had no responses to this question yet, and I'm still stuck with this problem. Can anybody help, please?
Is this a capability of samba that not many people take advantage of?
Or am I trying to do something that just isn't possible anymore?
Picking through the level 10 debug log of smbd, I see this:

[2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
Account for user 'testuser' has no password and null passwords are NOT
allowed.
[2007/02/26 11:49:36, 9]
passdb/passdb.c:pdb_update_bad_password_count(1373)
No bad password attempts.
[2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
check_ntlm_password: sam authentication for user [testuser] FAILED with
error NT_STATUS_LOGON_FAILURE
Is it no longer possible for a user to change their own samba password from null "NO PASSWORD" using the smbpasswd command?
--
Todd Pfaff <[EMAIL PROTECTED]>
Research & High-Performance Computing Support
McMaster University, Hamilton, Ontario, Canada
http://www.rhpcs.mcmaster.ca/~pfaff
On Thu, 22 Feb 2007, Todd Pfaff wrote:
We've recently started using samba-3.0.23d on Mandriva 2007.0 linux systems and we've noticed a change in behaviour of smbpasswd when a non-root user tries to change their password from "NO PASSWORD".
Here's an example smbpasswd entry (all one line):
testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
The possibly related settings in our smb.conf are:
encrypt passwords = yes
security = user
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *password:* %n\n *password* %n\n *successfully*
null passwords = no
Since "null passwords = no" a user with "NO PASSWORD" should not be able to login to the samba account. That's working as expected. In past versions of samba, testuser could login to the linux account, run smbpasswd, enter an empty old password, and set a new password.
Now when we try this we get this failure:
[EMAIL PROTECTED] ~]$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for testuser
Does anyone know why this failure is happening now?
Was the behaviour of smbpasswd changed intentionally?
If so, in what samba version did this change happen?
Is there an alternative way to achieve the smbpasswd
behaviour that we had in the past?
Thanks,
--
Todd Pfaff <[EMAIL PROTECTED]>
Research & High-Performance Computing Support
McMaster University, Hamilton, Ontario, Canada
http://www.rhpcs.mcmaster.ca/~pfaff
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

--
Stuart Gall
----------------------------------------------
All of your mail are belong to us
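
An added example, not part of the original thread: a small audit that lists accounts in an smbpasswd-format file whose SMB password is blank ("NO PASSWORD" hash field or the N account flag) and reports what the `null passwords` setting means for each. The file contents are constructed samples (testuser mirrors the entry quoted in the thread), the function names are hypothetical, and it assumes the smbpasswd-file password backend.

```python
import re

# Constructed sample data, not from a real system.
SMBPASSWD = """\
testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
alice:12346:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-47A9C2F0:
# comment line
bob:12347:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000:
"""
SMB_CONF = """\
[global]
   null passwords = no
"""

def null_passwords_allowed(conf_text):
    """Return the [global] 'null passwords' setting; Samba's default is no."""
    section, allowed = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if re.sub(r"\s+", "", key).lower() == "nullpasswords":
                allowed = value.strip().lower() in ("yes", "true", "1")
    return allowed

def audit(smbpasswd_text, conf_text):
    """Return (user, status) for every account with a blank SMB password."""
    allowed = null_passwords_allowed(conf_text)
    findings = []
    for line in smbpasswd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 5:
            continue
        user, _uid, lm, nt, flags = fields[:5]
        if not (lm.startswith("NO PASSWORD") or nt.startswith("NO PASSWORD") or "N" in flags):
            continue
        status = ("account disabled" if "D" in flags
                  else "blank password accepted over SMB" if allowed
                  else "SMB logon refused until a password is set")
        findings.append((user, status))
    return findings

if __name__ == "__main__":
    print(audit(SMBPASSWD, SMB_CONF))
```
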





