Bug 478741 - LanMan password functionality broken in Samba 3.2.5
LanMan password functionality broken in Samba 3.2.5
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
10
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Simo Sorce
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-04 09:50 EST by Max E
Modified: 2009-01-04 12:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-04 12:07:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Max E 2009-01-04 09:50:40 EST
Description of problem:

Upgraded from Fedora 7 to Fedora 10 (fresh install) the other day.  All seems to work except Samba connectivity.  I have an elderly LanMan client (not upgradeable - although this might be resolved soon) that I need to connect to the Samba server.  Samba 3.0.25 (f7) worked correctly with this client (RiscOS Lanman98 client version 1.21), but Samba 3.2.5 seems to stop this connectivity from working.  I copied the exact smb.conf file from 3.0.25 to 3.2.5 and testparm does not have any problems with it.

For the record, Windows XP and other Linux machines do not have any problems connecting to the shares.

Version-Release number of selected component (if applicable):

Samba3.2.5-0.23.fc10

How reproducible:

Everytime

Steps to Reproduce:

1. Lanman98 client tries to connect to the Linux server
2. Lanman98 client produces 'Access denied' error message
3.
  
Actual results:

I turned up the logging to Level 3 on the server.  

[2009/01/04 14:33:55,  3] smbd/process.c:process_smb(1549)
  Transaction 0 of length 197 (0 toread)
[2009/01/04 14:33:55,  3] smbd/process.c:switch_message(1361)
  switch message SMBnegprot (pid 10124) conn 0x0
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PCLAN1.0]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN1.0]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LM1.2X002]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [DOS LM1.2X002]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [DOS LANMAN2.1]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN2.1]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LM 0.12]
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_nt1(373)
  not using SPNEGO
[2009/01/04 14:33:55,  3] smbd/negprot.c:reply_negprot(673)
  Selected protocol NT LM 0.12
[2009/01/04 14:33:55,  3] smbd/process.c:process_smb(1549)
  Transaction 1 of length 91 (0 toread)
[2009/01/04 14:33:55,  3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 10124) conn 0x0
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/04 14:33:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=13 flg2=0x1
[2009/01/04 14:33:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1608)
  Domain=[]  NativeOS=[RiscOS] NativeLanMan=[CIFS] PrimaryDomain=[null]
[2009/01/04 14:33:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1624)
  sesssetupX:name=[]\[peter]@[virtualriscpc]
[2009/01/04 14:33:55,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user []\[peter]@[virtualriscpc] with the new password interface
[2009/01/04 14:33:55,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [ISIS]\[peter]@[virtualriscpc]
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/04 14:33:55,  3] libsmb/ntlm_check.c:ntlm_password_check(457)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user peter
[2009/01/04 14:33:55,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [peter] -> [peter] FAILED with error NT_STATUS_WRONG_PASSWORD
[2009/01/04 14:33:55,  3] smbd/error.c:error_packet_set(80)
  error packet at smbd/sesssetup.c(1725) cmd=115 (SMBsesssetupX) eclass=1 ecode=5
[2009/01/04 14:33:55,  3] smbd/process.c:smbd_process(2035)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2009/01/04 14:33:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/04 14:33:55,  3] smbd/connection.c:yield_connection(31)
  Yielding connection to 
[2009/01/04 14:33:55,  3] smbd/server.c:exit_server_common(945)
  Server exit (normal exit)


****************************
The correct users are added into smbpasswd

$ pdbedit -L
peter:500:peter
commonuser:502:commonuser

smbpasswd has usernames etc

peter:500:XXXXXXXXXXXXXXXXXXXXXXXXXX:75316B38D5E42982788491CD7C169D0C:[U          ]:LCT-49603:
commonuser:502:XXXXXXXXXXXXXXXXXXXXXXX:75316B38D5E42982788491CD7C169D0C:[U          ]:LCT-4960B:

(I've changed some of the output for this report, but it is all there)

/etc/passwd also shows the above users at the correct UID too.

Testparm shows the following (the all important lanman auth and client lanman auth are in there):

[global]
	workgroup = Workgroup
	server string = Samba Server
	smb passwd file = /etc/samba/smbpasswd
	lanman auth = Yes
	client lanman auth = Yes
	log level = 3
	log file = /var/log/samba/log.%m
	max log size = 50
	add user script = /usr/sbin/useradd "%u" -n -g users
	add group script = /usr/sbin/groupadd "%g"
	os level = 33
	preferred master = Yes
	local master = No
	domain master = Yes

[peter]
	comment = Peter's Share
	path = /home/peter/riscos
	valid users = peter
	write list = peter
	read only = No

[commonuser]
	comment = General Shared Area
	path = /home/commonuser/
	valid users = commonuser
	write list = commonuser
	read only = No

Expected results:

Lanman client should connect to Samba correctly.

Additional info:

I've tried everything I can think of...hence my bug report.  I have also referenced http://forums.opensuse.org/network-internet/394589-client-98-does-not-work-samba.html  - which seems closest to the problem I am having.
Comment 1 Simo Sorce 2009-01-04 12:07:40 EST
Lanman auth is disabled by default in samba 3.2.x, see smb.conf and the "lanman auth" option. (and read why it has been disabled by default)

You have also to enable the lanman password which is currently empty (all the X in the first hash).
Last but not least change all the passwords you attached here, the LM and NT hashes are clear text equivalents, so you have just surrendered the password that you have for both peter and commonuser.

Note You need to log in before you can comment on or make changes to this bug.