Bug 1551 - smbpasswd is XXed after a logon attempt
Summary: smbpasswd is XXed after a logon attempt
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.4
Hardware: x86 Linux
: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-22 05:55 UTC by Mark Hellman
Modified: 2004-07-22 08:03 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Hellman 2004-07-22 05:55:20 UTC
This is really bizarre. Running Samba 3.0.4 on SuSE 9.1. The password backend is
smbpasswd.

Each user has a system and samba account and everything has worked as
expected until recently. But now, every new user I create is unable to log
into Samba server (older users are still able to log in).

Inspecting log.smbd the following messages are displayed:

[2004/07/22 11:44:56, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/07/22 11:44:56, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/07/22 11:44:56, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [seara] -> [seara] FAILED
with error NT_STATUS_NO_SUCH_USER
[2004/07/22 11:45:04, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [andreiaferreira] ->
[andreiaferreira] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/07/22 11:45:07, 2] smbd/server.c:exit_server(568)
  Closing connections


But what is most bizarre is that the /etc/samba/smbpasswd entry for this
user is modified after this logon attempt! The password field is all XXed:

andreiaferreira:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[U          ]:LTC-36635F00:

If I reset the password by running smbpasswd -a andreiaferreira, the entry
becomes:

andreiaferreira:1001:58DF4B83F19C0B91AAD3B435B51404EE:050B689D4906009845CE4D4E17AA6AF7
[U          ]:LTC-36635F00:

BUT the next time this user tries to log into the server she is denied and
the password entry is again XXed:

andreiaferreira:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[U          ]:LTC-36635F00:

I even tried to  
     chmod a-w /etc/samba/smb.conf
just to see what happened. But it was still modified!

This happens using Windows XP Home and also using smbclient from a Linux
host.
First of all, the NT_STATUS_WRONG_PASSWORD shouldn't happen because the entered
password is correct. Secondly, how come the password in smbpasswd is XXed after
the failed logon attempt?

The [global] section of my smb.conf is as follows:

[global]
        workgroup = SEARA-LX
        log level = 2
        syslog = 0
        preferred master = Yes
        domain master = Yes
        wins support = Yes
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-07-22 06:20:24 UTC
Does this apply to you ?


                  ==============================
                  Release Notes for Samba 3.0.2a
                        February 13, 2004
                  ==============================

Samba 3.0.2a is a minor patch release for the 3.0.2 code base
to address, in particular, a problem when using pdbedit to
sanitize (--force-initialized-passwords) Samba's tdbsam
backend.   This is the latest stable release of Samba. This
is the version that all production Samba servers should be
running for all current bug-fixes.

******************* Attention! Achtung! Kree! *********************

Beginning with Samba 3.0.2, passwords for accounts with a last
change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
ldapsam, etc...) of zero (0) will be regarded as uninitialized
strings.  This will cause authentication to fail for such
accounts.  If you have valid passwords that meet this criteria,
you must update the last change time to a non-zero value.  If you
do not, then  'pdbedit --force-initialized-passwords' will disable
these accounts and reset the password hashes to a string of X's.

******************* Attention! Achtung! Kree! *********************
Comment 2 Mark Hellman 2004-07-22 08:03:20 UTC
Solved the problem.
Apparently it has nothing to do with Samba, but with the CGI script
ChangePassword (http://changepassword.sourceforge.net) which used the string
"LTC" instead of "LCT" in smbpasswd entries. I edited the affected smbpasswd
entries and changed LTC to LCT, and now it works.