In AIX with Samba 4.21.2, smbpasswd fails to change the user password. Below is the error.

    $ whoami
    test123
    $ smbpasswd
    .....
    .......
    dcerpc_pull_auth_trailer: auth_pad_length 12
    GENSEC auth
    ntlmssp_unseal_packet: seal
    ntlmssp_check_packet: NTLMSSP signature OK !
    Got pdu len 64, data_len 4
    rpc_api_pipe_got_pdu: got frag len of 64 at offset 0: NT_STATUS_OK
    rpc_api_pipe: host 127.0.0.1 returned 4 bytes.
    samr_ChangePasswordUser4: struct samr_ChangePasswordUser4
    out: struct samr_ChangePasswordUser4
    result : NT_STATUS_WRONG_PASSWORD
    signed SMB2 message (sign_algo_id=2)
    signed SMB2 message (sign_algo_id=2)
    machine 127.0.0.1 rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
    Freeing parametrics:

Debugging further reveals that it actually fails in samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt

    gnutls_hmac_deinit(hmac_hnd, auth_data);
    equal = mem_equal_const_time(auth_data, auth_tag, sizeof(auth_data));
    if (!equal) {
        return NT_STATUS_DECRYPTION_FAILED; /* ---> here */
    }

Any ideas ?
Any idea what could be wrong here ?
Hello,

as IBM [ https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha ] does not provide any newer Samba version than 4.21.2 for AIX, the described bug has made usage of Samba on AIX more difficult than necessary for almost 2 years. Can someone please check this bug report?

Kind regards
Simon Klinner
(In reply to Ayappan from comment #0)
> equal = mem_equal_const_time(auth_data, auth_tag, sizeof(auth_data));

If this is returning false, then gnutls_memcmp() is finding the data not equal.

What you need to do is (in a lab environment! not with real users!) dump the values. With something like

    {
        size_t i;
        fprintf(stderr, "auth_data size %zu\n", sizeof(auth_data));
        for (i = 0; i < sizeof(auth_data); i++) {
            fprintf(stderr, "%02x ", auth_data[i]);
        }
        fprintf(stderr, "\n");
        for (i = 0; i < sizeof(auth_data); i++) {
            fprintf(stderr, "%02x ", auth_tag[i]);
        }
        fprintf(stderr, "\n");
    }

that could go in the 'if (!equal)' block.
(In reply to Douglas Bagnall from comment #3)

Here is the output.

    auth_data size 64
    10 68 3e 8b e5 a0 7e 1e 93 f5 d5 ea 35 69 6f 67 a9 b5 de 69 f9 89 d7 95 db 65 7c 43 23 b4 a6 a0 2a d5 00 f2 e4 b6 14 5a 0f e1 8d 2b f8 9e 8d 14 8f 67 6c 5a 5b fd c6 ab 20 09 40 07 7d fd d1 4e
    c0 12 36 66 3c d0 7c 5b b1 95 5f 73 7c 27 37 11 d2 fa 45 58 2c 7f 0d af fe 95 80 cb 12 4f 0c 1a 1e 45 75 44 c2 8d f9 33 cf 5a 1e e0 c5 65 d8 86 72 58 61 db e0 4f 96 c5 ff 26 bf 50 46 b7 90 05

I ran with debug level 10 and see this in the console output

    password : *
        password: struct samr_EncryptedPasswordAES
            auth_data: ARRAY(64)
                [0] : 0xc0 (192)
                [1] : 0x12 (18)
                [2] : 0x36 (54)
                [3] : 0x66 (102)
                [4] : 0x3c (60)
                [5] : 0xd0 (208)
                [6] : 0x7c (124)
                [7] : 0x5b (91)
                [8] : 0xb1 (177)
                [9] : 0x95 (149)
                [10] : 0x5f (95)
                [11] : 0x73 (115)
                [12] : 0x7c (124)
                [13] : 0x27 (39)
                [14] : 0x37 (55)
                [15] : 0x11 (17)
                [16] : 0xd2 (210)
                [17] : 0xfa (250)
                [18] : 0x45 (69)
                [19] : 0x58 (88)
                [20] : 0x2c (44)
                [21] : 0x7f (127)
                [22] : 0x0d (13)
                [23] : 0xaf (175)
                [24] : 0xfe (254)
                [25] : 0x95 (149)
                [26] : 0x80 (128)
                [27] : 0xcb (203)
                [28] : 0x12 (18)
                [29] : 0x4f (79)
                [30] : 0x0c (12)
                [31] : 0x1a (26)
                [32] : 0x1e (30)
                [33] : 0x45 (69)
                [34] : 0x75 (117)
                [35] : 0x44 (68)
                [36] : 0xc2 (194)
                [37] : 0x8d (141)
                [38] : 0xf9 (249)
                [39] : 0x33 (51)
                [40] : 0xcf (207)
                [41] : 0x5a (90)
                [42] : 0x1e (30)
                [43] : 0xe0 (224)
                [44] : 0xc5 (197)
                [45] : 0x65 (101)
                [46] : 0xd8 (216)
                [47] : 0x86 (134)
                [48] : 0x72 (114)
                [49] : 0x58 (88)
                [50] : 0x61 (97)
                [51] : 0xdb (219)
                [52] : 0xe0 (224)
                [53] : 0x4f (79)
                [54] : 0x96 (150)
                [55] : 0xc5 (197)
                [56] : 0xff (255)
                [57] : 0x26 (38)
                [58] : 0xbf (191)
                [59] : 0x50 (80)
                [60] : 0x46 (70)
                [61] : 0xb7 (183)
                [62] : 0x90 (144)
                [63] : 0x05 (5)

which is matching with the second row above (auth_tag printed out).
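Added example, not part of this thread or of Samba's code: a small Python script for repeating the comparison from the last comment across lab runs. It parses the two rows printed by the fprintf snippet (first row the locally computed auth_data, second row the received auth_tag) and the level-10 "auth_data: ARRAY(n)" dump, then reports which row is the tag from the request and how far the two rows differ. The function names are hypothetical and the sample values are constructed and shortened to 8 bytes.

```python
import re

# Constructed sample, shortened to 8 bytes; the tag in this thread is 64 bytes.
STDERR_SAMPLE = "auth_data size 8\n01 02 03 04 05 06 07 08 \naa bb cc dd ee ff 00 11 \n"
LEVEL10_SAMPLE = "auth_data: ARRAY(8)\n" + "".join(
    f"    [{i}] : 0x{b:02x} ({b})\n"
    for i, b in enumerate(bytes.fromhex("aabbccddeeff0011")))


def parse_stderr_rows(text):
    """Return (computed, received) from the fprintf snippet's output.

    Token-based, so it also works when the output was pasted onto one line.
    """
    m = re.search(r"auth_data size (\d+)", text)
    if not m:
        raise ValueError("no 'auth_data size' line found")
    n = int(m.group(1))
    toks = re.findall(r"\b[0-9a-f]{2}\b", text[m.end():])
    if len(toks) < 2 * n:
        raise ValueError(f"expected {2 * n} hex bytes, found {len(toks)}")
    raw = bytes(int(t, 16) for t in toks[:2 * n])
    return raw[:n], raw[n:]


def parse_ndr_array(text):
    """Return the bytes of an 'auth_data: ARRAY(n)' level-10 dump."""
    m = re.search(r"auth_data: ARRAY\((\d+)\)", text)
    if not m:
        raise ValueError("no 'auth_data: ARRAY(n)' header found")
    n = int(m.group(1))
    entries = re.findall(r"\[(\d+)\]\s*:\s*0x([0-9a-fA-F]{2})\b", text[m.end():])[:n]
    if [int(i) for i, _ in entries] != list(range(n)):
        raise ValueError("array indices are missing or out of order")
    return bytes(int(h, 16) for _, h in entries)


def compare(stderr_text, level10_text):
    """Relate both printed rows to the tag that arrived in the request."""
    computed, received = parse_stderr_rows(stderr_text)
    wire = parse_ndr_array(level10_text)
    diff = [i for i, (a, b) in enumerate(zip(computed, received)) if a != b]
    return {
        "received_is_wire_tag": received == wire,
        "computed_is_wire_tag": computed == wire,
        "differing_bytes": len(diff),
        "first_diff_offset": diff[0] if diff else None,
    }


if __name__ == "__main__":
    print(compare(STDERR_SAMPLE, LEVEL10_SAMPLE))
```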