So, your claim is that a Win2k DC operates in this situation correctly, but
Samba does not?

If so, are you sure that Win2k does not have an LM hash for these accounts? 
('net rpc samdump' will show this, after a 'net rpc join BDC' from a samba client).

Andrew Bartlett

Unfortunately I can't to test this situation with Win2K DC.
Please refer to the Microsoft Knowledge Base Article - 299656.
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

Created attachment 667 [details]
smbd patch to solve the problem

My friend Stas Sergeyev proposes the patch to solve the problem.
We tested it. And it's works.

Excuse me for the reference to Microsoft -- I misunderstood your answer.
It was a bad idea to write so strange N.B. about Win2K&LMhash. I am sorry.

I do not claim that Win2K DC operates in this situation correctly
(but I hope), and I can't to test it now -- I shall try to test.

But there are some stranges in the Samba behavior:
1. Samba have both NT and LM hashes (smbpasswd file or pdbedit -Lv xxx),
but logs that "...we have no LanMan password to check it with".
2. The "lanman auth" parameter in smb.conf controls both LM authentication
method and WinMe password change mechanism.

Patched smbd allows WinMe clients to change passwords on Samba PDC
with "lanman auth=no" in smb.conf and NTLMv2 auth enabled in registry.

If that patch solves the issue, I'll have to resolve this as 'WONTFIX'.  I will
however try to better describe the effects of this change in the docs, and
clarify the error message.

If I were to apply the proposed patch, then Samba would allow an attack via the
weaker LM password hash, on the user's password.  The express purpose of this
parameter is to disable this attack, over the entire Samba (server side) suite.

Documentation and debug messages have been updated.  Otherwise this bug is invalid.

sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.