The Samba-Bugzilla – Bug 1754
WinMe clients can't change password without "lanman auth = yes".
Last modified: 2005-08-24 10:21:33 UTC
Samba PDC works good.
lanman auth = no
ntlm auth = no
WinMe clients use NTLMv2 auth (lmcompatibility = 3,
MinClientSec = 0x80000, MinServerSec = 0x80000).
WinMe clients can't change password
(without "lanman auth = yes").
Log file contain the next sentence:
LM password change supplied for user xxx,
but we have no LanMan password to check it with".
N.B. Win2K have NoLMhash key in registry...
So, your claim is that a Win2k DC operates in this situation correctly, but
Samba does not?
If so, are you sure that Win2k does not have an LM hash for these accounts?
('net rpc samdump' will show this, after a 'net rpc join BDC' from a samba client).
Unfortunately I can't to test this situation with Win2K DC.
Please refer to the Microsoft Knowledge Base Article - 299656.
Created attachment 667 [details]
smbd patch to solve the problem
My friend Stas Sergeyev proposes the patch to solve the problem.
We tested it. And it's works.
Excuse me for the reference to Microsoft -- I misunderstood your answer.
It was a bad idea to write so strange N.B. about Win2K&LMhash. I am sorry.
I do not claim that Win2K DC operates in this situation correctly
(but I hope), and I can't to test it now -- I shall try to test.
But there are some stranges in the Samba behavior:
1. Samba have both NT and LM hashes (smbpasswd file or pdbedit -Lv xxx),
but logs that "...we have no LanMan password to check it with".
2. The "lanman auth" parameter in smb.conf controls both LM authentication
method and WinMe password change mechanism.
Patched smbd allows WinMe clients to change passwords on Samba PDC
with "lanman auth=no" in smb.conf and NTLMv2 auth enabled in registry.
If that patch solves the issue, I'll have to resolve this as 'WONTFIX'. I will
however try to better describe the effects of this change in the docs, and
clarify the error message.
If I were to apply the proposed patch, then Samba would allow an attack via the
weaker LM password hash, on the user's password. The express purpose of this
parameter is to disable this attack, over the entire Samba (server side) suite.
Documentation and debug messages have been updated. Otherwise this bug is invalid.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.