Bug 1754 - WinMe clients can't change password without "lanman auth = yes".
Summary: WinMe clients can't change password without "lanman auth = yes".
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool (show other bugs)
Version: 3.0.5
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2004-09-13 10:58 UTC by German Marchenko
Modified: 2005-08-24 10:21 UTC (History)
0 users

See Also:

smbd patch to solve the problem (449 bytes, patch)
2004-09-17 14:53 UTC, German Marchenko
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description German Marchenko 2004-09-13 10:58:54 UTC
Samba PDC works good.
lanman auth = no
ntlm auth = no

WinMe clients use NTLMv2 auth (lmcompatibility = 3,
MinClientSec = 0x80000, MinServerSec = 0x80000).

WinMe clients can't change password
(without "lanman auth = yes").

Log file contain the next sentence:
"smbd/chgpasswd.c: check_oem_password(822)
LM password change supplied for user xxx,
but we have no LanMan password to check it with".

N.B. Win2K have NoLMhash key in registry...
Comment 1 Andrew Bartlett 2004-09-13 17:11:38 UTC
So, your claim is that a Win2k DC operates in this situation correctly, but
Samba does not?

If so, are you sure that Win2k does not have an LM hash for these accounts? 
('net rpc samdump' will show this, after a 'net rpc join BDC' from a samba client).

Andrew Bartlett
Comment 2 German Marchenko 2004-09-15 02:22:10 UTC
Unfortunately I can't to test this situation with Win2K DC.
Please refer to the Microsoft Knowledge Base Article - 299656.
Comment 3 German Marchenko 2004-09-17 14:53:12 UTC
Created attachment 667 [details]
smbd patch to solve the problem

My friend Stas Sergeyev proposes the patch to solve the problem.
We tested it. And it's works.
Comment 4 German Marchenko 2004-09-17 15:32:46 UTC
Excuse me for the reference to Microsoft -- I misunderstood your answer.
It was a bad idea to write so strange N.B. about Win2K&LMhash. I am sorry.

I do not claim that Win2K DC operates in this situation correctly
(but I hope), and I can't to test it now -- I shall try to test.

But there are some stranges in the Samba behavior:
1. Samba have both NT and LM hashes (smbpasswd file or pdbedit -Lv xxx),
but logs that "...we have no LanMan password to check it with".
2. The "lanman auth" parameter in smb.conf controls both LM authentication
method and WinMe password change mechanism.

Patched smbd allows WinMe clients to change passwords on Samba PDC
with "lanman auth=no" in smb.conf and NTLMv2 auth enabled in registry.
Comment 5 Andrew Bartlett 2004-09-20 02:16:28 UTC
If that patch solves the issue, I'll have to resolve this as 'WONTFIX'.  I will
however try to better describe the effects of this change in the docs, and
clarify the error message.

If I were to apply the proposed patch, then Samba would allow an attack via the
weaker LM password hash, on the user's password.  The express purpose of this
parameter is to disable this attack, over the entire Samba (server side) suite.
Comment 6 Andrew Bartlett 2004-12-22 19:12:08 UTC
Documentation and debug messages have been updated.  Otherwise this bug is invalid.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:21:33 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.