Our setup: Two Samba servers: the first one being the PDC. The second one a member of the specified domain. The PDC server uses ldapsam as password backend. The member server has "security = domain" set in smb.conf.

When authenticating with the PDC using NTLMv2 authentication no problems are reported and users gain access to their shares. However, when authenticating with the Samba member server, NT_STATUS_WRONG_PASSWORD is returned. This only happens when authentication level is set to NTLMv2 on the client attempting to log in.

This has been verified from the Samba PDC server by feeding smbclient an smb.conf with "client ntlmv2 auth" set. While the parameter was set to "yes" authentication failed. The same is true when using Windows XP with the appropriate settings to connect to the member server.

The logs from the Samba member server follow (names and addresses have been changed to protect the innocent):

smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
smbd[15374]: NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
smbd[15374]: Got user=[myuser] domain=[MYDOMAIN.NET] workstation=[SAMBA] len1=24 len2=148
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
smbd[15374]: rpc_dc_name: Returning DC SAMBA (10.0.0.186) for domain MYDOMAIN.NET
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/cliconnect.c:cli_start_connection(1388)
smbd[15374]: Connecting to host=SAMBA
smbd[15374]: [2005/02/04 11:16:59, 3] lib/util_sock.c:open_socket_out(752)
smbd[15374]: Connecting to 10.0.0.186 at port 445
smbd[15374]: [2005/02/04 11:16:59, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
smbd[15374]: lsa_io_sec_qos: length c does not match size 8
smbd[15374]: [2005/02/04 11:16:59, 3] auth/auth.c:check_ntlm_password(219)
smbd[15374]: check_ntlm_password: Checking password for unmapped user [MYDOMAIN.NET]\[myuser]@[SAMBA] with the new password interface
smbd[15374]: [2005/02/04 11:16:59, 3] auth/auth.c:check_ntlm_password(222)
smbd[15374]: check_ntlm_password: mapped user is: [MYDOMAIN.NET]\[myuser]@[SAMBA]
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:push_sec_ctx(256)
smbd[15374]: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/uid.c:push_conn_ctx(365)
smbd[15374]: push_conn_ctx(0) : conn_ctx_stack_ndx = 0
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:set_sec_ctx(288)
smbd[15374]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
smbd[15374]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
smbd[15374]: rpc_dc_name: Returning DC SAMBA (10.0.0.186) for domain MYDOMAIN.NET
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/cliconnect.c:cli_start_connection(1388)
smbd[15374]: Connecting to host=SAMBA
smbd[15374]: [2005/02/04 11:16:59, 3] lib/util_sock.c:open_socket_out(752)
smbd[15374]: Connecting to 10.0.0.186 at port 445
smbd[15374]: [2005/02/04 11:16:59, 0] auth/auth_domain.c:domain_client_validate(199)
smbd[15374]: domain_client_validate: unable to validate password for user myuser in domain MYDOMAIN.NET to Domain controller \\SAMBA. Error was NT_STATUS_WRONG_PASSWORD.
smbd[15374]: [2005/02/04 11:16:59, 2] auth/auth.c:check_ntlm_password(312)
smbd[15374]: check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/process.c:timeout_processing(1336)
smbd[15374]: timeout_processing: End of file from client (client has disconnected).
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:set_sec_ctx(288)
smbd[15374]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
smbd[15374]: [2005/02/04 11:16:59, 2] smbd/server.c:exit_server(571)
smbd[15374]: Closing connections
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/connection.c:yield_connection(69)
smbd[15374]: Yielding connection to
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/connection.c:yield_connection(76)
smbd[15374]: yield_connection: tdb_delete for name failed with error Record does not exist.
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/server.c:exit_server(614)
smbd[15374]: Server exit (normal exit)
Did you set 'lanman auth = no' and 'ntlm auth = no' on the domain member?
(In reply to comment #1)
> did you set 'lanman auth = no' and 'ntlm auth = no' on the domain member ?

No, I didn't, but I have tried it now with the same results.
We'll have to try to reproduce this locally. It might take a while to get to this one. Thanks in advance for being patient.
What would a suitable workaround be? We have several Windows XP workstations which attempt to connect to the member server in question, but since most of them are configured to use NTLMv2 as their primary authentication type by default, they fail to authenticate with the server. Since we are unable to control this setting on all the clients in question, a server solution would be preferable.
Bug is repeatable in our setup using backend = tdbsam or smbpasswd, Samba v3.0.8 - 3.0.11. I assume it comes from Member server not using NTLMv2 to auth. SMB.CONF files available if needed, just ask.
What I need to see is the smb.conf and logs from both the member server and the DC. I think we are munging one of the names in such a way that we break the hash.
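Added illustration (not part of the thread and not Samba's code) of why a changed name would be enough to produce NT_STATUS_WRONG_PASSWORD under NTLMv2, as hypothesised in the comment above: the NTLMv2 key defined in MS-NLMP mixes the user and domain names into the hash, so a verifier that receives a different domain string than the one the client used cannot reproduce the proof. The NT hash, challenge and blob are constructed sample values, and the name variants tried are illustrative assumptions, not names observed in the reporter's traffic.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    The user name is upper-cased; the domain is used exactly as supplied."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def ntlmv2_response(nt_hash, user, domain, challenge, blob):
    """NT response = 16-byte proof over (server challenge + blob), then the blob."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, challenge + blob, hashlib.md5).digest()
    return proof + blob

def dc_accepts(nt_hash, user, domain, challenge, response):
    """Verifier side: recompute the response with the names as received."""
    blob = response[16:]
    expected = ntlmv2_response(nt_hash, user, domain, challenge, blob)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not taken from the report).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(range(16))  # opaque stand-in

def forwarded_name_results():
    """The client signs with the names shown in the member server log;
    the verifier is then handed several variants of those names."""
    response = ntlmv2_response(NT_HASH, "myuser", "MYDOMAIN.NET", CHALLENGE, BLOB)
    variants = [
        ("myuser", "MYDOMAIN.NET"),   # names unchanged
        ("MYUSER", "MYDOMAIN.NET"),   # user case differs: still valid
        ("myuser", "MYDOMAIN"),       # domain shortened in transit
        ("myuser", "mydomain.net"),   # domain case changed
        ("myuser", ""),               # domain dropped
    ]
    return {v: dc_accepts(NT_HASH, v[0], v[1], CHALLENGE, response) for v in variants}

if __name__ == "__main__":
    for (user, domain), ok in forwarded_name_results().items():
        status = "OK" if ok else "NT_STATUS_WRONG_PASSWORD"
        print(f"{domain!r:16} \\ {user!r:9} -> {status}")
```

NTLMv1 responses do not include either name in the computation, which is consistent with the failure appearing only when the client is set to NTLMv2.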
no response from reporter and probably fixed in >=3.0.21