Bug 6631 - Windows 98 / lanmanager can not log in to Samba 3.4
Windows 98 / lanmanager can not log in to Samba 3.4
Status: RESOLVED WORKSFORME
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
3.4.0
x86 Windows 98
: P3 major
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-12 06:50 UTC by Stanimir Petrović
Modified: 2009-10-21 10:12 UTC (History)
1 user (show)

See Also:


Attachments
This is log file for windows 98 client (30.62 KB, text/plain)
2009-08-12 06:52 UTC, Stanimir Petrović
no flags Details
This is log file for windows vista client (79.41 KB, application/octet-stream)
2009-08-12 06:52 UTC, Stanimir Petrović
no flags Details
Another Log as domain member (68.96 KB, application/octet-stream)
2009-08-19 02:09 UTC, Stanimir Petrović
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stanimir Petrović 2009-08-12 06:50:52 UTC
1) I have compiled samba from source with options:

 ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-privatedir=/etc/samba --with-fhs --with-quotas -with-pam --with-pam_smbpass --with-syslog --with-utmp --with-swatdir=/usr/share/swat --with-libsmbclient --with-acl-support --with-ldap



2) File smb.conf
[global]
        log file = /var/log/samba/%m.log
        load printers = yes
        idmap gid = 16777216-33554431
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind use default domain = no
        template shell = /bin/false
        dns proxy = no
        cups options = raw
        netbios name = ns1
        netbios aliases = ns1
        server string = SMBNT1
        idmap uid = 16777216-33554431
        workgroup = SAMSHOP
        os level = 20
        printcap name = /etc/printcap
        security = user
        preferred master = no
        max log size = 500
        lanman auth = yes
        client lanman auth = yes
        log level = 10
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes


3) Added samba user miko

4) Sucessfuly log in to that server from VISTA
5) Unsucessful log in from Windows 98
Comment 1 Stanimir Petrović 2009-08-12 06:52:10 UTC
Created attachment 4545 [details]
This is log file for windows 98 client
Comment 2 Stanimir Petrović 2009-08-12 06:52:41 UTC
Created attachment 4546 [details]
This is log file for windows vista client
Comment 3 Stanimir Petrović 2009-08-12 08:29:00 UTC
One more thing i noticed in log lines:

[2009/08/12 15:26:00,  3] auth/auth_sam.c:check_sam_security(282)
  check_sam_security: Couldn't find user 'MIKO' in passdb.
[2009/08/12 15:26:00,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [MIKO] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/08/12 15:26:00,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [MIKO] -> [MIKO] FAILED with error NT_STATUS_NO_SUCH_USER


Then i made another user but all with upper letters. After that it worked.
Comment 4 John H Terpstra 2009-08-17 15:20:26 UTC
(In reply to comment #3)
> One more thing i noticed in log lines:
> 
> [2009/08/12 15:26:00,  3] auth/auth_sam.c:check_sam_security(282)
>   check_sam_security: Couldn't find user 'MIKO' in passdb.
> [2009/08/12 15:26:00,  5] auth/auth.c:check_ntlm_password(272)
>   check_ntlm_password: sam authentication for user [MIKO] FAILED with error
> NT_STATUS_NO_SUCH_USER
> [2009/08/12 15:26:00,  2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password:  Authentication for user [MIKO] -> [MIKO] FAILED with
> error NT_STATUS_NO_SUCH_USER
> 
> 
> Then i made another user but all with upper letters. After that it worked.
> 

Ever since Samba 3.2.x series Samba no longer defaults to providing the LANMAN password.  Instead, it only supports the NT password.  Windows 9x clients only support use of the LanMan password.  If it is necessary for releases of Samba 3.2.0 and later to support LanMan passwords please add to the [global] section "lanman auth = yes", then reset user passwords - the LanMan password will now be stored in your "passdb backend".

As to why an all upper-case password works:
a) LanMan passwords are converted to upper-case and then hashed.
b) When you added the NT password only in upper case, the resulting password is identical to the LanMan password.

In other words, your approach is an effective work-around solution.

The behavior you saw is expected behavior and is by design.  This bug is therefore closed.
Comment 5 Stanimir Petrović 2009-08-19 02:09:30 UTC
Created attachment 4572 [details]
Another Log as domain member
Comment 6 Stanimir Petrović 2009-08-19 02:12:05 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > One more thing i noticed in log lines:
> > 
> > [2009/08/12 15:26:00,  3] auth/auth_sam.c:check_sam_security(282)
> >   check_sam_security: Couldn't find user 'MIKO' in passdb.
> > [2009/08/12 15:26:00,  5] auth/auth.c:check_ntlm_password(272)
> >   check_ntlm_password: sam authentication for user [MIKO] FAILED with error
> > NT_STATUS_NO_SUCH_USER
> > [2009/08/12 15:26:00,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [MIKO] -> [MIKO] FAILED with
> > error NT_STATUS_NO_SUCH_USER
> > 
> > 
> > Then i made another user but all with upper letters. After that it worked.
> > 
> 
> Ever since Samba 3.2.x series Samba no longer defaults to providing the LANMAN
> password.  Instead, it only supports the NT password.  Windows 9x clients only
> support use of the LanMan password.  If it is necessary for releases of Samba
> 3.2.0 and later to support LanMan passwords please add to the [global] section
> "lanman auth = yes", then reset user passwords - the LanMan password will now
> be stored in your "passdb backend".
> 
> As to why an all upper-case password works:
> a) LanMan passwords are converted to upper-case and then hashed.
> b) When you added the NT password only in upper case, the resulting password is
> identical to the LanMan password.
> 
> In other words, your approach is an effective work-around solution.
> 
> The behavior you saw is expected behavior and is by design.  This bug is
> therefore closed.
> 
Why added parametars for LANMAN is not working as espected. This is only test config that i made. I am runing Domain Controler on ldap with 100+ users. some clients uses windows 98 in this cases RETAIL shop. And my point is that it dont work with or without those parametars in configuration example i made. Version of samba 3.3 works fine with it. That means i can not migrate my old samba DC to new one cause windows 98 clients wont log in to domain controller (i tryed it already it really wont work. Also the parametar: map untrusted to domain = yes  i put there).
I added Also log file for that Client.

Comment 7 Karolin Seeger 2009-08-19 02:39:49 UTC
> Why added parametars for LANMAN is not working as espected. This is only test
> config that i made. I am runing Domain Controler on ldap with 100+ users. some
> clients uses windows 98 in this cases RETAIL shop. And my point is that it dont
> work with or without those parametars in configuration example i made. Version
> of samba 3.3 works fine with it. That means i can not migrate my old samba DC
> to new one cause windows 98 clients wont log in to domain controller (i tryed
> it already it really wont work. Also the parametar: map untrusted to domain =
> yes  i put there).

Did you reset the password after enabling lanman auth and client lanman auth?

Comment 8 Stanimir Petrović 2009-08-19 02:49:16 UTC
(In reply to comment #7)
> > Why added parametars for LANMAN is not working as espected. This is only test
> > config that i made. I am runing Domain Controler on ldap with 100+ users. some
> > clients uses windows 98 in this cases RETAIL shop. And my point is that it dont
> > work with or without those parametars in configuration example i made. Version
> > of samba 3.3 works fine with it. That means i can not migrate my old samba DC
> > to new one cause windows 98 clients wont log in to domain controller (i tryed
> > it already it really wont work. Also the parametar: map untrusted to domain =
> > yes  i put there).
> 
> Did you reset the password after enabling lanman auth and client lanman auth?
> 
with command smbpasswd - yes when it wasnt on doamin.
(In reply to comment #7)
> > Why added parametars for LANMAN is not working as espected. This is only test
> > config that i made. I am runing Domain Controler on ldap with 100+ users. some
> > clients uses windows 98 in this cases RETAIL shop. And my point is that it dont
> > work with or without those parametars in configuration example i made. Version
> > of samba 3.3 works fine with it. That means i can not migrate my old samba DC
> > to new one cause windows 98 clients wont log in to domain controller (i tryed
> > it already it really wont work. Also the parametar: map untrusted to domain =
> > yes  i put there).
> 
> Did you reset the password after enabling lanman auth and client lanman auth?
> 
Shure i did try all of variations on that subject lanman.

I joined now this samba server to domain. if u didnt notice that

Is this the stuff u were looking for (it is ldap entry now) :
sambaLMPassword: F3A52DC93C893A4DAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F42EBA7082013FF18C648C5D137AC6B8
Comment 9 Björn Jacke 2009-10-09 07:57:15 UTC
ack, I saw the same thing with a plain lanmanager client
Comment 10 Björn Jacke 2009-10-21 10:12:04 UTC
my lanmanager case was indeed cause by the lack of setting map untrusted to domain. It works with 3.4.2 in all cases where it's supposed to work. Whenever there is a local user or where map untrusted to domain is enabled logon works when lanman auth is enabled on member server and DC.