Re: [Samba] Vista password being rejected on share security mode
Jeremy Allison wrote: On Wed, Feb 07, 2007 at 10:07:58AM -0600, Schaefer Jr, Thomas R. wrote: Using your patch and Vista, if I'm logged into Vista as someone other than username schaefer and go Start -> Run -> \\stercus\schaefer it won't connect, even if the current Vista user's password is the same as schaefer's password on stercus. So, then Vista prompts me for a username and password, I can enter schaefer and schaefer's correct password, it still won't be able to connect. I need to see a debug level 10 of this from a machine with the patch applied. This might be a bug, I'm not sure yet. What does work is if I'm logged into Vista as someone other than username schaefer I can right click My Computer, get into the "map network drive" dialogue, and in that dialogue I can specify a drive letter, \\stercus\schaefer, and, this is the key, click "Connect using a different user name" specify schaefer and schaefer's password on stercus and then the drive maps successfully. Eagerly awaiting any comments you might have. Again, thankyou for the patch, at least I have some funtionality now. I think this is by design on Vista. The key is that Vista does the sessionsetup as user name "schaefer" until you select the ""Connect using a different user name". We cache the user sent in the sessionsetupX call. With the patch for Vista share level security, I have found the following behavior when attempting to connect with start->run \\server\\sharename : On WinXP, the username is greyed out and not editable. I can get in with just the password. On Win2K, the username can be entered or left blank, and as long as the password is correct, it lets me in no matter what I type in the username field. On Vista, the username must be entered, or it won't even attempt to connect and the username must be the share name and sent along with the correct password. -Lee Devlin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Vista password being rejected on share security mode
On Wed, Feb 07, 2007 at 10:07:58AM -0600, Schaefer Jr, Thomas R. wrote: > > Using your patch and Vista, if I'm logged into Vista as someone other > than username schaefer and go Start -> Run -> \\stercus\schaefer it > won't connect, even if the current Vista user's password is the same as > schaefer's password on stercus. So, then Vista prompts me for a > username and password, I can enter schaefer and schaefer's correct > password, it still won't be able to connect. I need to see a debug level 10 of this from a machine with the patch applied. This might be a bug, I'm not sure yet. > What does work is if I'm logged into Vista as someone other than > username schaefer I can right click My Computer, get into the "map > network drive" dialogue, and in that dialogue I can specify a drive > letter, \\stercus\schaefer, and, this is the key, click "Connect using a > different user name" specify schaefer and schaefer's password on stercus > and then the drive maps successfully. > > Eagerly awaiting any comments you might have. Again, thankyou for the > patch, at least I have some funtionality now. I think this is by design on Vista. The key is that Vista does the sessionsetup as user name "schaefer" until you select the ""Connect using a different user name". We cache the user sent in the sessionsetupX call. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Vista password being rejected on share security mode
Hi Jeremy, First of all, thank you for sending us the patch! I applied it yesterday and have been testing, it mostly works ok but let me tell you the unexpected behavior I've found.. With Windows XP, and any other client I've ever used, it doesn't matter which, if any, username the client sends to my share level security Samba servers. I specify the username for them with the "username =" smb.conf parameter and whatever the client sends me is irrelevant. In the [HOMES] section, I've got a couple directives.. username = %S valid users = %S Say I've got a UNIX user schaefer on the Samba server stercus. With WinXP I can go Start -> Run -> \\stercus\schaefer and irregardless of what username I'm currently logged into WindowXP with I'll connect to stercus as schaefer if schaefer's password is the same as my current WinXP user's password or if not I'll be prompted for a password where I can just put schaefer's password and presto I'm connected to stercus as schaefer. Using your patch and Vista, if I'm logged into Vista as someone other than username schaefer and go Start -> Run -> \\stercus\schaefer it won't connect, even if the current Vista user's password is the same as schaefer's password on stercus. So, then Vista prompts me for a username and password, I can enter schaefer and schaefer's correct password, it still won't be able to connect. What does work is if I'm logged into Vista as someone other than username schaefer I can right click My Computer, get into the "map network drive" dialogue, and in that dialogue I can specify a drive letter, \\stercus\schaefer, and, this is the key, click "Connect using a different user name" specify schaefer and schaefer's password on stercus and then the drive maps successfully. Eagerly awaiting any comments you might have. Again, thankyou for the patch, at least I have some funtionality now. Tom Schaefer University of Missouri Saint Louis -Original Message- From: Jeremy Allison [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 06, 2007 12:54 PM To: Schaefer Jr, Thomas R. Cc: Lee Devlin; samba@lists.samba.org Subject: Re: [Samba] Vista password being rejected on share security mode On Tue, Feb 06, 2007 at 11:37:09AM -0600, Schaefer Jr, Thomas R. wrote: > I'm using Windows Vista Enterprise and also am having great difficulty > with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a). It > seems as though Vista will randomly, occasionally work with it, but in > general it just won't work at all. I wish I had your problem of a 10 > second connection delay, far better than no connection at all. Did > you have to do anything special to get it working, albiet with the 10 > second delay? You need the attached patch. It'll be up on the Vista patches page later this week or early next. Jeremy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Vista password being rejected on share security mode
On Tue, Feb 06, 2007 at 11:37:09AM -0600, Schaefer Jr, Thomas R. wrote: > I'm using Windows Vista Enterprise and also am having great difficulty > with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a). It > seems as though Vista will randomly, occasionally work with it, but in > general it just won't work at all. I wish I had your problem of a 10 > second connection delay, far better than no connection at all. Did you > have to do anything special to get it working, albiet with the 10 second > delay? You need the attached patch. It'll be up on the Vista patches page later this week or early next. Jeremy Index: smbd/sesssetup.c === --- smbd/sesssetup.c(revision 21127) +++ smbd/sesssetup.c(working copy) @@ -1035,6 +1035,7 @@ map_username(sub_user); add_session_user(sub_user); + add_session_workgroup(domain); /* Then force it to null for the benfit of the code below */ *user = 0; } Index: smbd/password.c === --- smbd/password.c (revision 21127) +++ smbd/password.c (working copy) @@ -23,6 +23,8 @@ /* users from session setup */ static char *session_userlist = NULL; static int len_session_userlist = 0; +/* workgroup from session setup. */ +static char *session_workgroup = NULL; /* this holds info on user ids that are already validated for this VC */ static user_struct *validated_users; @@ -406,6 +408,29 @@ } / + In security=share mode we need to store the client workgroup, as that's + what Vista uses for the NTLMv2 calculation. +/ + +void add_session_workgroup(const char *workgroup) +{ + if (session_workgroup) { + SAFE_FREE(session_workgroup); + } + session_workgroup = smb_xstrdup(workgroup); +} + +/ + In security=share mode we need to return the client workgroup, as that's + what Vista uses for the NTLMv2 calculation. +/ + +const char *get_session_workgroup(void) +{ + return session_workgroup; +} + +/ Check if a user is in a netgroup user list. If at first we don't succeed, try lower case. / Index: auth/auth_compat.c === --- auth/auth_compat.c (revision 21127) +++ auth/auth_compat.c (working copy) @@ -92,18 +92,25 @@ check if a username/password pair is ok via the auth subsystem. return True if the password is correct, False otherwise / + BOOL password_ok(char *smb_name, DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob(NULL, 0); - BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); + BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); if (encrypted) { /* * The password could be either NTLM or plain LM. Try NTLM first, * but fall-through as required. -* NTLMv2 makes no sense here. +* Vista sends NTLMv2 here - we need to try the client given workgroup. */ + if (get_session_workgroup()) { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) { + return True; + } + } + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { return True; } @@ -119,5 +126,3 @@ return False; } - - -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Vista password being rejected on share security mode
I'm using Windows Vista Enterprise and also am having great difficulty with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a). It seems as though Vista will randomly, occasionally work with it, but in general it just won't work at all. I wish I had your problem of a 10 second connection delay, far better than no connection at all. Did you have to do anything special to get it working, albiet with the 10 second delay? Thankyou, Tom Schaefer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee Devlin Sent: Thursday, February 01, 2007 11:41 AM To: samba@lists.samba.org Subject: [Samba] Vista password being rejected on share security mode I'm working on trying to get Samba 3.0.23c to work with Vista and I've run into a snag. If a share is set up for security = share, and protected with a password, when I try to mount the share using Start->Run->\\server\share, the password is rejected by Samba for about the first 10 seconds, but after that, it lets me in. I've tried all the common suggestions such as changing NTLMV2 on the Vista system without success. I've looked high and low on the Internet and have not found a mention of this problem. The smb.conf file looks like this: [global] netbios name = TestSystem server string = "TestSystem" workgroup = MSHOME security = share guest account = guest log file = /var/log/samba.log socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 encrypt passwords = yes use spnego = no client use spnego = no host msdfs = no interfaces = lo eth0 eth1 eth2 br0 qos enable = no level1 file extensions = level2 file extensions = os level = 20 preferred master = auto domain master = auto local master = yes domain logons = no log level = 0 max log size = 960 null passwords = yes wins server = (ip addresses deleted) passdb backend = smbpasswd:/tmp/smbpasswd use client driver = yes printer admin = root, guest show add printer wizard = yes load printers = yes default devmode = yes printcap name = /tmp/etc/printcap [printers] comment = All Printers path=/shares/Volume1/__var/spool/samba printing = brcm guest ok = yes printable = yes browseable = no print command = chmod 666 %s; printcmd jobsubmit %p '%J' %x '%u' lpq command = printcmd queuestat %p lprm command = printcmd jobcancel %p %j lppause command = printcmd jobpause %p %j lpresume command = printcmd jobresume %p %j queuepause command = printcmd queuepause %p queueresume command = printcmd queueresume %p [FileShare] comment = path = /shares/Volume1/FileShare writeable = yes browsable = yes inherit permissions = yes inherit acls = yes msdfs root = no valid users = %S user = %S guest ok = no guest only = no ... Any suggestions? Thanks, Lee -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba