[Samba] NTLMv2 configuration problems

2007-03-07 Thread jamurph

I'm running Centos 4.3 and Samba 3.0.24. I have an OpenLDAP backend. I have
successfully got a Windows Domain to work, Windows XP -> Samba -> OpenLDAP.
I can add machines to the domain and I can login and change passwords. The
trouble is that I'm using NTLM and have been told that I must upgrade to
NTLMv2, but I'm having great difficulty doing so.

I have existing NTLM users. I want to disable the use of NTLM, so I ran
secpol.msc and changed the LAN Manager Authentication Level to:

  "Send NTLMv2 response only \ refuse LM and NTLM passwords"

I changed smb.conf to include:
ntlm auth = no
client ntlmv2 auth = yes
client lanman auth = no
lanman auth = no
min protocol = NT1

I restarted the PC and Samba.

However, I can still log in users who have NTLM hash passwords. Is this
right? I don't think so. Does Samba cache machine settings anywhere? I know
Samba works; I'm missing some configuration, I just don't know what it is.

When I run smbpasswd, it seems to create NTLM hashed passwords? Should it
only create NTLMv2 passwords if I set client ntlmv2 auth = yes?

I created new users and I have stored an NTLMv2 hashed password in
sambaNTPassword, I'm assuming NTLMv2 passwords need to be stored in this
attribute as I don't see an alternative?

When I try to log in to a user account with an NTLMv2 hashed password, I get
invalid password, but I think I've calculated the hash correctly. Looking in
LDAP, I stored a 16-byte hex string (sambaNTPassword:
47E53AD35D61DE8F419F272FFBC4F175). The password check is failing in
ntlm_password_check (libsmb/ntlm_check.c). I've marked where the password
check is failing in bold:

NTSTATUS ntlm_password_check()
{
    static const unsigned char zeros[8];
    if (nt_pw == NULL) {
        DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
                 username));
    }

    if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) {
        if (nt_interactive_pwd->length != 16) {
            DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n",
                     (int)nt_interactive_pwd->length,
                     username));
            return NT_STATUS_WRONG_PASSWORD;
        }

        if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
            if (user_sess_key) {
                *user_sess_key = data_blob(NULL, 16);
                SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
            }
            return NT_STATUS_OK;
        } else {
            DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
                     username));
            return NT_STATUS_WRONG_PASSWORD;
        }


I can see that the code to check the NTLMv2 password comes later:

    if (smb_pwd_check_ntlmv2(nt_response,
                             nt_pw, challenge,
                             client_username,
                             client_domain,
                             False,
                             user_sess_key)) {
        return NT_STATUS_OK;
    }

--- SMB.CONF ---
[global]
   workgroup = DEV
   netbios name = DEV-PDC
   security = user
   server string = Samba Server
   log level = 3
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   mangling method = hash2
   Dos charset = 850
   Unix charset = ISO8859-1
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   ldap passwd sync = Yes
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   pam password change = yes
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1";
   ntlm auth = no
   client ntlmv2 auth = yes
   client lanman auth = no
   lanman auth = no
   min protocol = NT1
   ldap admin dn = cn=Manager,dc=example,dc=org
   # ldap delete dn = no
   ldap suffix = dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:"ldap://ldap-1";
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add
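The point the post is circling is that NTLMv2 does not introduce a new stored credential. sambaNTPassword holds the NT hash (MD4 over the UTF-16LE password), and an NTLMv2 logon is verified by deriving HMAC-MD5 keys from that same 16-byte value, which is what the smb_pwd_check_ntlmv2 call quoted above does with nt_pw. If the stored value is anything other than that MD4 digest, both the interactive memcmp and the NTLMv2 check fail. The following is an added example and is not Samba's code or anything from the original post: it computes the NT hash with a small MD4, builds an NTLMv2 response the way a client would, and verifies it the way the server does. The user name jsmith, the domain DEV, the password, the 8-byte server challenge and the client blob are all constructed for the example; a real NTLMv2 blob carries a timestamp and AV pairs, which do not change the arithmetic. The domain is left in its original case because the quoted call passes False for upper_case_domain.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled in OpenSSL 3,
    so it is spelled out here; it is the only hash the NT hash needs."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4                          # update a, d, c, b in turn
                t = v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[order[i]] + k
                v[j] = _lrot(t & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The 16 bytes Samba stores (hex-encoded) in sambaNTPassword."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain.
    The domain is not uppercased, matching upper_case_domain=False in the quoted call."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTProofStr (16 bytes) followed by the client blob it covers."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and compare in constant time."""
    if len(server_challenge) != 8 or len(response) <= 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed values for the walk-through (not from the post).
USER, DOMAIN, PASSWORD = "jsmith", "DEV", "password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
# Constructed blob: version header, timestamp, client nonce, trailing zeros (AV pairs omitted).
CLIENT_BLOB = bytes([1, 1, 0, 0, 0, 0, 0, 0]) + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4


def demo(stored_hex: str = nt_hash(PASSWORD).hex()) -> bool:
    """Verify an NTLMv2 logon for PASSWORD against whatever 32-hex-char value sits in
    sambaNTPassword. Only the MD4 digest of the password itself verifies."""
    client_resp = ntlmv2_response(nt_hash(PASSWORD), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    return verify_ntlmv2(bytes.fromhex(stored_hex), USER, DOMAIN, SERVER_CHALLENGE, client_resp)


if __name__ == "__main__":
    print("sambaNTPassword:", nt_hash(PASSWORD).hex().upper())
    print("NTLMv2 logon with the NT hash stored:", demo())
    print("NTLMv2 logon with some other 16-byte value stored:", demo(nt_hash("wrong").hex()))
```

The same stored value also drives the interactive check in the quoted snippet (the 16-byte memcmp against nt_pw) and the NTLMv1 path, so switching clients to NTLMv2 changes what crosses the wire, not what lives in the directory; `smbpasswd` producing "NTLM hashed passwords" is therefore expected.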

Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-20 Thread jamurph

For anyone who runs into similar problems in the future:

I updated samba3 and samba3-client and it has solved the password lockout
problem. 

http://www.nabble.com/CentOS-samba-upgrade-tf3178510.html#a8820049

I installed the latest versions for CentOS 4.3 from
http://ftp.sernet.de/pub/samba/rhel/rhel4-i386/

[EMAIL PROTECTED] ~]# yum list | grep samba
Repository base is listed more than once in the configuration
samba3.i386                  3.0.24-30        installed
samba3-client.i386           3.0.24-30        installed
samba.i386                   3.0.10-1.4E.11   updates-released
samba-client.i386            3.0.10-1.4E.11   updates-released
samba-common.i386            3.0.10-1.4E.11   updates-released
samba-swat.i386              3.0.10-1.4E.11   updates-released
system-config-samba.noarch   1.2.21-1         base

-- 
View this message in context: 
http://www.nabble.com/pdbedit-password-policy---not-updating-ldapsam-tf3239423.html#a9063162
Sent from the Samba - General mailing list archive at Nabble.com.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-20 Thread jamurph

I think the problem is partly related to my having the wrong version of pdbedit.
I need to update samba-client. Now I must see if I can find a source RPM
that I can build and install on CentOS 4.3.

[EMAIL PROTECTED] lib]# pdbedit -V
Version 3.0.10-1.4E.11
[EMAIL PROTECTED] lib]# which pdbedit
/usr/bin/pdbedit
[EMAIL PROTECTED] lib]# yum list | grep samba
Repository base is listed more than once in the configuration
samba.i386                   3.0.24-1         installed
samba-common.i386            3.0.10-1.4E.11   installed
samba.i386                   3.0.10-1.4E.11   updates-released
samba-client.i386            3.0.10-1.4E.11   updates-released
samba-swat.i386              3.0.10-1.4E.11   updates-released
system-config-samba.noarch   1.2.21-1         base

-- 
View this message in context: 
http://www.nabble.com/pdbedit-password-policy---not-updating-ldapsam-tf3239423.html#a9060254



Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-19 Thread jamurph

I removed version 3.0.22 and installed 3.0.24 (I removed Samba files from
/etc/samba, /var/lib/samba, /var/cache/samba), but I'm afraid I'm still
experiencing the same problem when I run

 pdbedit -y -i tdbsam -e ldapsam

 Found pdb backend guest
 pdb backend guest has a valid init
 called with username="(null)"
 tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
 Unable to open/create TDB passwd
 Can't sampwent!

I manually updated the password policy settings in
sambaDomain=BLAHDEV,dc=example,dc=org
ldapmodify -x -D "..." -W
 dn: sambaDomainName=BLAHDEV,dc=roke,dc=co,dc=uk
 changetype: modify
 replace: sambaMinPwdAge
 sambaMinPwdAge: 0
 -
 replace: sambaMaxPwdAge
 sambaMaxPwdAge: 2592000
 -
 replace: sambaPwdHistoryLength
 sambaPwdHistoryLength: 5
 -
 replace: sambaLockoutThreshold
 sambaLockoutThreshold: 3
 -
 replace: sambaMinPwdLength
 sambaMinPwdLength: 8
 -
 replace: sambaLockoutDuration
 sambaLockoutDuration: -1

Samba doesn't appear to recognise these changes. How can I get Samba to just
look in the ldapsam and not worry about what's in other backends? Any ideas
on how to diagnose this problem would also be helpful.

 [global]
   workgroup = BLAHDEV
   netbios name = BLAHDEV-PDC
   security = user
   server string = Samba Server
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   # unix password sync = Yes
   passwd program = /usr/sbin/ldap_userPassword_change %u
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   # Crackcheck settings to allow NT style password complexity checks
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1";
   ldap admin dn = cn=Manager,dc=example,dc=org
   ldap suffix = dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   # idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2";
   idmap backend = ldap:"ldap://ldap-1";
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no

I'm running on centos 4.3. Is there a Linux file or PAM setting or something
that I need to change to make this work?

-- 
View this message in context: 
http://www.nabble.com/pdbedit-password-policy---not-updating-ldapsam-tf3239423.html#a9043068



[Samba] pdbedit password policy - not updating ldapsam

2007-02-16 Thread jamurph

I have Samba and LDAP up and running, but I'm having problems editing the
password policy using pdbedit. 

(I'm running 3.0.22)

I've had a look at the man page for pdbedit but I don't really fully
understand what it does in relation to passwd backends. Does pdbedit update
just one backend and expect a user to export the updates to other backends? 

I think I've set up LDAP as my default backend, but pdbedit doesn't update
it. It looks like it's updating some other backend. I guess my smb.conf
(attached) isn't configured correctly? How do I find out which one it's
updating? I can also see a reference to pdbedit backend guest in the logs,
but I don't understand why pdbedit is looking for this.

I tried the following command: 
 pdbedit -P "min password length" -C 7 -d 10

This is a snippet of the logs:
  The LDAP server is succesfully connected
  pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
  Attempting to find an passdb backend to match guest (guest)
  Found pdb backend guest
  pdb backend guest has a valid init
  account_policy_get: min password length:7
  account policy value for min password length was 7
  account_policy_set: min password length:7
  account policy value for min password length is now 7

I'm guessing it's taking these values from
/var/lib/samba/account_policy.tdb; it's not taking them from LDAP, because
it doesn't change sambaMinPwdLength.

I can see a search happening in the ldap logs, but I don't see any updates -
is this expected behaviour?

I believe I need to run the following command to update LDAP?
 pdbedit -y -i tdbsam -e ldapsam -d 10

However, when I do this, I get the following error message (more of log
attached - but this is part I think is failing)

 Attempting to find an passdb backend to match guest (guest)
 Found pdb backend guest
 pdb backend guest has a valid init
 called with username="(null)"
 tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
 Unable to open/create TDB passwd
 Can't sampwent!


When configuring Samba initially, I had some problems, so I followed some
instructions and deleted the following

 rm /etc/samba/*tdb
 rm /var/lib/samba/*tdb
 rm /var/lib/samba/*dat
 rm /var/log/samba/*

As a result, passdb.tdb no longer exists and didn't get re-created. Is there any
way I can recreate this file? Is this the cause of my problems?

Any help much appreciated, I've attached more details in case they are
needed


--- LDAP Entry ---

dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaDomainName: BLAHDEV
sambaMinPwdAge: 0
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaPwdHistoryLength: 0
sambaNextGroupRid: 67109863
uidNumber: 1005
sambaLogonToChgPwd: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaForceLogoff: -1
sambaLockoutThreshold: 0
gidNumber: 1000
sambaSID: S-1-5-21-317703500-4181503002-770181164
sambaNextUserRid: 67109862
sambaMinPwdLength: 5
sambaRefuseMachinePwdChange: 0
sambaAlgorithmicRidBase: 1000
sambaLockoutObservationWindow: 30



--- SMB.CONF ---
[global]
   workgroup = BLAHDEV
   netbios name = BLAHDEV-PDC
   security = user
   server string = Samba Server
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   # unix password sync = Yes
   passwd program = /usr/sbin/ldap_userPassword_change %u
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   # Crackcheck settings to allow NT style password complexity checks
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2";
   ldap admin dn = cn=Manager,dc=example,dc=org
   ldap suffix = dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2";
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no



--- FULL LOG FILE FOR PDBEDIT ---

[EMAIL PROTECTED] samba]# pdbedit -y -i tdbsam -e ldapsam -d 10
INFO: Current debug levels:
  all: True/10
  tdb: Fa

[Samba] Failed join a domain, root found ok, Administrator not found

2007-02-02 Thread jamurph

I'm trying to join a Windows PC to a domain. I've got a root user set-up to
add machines to the domain. When prompted by windows, I enter in root and
the password. But I get a windows error dialog, indicating a user was not
found. 

However, in the samba log file for the machine I'm trying to connect to the
domain, I can see that the root user was found in ldap, however, for some
reason I can see samba is trying to find another user "Administrator" entry
in LDAP. There is no entry in ldap for Administrator. Anyone know why it is
looking for this "Administrator" user? I'm relatively comfortable with LDAP,
but my samba knowledge isn't good to be honest.

I've used smbldap-populate to create entries in LDAP.  The entry for the PC
is added to LDAP ok on my attempt to join the domain.

I did change /etc/samba/smbusers and added a mapping for Administrator =
root, but this didn't help.

Following are more details and log file output.

Any help much appreciated


Microsoft Windows Server 2003 Service Pack 1
Samba installed on Centos 4.3
smbd -V =>Version 3.0.22
winbindd -V => Version 3.0.10-1.4E.9

Running Openldap

[2007/02/02 11:32:08, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2007/02/02 11:32:08, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: root
[2007/02/02 11:32:08, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2007/02/02 11:32:08, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/02/02 11:32:09, 2] smbd/server.c:exit_server(614)
  Closing connections
[2007/02/02 11:32:09, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2007/02/02 11:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: root
[2007/02/02 11:32:09, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2007/02/02 11:32:09, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/02/02 11:32:09, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2670)
  Returning domain sid for domain XXXDEV -> S-1-5-21-3798003437-3932026004-3600456286
[2007/02/02 11:32:10, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2415)
  _samr_create_user: Running the command `/opt/IDEALX/sbin/smbldap-useradd -t 1 -w "dev-prefect-1$"' gave 9
[2007/02/02 11:32:10, 2] smbd/server.c:exit_server(614)
  Closing connections



# Global parameters
[global]
   workgroup = XXXDEV
   netbios name = XXXDEV-PDC
   security = user
   #enable privileges = yes
   #interfaces = 10.192.3.21
   #username map = /etc/samba/smbusers
   server string = Samba Server
   encrypt passwords = Yes
   #pam password change = no
   #obey pam restrictions = No
   #ldap passwd sync = Yes
   unix password sync = Yes
   passwd program = /usr/sbin/ldap_userPassword_change %u
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   # Settings to debug passwd chat
   #passwd chat debug = Yes
   #debug level = 103
   #log level = passdb:5
   # Crackcheck settings to allow NT style password complexity checks
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   mangling method = hash2
   Dos charset = 850
   Unix charset = ISO8859-1
   #   logon script = logon.bat
   #   logon drive = H:
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2";
   ldap admin dn = cn=Manager,dc=blah,dc=co,dc=uk
   ldap suffix = dc=blah,dc=co,dc=uk
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2";
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   #ldap delete dn = Yes
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"

-- 
View this message in context: 
http://www.nabble.com/Failed-join-a-domain%2C-root-found-ok%2C-Administrator-not-found-tf3160558.html#a8766016
