Re: [Samba] Vista password being rejected on share security mode

2007-02-08 Thread Lee Devlin

Jeremy Allison wrote:

> On Wed, Feb 07, 2007 at 10:07:58AM -0600, Schaefer Jr, Thomas R. wrote:
>
> > Using your patch and Vista, if I'm logged into Vista as someone other
> > than username schaefer and go Start - Run - \\stercus\schaefer it
> > won't connect, even if the current Vista user's password is the same
> > as schaefer's password on stercus.  So, then Vista prompts me for a
> > username and password, I can enter schaefer and schaefer's correct
> > password, it still won't be able to connect.
>
> I need to see a debug level 10 of this from a machine with
> the patch applied. This might be a bug, I'm not sure yet.
>
> > What does work is if I'm logged into Vista as someone other than
> > username schaefer I can right click My Computer, get into the map
> > network drive dialogue, and in that dialogue I can specify a drive
> > letter, \\stercus\schaefer, and, this is the key, click Connect
> > using a different user name specify schaefer and schaefer's
> > password on stercus and then the drive maps successfully.
> >
> > Eagerly awaiting any comments you might have.  Again, thank you for
> > the patch, at least I have some functionality now.
>
> I think this is by design on Vista. The key is that Vista
> does the sessionsetup as user name schaefer until you
> select the Connect using a different user name. We
> cache the user sent in the sessionsetupX call.


With the patch for Vista share level security, I have found the following 
behavior when attempting to connect with start-run  \\server\\sharename :


On WinXP,  the username is greyed out and not editable.  I can get in with 
just the password.


On Win2K, the username can be entered or left blank, and as long as the 
password is correct, it lets me in no matter what I type in the username 
field.


On Vista, the username must be entered, or it won't even attempt to connect 
and the username must be the share name and sent along with the correct 
password.


-Lee Devlin

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Vista password being rejected on share security mode

2007-02-07 Thread Schaefer Jr, Thomas R.
Hi Jeremy,

First of all, thank you for sending us the patch!

I applied it yesterday and have been testing, it mostly works ok but let
me tell you the unexpected behavior I've found.. 

With Windows XP, and any other client I've ever used, it doesn't matter
which, if any, username the client sends to my share level security
Samba servers.  
I specify the username for them with the username = smb.conf parameter
and whatever the client sends me is irrelevant.

In the [HOMES] section, I've got a couple directives..

username = %S
valid users = %S

Say I've got a UNIX user schaefer on the Samba server stercus.
With WinXP I can go Start - Run - \\stercus\schaefer and irregardless
of what username I'm currently logged into Windows XP with I'll connect to
stercus as schaefer if schaefer's password is the same as my current
WinXP user's password or if not I'll be prompted for a password where I
can just put schaefer's password and presto I'm connected to stercus as
schaefer.

Using your patch and Vista, if I'm logged into Vista as someone other
than username schaefer and go Start - Run - \\stercus\schaefer it
won't connect, even if the current Vista user's password is the same as
schaefer's password on stercus.  So, then Vista prompts me for a
username and password, I can enter schaefer and schaefer's correct
password, it still won't be able to connect.  

What does work is if I'm logged into Vista as someone other than
username schaefer I can right click My Computer, get into the map
network drive dialogue, and in that dialogue I can specify a drive
letter, \\stercus\schaefer, and, this is the key, click Connect using a
different user name specify schaefer and schaefer's password on stercus
and then the drive maps successfully.

Eagerly awaiting any comments you might have.  Again, thank you for the
patch, at least I have some functionality now.

Tom Schaefer
University of Missouri Saint Louis

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 06, 2007 12:54 PM
To: Schaefer Jr, Thomas R.
Cc: Lee Devlin; samba@lists.samba.org
Subject: Re: [Samba] Vista password being rejected on share security
mode

On Tue, Feb 06, 2007 at 11:37:09AM -0600, Schaefer Jr, Thomas R. wrote:
> I'm using Windows Vista Enterprise and also am having great difficulty
> with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a).  It
> seems as though Vista will randomly, occasionally work with it, but in
> general it just won't work at all.  I wish I had your problem of a 10
> second connection delay, far better than no connection at all.  Did
> you have to do anything special to get it working, albeit with the 10
> second delay?

You need the attached patch. It'll be up on the Vista patches page later
this week or early next.

Jeremy


Re: [Samba] Vista password being rejected on share security mode

2007-02-07 Thread Jeremy Allison
On Wed, Feb 07, 2007 at 10:07:58AM -0600, Schaefer Jr, Thomas R. wrote:
 
> Using your patch and Vista, if I'm logged into Vista as someone other
> than username schaefer and go Start - Run - \\stercus\schaefer it
> won't connect, even if the current Vista user's password is the same as
> schaefer's password on stercus.  So, then Vista prompts me for a
> username and password, I can enter schaefer and schaefer's correct
> password, it still won't be able to connect.

I need to see a debug level 10 of this from a machine with
the patch applied. This might be a bug, I'm not sure yet.

> What does work is if I'm logged into Vista as someone other than
> username schaefer I can right click My Computer, get into the map
> network drive dialogue, and in that dialogue I can specify a drive
> letter, \\stercus\schaefer, and, this is the key, click Connect using a
> different user name specify schaefer and schaefer's password on stercus
> and then the drive maps successfully.
>
> Eagerly awaiting any comments you might have.  Again, thank you for the
> patch, at least I have some functionality now.

I think this is by design on Vista. The key is that Vista
does the sessionsetup as user name schaefer until you
select the Connect using a different user name. We
cache the user sent in the sessionsetupX call.

Jeremy.


RE: [Samba] Vista password being rejected on share security mode

2007-02-06 Thread Schaefer Jr, Thomas R.
I'm using Windows Vista Enterprise and also am having great difficulty
with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a).  It
seems as though Vista will randomly, occasionally work with it, but in
general it just won't work at all.  I wish I had your problem of a 10
second connection delay, far better than no connection at all.  Did you
have to do anything special to get it working, albeit with the 10 second
delay?

Thank you,
Tom Schaefer
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee
Devlin
Sent: Thursday, February 01, 2007 11:41 AM
To: samba@lists.samba.org
Subject: [Samba] Vista password being rejected on share security mode

I'm working on trying to get Samba 3.0.23c to work with Vista and I've
run into a snag.  If a share is set up for security = share, and
protected with a password, when I try to mount the share using
Start-Run-\\server\share,  the password is rejected by Samba for about
the first 10 seconds, but after that, it lets me in.  I've tried all the
common suggestions such as changing NTLMV2 on the Vista system without
success.

I've looked high and low on the Internet and have not found a mention of
this problem.  The smb.conf file looks like this:

[global]
netbios name = TestSystem
server string = TestSystem
workgroup = MSHOME
security = share
guest account = guest
log file = /var/log/samba.log
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
encrypt passwords = yes
use spnego = no
client use spnego = no
host msdfs = no
interfaces = lo eth0 eth1 eth2 br0
qos enable = no
level1 file extensions =
level2 file extensions =
os level = 20
preferred master = auto
domain master = auto
local master = yes
domain logons = no
log level = 0
max log size = 960
null passwords = yes
wins server = (ip addresses deleted)
passdb backend = smbpasswd:/tmp/smbpasswd
use client driver = yes
printer admin = root, guest
show add printer wizard = yes
load printers = yes
default devmode = yes
printcap name = /tmp/etc/printcap

[printers]
comment = All Printers
path=/shares/Volume1/__var/spool/samba
printing = brcm
guest ok = yes
printable = yes
browseable = no
print command = chmod 666 %s; printcmd jobsubmit %p '%J' %x '%u'
lpq command = printcmd queuestat %p
lprm command = printcmd jobcancel %p %j
lppause command = printcmd jobpause %p %j
lpresume command = printcmd jobresume %p %j
queuepause command = printcmd queuepause %p
queueresume command = printcmd queueresume %p

[FileShare]
comment =
path = /shares/Volume1/FileShare
writeable = yes
browsable = yes
inherit permissions = yes
inherit acls = yes
msdfs root = no
valid users = %S
user = %S
guest ok = no
guest only = no


...

Any suggestions?  

Thanks,

Lee


Re: [Samba] Vista password being rejected on share security mode

2007-02-06 Thread Jeremy Allison
On Tue, Feb 06, 2007 at 11:37:09AM -0600, Schaefer Jr, Thomas R. wrote:
> I'm using Windows Vista Enterprise and also am having great difficulty
> with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a).  It
> seems as though Vista will randomly, occasionally work with it, but in
> general it just won't work at all.  I wish I had your problem of a 10
> second connection delay, far better than no connection at all.  Did you
> have to do anything special to get it working, albeit with the 10 second
> delay?

You need the attached patch. It'll be up on the Vista
patches page later this week or early next.

Jeremy
Index: smbd/sesssetup.c
===
--- smbd/sesssetup.c(revision 21127)
+++ smbd/sesssetup.c(working copy)
@@ -1035,6 +1035,7 @@
 
map_username(sub_user);
add_session_user(sub_user);
+   add_session_workgroup(domain);
/* Then force it to null for the benfit of the code below */
*user = 0;
}
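Review bot: add_session_workgroup(domain) is called unconditionally right after add_session_user(sub_user), so an empty domain from the client is cached as well. The getter added in smbd/password.c then returns a non-NULL pointer, and password_ok() spends a pass_check_smb() call on an empty workgroup before it falls back to lp_workgroup(). Suggest caching only when the domain is non-empty, and adding a one-line comment here that the value is client-supplied.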
Index: smbd/password.c
===
--- smbd/password.c (revision 21127)
+++ smbd/password.c (working copy)
@@ -23,6 +23,8 @@
 /* users from session setup */
 static char *session_userlist = NULL;
 static int len_session_userlist = 0;
+/* workgroup from session setup. */
+static char *session_workgroup = NULL;
 
 /* this holds info on user ids that are already validated for this VC */
 static user_struct *validated_users;
@@ -406,6 +408,29 @@
 }
 
 /
+ In security=share mode we need to store the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+/
+
+void add_session_workgroup(const char *workgroup)
+{
+   if (session_workgroup) {
+   SAFE_FREE(session_workgroup);
+   }
+   session_workgroup = smb_xstrdup(workgroup);
+}
+
+/
+ In security=share mode we need to return the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+/
+
+const char *get_session_workgroup(void)
+{
+   return session_workgroup;
+}
+
+/
  Check if a user is in a netgroup user list. If at first we don't succeed,
  try lower case.
 /
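Review bot: session_workgroup is a file-scope static that add_session_workgroup() only ever overwrites and nothing clears, so the workgroup from one session setup stays in effect for every later password_ok() call in this process; the comment block should state that lifetime, and the getter's comment should say it returns NULL until a session setup has stored a value. The if (session_workgroup) guard around SAFE_FREE(session_workgroup) is redundant, since SAFE_FREE already checks for NULL. The two comment blocks are otherwise near-duplicates of each other.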
Index: auth/auth_compat.c
===
--- auth/auth_compat.c  (revision 21127)
+++ auth/auth_compat.c  (working copy)
@@ -92,18 +92,25 @@
 check if a username/password pair is ok via the auth subsystem.
 return True if the password is correct, False otherwise
 /
+
 BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
 {
 
DATA_BLOB null_password = data_blob(NULL, 0);
-   BOOL encrypted = (global_encrypted_passwords_negotiated  
password_blob.length == 24);
+   BOOL encrypted = (global_encrypted_passwords_negotiated  
(password_blob.length == 24 || password_blob.length  46));

if (encrypted) {
/* 
 * The password could be either NTLM or plain LM.  Try NTLM 
first, 
 * but fall-through as required.
-* NTLMv2 makes no sense here.
+* Vista sends NTLMv2 here - we need to try the client given 
workgroup.
 */
+   if (get_session_workgroup()) {
+   if (NT_STATUS_IS_OK(pass_check_smb(smb_name, 
get_session_workgroup(), null_password, password_blob, null_password, 
encrypted))) {
+   return True;
+   }
+   }
+
if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), 
null_password, password_blob, null_password, encrypted))) {
return True;
}
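Review bot: in password_ok(), when the cached client workgroup is the same string as lp_workgroup(), a wrong password now costs two identical pass_check_smb() calls, and any failure accounting or logging inside that call happens twice for a single client attempt. Suggest skipping the first attempt when the two workgroups compare equal, and reading get_session_workgroup() once into a local instead of calling it twice. The 24 and 46 in the length test would also benefit from a comment saying which response formats they are meant to distinguish.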
@@ -119,5 +126,3 @@
 
return False;
 }
-
-
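Why the patch has to try the client's workgroup: the NTLMv2 key is derived from the user name and the domain the client sent, so a server that recomputes the response with its own workgroup rejects a correct password. This is an added example, not part of the thread or of Samba's code; the NT hash, challenge, blob and the VISTAPC workgroup are constructed, and matching_workgroup is a hypothetical stand-in for the fallback order in the patched password_ok().

```python
import hashlib
import hmac

# Constructed sample values (not from the thread). NT_HASH stands in for
# MD4(UTF-16LE(password)), which is what the server's password database holds.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("0123456789abcdef")            # server challenge
BLOB = bytes.fromhex("0101000000000000") + bytes(24)     # simplified client blob


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, challenge, blob):
    """What the client sends: a 16-byte proof followed by its blob."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, challenge + blob, hashlib.md5).digest() + blob


def check_response(nt_hash, user, domain, challenge, response):
    """Server side: recompute the proof with the domain it assumes."""
    expected = ntlmv2_response(nt_hash, user, domain, challenge, response[16:])
    return hmac.compare_digest(expected, response)


def matching_workgroup(nt_hash, user, response, challenge,
                       server_workgroup, client_workgroup=None):
    """Try the cached client workgroup, then the server's own.

    Returns the workgroup that verified, or None if neither did.
    """
    candidates = [client_workgroup] if client_workgroup else []
    if server_workgroup not in candidates:
        candidates.append(server_workgroup)   # avoid checking the same name twice
    for workgroup in candidates:
        if check_response(nt_hash, user, workgroup, challenge, response):
            return workgroup
    return None


# A client in workgroup "VISTAPC" (constructed) talking to a server whose
# smb.conf says "workgroup = MSHOME", as in the configuration posted above.
VISTA_RESPONSE = ntlmv2_response(NT_HASH, "schaefer", "VISTAPC", CHALLENGE, BLOB)
```

With only the server workgroup available the correct password fails to verify; passing the workgroup cached from the session setup makes the same response verify.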