Discussion:
[Samba] challenge/response password authentication failed
Luc Van Hoeylandt
21 years ago
hi,

I'm having troubles joining a win2k domain with samba 2.2.3a. As you can
see below I always get a 'challenge/response password authentication failed'
when trying to authenticate. I searched the mailing list but can't find a
solution.
After 3 days of searching I'm still stuck :( I'd appreciate any pointers you
could give me.


- On the W2k PDC I created a computer account (name: LINUX) with the
'Allow Pre-windows 2000 computer to use this account' checked
- I joined the domain
smbpasswd -r NT2000 -j CEREUSBE
2002/02/28 10:15:59 : change_trust_account_password: Changed password for
domain CEREUSBE.
Joined domain CEREUSBE.

wbinfo -u shows a domain group listing
CEREUSBE+TemplateCursisten
CEREUSBE+testje
CEREUSBE+testusr
CEREUSBE+Thierry
CEREUSBE+TLuijbregts
CEREUSBE+travelcomp
CEREUSBE+TsInternetUser
CEREUSBE+tvermetten
CEREUSBE+TWillaert
CEREUSBE+VBrepoels
CEREUSBE+vdb213775
CEREUSBE+Walter
CEREUSBE+Wim
CEREUSBE+WIwens
CEREUSBE+wvalgaeren

So far so good ;)

I then try to authenticate a domain user using wbinfo:

wbinfo -a CEREUSBE+LVHoeylandt%LVHoeylandt
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user CEREUSBE+LVHoeylandt%LVHoeylandt with
challenge/response

smb.conf contents:

[global]
workgroup = CEREUSBE
security = domain
encrypt passwords = Yes
password server = NT2000.cereus.be
keepalive = 30
os level = 33
local master = No
domain master = False
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +


Any ideas how to solve this problem?

Thanks,

Luc
Andrew Bartlett
21 years ago
Post by Luc Van Hoeylandt
hi,
I'm having troubles joining a win2k domain with samba 2.2.3a. As you can
see below I always get a 'challenge/response password authentication failed'
when trying to authenticate. I searched the mailing list but can't find a
solution.
After 3 days of searching I'm still stuck :( I'd appreciate any pointers you
could give me.
As long as the 'plaintext' version works, it's fine. Samba 2.2 has this
feature disabled for security reasons.

Andrew Bartlett
--
Andrew Bartlett ***@pcug.org.au
Manager, Authentication Subsystems, Samba Team ***@samba.org
Student Network Administrator, Hawker College ***@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Luc Van Hoeylandt
21 years ago
Post by Andrew Bartlett
Post by Luc Van Hoeylandt
hi,
I'm having troubles joining a win2k domain with samba 2.2.3a. As you can
see below I always get a 'challenge/response password authentication failed'
when trying to authenticate. I searched the mailing list but can't find a
solution.
After 3 days of searching I'm still stuck :( I'd appreciate any pointers you
could give me.
As long as the 'plaintext' version works, it's fine. Samba 2.2 has this
feature disabled for security reasons.
Then I'm afraid something else is wrong :-( I'm unable to connect to my
shares (I am using a smb.conf that used to work on another machine)
I always seem to get NT_STATUS_WRONG_PASSWORD

smbclient //linux/webroot -U CEREUSBE+LVHoeylandt%LVHoeylandt
added interface ip=192.168.165.54 bcast=192.168.165.255 nmask=255.255.255.0
Domain=[CEREUSBE] OS=[Unix] Server=[Samba 2.2.3a]
tree connect failed: NT_STATUS_WRONG_PASSWORD


wbinfo -a CEREUSBE+LVHoeylandt%LVHoeylandt
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user CEREUSBE+LVHoeylandt%LVHoeylandt with
challenge/response

BTW is it possible that 2.2.2 did have the challenge/response authentication
enabled?
If I remember correctly wbinfo didn't fail with that version.

tnx a lot

Luc


smb.conf below

# Global parameters
[global]
workgroup = CEREUSBE
security = domain
encrypt passwords = Yes
password server = NT2000.cereus.be
keepalive = 30
os level = 33
local master = No
domain master = False
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +
#map to guest = Bad User


[Test]
comment = test share
path = /home/samba
valid users = CEREUSBE+LVHoeylandt CEREUSBE+JVDBroeck
read only = No

[webroot]
comment = Oracle webroot
path = /opt/oracle/product/901/Apache/Apache/htdocs
valid users = @CEREUSBE+Developers
force user = oracle
read only = No
preserve case = no
Andrew Bartlett
21 years ago
Post by Luc Van Hoeylandt
Then I'm afraid something else is wrong :-( I'm unable to connect to my
shares (I am using a smb.conf that used to work on another machine)
I always seem to get NT_STATUS_WRONG_PASSWORD
smbclient //linux/webroot -U CEREUSBE+LVHoeylandt%LVHoeylandt
added interface ip=192.168.165.54 bcast=192.168.165.255 nmask=255.255.255.0
Domain=[CEREUSBE] OS=[Unix] Server=[Samba 2.2.3a]
tree connect failed: NT_STATUS_WRONG_PASSWORD
You can't use winbind and 'security = share'. Either that, or your
smb.conf has weird access restrictions.
Post by Luc Van Hoeylandt
wbinfo -a CEREUSBE+LVHoeylandt%LVHoeylandt
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user CEREUSBE+LVHoeylandt%LVHoeylandt with
challenge/response
BTW is it possible that 2.2.2 did have the challenge/response authentication
enabled?
If I remember correctly wbinfo didn't fail with that version.
It didn't have that code at all.
--
Andrew Bartlett ***@pcug.org.au
Manager, Authentication Subsystems, Samba Team ***@samba.org
Student Network Administrator, Hawker College ***@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Luc Van Hoeylandt
21 years ago
Post by Andrew Bartlett
You can't use winbind and 'security = share'. Either that, or your
smb.conf has weird access restrictions.
My smb.conf should be fine; I transferred it from a backup from
another machine (check my previous mail for the smb.conf).

I found a new clue: when trying to access a share from a W2k
client I get the following entries in the smbd log (debug level 3):


[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(848)
Domain=[CEREUSBE] NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000
5.0]
[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(858)
sesssetupX:name=[LVHoeylandt]
[2002/03/01 09:18:04, 3] libsmb/namequery.c:resolve_lmhosts(752)
resolve_lmhosts: Attempting lmhosts lookup for name NT2000.CEREUS.BE<0x20>
[2002/03/01 09:18:04, 3] libsmb/namequery.c:resolve_hosts(792)
resolve_hosts: Attempting host lookup for name NT2000.CEREUS.BE<0x20>
[2002/03/01 09:18:04, 3] lib/util_sock.c:open_socket_out(830)
Connecting to 192.168.165.35 at port 445
[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(1018)
No such user lvhoeylandt [CEREUSBE] - using guest account

As far as I can tell smbd doesn't 'see' the user and falls back to the
guest account. However the user lvhoeylandt does exist on the PDC
(see wbinfo output below). If logs at a higher debug level are more
helpful I'll gladly send them.
Post by Andrew Bartlett
Post by Luc Van Hoeylandt
wbinfo -a CEREUSBE+LVHoeylandt%LVHoeylandt
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user CEREUSBE+LVHoeylandt%LVHoeylandt with
challenge/response
tnx for your help,


Luc
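
Added example, not part of the original thread: a small Python scan of smbd debug-level-3 output for session setups that ended on the guest account, as in the log excerpt in the last post. The sample text reuses the lines quoted there (the two-space indentation of message lines is an assumption); the function and field names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the smbd level-3 lines quoted in the post above.
SAMPLE_LOG = """\
[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(848)
  Domain=[CEREUSBE] NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000
5.0]
[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(858)
  sesssetupX:name=[LVHoeylandt]
[2002/03/01 09:18:04, 3] lib/util_sock.c:open_socket_out(830)
  Connecting to 192.168.165.35 at port 445
[2002/03/01 09:18:04, 3] smbd/reply.c:reply_sesssetup_and_X(1018)
  No such user lvhoeylandt [CEREUSBE] - using guest account
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\(\d+\)\s*$")
SESSSETUP = re.compile(r"sesssetupX:name=\[([^\]]*)\]")
GUEST = re.compile(r"No such user (\S+) \[([^\]]*)\] - using guest account")

def parse_records(text):
    """Attach each message line (including wrapped ones) to its header line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"time": when, "level": int(m.group(2)),
                            "source": m.group(3), "function": m.group(4),
                            "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def guest_fallbacks(records):
    """One finding per session setup that smbd mapped to the guest account."""
    findings, requested = [], None
    for rec in records:
        m = SESSSETUP.search(rec["msg"])
        if m:
            requested = m.group(1)  # name the client sent in the session setup
            continue
        m = GUEST.search(rec["msg"])
        if m:
            findings.append({"time": rec["time"], "requested": requested,
                             "looked_up": m.group(1), "domain": m.group(2)})
            requested = None
    return findings
```

Running `guest_fallbacks(parse_records(open(path).read()))` over a real log file returns one entry per session that smbd handed to the guest account, together with the name the client originally sent.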
