disable-weak-auth.patch renders ineffective "client plaintext auth = yes" in smb.conf

Bug #215410 reported by FluidDynamics
This bug affects 1 person
Affects: samba (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Steve Langasek

Bug Description

Binary package hint: samba

A change introduced in 3.0.27a-2 (seen below) makes it impossible to access samba resources that require a plaintext password. An instance of "client plaintext auth = yes" in the [global] options section is ignored by smbclient when attempting to connect to a samba server with
$smbclient -U <username> //<ipaddress>/<servicename>.
The error message given is: "Server requested plaintext password but 'client use plaintext auth' is disabled". Note the incorrect use of the word "use" in the single-quoted section. Adding a section of "client use plaintext auth = yes" in the global section results in an error about the aforementioned unknown option being ignored. An instance of "client plaintext auth = yes" is not an unknown option, but is ineffective because the patch "hard wires" the program, preventing plaintext passwords.

A much better solution would be to make the default smb.conf configuration file feature the "client use plaintext auth = no" option, and allow the user to set it to "yes" if necessary.

This is not a case of the "client lanman auth = no" disabling the "client plaintext auth" option. This bug is important because certain large universities still have servers that require plaintext passwords.

======Problematic Update Below========
samba (3.0.27a-2) unstable; urgency=low

  * debian/patches/disable-weak-auth.patch: disable plaintext authentication
    on the client, and lanman authentication on both client and server, by
    default since these are only needed for Win9x or Samba with encrypted
    passwords disabled and are potential password attack vectors. This
    change is backported from Samba 3.2. LP: #163194.

Steve Langasek (vorlon) wrote :

> This is not a case of the "client lanman auth = no" disabling the "client plaintext auth" option.

Are you sure? That's the only case in which I can reproduce the behavior you describe.

If I set 'client plaintext auth = yes' in /etc/samba/smb.conf without also setting 'client lanman auth = Yes', then plaintext auth remains disabled.

If I set both options to 'yes', then plaintext auth works, verifiable with both testparm and smbclient.

Changed in samba:
assignee: nobody → vorlon
status: New → Incomplete
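
The interaction described in the comment above, as an added example that is not part of the original thread or of Samba's code: a small audit helper that reads the [global] section of an smb.conf and reports whether plaintext client authentication is actually in effect. The function names and both sample configurations are constructed for illustration; the defaults come from the changelog quoted in the report, the coupling between the two options comes from the comment above, and include files and line continuations are not handled.

```python
import re

# Defaults after disable-weak-auth.patch, per the changelog quoted in this report.
DEFAULTS = {"clientlanmanauth": False, "clientplaintextauth": False}
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

# Constructed sample inputs (not taken from any real host).
REPORTER_CONF = "[global]\n   workgroup = LAB\n   client plaintext auth = yes\n"
WORKING_CONF = REPORTER_CONF + "   Client LANMAN Auth = Yes\n"

def parse_global(text):
    """Collect the two client auth booleans set in the [global] section."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf parameter names ignore case and whitespace.
        key = re.sub(r"\s+", "", name).lower()
        value = value.strip().lower()
        if key in DEFAULTS and value in BOOLS:
            found[key] = BOOLS[value]
    return found

def effective_client_auth(text):
    """Apply the coupling from the thread: no lanman auth means no plaintext auth."""
    cfg = {**DEFAULTS, **parse_global(text)}
    lanman = cfg["clientlanmanauth"]
    return {"client lanman auth": lanman,
            "client plaintext auth": cfg["clientplaintextauth"] and lanman}

if __name__ == "__main__":
    for label, conf in (("plaintext only", REPORTER_CONF), ("both set", WORKING_CONF)):
        print(label, effective_client_auth(conf))
```

Run against a fleet's configuration files, the same check flags any host where both options have been switched on and plaintext passwords can therefore leave the client.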
FluidDynamics (pawngameme) wrote :

> If I set both options to 'yes', then plaintext auth works, verifiable with both testparm and smbclient.

That is a good point. I grepped the smb.conf file for a lanman option but didn't find one. I only added the "client plaintext auth = yes" option. I'll troubleshoot this the next time I have access to the lab computer with this Ubuntu installation. Thank you for your rapid response. If the problem is due to not having the right config options, I'll try to figure out how to delete this bug so it doesn't take up any more of your time. [I'm new here.]

Steve Langasek (vorlon) wrote :

Marking as 'invalid'. If you find that you're still having problems, feel free to reopen the bug by setting the status back to 'new' and giving more info.

Changed in samba:
status: Incomplete → Invalid