disable-weak-auth.patch renders ineffective "client plaintext auth = yes" in smb.conf
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
samba (Ubuntu) | Invalid | Undecided | Steve Langasek | |
Bug Description
Binary package hint: samba
A change introduced in 3.0.27a-2 (seen below) makes it impossible to access samba resources that require a plaintext password. An instance of "client plaintext auth = yes" in the [global] options section is ignored by smbclient when attempting to connect to a samba server with
$smbclient -U <username> //<ipaddress>
The error message given is: "Server requested plaintext password but 'client use plaintext auth' is disabled". Note the incorrect use of the word "use" in the single-quoted section. Adding a section of "client use plaintext auth = yes" in the global section results in an error about the aforementioned unknown option being ignored. An instance of "client plaintext auth = yes" is not an unknown option, but is ineffective because the patch "hard wires" the program, preventing plaintext passwords.
A much better solution would be to make the default smb.conf configuration file feature the "client use plaintext auth = no" option, and allow the user to set it to "yes" if necessary.
This is not a case of the "client lanman auth = no" disabling the "client plaintext auth" option. This bug is important because certain large universities still have servers that require plaintext passwords.
======Problematic Update Below========
samba (3.0.27a-2) unstable; urgency=low
* debian/
on the client, and lanman authentication on both client and server, by
default since these are only needed for Win9x or Samba with encrypted
passwords disabled and are potential password attack vectors. This
change is backported from Samba 3.2. LP: #163194.
> This is not a case of the "client lanman auth = no" disabling the "client plaintext auth" option.
Are you sure? That's the only case in which I can reproduce the behavior you describe.
If I set 'client plaintext auth = yes' in /etc/samba/smb.conf without also setting 'client lanman auth = Yes', then plaintext auth remains disabled.
If I set both options to 'yes', then plaintext auth works, verifiable with both testparm and smbclient.
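The interaction described in the reply above can be checked on a configuration file before blaming the patch. The following is an added example, not part of the bug thread and not Samba's own code: it parses the [global] section and reports when "client plaintext auth = yes" is configured but has no effect because "client lanman auth" is not also enabled. The function names and sample configurations are constructed for illustration, and both options are assumed to default to "no", as the changelog describes.

```python
import re

TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def _key(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip().lower()
    return params

def _flag(params, name, default=False):
    # Assumption: both options default to "no", as the changelog describes.
    value = params.get(_key(name))
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    return default

def audit_client_plaintext(text):
    """Report the configured and effective client plaintext setting."""
    params = parse_global(text)
    configured = _flag(params, "client plaintext auth")
    lanman = _flag(params, "client lanman auth")
    effective = configured and lanman  # behaviour described in the reply
    return {"configured": configured, "lanman": lanman,
            "effective": effective, "ignored": configured and not effective}

# Constructed sample configurations (not taken from the bug report).
ONLY_PLAINTEXT = "[global]\n  client plaintext auth = yes\n"
BOTH = "[global]\n  Client Lanman Auth = Yes\n  client plaintext auth = yes\n"
WRONG_SECTION = "[global]\n; nothing set\n[share]\n  client plaintext auth = yes\n"

if __name__ == "__main__":
    for label, conf in [("only plaintext", ONLY_PLAINTEXT), ("both", BOTH),
                        ("wrong section", WRONG_SECTION)]:
        print(label, audit_client_plaintext(conf))
```

An "effective" result of True also flags a client that will send plaintext passwords to any server requesting them, which is the exposure the changelog's default is meant to close.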