
Comments (15)

MarvAmBass avatar MarvAmBass commented on July 17, 2024 1

no problem, it happens - I can't recall how many hours I spent on IT problems caused by a small missing or wrong character :D.

sure test it and close this issue if you get it to work. if not I might close it in a week or so

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024 1

okay I've updated the readme, and it's kinda obvious why it makes problems, I bet it crashes the hashing - it's some windows reverse engineered hashing - that's why it's implemented in samba.

it somehow needs to generate a hash which is compatible with case insensitivity - by providing a case sensitive example it might not be able to calculate a valid hash...

at least that's what I think the root cause can be :)

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024 1

yeah I just released the update, the perfect place to lowercase the username is the create hash script itself, so I did that :)

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024

Hi there,

thanks for this issue, also thanks for testing it from different angles.

I'll take a look

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024

I've just run the script with foo and password password123. I've added the hash to a user and was able to connect to the share.
I retried with a fresh hash for foo and password bar this also worked without problems

  echo -e "$PASSWORD_1\n$PASSWORD_1" | smbpasswd "$USERNAME" 2> /dev/null >/dev/null

if your password contains something like \n or other backslashes it might act weird, or you might need to replace a single \ with an escaped \\

      ACCOUNT_foo: "foo:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:86C156FC198B358CCCF6278D8BD49B6A:[U          ]:LCT-63DCB9F1:"

it is important to put the value inside "

it seems to me that there is no issue

tried on currently latest, and even rebuilt it from scratch without cache

from samba.

joergschimmel-nlb avatar joergschimmel-nlb commented on July 17, 2024

funny... I just ran into the same issue as @whitestrake. finally it was the trailing ":" that I missed to copy

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

I'll be quite cross with myself and mildly embarrassed if that's the case in my error.

I'll be able to check on this on Monday and either try to find a way to reliably reproduce, or fall on my sword.

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

Hey @MarvAmBass, can you perhaps try generating a password hash for a username with a capital letter?

It works for me when I generate an account with all lowercase:

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ echo -e "matt\nfoo\nfoo" | docker run -i --rm --entrypoint create-hash.sh servercontainers/samba:latest
>> Enter username: >> New password:
>> Retype password:
matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E04014:

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ grep -A10 samba: docker-compose.yml
  samba:
    image: servercontainers/samba:latest
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /mnt/storage:/mnt/storage
    environment:
      ACCOUNT_matt: "matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E04014:"
      SAMBA_VOLUME_CONFIG_Storage: "[Storage]; path=/mnt/storage"


matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ dc up -d samba
[+] Running 1/1
 ⠿ Container npssrvx-samba-1  Started                                                           0.2s

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ dc exec samba env
PATH=/container/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=npssvrx
TERM=xterm
ACCOUNT_matt=matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E04014:
SAMBA_VOLUME_CONFIG_Storage=[Storage]; path=/mnt/storage
HOME=/root

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ echo "foo" | smbclient //npssvrx/Storage -U matt
Enter WORKGROUP\matt's password:
Try "help" to get a list of possible commands.

But not when I generate an account that starts with an uppercase letter:

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ echo -e "Matt\nfoo\nfoo" | docker run -i --rm --entrypoint create-hash.sh servercontainers/samba:latest
>> Enter username: >> New password: >> Retype password:

Matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E03EAA:

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ grep -A10 samba: docker-compose.yml
  samba:
    image: servercontainers/samba:latest
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /mnt/storage:/mnt/storage
    environment:
      ACCOUNT_Matt: "Matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E03EAA:"
      SAMBA_VOLUME_CONFIG_Storage: "[Storage]; path=/mnt/storage"

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ dc up -d samba
[+] Running 1/1
 ⠿ Container npssrvx-samba-1  Started                                                           0.2s

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ dc exec samba env
PATH=/container/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=npssvrx
TERM=xterm
SAMBA_VOLUME_CONFIG_Storage=[Storage]; path=/mnt/storage
ACCOUNT_Matt=Matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E03EAA:
HOME=/root

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ echo "foo" | smbclient //npssvrx/Storage -U Matt
Enter WORKGROUP\Matt's password:
session setup failed: NT_STATUS_LOGON_FAILURE

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024

Keep in mind, that I only maintain a container here, this seems like a typical samba/windows uppercase/lowercase issue

take a look at this docu: https://www.linuxtopia.org/online_books/network_administration_guides/using_samba_book/ch06_02_11.html

I suspect that it's currently turned off by default

also, maybe your client does the magic and converts it to all lowercase during transfer

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

Works perfectly if I don't use this hash:

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ grep -A10 samba: docker-compose.yml
  samba:
    image: servercontainers/samba:latest
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /mnt/storage:/mnt/storage
    environment:
      ACCOUNT_Matt: "foobar"
      SAMBA_VOLUME_CONFIG_Storage: "[Storage]; path=/mnt/storage"


matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ dc exec samba env
PATH=/container/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=npssvrx
TERM=xterm
ACCOUNT_Matt=foobar
SAMBA_VOLUME_CONFIG_Storage=[Storage]; path=/mnt/storage
HOME=/root

matt in /mnt/ssd at npssvrx is 🐳 v20.10.21
➜ echo "foobar" | smbclient //npssvrx/Storage -U Matt
Enter WORKGROUP\Matt's password:
Try "help" to get a list of possible commands.

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

If I generate a hash for username matt then logins work for any permutation of capitalisation (e.g. Matt, mAtt, MaTT, etc). If I generate a hash for Matt, none of these work.

This doesn't strike me as an issue with case insensitivity defaults after the fact.

Is there a possibility it's an issue with the script? If not, would it be worth an addendum to your README that hash generation with mixed username capitalisation is broken due to the way Samba works in this container?

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024

here I was also thinking about updating the readme on this one.

super interesting behaviour - it somehow doesn't make much sense - besides that all lowercase ignores capitalisation (think about samba as a windows facing software which usually needs to ignore capitalisation)

since my script only calls smbpasswd it's rooted within samba itself

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

Yeah, looking at the script, that's pretty much literally all it does. No manipulation at all, no chance really for it to interfere with Samba's own behaviour.

Honestly - if you wanted to be super accommodating, you might consider having your script lowercase the username input to preempt user error here, maybe with a switch and a note in the README/comments regarding that behavior.

Otherwise, just a note that the user should use all lowercase usernames by default seems like plenty.

Feel free to close this issue, on that note.

Thanks again!

from samba.

MarvAmBass avatar MarvAmBass commented on July 17, 2024

yeah I was thinking about automatically putting it to lowercase... but I'm not sure

from samba.

whitestrake avatar whitestrake commented on July 17, 2024

Doing that seems sensible to me, with an optional switch to disable username normalisation, documented in the comments of the script. But, that is an accommodation on your part that would be nice to users, but not necessary.

If a much more proficient user with some corner case requirement for this seemingly broken hashing requires a capitalised username, we could assume such a user would be proficient enough to simply run the Samba utilities to generate their own hash even if you didn't provide an off switch for username normalisation.

from samba.
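
Added example, not part of the thread or of the container's own scripts: a shell lint for an ACCOUNT_ value that catches the two mistakes reported above (a lost trailing ":" and a non-lowercase username) before the entry reaches docker-compose.yml. The helper names `field_ok` and `check_account_entry` are hypothetical, and the field layout is assumed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the project): lint an ACCOUNT_<name> value before it
# goes into docker-compose.yml. check_account_entry is a hypothetical helper.
# Field layout is assumed from the lines quoted in this thread:
#   user:uid:LM-hash:NT-hash:[flags]:LCT-hex:

field_ok() {  # $1 = value, $2 = extended regex it must match in full
    printf '%s\n' "$1" | grep -Eq "^($2)\$"
}

# Prints one finding per line; returns 0 when the entry looks usable.
check_account_entry() {
    entry=$1
    rc=0

    # Pitfall 1 from the thread: the trailing ":" was lost while copying.
    case $entry in
        *:) ;;
        *) echo "missing trailing ':'"; rc=1 ;;
    esac

    # IFS is only ":", so the spaces inside the [flags] field survive.
    IFS=: read -r user uid lm nt flags lct extra <<EOF
$entry
EOF

    # Pitfall 2: a hash generated for a mixed-case username failed to log in.
    lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    [ -n "$user" ] || { echo "empty username"; rc=1; }
    [ "$user" = "$lower" ] || { echo "username '$user' is not lowercase"; rc=1; }

    field_ok "$uid"   '[0-9]+'          || { echo "uid is not numeric"; rc=1; }
    field_ok "$lm"    '[0-9A-FX]{32}'   || { echo "LM field is not 32 hex/X chars"; rc=1; }
    field_ok "$nt"    '[0-9A-F]{32}'    || { echo "NT field is not 32 hex chars"; rc=1; }
    field_ok "$flags" '\[[A-Z ]+\]'     || { echo "flags field is not bracketed"; rc=1; }
    field_ok "$lct"   'LCT-[0-9A-F]{8}' || { echo "LCT field is malformed"; rc=1; }
    [ -z "$extra" ] || { echo "unexpected extra fields"; rc=1; }
    return "$rc"
}

# Constructed samples in the format shown in the thread.
for sample in \
    'matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E04014:' \
    'Matt:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AC8E657F83DF82BEEA5D43BDAF7800CC:[U          ]:LCT-63E03EAA'
do
    check_account_entry "$sample" || echo "  ^ rejected: ${sample%%:*}"
done
```
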
