Root samba auth not working
Activity

Timothy Moore II September 15, 2020 at 5:03 PM
As requested, 12.0-RC1 release notes and SMB sharing documentation have been updated to warn against using the root account or built-in users for SMB shares.

Andrew Walker September 11, 2020 at 3:37 PM
This has to do with how SMB authentication works. NTLM auth (used in non-AD environments) requires that the server have an unsalted MD4 hash of the password in memory for challenge/response. New validation routines related to it are as follows:
Going in reverse order. The password change requirement is due to the need to generate a secondary hash of the password (MD4) and store it in the config file. This means that we must ask for a password reset whenever users switch from non-SMB to SMB.
The "attribute may not be changed" error regards a list of attributes that may not be changed for builtin users. One of these is "smb" for the fairly mundane reason that builtin accounts shouldn't be used for SMB. Among other things, this requires us to begin storing the password hash for accounts such as root in a form that is more vulnerable to cracking.
As you yourself admitted, using the root account for SMB is fairly far from "best practice", and it is something we are putting guards around for our general users (which includes businesses and other places where security is somewhat more important).
The changes are being made in pre-release versions of TrueNAS, and so you have time to migrate any production servers on 11.3 to something more standard before you are impacted.

Reporter

Hey,
I just updated to 12.1-MASTER-202009110438 from 12.0-MASTER-202006220424.
For all my Samba shares I use the user "root" as the login (I know, not the most secure thing to do).
Now after the update, the root user got the "Samba Authentication" unchecked. I tried to activate it again, but if I check the box and press save I get the error: "Password must be changed in order to enable SMB authentication". If I now type in a new password (or the current password) and click save I get: "This attribute cannot be changed".
So now I can't use root for samba auth. I don't think that this is intended behavior, right?