plaintext to smbpasswd
Andrew Bartlett
abartlet at pcug.org.au
Sat Aug 4 13:01:26 GMT 2001
Gerald Carter wrote:
>
> On Sat, 4 Aug 2001, Andrew Bartlett wrote:
>
> > For the record here, this parameter checks plain text passwords against
> > smbpasswd, not PAM/shadow. The only reason not to do this is if PAM is
> > expected to do something interesting with these passwords, but that
> > requires 'obey pam restrictions = yes' in any case.
>
> The same as using pam_smbpass.so right?

Except that instead of doing:

  Samba -> PAM -> pam_smbpass -> samba's included internals

we do

  Samba -> Samba's internals

But yes, this is the same as if we had pam_smbpass.so configured in
samba's /etc/pam.d/samba file.

>
> > Furthermore, I'm not sure how it handles clients that sent UPPER case
> > passwords - win9X :-(. My guess is that it would generate an invalid
> > NTLM hash, we would compare that and fail the authentication. When I
> > get a chance, I'll look into changing the code to be case insensitive
> > for the older protocols. (That is, I will only generate the LM hash,
> > making us case insensitive).
>
> Might need to do both. See the 'lanman auth' parameter entry in
> smb.conf(5)
>
> > Changing the default would certainly be the 'path of least surprise'
> > for new administrators, but changes existing behavior. Probably worth
> > it once the bugs are fixed.
>
> Why would the plaintext to smbpasswd ever be used if encrypt passwords =
> yes? Unless we have a broken client somewhere that ignores the encryption
> bit in the negprot reply.
>
> cheers, jerry

As you can see, it's a bit of a hack. The reason I got in was because
it's also a design requirement: All authentications being passed to the
auth subsystem MUST include the hashes, even if we have the plain-text.
This parameter just says 'ignore the fact we got the plaintext at all'.
It was *too* simple to leave out :-)

There is also a practical use of it however: There are some sites that
don't sync their shadow/smbpasswd files *on purpose*, and would expect
samba's authentications to be constrained to smbpasswd, no matter how
(intentionally) broken the client.

--
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org