plaintext to smbpasswd

Andrew Bartlett abartlet at pcug.org.au
Sat Aug 4 13:01:26 GMT 2001


Gerald Carter wrote:
> 
> On Sat, 4 Aug 2001, Andrew Bartlett wrote:
> 
> > For the record here, this parameter checks plain text passwords against
> > smbpasswd, not PAM/shadow.  The only reason not to do this is if PAM is
> > expected to do something interesting with these passwords, but that
> > requires 'obey pam restrictions = yes' in any case.
> 
> The same as using pam_smbpass.so right?

Except that instead of doing:
Samba -> PAM -> pam_smbpass -> samba's included internals
we do
Samba -> Samba's internals

But yes, this is the same as if we had pam_smbpass.so configured in
samba's /etc/pam.d/samba file.

> 
> > Furthermore, I'm not sure how it handles clients that sent UPPER case
> > passwords - win9X :-(.  My guess is that it would generate an invalid
> > NTLM hash, we would compare that and fail the authentication.  When I
> > get a chance, I'll look into changing the code to be case insensitive
> > for the older protocols.  (That is, I will only generate the LM hash,
> > making us case insensitive).
> 
> Might need to do both.  See the 'lanman auth' parameter entry in
> smb.conf(5)
> 
> > Changing the default would certainly be the 'path of least surprise'
> > for new administrators, but changes existing behavior.  Probably worth
> > it once the bugs are fixed.
> 
> Why would the plaintext to smbpasswd ever be used if encrypt passwords =
> yes?  Unless we have a broken client somewhere that ignores the encryption
> bit in the negprot reply.
> 
> cheers, jerry

As you can see, it's a bit of a hack.  The reason I got in was because
it's also a design requirement:  All authentications being passed to the
auth subsystem MUST include the hashes, even if we have the plain-text.
This parameter just says 'ignore the fact we got the plaintext at all'.
It was *too* simple to leave out :-)

There is also a practical use of it however:  There are some sites that
don't sync their shadow/smbpasswd files *on purpose*, and would expect
samba's authentications to be constrained to smbpasswd, no matter how
(intentionally) broken the client.

-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org



