[Samba] [3.0.28a] Telling XP to save password?

Sat Jun 28 10:12:40 GMT 2008

On 2008-06-27, Charles Marcus (CMarcus at Media-Brokers.com) wrote:
> On 2008-06-27, Gilles (gilles.ganault at free.fr) wrote:
>
>> Is there a way to tell XP to remember the password between
>> reboots/sessions?
>
> Why on gods green earth would you want to do that?
>
> I know you can configure XP to auto-login with a certain
> username/password, but I've never even considered
> attempting that on a domain member so don't
> know if it will work in that context...

And on the same day a little later
Willy Offermans <Willy at Offermans.Rompen.nl>
> On 2008-06-27, Gilles (gilles.ganault at free.fr) wrote:
>
>>       We're successfully running Samba 3.0.28a on a FreeBSD
>> server and sharing files with XP clients. There's only one
>> problem: By default, XP doesn't let the user save the password,
>> so they have to type it every time they reboot.
>>
>> Is there a way to tell XP to remember the password between
>> reboots/sessions?

> In general, saving a password isn't a good idea. It is annoying
> to remember a password by heart and to retype it again and again,
> but it is the best option. So probably there is a way to
> ``tell XP to remember the password between reboots/sessions``,
> but that is most probably not what you want. I advice you to
> re-consider the issue to find a proper solution.

Yes, sure, it's a very bad idea, but a lot of industry fat-cats
(if you can call banks and insurers industry, however industrious
they are about your money) are willing to pay obscene amounts
of fees to identity provision specialists to make single-sign-on
possible for their employees, because if they have to keep 'em
all in their heads they usually tend to regress to very mnemonic
easy-to-crack passwords.

I'm all for security but one needs to keep things in perspective.
If I've logged myself in to a Samba NT-Type domain controller
with a very complicated combination of capitals and lowercases,
numerals and special characters, I don't see why the same password
and account name pair should not be useable to also connect to a
corporate print server, even if it is under the sovereignty of an
AD-type controller which doesn't trust my server by default because
it's not Microsoft.

Gilles' complaint is actually very easy to amend in principle:

Start -> Settings -> Control Panel -> User Accounts

And then to the tab "Manage Passwords". You can set a default
user/password pair for "*.yourCompany.COM" and as many
differing pairs as needed for those special resources with
restricted rights like "taxes.courCompany.COM" and when
you login again all those resources are at your fingertip
automagically.

The problem is that if you use roaming profiles in a Samba
domain and you rolled out your clients by means of cloning a
master client or some other complication like changing the
domain SID midstream it won't work again and I'll be damned
if I know why.

Can someone be more constructive and less proselytic?