[Samba] Can someone explain SMB passwords?

Paul D. DeRocco pderocco at ix.netcom.com
Sun Jul 21 02:34:23 MDT 2013


> On Sat, Jul 20, 2013 at 10:41:31PM -0700, Paul D. DeRocco wrote:
> > I've read what I can find about SMB passwords, but I don't get what they
> > are. Are they Unix passwords or an alternative to them? If I have a file
> > share, and the underlying file system requires some sort of credentials to
> > access it, what is the relationship between that and an SMB password?
> > 
> > If a client tries to access the share, using a user account that is listed
> > in the smbpasswd file, does the client have to provide a password that
> > matches the SMB password in order for the server to allow the access, and
> > having done that, does it then not need to know the Unix password? Or is the
> > SMB password the Unix password that the server will use to access the share,
> > so that the client doesn't have to supply a password at all?
> > 
> > I don't even understand if the SMB server runs as root, and can therefore
> > access anything, or if it can't access local files unless it is given a
> > password somehow. The smbpasswd(5) and smbpasswd(8) man pages, and
> > everything else I've read, seem to assume that whoever is reading them
> > already knows the answers to these questions.

> From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
> 
> The Samba server never sees the plaintext password. The
> Samba password is a one-way hashed version of the plaintext
> password, that is all Samba needs to do its
> challenge-response authentication. If Samba is a domain
> member, it does not even have the hash, it has nothing but
> trusts the domain controller to have it and check it
> properly.
> 
> What file system is this? If it happens to be AFS, then
> there's the fake_kaserver functionality. The basic trick is
> that this makes the file server the KDC. A blatant violation
> of any security policy, but that's the only way.

You completely misunderstood my question. I'm asking something much simpler
and more basic than all that. What's an SMB password for, and how does it
relate to a Unix password?

Here's the situation. I have a directory on a machine, and the files in it
are created by a service which runs as root, so the files are owned by root
and only locally accessible to root. I need to make this directory
accessible to ANY remote client who knows a particular password. Do I have
to tell the client the root password, so that the client can tell the Samba
server the password needed to access the files? Or does Samba run as root
and have access to everything anyway? If the former, is the SMB password the
same as the Unix password needed to access the files, programmed into the
Samba server so that the client doesn't have to supply it? If the latter, is
the SMB password a completely independent password that Samba uses to grant
access?

Nothing in the docs gives me a clue how this works. It all seems to be
written by and for people who've been working with networking since the
Stone Age, and already know all the mechanisms and issues. My only involvement
with networking over the years has been as a user, who is given a user name
and a password to access various network services. How that maps to what's
going on in the Samba server is a complete mystery to me. But now I need to
set up a simple server with one file share, as described above. Some of the
docs imply that the client must supply a password that matches a password on
one of the local Unix user accounts (or in some remote password server). Yet
then there's this talk about an SMB password. I don't see where that fits
in.

Is my question clearer now?

-- 

Ciao,               Paul D. DeRocco
Paul                mailto:pderocco at ix.netcom.com 
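
The challenge-response idea from the quoted reply, as an added sketch that is not part of the original message and is not Samba's code: the server keeps only a one-way hash per user and checks a response computed over a fresh challenge, so the plaintext password never reaches it. SHA-256 and HMAC are stand-ins chosen for this sketch (not the algorithms SMB uses), and the user name and passwords are constructed.

```python
import hashlib
import hmac
import os

def one_way_hash(password: str) -> bytes:
    # Stand-in hash for this sketch (assumption); not Samba's actual algorithm.
    return hashlib.sha256(password.encode("utf-8")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    # The client hashes the typed password locally and keys a MAC over the
    # server's challenge with it; only this response crosses the network.
    return hmac.new(one_way_hash(password), challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.stored = {}   # user -> hash only (the role an smbpasswd entry plays)
        self.pending = {}  # user -> outstanding challenge, valid for one attempt

    def set_password_hash(self, user: str, pw_hash: bytes) -> None:
        self.stored[user] = pw_hash

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)  # fresh random challenge per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consume: a challenge is single use
        pw_hash = self.stored.get(user)
        if nonce is None or pw_hash is None:
            return False
        expected = hmac.new(pw_hash, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    server = Server()
    server.set_password_hash("shareuser", one_way_hash("constructed-pass-1"))
    c1 = server.challenge("shareuser")
    good = client_response("constructed-pass-1", c1)
    first = server.verify("shareuser", good)
    server.challenge("shareuser")
    replayed = server.verify("shareuser", good)  # old response, new challenge
    c3 = server.challenge("shareuser")
    wrong = server.verify("shareuser", client_response("wrong-guess", c3))
    return {"correct": first, "replayed": replayed, "wrong": wrong}
```

The stored hash is set independently of any Unix account password, which is why the two can differ.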


