[Samba] how safe is "net use" in a batch file? plus some encryption questions

Stefan G. Weichinger lists at xunil.at
Sat Nov 11 10:02:31 UTC 2017


A customer asked me if someone would be able to sniff (wireshark or 
something like that) a password if plugging into the same switch as 
their samba server.

They use a desktop icon pointing at a plain old bat-file containing a 
"net use" command with the password right in there.

I *assume* that the "net use" authenticates via encrypted communication? 
Could someone confirm that?

-

Unfortunately we can't use domain context there because of the special 
structure there: the thin clients are members in an AD domain separate 
from our protected standalone samba server (and these worlds have to be 
kept separated).

*And* I have to keep NTLMv1 etc. activated to support old Windows XP VMs 
... as far as I remember there are ways to activate safer protocols for 
XP as well, correct? (they insist on XP because of a specific software ...)

-

They also ask for encryption. I think I could encrypt the underlying 
layer via encfs or something, but that means that somebody has to 
provide a passphrase at boot/mount-time. I want to avoid a 
single-person-of-failure-scenario here: even if I am not available they 
have to be able to get that server up and running again in case of some 
reboot or so.

Is it recommended to just place a container like Truecrypt or Veracrypt 
inside a Samba-share? Any thoughts or recommendations here, best 
practices ... ?

Have a nice weekend,
Stefan


