CVS update: samba/source/rpc_server

Luke Leighton lkcl at samba.anu.edu.au
Mon Jan 3 07:25:51 EST 2000


Date:	Monday January 3, 19100 @ 7:25
Author:	lkcl

Update of /data/cvs/samba/source/rpc_server
In directory samba:/data/people/lkcl/samba-tng/source/rpc_server

Modified Files:
      Tag: SAMBA_TNG
	srv_netlog.c 
Log Message:
ok.  the smb-fileserver-only saga continues.

noticed that there is an "update encrypted" option, and assumed that this
was a "migrate passwords" option.

on this basis, i didn't want "encrypt passwords = no", "security = user/share"
"update encrypted = no" to be dependent on dce/rpc NETLOGON services,
but i ALSO didn't want "update encrypted = yes" to have to write to
the smbp passwd interface, i'm trying very hard to get rid of that.

so, under the circumstances where "update enc = yes", but "enc pwd = no",
i decided to add a "General" Logon type info level (4) to NetrSamLogon,
client and server side.  this passes a CLEARTEXT password across the
\PIPE\NETLOGON on loop-back (which still requires a trust account
password, which i MAY change to use to encrypt the cleartext password
anyway).  i have no idea what a _real_ general Logon type actually
looks like, and i couldn't care less at this stage because it's used
on loop-back.

when "update enc = yes" and "enc pwd = no", nt clients are told to send
cleartext passwords.  these are sent over a General Logon on loop-back;
the netlogon daemon receives them, does a *unix* password check, and
*also* does an update encrypted password.

this is a reasonable compromise.  if you're not intending to migrate
to smb passwords, you don't need to run "update encrypted".  all it
means is that you would have to run the netlogon daemon a little
bit earlier.  normally, you would have to start the netlogon daemon
when switching to "enc pwd = yes", but instead you have to start it on
"update enc = yes".

big deal :)

the only thing that bothers me is that i thought "update encrypted" was
actually "migrate passwords", so unless the smbpasswd entry is already
in there, the general login fails because there is still a requirement
to have an smbpasswd entry in netlogon daemon.  doesn't matter at the
moment.

next stage, password changing.  replace all password changes in
smbd/lanman.c and anywhere else i can find them with samr_change_user_passwd
instead.


