Must a Samba PDC use encrypted passwords?

Gerald Carter cartegw at Eng.Auburn.EDU
Tue Jun 9 19:59:40 GMT 1998

Andy Smith wrote:
> I am migrating UNIX NIS users to NT at a rate of about 5 per week for
> the next 3 months, I could really do with a strategy to automate it.
> I've read as much as I can find, but I still can't see how to use this
> in my particular situation  :-

It may not help you here.  See my comments at the end.

> I have a samba PDC (security = user) several samba domain clients
> (security = domain) and an armful of NT4/sp3 desktops.  If I set
> encryption = no and 'update encrypted' on the PDC, I have to visit
> every existing NT4 desktop to tweak the registry to use cleartext, or
> all the current users (71 so far) will fail to log in won't they?  I
> already assumed that I missed that boat.

Not if you edit the registry remotely.  There are several ways to do
this.  If you have a domain admin account, then that simplifies things
immensely.  Use regedit.exe and connect remotely and import the
EnablePlainTextPassword setting.

> So, have I misinterpreted 'migration' completely, and you mean 
> migrating existing samba users? (all my samba users are first timers)  
> Or have I missed something that allows me to have the samba domain 
> clients culling hashes?

Here's what I was thinking.  It really had more to do with migrating
accounts from an NT PDC than NIS.  The migration itself is designed to
work with current Samba / Win95 users or possibly NT domain users.
Could also work if your NT boxes are sending clear text ( and hence the
users are being annoyed by having to enter the password for every first
connection to a different samba server ).

My idea was to have a samba server that was set to "security = server"
and the NT clients had the plaintext passwd enabled.  During the login
script to the NT controlled domain, a share would be mapped from the
samba server which would validate against the NT PDC. Since the user had
already logged into the domain, this would succeed and the Samba server
would put an encrypted version of the user's passwd in

This sort of strategy assumes a couple of things.  

1.	The password is sent in clear text to the samba server.  I am 
	not sure if this is the case using the "passwd server" option.  
	I am guessing it is.

2.	All users already have accounts on the NT PDC.

Make any more sense?

Corrections welcome as always, :)
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at   

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
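
The staged migration discussed in this thread (accept cleartext logins with 'update encrypted' on, then turn encryption on once the hashes are collected) leaves a server accepting cleartext passwords if the second step is never taken. An added example, not part of the original post: a Python check that classifies an smb.conf by migration stage. The stage names, the sample configs and the encrypt_default argument are assumptions of this example.

```python
import re

# Constructed sample configs (not from the thread).
COLLECTING = """
[global]
   security = user
   encrypt passwords = no
   update encrypted = yes
"""
FINISHED = """
[global]
   security = user
   Encrypt Passwords = yes
   ; update encrypted = yes
"""

def parse_global(conf_text):
    """Return [global] params; names lower-cased, whitespace removed (as Samba compares them)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def as_bool(value, default):
    if value is None:
        return default
    if value not in ("yes", "true", "1", "no", "false", "0"):
        raise ValueError(f"not a boolean: {value!r}")
    return value in ("yes", "true", "1")

def migration_stage(conf_text, encrypt_default=False):
    """Classify the server; encrypt_default is what an absent
    'encrypt passwords' means on the Samba release in use (assumption)."""
    g = parse_global(conf_text)
    encrypt = as_bool(g.get("encryptpasswords"), encrypt_default)
    update = as_bool(g.get("updateencrypted"), False)
    if encrypt:
        return "encrypted-leftover-update" if update else "encrypted"
    return "collecting" if update else "plaintext"

if __name__ == "__main__":
    print(migration_stage(COLLECTING), migration_stage(FINISHED))
```

A result of `collecting` or `plaintext` after the migration window has closed means the server still accepts cleartext passwords.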
