Encrypted passwords really necessary for PDC ?

Greg Dickie greg at discreet.com
Wed Jan 27 12:27:00 GMT 1999

Bonjour Alain,

On 27-Jan-99 FAUCONNET Alain wrote:
> Hello,
> I'm trying to switch our old "share-only" setup  of  SAMBA  to  a  PDC
> configuration  and  migrating  all our W95 clients to NT/WS, trying to
> make them secure.
> I've  spent  hours  reading  the  documentation and testing, and a few
> things are still unclear to me :
> - are encrypted passwords really necessary for Samba to be used  as  a
> PDC  ? a  few mails I've read here seem to imply that one can run with
> plaintext  passwords,  but I have been unable to have a NT WS join the
> domain controlled by Samba until I switch on encrypted passwords (yes,
> I have applied the registry patch to the NT 4.0-SP4 WS). If  I  don't,
> it says "The machine account for this computer either does  not  exist
> or is not acessible".

Yes. Changing the registry seems to affect user password negotiation only. THe
machine still sends its password encrypted so encryption needs to be on.

> -  what release branch is likely to give me the most usable PDC code ?
> I've  found out that SAMBA_2_0 is the branch that seems to get all the
> recent CVS commits. The "default" branch (is that the same as HEAD  ?)
> appears to have older versions of many source  files,  so  I'm  a  bit
> lost.  Is  2.1-prealpha  accessible to common mortals like myself ? If
> so, what release branch id should be specified ?

HEAD branch = default branch = 2.1 prealpha. It is very quiet right now because
everyone is resting after the 2.0 release. 2.0 has all the basic PDC stuff but
PDC is not supported in thatr version. The CVS code has all the domain group
mapping and trust relationship stuff, and all the rpc stuff. I like it it
mostly works for me.

> - if I use  encrypted  passwords,  Samba  will  only  get  those  from
> smbpassword and not from Unix /etc/passwd or NIS map, right ? How can
> I "copy" my user's passwords from the NIS map to smbpasswd ? I've read
> things  along  the  lines  of  "running  for  a  while  with cleartext
> passwords" on this list but I don't get it yet.

There is no way to take passwords from the passwd file and put them in the
smbpasswd file. They are both implemented with one way hashes. What you are
referring to is a mode which will authenticate against passwd but at the same
time it will create an encrypted password in the smbpasswd file. After a while
everyone will have a valid entry in the smbpasswd file and you can then turn on
full encryption. The options to collect the passwords are

encrypt passwords = No
update encrypted = Yes

then you turn on encryption with

encrypt passwords = Yes
update encrypted = No

Hope this helps,

> Many thanks for your help,
> _Alain_
> --
> Alain FAUCONNET  Ingenieur systeme/System Administrator   AP-HP/SIM
> Public Health                91 bld de l'Hopital 75013 PARIS FRANCE
> Medical Computing Research Labs         Mail: af at biomath.jussieu.fr
> Tel: (+33) (0)1-40-77-96-19             Fax: (+33) (0)1-45-86-80-68
>     I've RTFMed. It says: "Refer to your system administrator"
>             But... I *am* the system administrator :-]

Greg Dickie
Just A Guy*
*from discreet logic
(514) 954-7171
greg at discreet.com

More information about the samba-ntdom mailing list