Encrypted passwords really necessary for PDC ?
greg at discreet.com
Wed Jan 27 12:27:00 GMT 1999
On 27-Jan-99 FAUCONNET Alain wrote:
> I'm trying to switch our old "share-only" setup of SAMBA to a PDC
> configuration and migrating all our W95 clients to NT/WS, trying to
> make them secure.
> I've spent hours reading the documentation and testing, and a few
> things are still unclear to me :
> - are encrypted passwords really necessary for Samba to be used as a
> PDC ? a few mails I've read here seem to imply that one can run with
> plaintext passwords, but I have been unable to have a NT WS join the
> domain controlled by Samba until I switch on encrypted passwords (yes,
> I have applied the registry patch to the NT 4.0-SP4 WS). If I don't,
> it says "The machine account for this computer either does not exist
> or is not acessible".
Yes. Changing the registry seems to affect user password negotiation only. THe
machine still sends its password encrypted so encryption needs to be on.
> - what release branch is likely to give me the most usable PDC code ?
> I've found out that SAMBA_2_0 is the branch that seems to get all the
> recent CVS commits. The "default" branch (is that the same as HEAD ?)
> appears to have older versions of many source files, so I'm a bit
> lost. Is 2.1-prealpha accessible to common mortals like myself ? If
> so, what release branch id should be specified ?
HEAD branch = default branch = 2.1 prealpha. It is very quiet right now because
everyone is resting after the 2.0 release. 2.0 has all the basic PDC stuff but
PDC is not supported in thatr version. The CVS code has all the domain group
mapping and trust relationship stuff, and all the rpc stuff. I like it it
mostly works for me.
> - if I use encrypted passwords, Samba will only get those from
> smbpassword and not from Unix /etc/passwd or NIS map, right ? How can
> I "copy" my user's passwords from the NIS map to smbpasswd ? I've read
> things along the lines of "running for a while with cleartext
> passwords" on this list but I don't get it yet.
There is no way to take passwords from the passwd file and put them in the
smbpasswd file. They are both implemented with one way hashes. What you are
referring to is a mode which will authenticate against passwd but at the same
time it will create an encrypted password in the smbpasswd file. After a while
everyone will have a valid entry in the smbpasswd file and you can then turn on
full encryption. The options to collect the passwords are
encrypt passwords = No
update encrypted = Yes
then you turn on encryption with
encrypt passwords = Yes
update encrypted = No
Hope this helps,
> Many thanks for your help,
> Alain FAUCONNET Ingenieur systeme/System Administrator AP-HP/SIM
> Public Health 91 bld de l'Hopital 75013 PARIS FRANCE
> Medical Computing Research Labs Mail: af at biomath.jussieu.fr
> Tel: (+33) (0)1-40-77-96-19 Fax: (+33) (0)1-45-86-80-68
> I've RTFMed. It says: "Refer to your system administrator"
> But... I *am* the system administrator :-]
Just A Guy*
*from discreet logic
greg at discreet.com
More information about the samba-ntdom