Encrypted passwords really necessary for PDC ?

Todd Pfaff todd at edge.cis.McMaster.CA
Wed Jan 27 22:48:57 GMT 1999


I've attached a perl script that I wrote to build smbpasswd from
/etc/passwd.  Please note that this writes a samba-2.0 format smbpasswd
file.

This script will:

# - create accounts that exist in /etc/passwd and not in smbpasswd
# - remove accounts that exist in smbpasswd and not in /etc/passwd
# - preserve existing password, flags and LCT fields in smbpasswd
# - set new account passwords to locked (all Xs)
# - put a W in the smbpasswd flag field of machine accounts
#   (ie. any account ending in $)
# - put a U in the smbpasswd flag field of user accounts

My smbpasswd server is also my NIS master server so I call this script
from my yp Makefile using this rule:

smbpasswd.time: passwd.time
        @echo 'building smbpasswd file';
        @/usr/local/samba/private/buildsmbpasswd;
        @touch smbpasswd.time; 

So the process to create a new user or machine account is:

- create unix account
- set unix password
- run yp make
- set smbpasswd


On Thu, 28 Jan 1999, Andrew Perrin - Demography wrote:

> Date: Thu, 28 Jan 1999 03:31:32 +1100
> From: Andrew Perrin - Demography <aperrin at demog.Berkeley.EDU>
> To: Multiple recipients of list <samba-ntdom at samba.org>
> Subject: Re: Encrypted passwords really necessary for PDC ?
> 
> WRONG -- mksmbpasswd only creates the file, but puts blank passwords in
> it. As has been pointed out multiple times on this list and elsewhere,
> there is no way to morph an /etc/passwd file into an smbpasswd file. You
> have to set up one or another hack for keeping them in sync.
> 
> ---------------------------------------------------------------------
> Andrew J. Perrin - aperrin at demog.berkeley.edu - NT/Unix Admin/Support
> Department of Demography    -    University of California at Berkeley
> 2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA
> http://demog.berkeley.edu/~aperrin --------------------------SEIU1199
> 
> On Thu, 28 Jan 1999, Ingo Kley wrote:
> 
> > > Subject:       Encrypted passwords really necessary for PDC ?		
> > 
> > 
> > > Hello,
> > 
> > > I'm trying to switch our old "share-only" setup  of  SAMBA  to  a  PDC
> > > configuration  and  migrating  all our W95 clients to NT/WS, trying to
> > > make them secure.
> > [...]
> > > - if I use  encrypted  passwords,  Samba  will  only  get  those  from
> > > smbpassword and not from Unix /etc/passwd or NIS map, right ? How can
> > > I "copy" my user's passwords from the NIS map to smbpasswd ? I've read
> > > things  along  the  lines  of  "running  for  a  while  with cleartext
> > > passwords" on this list but I don't get it yet.
> > > >
> > 
> > Hello,
> > 
> > it works like this:
> > cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd
> > After this, the new file smbpasswd includes the passwords.
> > 
> > If you are running NIS try this:
> > ypcat passwd  | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd 
> > 
> > Bye
> > Ingo Kley
> > Westerfeldstr. 140B
> > 33613 Bielefeld
> > 
> > Tel 0521/986843
> > 
> 

--
Todd Pfaff                         \  Email: pfaff at mcmaster.ca
Computing and Information Services  \ Voice: (905) 525-9140 x22920
ABB 132                              \  FAX: (905) 528-3773
McMaster University                   \
Hamilton, Ontario, Canada  L8S 4M1     \
-------------- next part --------------
#!/usr/local/bin/perl
#
# build the smbpasswd file from the /etc/passwd file.
#
# - create accounts that exist in /etc/passwd and not in smbpasswd
# - remove accounts that exist in smbpasswd and not in /etc/passwd
# - preserve existing password, flags and LCT fields in smbpasswd
# - set new account passwords to locked (all Xs)
# - put a W in the smbpasswd flag field of machine accounts
#   (ie. any account ending in $)
# - put a U in the smbpasswd flag field of user accounts
#
# Todd Pfaff
# pfaff at mcmaster.ca

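use strict;

my $passwd="/etc/passwd";
my $smbpasswd="/usr/local/samba/private/smbpasswd";
my $osmbpasswd="$smbpasswd.old";

# smbpasswd holds password hashes, so create the rebuilt file
# readable and writable by its owner only
umask 077;

# read the unix accounts; die on failure, because continuing with an
# empty list would remove every account from smbpasswd
my @pw;
open(PW,"<",$passwd) or die "cannot read $passwd: $!\n";
while(<PW>) {
  chomp;
  push @pw, $_;
}
close PW;

# keep the current file as smbpasswd.old (there is none on the first run)
if(-e $smbpasswd) {
  rename($smbpasswd, $osmbpasswd) or die "cannot rename $smbpasswd: $!\n";
}

# index the old entries by account name
my %spw;
if(-e $osmbpasswd) {
  open(PW,"<",$osmbpasswd) or die "cannot read $osmbpasswd: $!\n";
  while(<PW>) {
    chomp;
    my ($uname)=split(':');
    $spw{$uname}=$_;
  }
  close PW;
}

# write one smbpasswd line per unix account
open(PW,">",$smbpasswd) or die "cannot write $smbpasswd: $!\n";
foreach my $account (@pw) {
  my ($uname,$pw,$uid,$gid,$fname,$dir,$shell)=split(':',$account);
  # defaults for a new account: locked password fields (all Xs)
  my $pw1="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
  my $pw2="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
  my $flags;
  if(substr($uname,-1) eq "\$") {
    $flags="[W          ]";   # machine account
  }
  else {
    $flags="[U          ]";   # user account
  }
  my $lct="LCT-00000000";
  # existing account: preserve its password, flags and LCT fields
  if($spw{$uname}) {
    (undef,undef,$pw1,$pw2,$flags,$lct)=split(':',$spw{$uname});
  }
  printf(PW "%s:%s:%s:%s:%s:%s:%s:\n",$uname,$uid,$pw1,$pw2,$flags,$lct,$fname);
}
close(PW) or die "cannot finish writing $smbpasswd: $!\n";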
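
An added example, not part of the original message or of Samba: a Python check that compares /etc/passwd with a samba-2.0 format smbpasswd and lists accounts that are missing, orphaned, still locked (all Xs), stored with the NO PASSWORD marker described in smbpasswd(5), or carrying the wrong U/W flag. The function names, the sample accounts and the placeholder hash are constructed for illustration.

```python
LOCKED = "X" * 32              # what the script above writes for a new account
NULL_PREFIX = "NO PASSWORD"    # blank-password marker described in smbpasswd(5)

def parse_smbpasswd(text):
    """Parse samba-2.0 lines: name:uid:LM:NT:[flags]:LCT-xxxxxxxx:..."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 6:
            continue
        name, uid, lm, nt, flags = fields[:5]
        entries[name] = {"uid": uid, "lm": lm, "nt": nt,
                         "flags": flags.strip("[] ")}
    return entries

def audit(passwd_text, smbpasswd_text):
    """Return sorted account names for each kind of finding."""
    unix = {f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[0]}
    smb = parse_smbpasswd(smbpasswd_text)
    report = {"missing": sorted(unix - set(smb)),     # build script not run yet
              "orphaned": sorted(set(smb) - unix),    # unix account was removed
              "locked": [], "no_password": [], "wrong_flag": []}
    for name in sorted(unix & set(smb)):
        e = smb[name]
        if e["lm"] == LOCKED and e["nt"] == LOCKED:
            report["locked"].append(name)        # "set smbpasswd" step pending
        if e["lm"].startswith(NULL_PREFIX) or e["nt"].startswith(NULL_PREFIX):
            report["no_password"].append(name)   # blank password entry
        if ("W" if name.endswith("$") else "U") not in e["flags"]:
            report["wrong_flag"].append(name)    # machine/user flag is off
    return report

# Constructed sample input; H is a placeholder, not a real hash.
H = "0123456789ABCDEF0123456789ABCDEF"
NULL = NULL_PREFIX + "X" * 21
SAMPLE_PASSWD = "\n".join(
    f"{n}:x:{u}:100:{n}:/home/{n}:/bin/sh"
    for n, u in [("alice", 1001), ("bob", 1002), ("carol", 1003),
                 ("dave", 1004), ("ws01$", 2001)])
SAMPLE_SMBPASSWD = "\n".join([
    f"alice:1001:{H}:{H}:[U          ]:LCT-36AF8F31:alice:",
    f"bob:1002:{LOCKED}:{LOCKED}:[U          ]:LCT-00000000:bob:",
    f"carol:1003:{NULL}:{NULL}:[U          ]:LCT-00000000:carol:",
    f"ws01$:2001:{H}:{H}:[U          ]:LCT-36AF8F31:ws01$:",
    f"erin:1005:{H}:{H}:[U          ]:LCT-36AF8F31:erin:",
])

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_PASSWD, SAMPLE_SMBPASSWD).items():
        print(f"{finding:12} {', '.join(names) or '-'}")
```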


