Question about security

Lars Kneschke lkneschke at vater-gmbh.de
Wed Jun 7 09:14:15 GMT 2000


> Someone within my company expressed the following view:
>
> > I was told that Unix servers running SAMBA can display NT passwords in
> > clear text when they provide file sharing services for NT
> > workstations.  Was a determination ever made if we allow this type of
> > system to access the enterprise NT domain controllers?
>
> Can someone clarify this statement?  Here is the [global] section from
> my smb.conf file if that matters at all.  I'm running 2.0.6 on both
> Solaris and HP-UX boxes.
>
> [global]
>         workgroup = DOMAIN
>         security = SERVER
>         password server = ntpdc1
>         os level = 0
>         wins server = ntwins1
>
Just to add my comments! :-)


There is an option

encrypt passwords (G)

This boolean controls whether encrypted passwords will be negotiated with
the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will
by default expect encrypted passwords unless a registry entry is changed. To
use encrypted passwords in Samba see the file ENCRYPTION.txt in the Samba
documentation directory docs/ shipped with the source code.


In order for encrypted passwords to work correctly smbd must either have
access to a local smbpasswd (5) file (see the smbpasswd (8) program for
information on how to set up and maintain this file), or set the security=
parameter to either "server" or "domain" which causes smbd to authenticate
against another server.


(The description is from the man page for smb.conf.)

As you can see, any current Windows version is using encrypted passwords. No
plain text passwords will go over the wire. But this requires an extra file,
because the Unix password system and the Windows password system are
different. You need to update passwords in two files if you use encrypted
passwords.

"Someone's" statement was correct, if you use plain text passwords. But the
Windows workstation delivers these passwords to the Samba server. And if you
use a sniffer and have plain text passwords, anyone can read the passwords.

But the default for any current Windows version is to use encrypted
passwords. If you are in a domain, the Windows workstation must use
encrypted passwords anyway, because the Windows NT PDC wants that.


I hope I didn't write too much, but I think it is important to give people some
background information.

Cu


--

Lars Kneschke
http://www.kneschke.de
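As an added defender-side check (my own example, not code from this thread or from the Samba project), here is a small Python script that reads a Samba 2.0-style smb.conf and reports whether the [global] section would negotiate plain text passwords. It assumes, as with the 2.0.x version in the thread, that an unset `encrypt passwords` means "no"; the sample configs are the poster's [global] section and a constructed copy with the parameter added.

```python
import re

# Constructed sample: the [global] section posted in the thread, verbatim,
# plus the same section with 'encrypt passwords' switched on.
THREAD_GLOBAL = """\
[global]
        workgroup = DOMAIN
        security = SERVER
        password server = ntpdc1
        os level = 0
        wins server = ntwins1
"""
HARDENED_GLOBAL = THREAD_GLOBAL + "        encrypt passwords = yes\n"
TRUE_VALUES, FALSE_VALUES = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}. Samba ignores case
    and whitespace in parameter names, so keys are normalised the same way."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def assess_password_exposure(text, default_encrypt=False):
    """Report whether this smb.conf lets clients send plaintext passwords. An
    unset 'encrypt passwords' means default_encrypt (False assumed: Samba 2.0.x)."""
    g = parse_smb_conf(text).get("global", {})
    raw = g.get("encryptpasswords")
    if raw is None:
        encrypt, source = default_encrypt, "default"
    elif raw.lower() in TRUE_VALUES | FALSE_VALUES:
        encrypt, source = raw.lower() in TRUE_VALUES, "explicit"
    else:
        raise ValueError("bad boolean for 'encrypt passwords': %r" % raw)
    security = g.get("security", "user").lower()  # Samba's default is user
    findings = []
    if not encrypt:
        findings.append("plaintext passwords negotiated: readable on the wire; "
                        "NT4 SP3+/Win98 clients refuse them unless registry-tweaked")
    if security in ("server", "domain") and "passwordserver" not in g:
        findings.append("security=%s but no 'password server' set" % security)
    return {"encrypt_passwords": encrypt, "source": source, "security": security, "findings": findings}
```

Run it against the thread's config and the hardened copy: the first reports the plain text finding because the parameter is absent, the second reports nothing.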
