passwords

Michael S. Hulet hulet at ittc.ukans.edu
Thu Mar 23 15:09:12 GMT 2000


You disable encrypted passwords on one of your workstations and make new
users log into that machine.  You can also have a unique
smb.conf.unsafe_machine configuration that has update encrypted = yes,
OR you can set up a secure website, behind a firewall, accessible only from
your local network, etc., where users can change their passwords.  We have a
button for NT (samba), unix, or both.  It uses their unix password for
authentication so you can make the samba password whatever you want.  The
web idea was suggested on this list a couple of years ago.  Since almost
anyone can navigate a web page, it works for us.

Sorry Luke, I haven't tracked the /etc/group thing down on the DEC Alpha
4.0D but I've been busy with a billion other things.  Good thing, since
samba-tng-alpha.1.2 is already out.  You write code faster than I can
compile.

Michael Hulet
Network System Administrator
ITTC, University of Kansas


On Thu, 23 Mar 2000, Sander Striker wrote:

> >On Thu, 23 Mar 2000, Sander Striker wrote:
> >
> >> Hmmm, interesting point. Let's do some creative thinking.
> >> Is there a way to set the password in smbpasswd (or the
> >> samr db) the first time a user ever logs in? Meaning that
> >> if a user is marked [first time user], his password is
> >> checked in an alternative way(using pam?), and setting the
> >> password to this value if it is correct. Luke?
> 
> >> There is a transitional phase parameter built into samba
> >> [...]
> 
> >added to samba at least 2 years ago: update encrypted password in
> >smb.conf. It means you have to disable encrypted password on the windows
> >box as you need the clear text password to check against anything other
> >than the NT/LM hashes.
> 
> Yep, that was what I was thinking about, or at least trying to remember.
> It is still enabled then. Might be an option.
> I think however that disabling encryption in the clients is considered
> more of a hassle. People tend to loosen their security policy for a
> 'short' interval if they can get away with temporary centralized
> modifications, i.e. on the server. :-)
> This gave me another idea though, which isn't very nice, but could/would
> do the trick. Whenever the 'first time user' (which has of course to be
> defined and not disabled) logs in, the NT/LM hash is stored and used
> for further reference. This is a major security risk and should be done
> in a controlled environment. Also the time window for this should be very
> limited. If you don't trust everyone/anyone you can put the newly set hashes
> in a queue for nightly evaluation (or any other (idle) time for that
> matter), to crack the hash and check the password against /etc/passwd or
> equivalent.
> You would have to find a tool that does this for you... or write one :-)
> 
> Hmmm, there was something in this department some time ago on samba-tech,
> let's see:
> 
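
The "unique smb.conf.unsafe_machine" approach from Michael's message and the "update encrypted" parameter quoted from the earlier thread, written out as smb.conf fragments. This is an added example, not configuration from the list or from the Samba project; it assumes Samba's per-client "config file = ...%m" substitution, the file paths /etc/samba/smb.conf and /etc/samba/smbpasswd, a migration workstation whose NetBIOS name Samba substitutes as "unsafe_machine", and a constructed client address 192.0.2.10 from the RFC 5737 documentation range.

```ini
# /etc/samba/smb.conf  (main configuration; path assumed)
[global]
   # Constructed workgroup name.
   workgroup = EXAMPLE
   security = user
   # Ordinary clients authenticate only with the NT/LM hashes held in
   # smbpasswd; no cleartext password is ever accepted from them.
   encrypt passwords = yes
   update encrypted = no
   smb passwd file = /etc/samba/smbpasswd
   # Samba substitutes the client's NetBIOS name for %m and, if that file
   # exists, reloads the entire configuration from it. Only the single
   # migration workstation has such a file.
   config file = /etc/samba/smb.conf.%m

# /etc/samba/smb.conf.unsafe_machine  (only the migration workstation,
# assumed NetBIOS name "unsafe_machine", ever receives this configuration)
[global]
   workgroup = EXAMPLE
   security = user
   # This client sends its password in the clear. Samba checks it against
   # the unix password and, on success, writes the user's NT/LM hashes
   # into smbpasswd, which is what "update encrypted" exists for.
   encrypt passwords = no
   update encrypted = yes
   smb passwd file = /etc/samba/smbpasswd
   # Cleartext passwords cross the wire to this server, so accept SMB
   # sessions under this configuration only from that one host
   # (constructed address) and delete the file once migration is done.
   hosts allow = 192.0.2.10
   hosts deny = ALL
```

Both files repeat the same global settings because a file named by "config file" replaces the running configuration rather than extending it. The workstation itself still has to be told to send plaintext SMB passwords, which is the "disable encrypted passwords on one of your workstations" step in the message above; once every new user has logged in there at least once, the smb.conf.unsafe_machine file is removed and the server is back to accepting hashed authentication only.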