plaintext to smbpasswd

Andrew Bartlett abartlet at
Sat Aug 4 09:40:15 GMT 2001

Tim Potter wrote:
> I notice that in Andrew Bartlett's authentication the default for
> the 'plaintext to smbpasswd' parameter is False.  I'm just
> wondering whether a better default would be to True if 'encrypt
> passwords' is set to True.
> Tim.

I'd better document that:

For the record here, this parameter checks plain text passwords against
smbpasswd, not PAM/shadow.  The only reason not to do this is if PAM is
expected to do something interesting with these passwords, but that
requires 'obey pam restrictions = yes' in any case.  

Furthermore, I'm not sure how it handles clients that sent UPPER case
passwords - win9X :-(.  My guess is that it would generate an invalid
NTLM hash, we would compare that and fail the authentication.  When I
get a chance, I'll look into changing the code to be case insensitive
for the older protocols.  (That is, I will only generate the LM hash,
making us case insensitive).

Changing the default would certainly be the 'path of least suprise' for
new administrators, but changes existing behavior.  Probably worth it
once the bugs are fixed.

Andrew Bartlett

Andrew Bartlett
abartlet at
abartlet at

More information about the samba-technical mailing list