Two stage login

Andrew Tridgell tridge at samba.org
Wed Feb 14 12:38:14 GMT 2001


> > Is it possible (in protocol) to use first encrypted password and if
> > authorization fail use plain password?
> 
> Nope.  The encryption enabled bit is set in the negprot response
> sent from the server.  The SMBsessetup comes after this which
> is where either the clear text or 24 byte response goes.   So you
> would need to tear down the connection and reissue a negprot 
> request and get the server to not set this bit the second time.

actually, the client can do this. That bit from the server is the
"encryption supported" bit and the server is supposed to honour
non-encrypted passwords if the client sends them. So the client can
send an encrypted password then if it fails it can send a non-encrypted
one.

It doesn't gain us anything though. The MS clients don't do this, so
for Samba as a server it is useless, and when Samba is the client it's
useless because if the client knows the plain text password then the
encryption try won't fail (as it's a simple mapping from plain text to
encrypted).

Cheers, Tridge
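
The exchange described above, as an added example that is not part of the original post or of Samba's own code: the client computes the 24-byte LM challenge response from the plain text and tries it first, falling back to clear text if the server rejects it. The LM hash and response computation is the real mapping (Go's standard crypto/des, test vector from MS-NLMP); the Server type, its plaintext store, the "tridge" account and the challenge bytes are constructed for the demo and are assumptions, not Samba behaviour.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed block the LM hash encrypts under the password-derived keys.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits across 8 bytes; the low bit of each byte is
// the DES parity bit, which crypto/des ignores.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0],
		k[0]<<7 | k[1]>>1,
		k[1]<<6 | k[2]>>2,
		k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4,
		k[4]<<3 | k[5]>>5,
		k[5]<<2 | k[6]>>6,
		k[6] << 1,
	}
}

// desEncrypt7 encrypts one 8-byte block under a 7-byte LM-style key.
func desEncrypt7(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err) // only reachable on a wrong key length, which cannot happen here
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash is the LAN Manager one-way function: uppercase, zero-pad/truncate to
// 14 bytes, DES-encrypt the magic block under each 7-byte half.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	return append(desEncrypt7(p[:7], lmMagic), desEncrypt7(p[7:], lmMagic)...)
}

// LMResponse is the 24-byte SMBsessetup field: the 16-byte hash zero-padded to
// 21 bytes, split into three 7-byte DES keys, each encrypting the 8-byte
// challenge the server sent in its negprot response.
func LMResponse(hash16, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash16)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt7(k[i:i+7], challenge)...)
	}
	return resp
}

// Server is a toy (assumed, not Samba's) SMB server: it keeps plaintext
// passwords so it can derive the LM hash on demand, and may set the
// "encrypted passwords" bit in its negprot response.
type Server struct {
	EncryptBit bool
	Challenge  []byte
	Passwords  map[string]string
}

// Negprot models the negotiate-protocol response: the encryption bit plus the
// 8-byte challenge a client uses for the 24-byte response.
func (s *Server) Negprot() (encryptBit bool, challenge []byte) {
	return s.EncryptBit, s.Challenge
}

// SessionSetup models SMBsessetup. With the bit set, a 24-byte password field
// is checked as an LM response; anything else is compared as clear text, which
// this server honours even though it advertised encryption.
func (s *Server) SessionSetup(user string, password []byte) bool {
	stored, ok := s.Passwords[user]
	if !ok {
		return false
	}
	if s.EncryptBit && len(password) == 24 {
		return bytes.Equal(password, LMResponse(LMHash(stored), s.Challenge))
	}
	return string(password) == stored
}

// TwoStageLogin is the client side described in the post: send the 24-byte
// response first if the server set the bit, fall back to clear text only if
// that fails. It reports which stage succeeded.
func TwoStageLogin(s *Server, user, password string) string {
	encBit, challenge := s.Negprot()
	if encBit && s.SessionSetup(user, LMResponse(LMHash(password), challenge)) {
		return "encrypted"
	}
	if s.SessionSetup(user, []byte(password)) {
		return "plaintext"
	}
	return "failed"
}

func main() {
	// Constructed demo data, not a capture from any real server.
	srv := &Server{
		EncryptBit: true,
		Challenge:  []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef},
		Passwords:  map[string]string{"tridge": "password"},
	}
	fmt.Println("LM hash:          ", hex.EncodeToString(LMHash("password")))
	fmt.Println("right password:   ", TwoStageLogin(srv, "tridge", "password"))
	fmt.Println("wrong password:   ", TwoStageLogin(srv, "tridge", "letmein"))
	srv.EncryptBit = false
	fmt.Println("no encryption bit:", TwoStageLogin(srv, "tridge", "password"))
}
```

Running it shows the point in the post: a client holding the right plain text always passes at the encrypted stage, so the clear-text fallback never fires, and a client holding the wrong plain text fails both stages. The one case where the stages diverge is case: LM uppercases before hashing, so a password typed with the wrong case passes the encrypted stage and would have failed the clear-text one, which is the opposite of the fallback helping.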