Summary of [Re: Default encrypted passwords = yes?]

Andrew Bartlett abartlet at pcug.org.au
Fri Sep 28 17:14:02 GMT 2001


Jay Ts wrote:
> 
> >
> > On Thu, 27 Sep 2001, Jay Ts wrote:
> >
> > > - documentation: make sure it is clear to new admins that
> > >   encrypted passwords need to be used unless there are
> > >   "legacy" Win95, WinNT or older systems on the net.
> >
> > Sorry. This is one of my pet peeves.  All MS clients
> > can use NTLMv1.
> 
> I apologize if I touched a sore nerve.  I wasn't writing
> as clearly as I could have (or maybe I simply don't know
> what I'm talking about! ;-)  What I meant was that encrypted
> passwords are used _by_default_ in the contemporary Windows
> releases, and so it is necessary to configure Samba for them.
> I am calling Win95 and WinNT "legacy" because Win95 is getting
> severely old, and WinNT 4.0, although still useful, really (= IMO ;-)
> should be patched with a Service Pack that includes Y2K fixes,
> all of which (SP 4-6) include the encrypted password update,
> same as in SP3.  (So "legacy NT" here means NT 4.0 SP2 or earlier.)
> 
> That is correct, or am I missing something?  To get newer
> Windows releases to use the NTLMv1 system, is that the
> same (identical) as needing to change the registry to
> enable plaintext passwords?  Or is there something different
> here that you are referring to?  ** slightly confused **

Older Windows releases would downgrade a connection to plaintext if
requested; new releases require a registry hack to enable this
downgrade.

> Somewhere in here my point is that _new_admins_ shouldn't
> be directed to make registry changes to enable plaintext
> passwords unless they really, really have to, to support
> those older Windows/DOS versions.  I think a much better
> documentation strategy would be to point them to the service
> pack or other update that will enable encrypted passwords,
> and only use the registry mods as a last-resort fallback.

Back to *very* early versions of the protocol, encrypted passwords are
supported, and even then my AuthRewrite code allows them to be
'encrypted' on the server, and compared as if the client was indeed
encrypting.
 
> Any argument there?  Because if there is, I must be missing
> something really basic, and I'd like to know what...
> 
> - Jay Ts
> jayts at iname.com

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
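
As an added example (not part of the original message, and not Samba code): a small audit that reports the effective `encrypt passwords` value in the `[global]` section of an smb.conf. The function names and the sample config are constructed for illustration, and the build default is passed in as an argument because that default is what this thread debates.

```python
import re

# Boolean spellings documented for smb.conf: yes/no, true/false, 1/0
BOOL = {"yes": True, "true": True, "1": True,
        "no": False, "false": False, "0": False}

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Join lines ending in a backslash; drop blank lines and ;/# comments."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line and line[0] not in ";#":
            yield line

def encrypt_passwords(text, default):
    """Return the effective [global] 'encrypt passwords' setting.

    `default` is the value the Samba build uses when the parameter is absent
    (an assumption supplied by the caller). The last assignment wins; a
    non-boolean value raises KeyError instead of being guessed at.
    """
    section, value = None, default
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if norm(key) == "encryptpasswords":
                value = BOOL[val.strip().lower()]
    return value

# Constructed sample config, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Encrypt  Passwords = No
[homes]
   encrypt passwords = yes
"""

if __name__ == "__main__":
    if not encrypt_passwords(SAMPLE, default=True):
        print("WARNING: [global] accepts plaintext passwords")
```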



