Encrypted Passwords & Restricting Logon Attempts

Steve Langasek vorlon at netexpress.net
Wed Nov 27 15:16:55 GMT 2002

On Wed, Nov 27, 2002 at 08:51:44AM -0600, Jim Morris wrote:

> >It would also prevent domain logons, and exposes bugs in other parts of
> >Microsoft's client.

> The domain in this case is controlled by Samba. Most of the clients are 
> Windows 95/98 clients, and testing with Windows 98 seems to show that 
> it can do a 'domain logon'. For the record, I know that this is not 
> quite the same as the domain logon that Windows 2000 or NT clients will 
> do, and I have yet to test one of those clients.  (I spent a LOT of 
> time working through the domain logon stuff a couple of years ago when 
> working on those chapters of 'Special Edition, Using Samba' with 
> Richard Sharpe).  Anyway, I would only consider this switch to 
> plaintext passwords a temporary measure while I come up with something 
> better.

With Win95/98 it might not be such an issue.  If you have any member
servers in your domain, it IS an issue, because the only way to get
recent versions of Windows to negotiate plaintext auth is for the server
to say it does NOT support encrypted passwords, and a server that doesn't
support encrypted passwords cannot be a DC.

There really is no way to do this with PAM that will work for most
people.  You'd need some other sort of hook into the Samba authentication
system to achieve the effect.  PAM is not suitable, because the
authentication can't be handed off to PAM, and nothing in PAM will know
the result of this authentication unless PAM *performed* the

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20021127/29a661a7/attachment.bin

More information about the samba-technical mailing list