[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1

yaberger at ca.ibm.com yaberger at ca.ibm.com
Thu May 23 08:09:44 MDT 2013


We are using Samba 3.6.x on AIX.
We use Samba mainly for its file-server feature to share DFS, GPFS and 
JFS2 filesystems.
We need users to authenticate with DCE to be able to access their DFS 
To do so, we buid Samba 3.x with pam (--with-pam).
Our /etc/pam.conf has samba entries to use /usr/lib/security/pam_aix.
Password encryption needs to be disabled on both the Samba server and on 
the clients.

We are currently in a transition from DFS to GPFS and from DCE to a 
LDAP/KRB5 solution using TDS/NAS.
But until the are completely out of DCE/DFS, we need to keep our Samba 
file-server with "encrypt passwords = no" (maybe even "client lanman auth 
= Yes" and "client plaintext auth = Yes") and our clients set the same 

We will be looking in the upcoming months/years (before you stop providing 

security fixes for 3.6) to upgrade to Samba 4.x (file-server only) so we 
hope to be able to use it in our current environment if we're not done 
with our DCE/DFS migration.

My understanding is that your proposal will remove the possibility to use 
non-encrypted password and pam (maybe pam has already been removed from 
Samba 4.0.x, I've haven't looked yet).
So the impact will depend on how long Samba 3.6 and/or Samba 4.0 will be 
supported for security fixes.

Best regards,

Yannick Bergeron
450 534-7711
yaberger at ca.ibm.com
Advisory IT Specialist

Never say never, say "it depends" / Ne jamais dire jamais, dites "ca 

More information about the samba-technical mailing list