[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1

yaberger at ca.ibm.com yaberger at ca.ibm.com
Mon May 27 05:39:51 MDT 2013


Hi Andrew,

Here is a first list of clients that are using our Samba file service.
There will be a few more under "Other network devices" that I'll send in 
another email once I have received it.
I should also know which DOS flavor/version is being used in the upcoming 
days.

Workstations:
Windows XP SP3 (migrated to Windows 7 by the end of the year)
Windows 7 SP1
RHEL 6 (6.4)

Servers:
Windows 2003 Server
Windows 2008 Server
Windows 2012 Server (soon)

Other network devices:
Windows 2000
Windows XP
Windows 7

Backup/restore process:
LiveCD running BartPE (based on Windows XP).
Floppy running DOS



Best regards,

Yannick Bergeron
450 534-7711
yaberger at ca.ibm.com
Advisory IT Specialist

Never say never, say "it depends" / Ne jamais dire jamais, dites "ça dépend"



From:   Andrew Bartlett <abartlet at samba.org>
To:     yaberger at ca.ibm.com, 
Cc:     samba-technical at lists.samba.org
Date:   05/23/2013 06:21 PM
Subject:        Re: [PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1



On Thu, 2013-05-23 at 10:09 -0400, yaberger at ca.ibm.com wrote:
> Hi,
> 
> We are using Samba 3.6.x on AIX.
> We use Samba mainly for its file-server feature to share DFS, GPFS and 
> JFS2 filesystems.
> We need users to authenticate with DCE to be able to access their DFS 
> resources.
> To do so, we build Samba 3.x with pam (--with-pam).
> Our /etc/pam.conf has samba entries to use /usr/lib/security/pam_aix.
> Password encryption needs to be disabled on both the Samba server and on 
> the clients.
> 
> We are currently in a transition from DFS to GPFS and from DCE to a 
> LDAP/KRB5 solution using TDS/NAS.
> But until we are completely out of DCE/DFS, we need to keep our Samba 
> file-server with "encrypt passwords = no" (maybe even "client lanman auth 
> = Yes" and "client plaintext auth = Yes") and our clients set the same 
> way.
> We will be looking in the upcoming months/years (before you stop providing 
> security fixes for 3.6) to upgrade to Samba 4.x (file-server only) so we 
> hope to be able to use it in our current environment if we're not done 
> with our DCE/DFS migration.
> 
> Conclusion
> My understanding is that your proposal will remove the possibility to use 
> non-encrypted password and pam (maybe pam has already been removed from 
> Samba 4.0.x, I haven't looked yet).
> So the impact will depend on how long Samba 3.6 and/or Samba 4.0 will be 
> supported for security fixes.

Thanks for the background.  Your site is one of the few that I'm aware
of using plaintext passwords, and it's helpful to know you still need
it.  What are your clients in this case, and do you use the password
level parameter, or expect samba to upper or lower case the password for
you?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
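Added example (not Samba's code, and not part of this thread): a small Python model of the case-permutation behaviour behind the `password level` parameter that Andrew asks about, following the smb.conf(5) description (supplied password first; all-lowercase if the supplied one had upper case; then, for level >= 1, every way of upper-casing up to `level` letters of the lowercase form). It makes visible how many distinct strings a server with plaintext auth ends up accepting for one password, which is the defender-side cost of that setting.

```python
from itertools import combinations


def password_level_candidates(password: str, level: int) -> list[str]:
    """Candidate strings a Samba server with 'password level = <level>'
    would try for a plaintext password, in the documented order.

    This is a model of the documented behaviour, not Samba's own code.
    """
    tried: list[str] = []

    def add(candidate: str) -> None:
        if candidate not in tried:
            tried.append(candidate)

    # 1. The password exactly as the client supplied it.
    add(password)

    # A mixed-case password cannot have been case-folded by an old client,
    # so Samba stops here regardless of the level.
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        return tried

    lowered = password.lower()
    # 2. All-lowercase form, tried when the supplied form had upper case.
    if any(c.isupper() for c in password):
        add(lowered)

    # 3. For level >= 1: all combinations of 1..level letters upper-cased.
    letter_positions = [i for i, c in enumerate(lowered) if c.isalpha()]
    for n in range(1, level + 1):
        for positions in combinations(letter_positions, n):
            chars = list(lowered)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return tried


def accepted_variants(password: str, level: int) -> int:
    """Number of distinct strings the server would accept for this password."""
    return len(password_level_candidates(password, level))


if __name__ == "__main__":
    # Constructed sample password; 'level 2' is the permutation count
    # for an 4-letter all-lowercase password: 1 + C(4,1) + C(4,2).
    for lvl in (0, 1, 2, 4):
        print(lvl, accepted_variants("fred", lvl), password_level_candidates("fred", lvl))
```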