Authentication Problems (PR#2147)

Andrew Tridgell samba-bugs at samba.anu.edu.au
Mon Dec 1 01:27:06 GMT 1997


> I have a few questions regarding this;
> 1) Is the Windows SMB encryption approved for export, à la ITAR?
> 2) If not, is WinNT40SP3 available outside the US/CA.
> 3) Relative to 2), is this version of RedHat available outside US/CA?
> 4) How does MS distribute SP3 outside US/CA?

Here are some facts that I think will make it all clear:

1) All MS clients/servers have SMB password encryption built in, regardless
of what country they come from and what version they are.

2) Samba 1.9.17 needed a general purpose DES library in order to support
password encryption. To avoid ITAR problems we distributed Samba without
a DES library. (we didn't want to cause trouble for US mirrors of Samba)

3) WinNTSP3 and also the latest patches to Win95 change the behaviour of their
SMB clients so that they refuse to connect to a non-encrypting SMB server
by default. You can change this by changing a registry entry. We supply
.reg files for Win95 and WinNT so that changing this registry entry
is just a matter of double clicking on the supplied file then rebooting.

4) Samba 1.9.18 (currently in alpha test) takes advantage of the fact that
SMB password encryption uses DES in an unusual way, so that it is actually
a hash algorithm, not reversible encryption. We have implemented the necessary
SMB password encryption code in such a way that it cannot be used for general 
purpose encryption. This makes our new code exportable from the US under ITAR
rules. We have confirmed this with a US lawyer. 

5) All versions of Samba 1.9.18 will have SMB encryption available by default.
You can enable it at runtime using the "encrypt passwords = yes" option.

Andrew