SAMBA digest 1518

Benny Holmgren benny at HGS.SE
Wed Dec 10 08:11:01 GMT 1997

On 8 Dec 1997, Luke Kenneth Casson Leighton wrote:

> On 8 Dec 1997, Stefan Nehlsen wrote:                 

> > 1. Making "nis homedir (G)" work with NIS+.
> if you explain to me how it works, i will look at it.

This should be pretty easy and shouldn't take too long to implement.

> > 2. Mapping the smbpasswd file to a NIS+ table. (Does this really
> >    make sense?)

I've actually done this. The code is currently in what you could call beta
state and i plan to do a few cleanups, especially in the code for the
smbpasswd command. The logic for accessing NIS+ tables and files isn't quite
the same. I've been running it on a few testservers for a month or so with
no problems. You can find a patch to 1.9.17p4 at 

> yes it does, except remember that the stupid microsoft idiots (who caused
> us to have to create the smbpasswd file by using 16 byte password hashes)
> forgot to make their password algorithm a one-way comparison system.
> in other words, the 16 byte hashes are clear-text equivalent.  storing
> them in a NIS+ table is therefore not a particularly good idea, unless
> you add a level of obfuscation (oh dear, i've done it now: mentioning
> obfuscation.  i hate obfuscation.  i can't even pronounce it).
> distribution).

NIS+ is not like NISv2 in the way that anyone can read anything so the crucial
issue here is to keep the table permissions strict. I'm sure there are ways
to bypass security in NIS+ as well but it's probably just as easy/hard to hack
root access on a machine in which case you can read the smbpasswd file anyway.

What I did was to create a table called smbpasswd. I also created a special 
NIS+ group which I populated with the Samba servers. The 16 bytes hash values
in that table can only be read by it's owner and the group. Every row is then
owned by the user it refers to and the group is the special samba group. 
This means only the owner of the row and the group members (the samba servers)
can access the hash fields. Anyone else will see *NP* instead. 

The result is as long as you keep the permissions strict this NIS+ approach
should be as secure as NIS+ itself. If you don't trust NIS+ enough for your
site you shouldn't use this patch (and probably not any MS products either).
If you feel I missed something out securitywise, please tell me.



Benny Holmgren                                      email: benny at
University College of Gavle/Sandviken.          phone: +46-(0)26-648887
Sweden                                        mobile: +46-(0)70-6338298

More information about the samba mailing list