Encrypted and cleartext at the same time?

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sun Oct 12 11:53:36 GMT 1997

On Sun, 12 Oct 1997, Leslie Mikesell wrote:

> Is it possible to make samba accept both cleartext and encrypted
> passwords, and continue to match the cleartext against the
> unix password file?

well... you could _possibly_ do it by ip address or by some form of hack
based on the "hosts allow" code (@netgroup) like this: 

	encrypt hosts = @group_1


	cleartext hosts = @group_2

you cannot select by username, the reason being that the negotiation SMBs 
incidate encrypted or cleartext password capability _before_ a session 
setup SMB, which indicates username and password.


an alternative would be to have two NetBIOS names for your server.  have 
"include = smb.conf.%M", and in smb.conf.SERVER_ENC have one line 
"encrypted passwords = yes".

then ask people to use the other NetBIOS name when connecting from NT 
SP3.  apart from anything, they'll find that they _can't_ connect to the 
old name.

alternatively, you could create deliberate inconvenience for your users by 
renaming your server to SERVER_CLR.  if people didn't want to rename 
their shares, then they could upgrade to SP3.

this has the advantage that by the time your users have finished 
upgrading, your server name doesn't change: you can just get rid of 
smb.conf.SERVER_CLR (with a single entry of "encrypted passwords = no").


>  I'd like to add the encrypted capability
> but not force everyone to updated their password on the same
> day.  What would be ideal would be if samba could automatically
> create/update the new-style encrypted entry after validating a
> clear text password against the unix password file.

oo!  hey, i _like_ this idea!!!! "migrate passwords = yes" automatically 
generates entries in smbpasswd.  once verified, you still have the 
clear-text password, from which you can generate an smbpasswd entry.

you still have the problem above (you would have to have your users
connecting for a day or two, which gives you the chance to auto-generate
the smbpasswd entries) namely that you have to ask users to connect to a 
different netbios name to _use_ encrypted passwords.

intriguing and thought-provoking, les.  thanks.

<a href="mailto:lkcl at switchboard.net"  > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Lynx2.7-friendly Home Page   </a>
<br><b>  "Apply the Laws of Nature to your environment before your
          environment applies the Laws of Nature to you"              </b>

More information about the samba mailing list