Encrypted and cleartext at the same time?
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Sun Oct 12 11:53:36 GMT 1997
On Sun, 12 Oct 1997, Leslie Mikesell wrote:
> Is it possible to make samba accept both cleartext and encrypted
> passwords, and continue to match the cleartext against the
> unix password file?
well... you could _possibly_ do it by ip address or by some form of hack
based on the "hosts allow" code (@netgroup) like this:

    encrypt hosts = @group_1
    cleartext hosts = @group_2

you cannot select by username, the reason being that the negotiation SMBs
indicate encrypted or cleartext password capability _before_ a session
setup SMB, which indicates username and password.
an alternative would be to have two NetBIOS names for your server. have
"include = smb.conf.%M", and in smb.conf.SERVER_ENC have one line
"encrypted passwords = yes".
then ask people to use the other NetBIOS name when connecting from NT
SP3. apart from anything, they'll find that they _can't_ connect to the
alternatively, you could create deliberate inconvenience for your users by
renaming your server to SERVER_CLR. if people didn't want to rename
their shares, then they could upgrade to SP3.
this has the advantage that by the time your users have finished
upgrading, your server name doesn't change: you can just get rid of
smb.conf.SERVER_CLR (with a single entry of "encrypted passwords = no").
> I'd like to add the encrypted capability
> but not force everyone to update their password on the same
> day. What would be ideal would be if samba could automatically
> create/update the new-style encrypted entry after validating a
> clear text password against the unix password file.
oo! hey, i _like_ this idea!!!! "migrate passwords = yes" automatically
generates entries in smbpasswd. once verified, you still have the
clear-text password, from which you can generate an smbpasswd entry.
you still have the problem above (you would have to have your users
connecting for a day or two, which gives you the chance to auto-generate
the smbpasswd entries) namely that you have to ask users to connect to a
different netbios name to _use_ encrypted passwords.
intriguing and thought-provoking, les. thanks.
Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Lynx2.7-friendly Home Page: http://mailhost.cb1.com/~lkcl
"Apply the Laws of Nature to your environment before your
environment applies the Laws of Nature to you"