Encrypted and cleartext at the same time?

Geza Makay makayg at math.u-szeged.hu
Mon Oct 13 09:09:02 GMT 1997

At 06:03 PM 10/13/97 +1000, you wrote:
>>  I'd like to add the encrypted capability
>> but not force everyone to updated their password on the same
>> day.  What would be ideal would be if samba could automatically
>> create/update the new-style encrypted entry after validating a
>> clear text password against the unix password file.
>oo!  hey, i _like_ this idea!!!! "migrate passwords = yes" automatically 
>generates entries in smbpasswd.  once verified, you still have the 
>clear-text password, from which you can generate an smbpasswd entry.

Are you talking about wishes here, or an already included option? I did not
find this "migrate passwords" option, and my testparm (v.1.9.17p2)
complains about it if I put it in the smb.conf file.

I would certainly agree with an option like this. I could imagine it in the
following way:
1. An option like
	require encryption = yes/no
to specify if you allow only encrypted authentication or clear text too.
2. If "require encryption = no", then smbd would authenticate against
smbpasswd first, if there is no entry for the user in smbpasswd then tries
to authenticate using standard Unix passwords and fill in the appropriate
the smbpasswd file entry, and if this fails then rejects then connection.
Of course it would work only if you compiled Samba with -DUSE_LIBDES option
(and others), and have
	encrypt passwords = yes
in smb.conf.

This would work transparently to the user, if you set "require encryption =
1. If the user already has a valid password entry in the smbpasswd file,
then authentication is done using encrypted passwords.
2. If the user does not have a valid password entry in the smbpasswd file,
then authentication is done using standard Unix passwords, smbd fills out
the password entry in the smbpasswd file, and any time after that the
authentication will work according to 1.

Summary: An administrator could allow "require encryption = no" for a
couple of days/weeks so that the entries in the smbpasswd file are filled
in as the users are using Samba, then setting "require encryption = yes"
would work as it works now with "encrypt passwords = yes": only allowing
encypted authentication.

What do you think?


*           Name: Geza Makay                                            *
*      Institute: Jozsef Attila University of Szeged                    *
*           Mail: Bolyai Institute, Aradi vertanuk tere 1.              *
*                 H-6720, Szeged, Hungary                               *
*            Tel: (62) 454-091 (Hungary's code: 36)                     *
*    Fax/Message: (62) 326-246 (Hungary's code: 36)                     *
*         E-mail: makayg at math.u-szeged.hu                               *
* World Wide Web: http://www.math.u-szeged.hu/                          *
* "To err is human, but to really mess things up you need a computer."  *

More information about the samba mailing list