Encrypted and cleartext at the same time? (PR#902)

Andrew Tridgell samba-bugs at samba.anu.edu.au
Fri Oct 17 01:27:58 GMT 1997


>> Note that the "I want encryption" bit does not exclude the client sending 
>> non-encrypted passwords, it just means that they are supported. The client
>> is free to send non-encrypted passwords if it wants to and the server will
>> do the encryption once it arrives.
> 
> OK, that's the quick fix!  Can you make samba continue to accept
> non-encrypted passwords and use its original scheme in addition
> to handling encrypted ones so all the old clients don't fail just
> because I need to support the new ones?  If we can migrate automatically

Samba already does that. It's a required part of the specification.

"old" clients, meaning clients that don't support encryption at all, will
work no matter what you put in smb.conf. Perhaps you don't realise that
all versions of Windows95 and WindowsNT support encryption? Not just the recent
patches. The change that Microsoft made in the SP3 patch to NT and in recent
patches to Win95 is that by default the client refuses to talk to servers
that don't support encryption. Earlier versions would just obey the "support
encryption" bit of the negprot response and act accordingly. 

The possible "solutions" to this problem are:

1) modify the registry on your clients so that they will talk to 
non-encrypting servers again. This isn't as painful as it sounds 
as you can just double-click on the supplied Win95_PlainPassword.reg
or NT4_PlainPassword.reg files that come with Samba.

OR

2) add encryption support to Samba and convert all your users to encrypted
passwords. We will be trying to make this option less painful in the future.
In 1.9.18 the encryption code is standard in the main source code and will
be compiled in by default. You just need to enable it in smb.conf. We also
hope to add an automatic migration system at some stage, as has been 
discussed here before.

OR

3) Use a "password server" and security=server

OR

4) Give your Samba server two names (on the one machine), with different 
configuration files. One config file will support encryption and the other 
won't. Users that haven't converted yet can use the non-encrypting server
name. Use the "include = /etc/smb.conf.%m" syntax to implement this.


Andrew
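
Added example, not part of the original message and not Samba's code: a Python check that reads the "support encryption" bit from an SMB1 NT LM 0.12 negprot response and models the client behaviour the message describes. The sample packet is constructed, and the client labels and the `plaintext_allowed` parameter (standing in for the registry change in option 1) are hypothetical names.

```python
import struct

SEC_ENCRYPT = 0x02  # SecurityMode bit 1: server supports challenge/response

def build_sample(mode: int, challenge: bytes = b"") -> bytes:
    """Constructed NT LM 0.12 negprot response (no NetBIOS session header)."""
    header = b"\xffSMB\x72" + bytes(27)              # 32-byte SMB header, rest zeroed
    words = struct.pack("<HBHHIIIIQhB", 0, mode, 50, 1, 4356, 65536,
                        0, 0, 0, 0, len(challenge))  # 17 parameter words (34 bytes)
    return header + b"\x11" + words + struct.pack("<H", len(challenge)) + challenge

def server_offers_encryption(resp: bytes) -> bool:
    """Return the 'support encryption' bit from an NT LM 0.12 negprot response."""
    if len(resp) < 69 or resp[:5] != b"\xffSMB\x72":
        raise ValueError("not an SMB1 negotiate response")
    if resp[32] != 17:
        raise ValueError("only the 17-word NT LM 0.12 response is handled")
    mode = resp[35]       # SecurityMode byte follows the 2-byte DialectIndex
    chal_len = resp[66]   # last parameter byte: length of the challenge
    if mode & SEC_ENCRYPT and (chal_len != 8 or len(resp) < 69 + chal_len):
        raise ValueError("encryption advertised without an 8-byte challenge")
    return bool(mode & SEC_ENCRYPT)

def client_action(client: str, server_encrypts: bool,
                  plaintext_allowed: bool = False) -> str:
    """Model of the behaviour described in the message (labels are hypothetical).

    client: 'legacy' (no encryption support), 'pre-sp3', or 'sp3'.
    plaintext_allowed: the client's registry was changed as in option 1.
    """
    if client == "legacy":
        return "plaintext"            # works whatever smb.conf says
    if server_encrypts:
        return "encrypted"            # client obeys the negprot bit
    if client == "pre-sp3" or plaintext_allowed:
        return "plaintext"
    return "refuse"                   # SP3 default against a non-encrypting server

if __name__ == "__main__":
    for mode, chal in ((0x01, b""), (0x03, bytes(range(8)))):
        enc = server_offers_encryption(build_sample(mode, chal))
        for c in ("legacy", "pre-sp3", "sp3"):
            print(f"mode={mode:#04x} {c:8s} -> {client_action(c, enc)}")
```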


