Synchronisation between NIS and encrypted SMBPASSWD

Rainer Hauck hauck at nm.informatik.uni-muenchen.de
Mon Dec 7 16:47:39 GMT 1998


> Date: Sun, 06 Dec 1998 11:50:55 -0800
> From: Jeremy Allison <jallison at cthulhu.engr.sgi.com>
> To: samba at samba.org
> Subject: Re: Synchonisation between NIS and encrypted SMBPASSWD
> Message-ID: <366AE01F.18496F63 at engr.sgi.com>
>
> Rainer wrote :
>
> > In my opinion the only (sensible) solution to this problem is to include
> > the support for the old password (%o) in smbpasswd. I know it's not done
> > due to compatibility reasons but maybe it could be integrated as an
> > option?
> >
>
> No it's not done because it's impossible without storing
> the plaintext passwords in smbpasswd.
>
> The Windows clients will send the plaintext of the new
> password (encrypted) to the password change server, but
> they don't possess the plaintext of the old password,
> just the Lanman or NT hash of it (which is of no use
> for NIS passwords).
>
> Sorry, but that's the real reason why %o cannot be
> supported when using encrypted password change support.

Jeremy, I do understand that it's not possible to get the old password from a
Windows client. However, in our environment there's no need to change passwords
from Windows. We only change them from UNIX.

Correct me if I'm wrong, but in my opinion it works the following way:
A user calls smbpasswd and is authenticated by his old password. Then he enters a
new password. Both passwords are available in plaintext to smbpasswd. Smbpasswd
then somehow calls the local passwd-program as defined through passwd chat. It
provides the new password to the passwd command but it doesn't provide the old
password. I think that if the new password is available there's no reason why the
old one shouldn't be as well (except for compatibility with Windows clients).
That's why I suggested to add the %o on demand through a special option in
smbpasswd.

Thanks+best regards
Rainer

--
        _  _ _  _ _  _          RAINER HAUCK
        |\/| |\ | |\/|          Institut fuer Informatik / Dept. of CS
        |  | | \| |  |          Ludwig-Maximilians-University Munich
     ======= TEAM =======       Oettingenstr. 67, 80538 Munich, Germany
Munich Network Management Team  Room D01,Phone +49-89-2178-2155,Fax-2262
Muenchner Netz-Management Team  email: hauck at informatik.uni-muenchen.de
