Win2K and Samba

Peter Samuelson peter at cadcamlab.org
Wed Feb 2 11:21:12 GMT 2000


[Keith G. Murphy]
> I think I finally understand, after your message and rereading
> ENCRYPTION.TXT:
> 
> (1) Samba never sees a cleartext password coming from a Windows box

Not when you log in, no.  (See below.)

> (2) It sees the hashed password, but can't store this in /etc/passwd,
> because a different hashing scheme is used than what Unix/Linux uses.

Right.

> (3) So it has to keep it in smbpasswd, necessitating keeping stuff in
> sync.

Right.

> Only thing I see that would integrate the two would be Samba entering
> the thing into passwd (maybe an extra field?) and Unix login being
> able to deal with the Windows hashing scheme.  Wonder if anyone's
> worked on that?

Remember the `unix password sync' smb.conf option.  When the user on
the 'doze box wants to *change* his password, I think what gets sent
over the wire is the new password hashed by some sort of shared secret,
so Samba can derive cleartext at this point.  Thus Samba can run
/bin/passwd (or /usr/bin/yppasswd or whatever) and update the Unix
password file at the same time as the smbpasswd file.

To make this solution complete, though, it would have to be symmetric,
i.e. /bin/passwd or /usr/sbin/rpc.yppasswdd would have to include a
similar hook, so that when a luser changes his password from Unix it
propagates to the smbpasswd file as well.  I don't know if *this* has
been done or not, although one can imagine that the replacements would
not be hard to write.  Note also that you need to avoid hook loops....

Peter
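
The `unix password sync' setup mentioned in the reply above, as an added smb.conf fragment (not part of the original post). The passwd path and the chat strings are assumptions and have to match the prompts of the local passwd program.

```ini
[global]
# Windows clients authenticate with hashed passwords, so Samba keeps
# its own hash store (smbpasswd) alongside the Unix password file.
    encrypt passwords = yes

# When a client changes its password, also update the Unix password.
# This covers only the Windows -> Unix direction; a change made with
# passwd on the Unix side does not reach smbpasswd through this option.
    unix password sync = yes

# Program run to set the Unix password; %u is the user name.
# With unix password sync enabled Samba calls it as root, so give an
# absolute path to a trusted binary (path assumed here; a NIS site
# would point this at yppasswd instead).
    passwd program = /usr/bin/passwd %u

# Expect/send conversation with the program above; %n is replaced by
# the new cleartext password. The prompt patterns are assumptions.
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
```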

