samba PDC with NIS, or other solution?

Alexander Lazarevich alazarev at hera.itg.uiuc.edu
Fri Nov 9 10:04:03 GMT 2001


we can allow cleartext, no problem (we've been using nis for years). and i
can't/won't crack 600 passwords. i just want to avoid telling 600 people
that they have to re-enter their passwords, and i think i get the idea
that it's possible, but i just don't understand it yet.

if there is no way to get encrypted passwords into the smbpasswd file,
then, if what i want to do is possible, there must be some other way to
get cleartext passwords into the smbpasswd file.

so how do i get my encrypted NIS file -> cleartext -> smbpasswd?

wait a second, i just read your email again and i think i got it:

i use that script to generate the smbpasswd file (minus the passwords). 
then i set the smb.conf with 'update encrypted = yes'. then force all my
clients to send cleartext passwords. will this do what i want? if so, then
how does samba validate a user who is logging on if that user's password is
not in the smbpasswd file? if it works this way, then anyone could login
(assuming they know a user alias name), submit any password they want and
take control over that person's logon. it must not work this way. that
would be a huge security hole. what am i misunderstanding?

or do i just have to make all my users re-enter their passwords? once
that's done, i would be set to go...

thanks as always,

alex
---                                                        ---
   Alex Lazarevich | Systems | Imaging Technology Group
   alazarev at itg.uiuc.edu | (217)244-1565 | www.itg.uiuc.edu
---                                                        ---

On Fri, 9 Nov 2001, Todd Pfaff wrote:

> On Fri, 9 Nov 2001, Alexander Lazarevich wrote:
> 
> > i'm still unclear as to how, or if, i can get the current /etc/passwd file
> > from the current NIS master onto the new samba PDC (which will become
> > the new NIS master). in one of your emails you mentioned something about a
> > script that comes with the samba source that will create the smbpasswd
> > from disabled accounts. what is this script called? is there a man/docs
> > on it? will this script take an /etc/passwd file from an NIS master and
> > create a smbpasswd file from it? that seems too good to be true...
> 
> The script that he mentions is for populating your smbpasswd file with
> all existing account information except for the encrypted password field.
> I don't know what the name of the script is that Christian is referring to
> but I've attached the one I wrote myself, and you could probably write
> such a script yourself.  I also run a linux server as an NIS master and a
> samba PDC.  I call the attached script from my NIS makefile to update the
> smbpasswd file whenever I modify passwd and run an NIS make.
> 
> There is no way to directly convert the unix encrypted passwords to smb
> encrypted passwords other than cracking each password to get the
> cleartext equivalent and then creating the smbpasswd encrypted 
> equivalent.  Of course, this may not work for all passwords.
> 
> The alternative method provided by samba relies on several things...
> - your smb client will use cleartext passwords if the server allows
> - the samba server has been configured to allow cleartext passwords
> - you have set 'update encrypted' appropriately in smb.conf
> 
> Read the docs to figure out how to ensure the above conditions.
> 
> If you can't allow cleartext passwords on your network then this method
> will not work for you.
> 
> --
> Todd Pfaff                         \  Email: pfaff at mcmaster.ca
> Computing and Information Services  \ Voice: (905) 525-9140 x22920
> ABB 132                              \  FAX: (905) 528-3773
> McMaster University                   \
> Hamilton, Ontario, Canada  L8S 4M1     \
> 
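
Added example, not part of the original messages and not the script attached in the thread: a shell function that builds smbpasswd entries from passwd-format input with both hash fields set to 32 'X' characters, which smbpasswd(5) documents as an account with no usable password hash. The field layout follows smbpasswd(5); the function name, the UID cutoff of 500 and the skip-existing behaviour (so a re-run from the NIS makefile does not overwrite hashes already filled in through 'update encrypted = yes') are assumptions.

```shell
#!/bin/sh
# Added example: passwd-format lines on stdin -> smbpasswd entries on stdout.
# $1: existing smbpasswd file (may be absent); users already listed there are
#     skipped so hashes stored at a later cleartext logon are never clobbered.
# $2: lowest UID to export (assumed cutoff for system accounts, default 500).
passwd_to_smbpasswd() {
    existing=${1:-/dev/null}
    min_uid=${2:-500}
    awk -F: -v existing="$existing" -v min_uid="$min_uid" '
    BEGIN {
        # Remember every user that already has an smbpasswd entry.
        while ((getline line < existing) > 0) {
            split(line, f, ":")
            if (f[1] != "" && f[1] !~ /^#/) seen[f[1]] = 1
        }
        # 32 X characters: placeholder meaning "no usable hash stored".
        x = sprintf("%32s", ""); gsub(/ /, "X", x)
        # Account flags field is 13 characters including the brackets.
        flags = sprintf("[%-11s]", "U")
    }
    /^[+-]/ || /^#/ || NF < 7 { next }       # NIS compat lines, comments, junk
    ($3 !~ /^[0-9]+$/) || ($3 + 0 < min_uid + 0) { next }   # system accounts
    ($1 in seen) { next }                    # already migrated or duplicate
    {
        printf "%s:%s:%s:%s:%s:LCT-00000000:\n", $1, $3, x, x, flags
        seen[$1] = 1
    }'
}

# Typical call from the NIS makefile (paths are assumptions):
#   passwd_to_smbpasswd /etc/smbpasswd 500 < /etc/passwd >> /etc/smbpasswd
```

For the migration period smb.conf(5) requires 'encrypt passwords = no' alongside 'update encrypted = yes': the cleartext password is checked against the UNIX password database, and only after that check succeeds are the hashes written into the user's smbpasswd entry.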




