samba PDC with NIS, or other solution?

MCCALL,DON (HP-USA,ex1) don_mccall at
Fri Nov 9 10:21:06 GMT 2001

Hi Alexander,
The way update encrypted works is that your windows users, when they attempt
to access your samba server, negotiate cleartext password in the smb
negotiate protocol call that the client makes.  So the username and password
that the user has is sent cleartext to samba; samba then encrypts the
password in standard unix 1way encryption and validates it against the
/etc/passwd file password.  If this matches, it allows access, AND then
encrypts the plaintext password it now has into the lm and nt password
hashes that go into the smbpasswd file.
Once all of your users have successfully accessed samba, and thus have their
encrypted passwords in smbpassword, you can then turn OFF update encrypted,
and change encrypt passwords from NO to YES.
Hope this helps,

-----Original Message-----
From: Alexander Lazarevich [mailto:alazarev at]
Sent: Friday, November 09, 2001 1:03 PM
To: Todd Pfaff
Cc: Christian Barth; samba at
Subject: Re: samba PDC with NIS, or other solution?

we can allow cleartext, no problem (we've been using nis for years). and i
can't/won't crack 600 passwords. i just want to avoid telling 600 people
that they have to re-enter their passwords, and i think i get the idea
that it's possible, but i just dont understand it yet.

if there is no way to get encrypted passwords into the smbpasswd file,
then, if what im what to do is possible, there must be some other way to
get cleartext passwords into the smbpasswd file.

so how do i get my encrypted NIS file -> cleartext -> smbpasswd?

wait a second, i just read your email again and i think i got it:

i use that script to generate the smbpasswd file (minus the passwords). 
then i set the smb.conf with 'update encrypted = yes'. then force all my
clients to send cleartext passwords. will this do what i want? if so, then
how does samba validate a user who is loging on if that user's password is
not in the smbpasswd file? if it works this way, then anyone could login
(assuming they know a user alias name), submit any password they want and
take control over that persons logon. it must not work this way. that
would be a huge security hole. what am i misunderstanding?

or do i just have to make all my users re-enter their passwords? once
that's done, i would be set to go...

thanks as always,

---                                                        ---
   Alex Lazarevich | Systems | Imaging Technology Group
   alazarev at | (217)244-1565 |
---                                                        ---

On Fri, 9 Nov 2001, Todd Pfaff wrote:

> On Fri, 9 Nov 2001, Alexander Lazarevich wrote:
> > im still unclear as to how, or if, i can get the current /etc/passwd
> > from the current NIS master onto the new samba PDC (which will become
> > the new NIS master). in one of your emails you mentioned something about
> > script that comes with the samba source that will create the smbpasswd
> > from disabled accounts. what is this script called? is there an man/docs
> > on it? will this script take an /etc/passwd file from an NIS master an
> > create a smbpasswd file from it? that seems too good to be true...
> The script that he mentions is for populating your smbpasswd file with
> all existing account information except for the encrypted password field.
> I don't know what the name of the script is that Christian is referring to
> but I've attached the one I wrote myself, and you could probably write
> such a script yourself.  I also run a linux server as an NIS master and a
> samba PDC.  I call the attached script from my NIS makefile to update the
> smbpasswd file whenever I modify passwd and run an NIS make.
> There is no way to directly convert the unix encrypted passwords to smb
> encrypted passwords other than cracking each password to get the
> cleartext equivalent and then creating the smbpasswd encrypted 
> equivalent.  Of course, this may not work for all passwords.
> The alternative method provided by samba relies on several things...
> - your smb client will use cleartext passwords if the server allows
> - the samba server has been configured to allow cleartext passwords
> - you have set 'update encrypted' appropriately in smb.conf
> Read the docs to figure out how to ensure the above conditions.
> If you can't allow cleartext passwords on your network then this method
> will not work for you.
> --
> Todd Pfaff                         \  Email: pfaff at
> Computing and Information Services  \ Voice: (905) 525-9140 x22920
> ABB 132                              \  FAX: (905) 528-3773
> McMaster University                   \
> Hamilton, Ontario, Canada  L8S 4M1     \

To unsubscribe from this list go to the following URL and read the

More information about the samba mailing list