samba PDC with NIS, or other solution?

Todd Pfaff pfaff at edge.cis.mcmaster.ca
Fri Nov 9 10:27:04 GMT 2001


i don't know the entire process because i've never had to use the
'update encrypted' feature myself.  however, i can imagine that once the
smb client is using cleartext, samba can encrypt and authenticate against
the unix password file.  maybe that is the key.

Todd

On Fri, 9 Nov 2001, Alexander Lazarevich wrote:

> we can allow cleartext, no problem (we've been using nis for years). and i
> can't/won't crack 600 passwords. i just want to avoid telling 600 people
> that they have to re-enter their passwords, and i think i get the idea
> that it's possible, but i just don't understand it yet.
> 
> if there is no way to get encrypted passwords into the smbpasswd file,
> then, if what i want to do is possible, there must be some other way to
> get cleartext passwords into the smbpasswd file.
> 
> so how do i get my encrypted NIS file -> cleartext -> smbpasswd?
> 
> wait a second, i just read your email again and i think i got it:
> 
> i use that script to generate the smbpasswd file (minus the passwords). 
> then i set the smb.conf with 'update encrypted = yes'. then force all my
> clients to send cleartext passwords. will this do what i want? if so, then
> how does samba validate a user who is logging on if that user's password is
> not in the smbpasswd file? if it works this way, then anyone could login
> (assuming they know a user alias name), submit any password they want and
> take control over that person's logon. it must not work this way. that
> would be a huge security hole. what am i misunderstanding?
> 
> or do i just have to make all my users re-enter their passwords? once
> that's done, i would be set to go...
> 
> thanks as always,
> 
> alex
> ---                                                        ---
>    Alex Lazarevich | Systems | Imaging Technology Group
>    alazarev at itg.uiuc.edu | (217)244-1565 | www.itg.uiuc.edu
> ---                                                        ---
> 
> On Fri, 9 Nov 2001, Todd Pfaff wrote:
> 
> > On Fri, 9 Nov 2001, Alexander Lazarevich wrote:
> > 
> > > i'm still unclear as to how, or if, i can get the current /etc/passwd file
> > > from the current NIS master onto the new samba PDC (which will become
> > > the new NIS master). in one of your emails you mentioned something about a
> > > script that comes with the samba source that will create the smbpasswd
> > > from disabled accounts. what is this script called? is there a man/docs
> > > on it? will this script take an /etc/passwd file from an NIS master and
> > > create a smbpasswd file from it? that seems too good to be true...
> > 
> > The script that he mentions is for populating your smbpasswd file with
> > all existing account information except for the encrypted password field.
> > I don't know what the name of the script is that Christian is referring to
> > but I've attached the one I wrote myself, and you could probably write
> > such a script yourself.  I also run a linux server as an NIS master and a
> > samba PDC.  I call the attached script from my NIS makefile to update the
> > smbpasswd file whenever I modify passwd and run an NIS make.
> > 
> > There is no way to directly convert the unix encrypted passwords to smb
> > encrypted passwords other than cracking each password to get the
> > cleartext equivalent and then creating the smbpasswd encrypted 
> > equivalent.  Of course, this may not work for all passwords.
> > 
> > The alternative method provided by samba relies on several things...
> > - your smb client will use cleartext passwords if the server allows
> > - the samba server has been configured to allow cleartext passwords
> > - you have set 'update encrypted' appropriately in smb.conf
> > 
> > Read the docs to figure out how to ensure the above conditions.
> > 
> > If you can't allow cleartext passwords on your network then this method
> > will not work for you.
> > 
> > --
> > Todd Pfaff                         \  Email: pfaff at mcmaster.ca
> > Computing and Information Services  \ Voice: (905) 525-9140 x22920
> > ABB 132                              \  FAX: (905) 528-3773
> > McMaster University                   \
> > Hamilton, Ontario, Canada  L8S 4M1     \
> > 
> 
> 

--
Todd Pfaff                         \  Email: pfaff at mcmaster.ca
Computing and Information Services  \ Voice: (905) 525-9140 x22920
ABB 132                              \  FAX: (905) 528-3773
McMaster University                   \
Hamilton, Ontario, Canada  L8S 4M1     \
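
An added example, not part of the thread and not the script Todd attached: one way to build the smbpasswd skeleton from passwd entries on every NIS make without overwriting hashes that 'update encrypted' has already stored, and to list accounts still waiting on their first cleartext logon. The field layout, the 32-character 'X' placeholder, the account-flags field, the UID cutoff and all function names are assumptions to check against smbpasswd(5) on the installed Samba version.

```python
"""Merge passwd(5) accounts into an smbpasswd skeleton without clobbering hashes."""

UNSET = "X" * 32                      # assumed placeholder: no LANMAN/NT hash stored yet
FLAGS = "[" + "U".ljust(11) + "]"     # assumed 13-char account-flags field (normal user)
MIN_UID = 500                         # assumed cutoff that excludes system accounts


def parse_smbpasswd(text):
    """Return {username: full line} for every well-formed smbpasswd entry."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 6:
            entries[fields[0]] = line
    return entries


def merge(passwd_text, smbpasswd_text=""):
    """Build smbpasswd lines for passwd users, keeping hashes already captured."""
    existing = parse_smbpasswd(smbpasswd_text)
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith(("#", "+", "-")):
            continue                  # skip comments, NIS compat markers, junk
        name, uid = fields[0], fields[2]
        if not uid.isdigit() or int(uid) < MIN_UID:
            continue                  # skip system accounts
        if name in existing:
            out.append(existing[name])        # never overwrite a stored hash
        else:
            out.append(f"{name}:{uid}:{UNSET}:{UNSET}:{FLAGS}:LCT-00000000:")
    return out


def pending(lines):
    """Users whose hash fields are still placeholders (no cleartext logon yet)."""
    return [l.split(":")[0] for l in lines if l.split(":")[2:4] == [UNSET, UNSET]]


# Constructed sample data, not taken from the thread.
PASSWD = ("root:x:0:0:root:/root:/bin/sh\n+::::::\n"
          "alice:x:1001:100:Alice:/home/alice:/bin/sh\n"
          "bob:x:1002:100:Bob:/home/bob:/bin/sh\n")
SMBPASSWD = f"alice:1001:{'A' * 32}:{'B' * 32}:{FLAGS}:LCT-3BEBA1D8:\n"

if __name__ == "__main__":
    merged = merge(PASSWD, SMBPASSWD)
    print("\n".join(merged))
    print("still waiting on first cleartext logon:", pending(merged))
```

Once pending() returns an empty list, every account has a stored hash and cleartext logons are no longer needed for the migration.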