Summary of "encrypted and cleartext password in the same time" issue.
Martin Rusko
rusko at kam.vm.stuba.sk
Sat Jan 12 07:26:17 GMT 2002
Hi all,
this is an attempt to cover all the ways to access a Samba server with
clients sending cleartext passwords (CP clients) (original Win95, WinNT until
SP3) and clients sending encrypted passwords (EP clients) (Win98, Win2k,
....) at the same time. Any feedback, comments, questions or improvements
are very welcome. :-)

Anyone who wants to set up an environment with both types of clients (sending
cleartext and encrypted passwords) has three options:
1.) All clients will send cleartext passwords, and therefore we have to force
the clients which send encrypted passwords to use cleartext passwords.
2.) Some clients will send cleartext passwords, others encrypted passwords.
Then it is appropriate to synchronize the unix passwords with the smbpassword file.
3.) All clients will send encrypted passwords, and therefore we have to force
the clients which send cleartext passwords to use encrypted passwords.
(At least with Win95 it is possible; about other clients I don't know.)

And now, let's look at our three options in more depth:
1.) All clients using cleartext passwords.
This can be done by changing some registry entries on the Windows client.
For which ones, I refer you, dear reader, to the samba/docs/registry
directory in the Samba sources. There are some files with a *.reg extension. Just
double-clicking on the suitable file within Windows should import the needed settings
into the Windows registry.
2.) Mixed passwords.
No changes need to be made on the Windows clients, just a slightly more
complicated setup on Samba. First of all, we need to have different config file
entries for EP clients and CP clients.
For EP clients we need in smb.conf:
[global]
encrypt passwords = yes
For CP clients we need in smb.conf:
[global]
encrypt passwords = no
Of course, the question is how to do that in one config file. The answer is to
include one config file in another. Have a look at this:
---- smb.conf -----
[global]
encrypt passwords = yes
include = /etc/samba/smb.conf.%m
-----------------------
---- smb.conf.[netbios name of our win95 machine] ----
[global]
encrypt passwords = no
-----------------------------------------------------------------------------
So we have to write a separate config file for each Win95 machine. But what if we
have tens of such clients? Maybe we could write just one file, something like
/etc/samba/smb.conf.win95, and symlink the others to it. But when
users change their machine name, they won't be able to log in or map network
drives.

With a mixed-password setup we should also set up password synchronization
in the configuration file:
--- smb.conf ------
unix password sync = yes
-----------------------
See also the "passwd program", "passwd chat" or "pam password change"
parameters in 'man smb.conf'. Without these correctly set up, it won't work!
Syncing passwords is good, because without it, if a user changes his password
while sitting at an EP client and then tries to log in from a CP client, the
login will fail for him.
3.) The third solution is to force all clients to use encrypted passwords, and thus
to have only EP clients. It is simple. What you really need to do is to
download some Win95 patches from Microsoft or from numerous other
places on the Net. The patches are different for original Win95, Win95 OSR1
and Win95 OSR2. For Win95 and Win95 OSR1 we use secupd.exe. For Win95
OSR2 we should use secupd2.exe. It seems that these patches fix
a security hole involving cleartext passwords being stored in memory. But after
updating, Win95 machines also send encrypted passwords over the network, which
is great!! ;-) To find these patches, just enter 'secupd.exe site:microsoft.com'
in Google, or use the Microsoft Knowledge Base to find more info.
Finally, I recommend reading 'man smb.conf' and the various documents in the
samba/docs directory, which are very helpful.
Which solution is the best for you, dear reader, is up to you. ;-)
mARTin Rusko
--
Martin Rusko
PhD student
Slovak Technical University
Faculty of Mechanical Engineering
Department of Automation
--
e-mail: rusko at kam.vm.stuba.sk
mobile: +421 903 246698
--
motto: We are Microsoft! Resistance is futile.
Open your source code and prepare for assimilation.
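
The shared-file-plus-symlinks layout from option 2, with a check of which client names end up with cleartext passwords enabled, as an added example that is not part of the original post. The function names, the scratch directory and the client names accounts1 and lab07 are constructed for illustration; on a real server the directory would be /etc/samba.

```shell
#!/bin/sh
# Added example: per-client overrides for "include = /etc/samba/smb.conf.%m".

# link_cleartext_clients DIR NAME...
# Writes one shared override file (smb.conf.win95) and points
# smb.conf.<NAME> at it with a symlink for every listed client.
link_cleartext_clients() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    printf '[global]\nencrypt passwords = no\n' > "$dir/smb.conf.win95"
    for name in "$@"; do
        # The link name must match exactly what %m expands to for that client.
        ln -sf smb.conf.win95 "$dir/smb.conf.$name"
    done
}

# list_cleartext_clients DIR
# Prints the %m suffix of every smb.conf.* file that switches encrypted
# passwords off, so the set of cleartext clients can be reviewed.
list_cleartext_clients() {
    for f in "$1"/smb.conf.*; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*encrypt[[:space:]]*passwords[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$' "$f"; then
            basename "$f" | sed 's/^smb\.conf\.//'
        fi
    done | sort
}

# Demo on a scratch directory with constructed client names.
demo_dir=$(mktemp -d)
link_cleartext_clients "$demo_dir" accounts1 lab07
list_cleartext_clients "$demo_dir"
rm -rf "$demo_dir"
```

The listing includes win95 itself, because the shared file is also what a client with that machine name would be given.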