Summary of "encrypted and cleartext password in the same time" issue.

Martin Rusko rusko at kam.vm.stuba.sk
Sat Jan 12 07:26:17 GMT 2002


Hi all,
This is an attempt to cover all the possibilities for accessing a Samba server 
with clients sending cleartext passwords (CP clients) (original Win95, WinNT 
until SP3) and clients sending encrypted passwords (EP clients) (Win98, Win2k, 
....) at the same time. Any feedback, comments, questions or improvements 
are very welcome. :-)

Anyone who wants to set up an environment that uses both types of clients 
(sending cleartext and encrypted passwords) has three options:
1.) All clients will send cleartext passwords, and therefore we have to force 
clients which send encrypted passwords to use cleartext passwords.
2.) Some clients will send cleartext passwords, others encrypted passwords. 
Then it is appropriate to synchronize unix passwords with the smbpasswd file.
3.) All clients will send encrypted passwords, and therefore we have to force 
clients which send cleartext passwords to use encrypted passwords. 
(At least with Win95 it is possible; about other clients I don't know.)

And now, let's look at our three options in more depth:
1.) All clients using cleartext passwords.
This can be done by changing some registry entries on the Windows client. 
As for which ones, I refer you, dear reader, to the samba/docs/registry 
directory in the samba sources. There are some files with a *.reg extension. 
Just double-clicking on the suitable file within Windows should import the 
needed settings into the Windows registry.

2.) Mixed passwords.
No changes need to be made on the Windows clients. There is just a slightly 
more complicated setup on Samba. First of all, we need to have different config 
file entries for EP clients and CP clients. 
For EP clients we need in smb.conf:
[global]
  encrypt passwords = yes
For CP clients we need in smb.conf:
[global]
  encrypt passwords = no
Of course, the question is how to do that in one config file. The answer is to 
include one config file in another. Have a look at this:
---- smb.conf -----
[global]
  encrypt passwords = yes
  include = /etc/samba/smb.conf.%m
-----------------------

---- smb.conf.[netbios name of our win95 machine] ----
[global]
  encrypt passwords = no
-----------------------------------------------------------------------------

So we have to write a separate config file for each Win95 machine. But what if 
we have tens of such clients? Maybe we could write only something like an 
/etc/samba/smb.conf.win95 file, and just symlink the others to it. But when 
users change their machine name, they won't be able to log in or map network 
drives.
With mixed passwords, we should also set up password synchronization in the 
configuration file:
--- smb.conf ------
  unix password sync = yes
-----------------------
See also the "passwd program", "passwd chat" or "pam password change" 
parameters in 'man smb.conf'. Without these correctly set up, it won't work! 
Syncing passwords is good, because if a user changes his password 
while sitting at an EP client and then tries to log in from a CP client, it 
will fail for him. 

3.) The third solution is to force all clients to use encrypted passwords, and 
thus to have only EP clients. It is simple. What you really need to do is to 
download some Win95 patches from Microsoft or from numerous other 
places on the Net. The patches are different for original Win95, Win95 OSR1 
and Win95 OSR2. For Win95 and Win95 OSR1 we use secupd.exe. For Win95 
OSR2 we should use secupd2.exe. It seems that these patches fix a 
security hole concerning the storage of cleartext passwords in memory. But 
after updating, Win95 machines also send encrypted passwords over the network, 
which is great!! ;-) To find these patches, just enter 'secupd.exe site:microsoft.com' 
in Google, or use the Microsoft knowledge base to find more info.

Finally, I recommend reading 'man smb.conf' and the various documents in the 
samba/docs directory, which are very helpful.
Which solution is the best for you, dear reader, is up to you. ;-)


        mARTin Rusko

--
Martin Rusko
PhD student
Slovak Technical University
Faculty of Mechanical Engineering
Department of Automation
--
e-mail: rusko at kam.vm.stuba.sk
mobile: +421 903 246698
--
motto: We are Microsoft! Resistance is futile. 
       Open your source code and prepare for assimilation.
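
The symlink approach from option 2 of the post, as an added example that is not part of the original message: it writes the shared smb.conf.win95 override, links per-client include files to it, and lists every machine name that is currently allowed to send cleartext. CONF_DIR and the client names passed to the functions are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. CONF_DIR and the client names
# passed in are assumptions; point CONF_DIR at a scratch directory to try it.
CONF_DIR="${CONF_DIR:-/etc/samba}"
SHARED="smb.conf.win95"   # shared override file name suggested in the post

# Write the shared override: cleartext only for clients that resolve to it.
write_shared() {
    printf '[global]\n  encrypt passwords = no\n' > "$CONF_DIR/$SHARED"
}

# Symlink smb.conf.<name> to the shared override for each NetBIOS name given.
# Each link name must match what %m expands to for that client.
link_clients() {
    for name in "$@"; do
        ln -sf "$SHARED" "$CONF_DIR/smb.conf.$name"
    done
}

# Audit: print each machine name whose include file turns encryption off.
# "win95" itself is listed too, since a client with that name would match.
list_cleartext_clients() {
    for f in "$CONF_DIR"/smb.conf.*; do
        [ -e "$f" ] || continue            # skips dangling links and no-match
        if grep -Eiq '^[[:space:]]*encrypt[[:space:]]*passwords[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$' "$f"; then
            echo "${f##*/smb.conf.}"
        fi
    done
}
```

Running list_cleartext_clients after a client is patched or renamed shows which cleartext exceptions are still in place and can be removed.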
