Summary of "encrypted and cleartext password in the same time" issue.

Yan Seiner yan at cardinalengineering.com
Sat Jan 12 14:23:02 GMT 2002


Could this possibly be used to provide different workgroups to different
clients?

That would be very cool.  I would really like to have one server serving
5 distinct workgroups on the same physical lan, each with its own
subnet.

Right now, everyone is a member of the same domain and all the machines
are in NetNeigh.  Some are browsable, some are not, depending on the
subnets.

Can this be done?

--Yan

Martin Rusko wrote:
> 
> Hi all,
> this is an attempt to cover all possibilities for accessing a samba server with
> clients sending cleartext passwords (CP clients) (original Win95, WinNT until
> SP3) and clients sending encrypted passwords (EP clients) (Win98, Win2k,
> ....) at the same time. Any feedback, comments, questions or improvements
> are very welcome. :-)
> 
> Anyone who wants to set up an environment with both types of clients (sending
> cleartext and encrypted passwords) has three options:
> 1.) All clients will send cleartext passwords and therefore we have to force
> clients which are sending encrypted passwords to use cleartext passwords.
> 2.) Some clients will send cleartext passwords, others encrypted passwords.
> Then it is appropriate to synchronize unix passwords with the smbpassword file.
> 3.) All clients will send encrypted passwords and therefore we have to force
> clients which are sending cleartext passwords to use encrypted passwords.
> (At least with win95 it is possible; other clients I don't know.)
> 
> And now, a deeper look at our three options:
> 1.) All clients using cleartext passwords.
> This could be done by changing some registry entries on the windows client.
> For which ones, I refer you, dear reader, to the samba/docs/registry
> directory in the samba sources. There are some files with a *.reg extension. Just
> double-clicking on the suitable file within windows should import the needed settings
> into the windows registry.
> 
> 2.) Mixed passwords.
> No changes need to be made on windows clients. Just a little bit more
> complicated setup on samba. First of all, we need to have different config file
> entries for EP clients and CP clients.
> For EP clients we need in smb.conf:
> [global]
>   encrypt passwords = yes
> For CP clients we need in smb.conf:
> [global]
>   encrypt passwords = no
> Of course, the question is how to do that in one config file? The answer is to
> include one config file in another. Have a look at this:
> ---- smb.conf -----
> [global]
>   encrypt passwords = yes
>   include = /etc/samba/smb.conf.%m
> -----------------------
> 
> ---- smb.conf.[netbios name of our win95 machine] ----
> [global]
>   encrypt passwords = no
> -----------------------------------------------------------------------------
> 
> So we have to write a separate config file for each win95 machine. But what if we
> have tens of such clients? Maybe we could write only something like a
> /etc/samba/smb.conf.win95 file, and just symlink the others to it. But when
> users change their machine name, they won't be able to login/map network
> drives.
> And with mixed passwords we should also set up password synchronization
> in the configuration file:
> --- smb.conf ------
>   unix password sync = yes
> -----------------------
> See also "passwd program", "passwd chat"  or "pam password change"
> parameters in 'man smb.conf'. Without these correctly set up, it won't work!
> Syncing passwords is good, because if a user changes his password
> sitting behind an EP client and then tries to log in from a CP client, it will fail for
> him.
> 
> 3.) The third solution is to force all clients to use encrypted passwords, and thus
> to have only EP clients. It is simple. What you really need to do is to
> download some win95 patches from Microsoft or from numerous other
> places on the Net. The patches are different for original Win95, Win95 OSR1
> and Win95 OSR2. For win95 and win95 osr1 we use secupd.exe. For win95
> osr2 we should use secupd2.exe. It seems that these patches are
> fixing a security hole about storing the cleartext password in memory. But after
> updating, win95 machines are also sending encrypted passwords over the network, which
> is great!! ;-) To find these patches, just enter 'secupd.exe site:microsoft.com'
> in Google, or use the microsoft knowledge base to find more info.
> 
> Finally, I recommend reading 'man smb.conf', and the various documents in the
> samba/docs directory, which are very helpful.
> Which solution is the best for you, dear reader, is up to you. ;-)
> 
>         mARTin Rusko
> 
> --
> Martin Rusko
> PhD student
> Slovak Technical University
> Faculty of Mechanical Engineering
> Department of Automation
> --
> e-mail: rusko at kam.vm.stuba.sk
> mobile: +421 903 246698
> --
> motto: We are Microsoft! Resistance is futile.
>        Open your source code and prepare for assimilation.
> 

-- 
Daddy, did all the hair that fell off your head stick to your arms?
Akari, age 4
 ... 
 oberon.cardhome.lan: 5:15pm up 6 days, 21:34, 7 users, load average:
0.39, 0.18, 0.24
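
An added example, not part of either message above and not Samba's own code: shell helpers for the symlink approach in option 2 of the quoted post, plus a check that lists which per-client files still turn encrypted passwords off. The function names, the single-directory layout and the lower-casing of the machine name used for %m are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumptions: all per-client files sit in one directory, the
# shared cleartext template is smb.conf.win95 (the name the post suggests),
# and %m expands to the client's NetBIOS name in lower case.

# link_cp_clients DIR NAME...  -> one symlink per cleartext (CP) client
link_cp_clients() {
    dir=$1; shift
    for name in "$@"; do
        # Accept only a conservative subset of NetBIOS characters so that an
        # entry such as "../smb.conf" cannot point outside DIR.
        case $name in
            ''|*[!A-Za-z0-9_-]*) echo "skipping bad name: $name" >&2; continue ;;
        esac
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        # Never overwrite the template with a link to itself.
        if [ "$lower" = win95 ]; then continue; fi
        ln -sf smb.conf.win95 "$dir/smb.conf.$lower"
    done
}

# list_cp_clients DIR -> suffixes of the per-client files whose final
# "encrypt passwords" setting is off (the last setting in a file wins)
list_cp_clients() {
    for f in "$1"/smb.conf.*; do
        [ -f "$f" ] || continue          # skips dangling links and no-match globs
        last=$(grep -Ei '^[[:space:]]*encrypt[[:space:]]*passwords[[:space:]]*=' "$f" |
               tail -n 1 |
               sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' |
               tr '[:upper:]' '[:lower:]')
        case $last in
            no|false|0) echo "${f##*/smb.conf.}" ;;
        esac
    done
}
```

Running list_cp_clients against /etc/samba after each change gives the current inventory of machines that are still allowed to send cleartext passwords, which is the list to shrink as clients are patched under option 3.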



