Summary of "encrypted and cleartext password in the same time" issue.

Andrew Bartlett abartlet at pcug.org.au
Mon Jan 14 05:44:08 GMT 2002


"Barker, Brian W." wrote:
> 
> I have been also trying to get my UNIX Samba to work with
> both win95 and win2000 and have had this problem with
> encrypted vs. not. I don't understand this answer. You
> say "All the listed clients will send an encrypted password
> if 'encrypt passwords = yes'". But the 'encrypt passwords = yes'
> is in the config file on my Unix machine, are you saying that
> this will automatically make my Win95 machine send an encrypted
> password? I find this hard to believe but maybe it is so. 

I'll say it again.  Win9X (and everything including DOS clients I
believe) support LANMAN encrypted passwords.  This takes a (weak) DES
hash of the uppercased password and encrypts it with a server supplied
challenge.

> What do you
> mean the clients will permit a security downgrade if the server
> requests it? Can you elaborate? Maybe Martin understands...

However, because not all servers (like samba in some early days - like
pre 2.0) supported this form of password encryption many clients
(including Samba) allow the server not to supply a challenge.  The
clients then send the password in plaintext.  

This is a serious security risk, because anyone could be listening to the
connection.  

Because of this, Microsoft decided that it would mandate use of
encrypted passwords.  This is done by simply disconnecting from any
server that doesn't issue the required challenge.

This causes the 'this account is not authorised to log in from this
station' error.

Microsoft was able to do this because all their clients and servers (of
relevance anyway) have always supported encrypted passwords.  

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
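The LANMAN scheme Andrew describes (uppercase the password, DES-hash it, then use the hash as DES keys to encrypt the server's challenge), worked through as an added Go example that is not from this thread or from Samba's code. It uses Go's standard crypto/des and a constructed 8-byte challenge, and the output makes the weakness visible: "password" and "PASSWORD" produce the same hash, and any password of seven characters or fewer leaves the second half at a fixed, recognisable constant.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Fixed plaintext that every LANMAN hash encrypts (historical constant).
var lmMagic = []byte("KGS!@#$%")
// expandKey spreads 7 key bytes over 8 DES key bytes (parity bits left clear).
func expandKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)) & 0xFE
	}
	k8[7] = (k7[6] << 1) & 0xFE
	return k8
}
// desBlock encrypts one 8-byte block under a 7-byte LANMAN key.
func desBlock(k7, block []byte) []byte {
	c, _ := des.NewCipher(expandKey(k7)) // key is always 8 bytes here
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}
// LMHash: uppercase, pad/truncate to 14 bytes, DES-encrypt lmMagic under each 7-byte half.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, bytes.ToUpper([]byte(password)))
	return append(desBlock(p[:7], lmMagic), desBlock(p[7:], lmMagic)...)
}
// LMResponse: pad the 16-byte hash to 21 bytes and DES-encrypt the challenge under each 7-byte piece.
func LMResponse(hash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(padded[i:i+7], challenge)...)
	}
	return resp
}

func main() {
	challenge := []byte{1, 2, 3, 4, 5, 6, 7, 8} // constructed sample challenge
	for _, pw := range []string{"", "password", "PASSWORD"} {
		fmt.Printf("%-10q hash=%x response=%x\n", pw, LMHash(pw), LMResponse(LMHash(pw), challenge))
	}
}
```

If the server sends no challenge at all, there is nothing for LMResponse to encrypt; that is exactly the point at which the older clients fall back to sending the password in plaintext.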