[Samba] SMB passthrough authentication and Encrypted passwords

Beau Hunter beau at wedgetailtechs.com
Wed Mar 26 21:17:59 GMT 2003


Hey all first post,
    I recently set up an Apple Xserve running Mac OS X server v. 10.2.4 as a
SMB file server for a network of mixed win2k, win98, and Mac (classic) boxes
(samba version 2.2.3).  I currently have Open Directory setup to pull Active
Directory users and groups via ldap from the PDC, as well as SMB pass
through authentication (so winbindd is not needed).  Everything is currently
up and running, the main problem I have is that I can only get passthrough
authentication to run if I have encrypt passwords=NO setup in my smb.conf
file.  This obviously creates the hassle of both using unencrypted
passwords, and having to go to every 98 box and modify the registry to use
plaintext passwords.  If I switch encrypt passwords=YES, then from every
machine I try, be it 98, 2k, or xp, I receive an invalid password error.
There's obviously something I'm missing here, but I've scrounged the net and
archives and have found very little documentation on this.  My guess is that
the problem is due to a misconfiguration on the PDC end involving security
settings, but I've mucked about as much as I can on that, and not been able
to solve the issue.  Here's the relevant section of my smb.conf file:



        client code page = 437
        coding system = utf8
        guest account = unknown
        encrypt passwords = NO
        local master = NO
        inherent permissions= YES
        max smbd processes = 0
        server string = XServe
        log file = /Library/Logs/WindowsServices/WindowsFileService.log
        wins support = NO
        wins server = 10.2.0.43
        domain master = NO
        workgroup = WORK
        password server= SVR_PASSWD

(wg and pass server names changed)

I've joined the domain using smbpasswd -j WORK -r SVR_PASSWD -u Admin

The machine is showing as a member from my pdc.

With this conf, it works fine, but the second I change it to encrypt
passwords = yes, SMB authent is broken.

Anyone come across this before? Any suggestions?

TIA,
Beau Hunter




----------------------------------------------------------------------------
"The only thing necessary for evil to triumph is for good men to do
nothing."


-unknown





More information about the samba mailing list