[Samba] DOMAIN level security with smbpasswd???

John H Terpstra jht at samba.org
Tue May 6 16:57:52 GMT 2003


Jeremy,

MS Windows NT4/200x/XPPro can not participate in a Domain (as members with
a machine trust account) unless Microsoft encrypted passwords are enabled.

Microsoft encrypted passwords are hashed using an entirely different
algorithm from Unix Crypt. There is no mechanism for converting from Unix
Crypt to Microsoft's hashing mechanism - it can be done only from the
clear text password itself.

If you elect to use just your unix system user and password database then
you can not run Samba as a domain controller for your MS Windows clients.
Also, you must re-enable plain text password support in the registry of
all your clients. This has the side effect that every time the MS Windows
client closes an idle connection (which it can do after 5 - 15 minutes of
inactivity) when it goes to restore the connection it will use the MS
encrypted password (it does not cache the plain text password).

The account mapping is only to allow MS Windows user names like "Jack
Frost" to be mapped in a sensible manner to a unix account name.

- John T.

On Tue, 6 May 2003, Jeremy Nix wrote:

> I'm a bit confused on several points of the security infrastructure of
> Samba.  First, and simplest, why (and is it necessary) do we need to
> keep a smbpasswd file when the Linux/Unix passwd file could suffice?
> I like the idea of mapping particular users to a given UNIX account via
> the username map option, but I see no reason in specifying a separate
> password file for these same UNIX users.
>
> Secondly, and more to the point, why (again, and is it necessary) do we
> need this smbpasswd file if we are authenticating against a domain?
>
> Ideally, I'd like to be able to authenticate against the NT domain, and
> then map users to particular accounts.  Users who are not mapped to a
> given account will be mapped to a generic guest account with security
> tightened and access limited if even available.
>
> _________________
> Jeremy Nix
> Senior Application Developer
> Southwest Financial Ltd.
> Jeremy.Nix at sfsltd.com
> (513) 621-6699 ext 1158
>

-- 
John H Terpstra
Email: jht at samba.org
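
The point above about the two hash schemes, as an added example that is not part of the original thread: the NT hash is MD4 over the UTF-16LE password with no salt, so it can only be computed while the cleartext is in hand, whereas a Unix record depends on a per-account salt. `unix_style_record` is a hypothetical salted SHA-512 stand-in used for illustration, not real crypt(3), and the password in `compare` is a constructed sample.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
R2_ORDER = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
R3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:    # round 1: F(b,c,d), words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: majority function plus constant
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = R2_ORDER[i - 16], (3, 5, 9, 13)[i % 4]
            else:         # round 3: parity function plus constant
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = R3_ORDER[i - 32], (3, 9, 11, 15)[i % 4]
            a = _rotl((a + f + x[k]) & MASK, s)
            a, b, c, d = d, a, b, c
        state = [(v + w) & MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as stored for encrypted-password logons: unsalted MD4."""
    return md4(password.encode("utf-16-le")).hex()

def unix_style_record(password: str, salt: str) -> str:
    """Hypothetical stand-in for a salted Unix password record."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"

def compare(password: str) -> dict:
    """Same cleartext: one NT hash, a different Unix record per salt."""
    return {"nt": nt_hash(password),
            "unix_salt_ab": unix_style_record(password, "ab"),
            "unix_salt_cd": unix_style_record(password, "cd")}

if __name__ == "__main__":
    print(compare("constructed-sample-password"))
```

Neither stored value is an input to the other function; both take the cleartext, which is why the second password database has to be filled when the password is set.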

