[Samba] Windows 95, encrypted passwords, and secure channel communications

Andrew Bartlett abartlet at samba.org
Fri Jun 25 00:10:57 GMT 2004


On Fri, 2004-06-25 at 00:45, Jonathan Johnson wrote:
> First of all, let me say "I know it's been fixed in Samba 3." That's
> for those of you who think I'm talking about the requiresignorseal
> registry hack in Windows XP. I'm not.
> 
> I ran into an issue when using Windows 95 clients with a Windows 2003
> server. (Why not Samba? The customer needs terminal services for some
> windows-only programs.) Because Windows 2003, by policy, implements
> tighter security including encrypted passwords and communications,
> Windows 95 will NOT communicate with a Windows 2003 server. (If I'm
> wrong about the encrypted passwords, someone please correct me.)
> 
> David Lechnyr's Unofficial Samba HOW-TO states in part, "Windows 95
> doesn't use encrypted passwords, so this option must be disabled in
> your smb.conf to support these clients... Verify that your smb.conf
> file includes the parameter "encrypt passwords = yes" unless you are
> using Win95/Win95a or have disabled encrypted passwords in your other
> Windows clients (not a good idea)."

This is misleading and dangerous information.  There is no MS client
that I know of (even DOS) that requires plaintext passwords.   

All MS clients support and allow encrypted passwords, at least at the
'lanman' level (pathetic, but encrypted).

> It turns out that Microsoft provided a patch for Windows 95, 98, and
> NT4 called "Active Directory Client Extension" which provides "NTLM
> version 2 authentication". At least under Windows 2003 it seems to
> work, allowing my Win95 clients access to the 2003 server.

The patch includes NTLM1 and NTLMv2 support, which are more secure
encrypted password forms than the old LM.  This may allow access to more
stringent domains.

>   I'm wondering if this patch will work on Windows 95 against a Samba
>   server, allowing one to leave "encrypted passwords = yes" set. I
>   don't have an available testbed to try it on right now.

You could always have 'encrypt passwords = yes' set.  This should (and
I've not played with it) allow you to also set 'lanman auth = no', which
is my preferred option for security.

Andrew Bartlett
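
The two settings discussed in the reply above can be checked mechanically. This is an added example, not part of the original message or of Samba: it scans smb.conf text for an explicit `encrypt passwords = no` or `lanman auth = yes`. The function names and the sample config are constructed for illustration, and unset parameters are not reported because defaults vary by Samba version.

```python
import re

# Boolean spellings accepted in smb.conf (case-insensitive).
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
# Normalized parameter name -> (risky value, why it matters).
RISKY = {
    "encryptpasswords": (False, "plaintext passwords accepted on the wire"),
    "lanmanauth": (True, "weak LM responses accepted"),
}
# Constructed sample, following the advice the reply calls dangerous.
SAMPLE = """[global]
; settings copied from an old HOW-TO
Encrypt Passwords = No
lanman  auth = yes
"""

def norm(name):
    """Parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Yield (section, name, value, first_line_no) for each parameter."""
    section, pending, start = "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = no
        if line.endswith("\\"):  # trailing backslash continues the line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, norm(name), value.strip(), start

def audit(text):
    """Return (line, section, name, reason) for explicitly set risky values."""
    findings = []
    for section, name, value, no in parse(text):
        risky = RISKY.get(name)
        v = value.lower()
        enabled = (v in TRUE) if v in TRUE | FALSE else None
        if risky and enabled == risky[0]:
            findings.append((no, section, name, risky[1]))
    return findings
```
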