[Samba] Can someone explain SMB passwords?

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Jul 21 00:41:35 MDT 2013


On Sat, Jul 20, 2013 at 10:41:31PM -0700, Paul D. DeRocco wrote:
> I've read what I can find about SMB passwords, but I don't get what they
> are. Are they Unix passwords or an alternative to them? If I have a file
> share, and the underlying file system requires some sort of credentials to
> access it, what is the relationship between that and an SMB password?
> 
> If a client tries to access the share, using a user account that is listed
> in the smbpasswd file, does the client have to provide a password that
> matches the SMB password in order for the server to allow the access, and
> having done that, does it then not need to know the Unix password? Or is the
> SMB password the Unix password that the server will use to access the share,
> so that the client doesn't have to supply a password at all?
> 
> I don't even understand if the SMB server runs as root, and can therefore
> access anything, or if it can't access local files unless it is given a
> password somehow. The smbpasswd(5) and smbpasswd(8) man pages, and
> everything else I've read, seem to assume that whoever is reading them
> already knows the answers to these questions.

The Samba server never sees the plaintext password. The
Samba password is a one-way hashed version of the plaintext
password; that is all Samba needs to do its
challenge-response authentication. If Samba is a domain
member, it does not even have the hash; it has nothing, but
trusts the domain controller to have it and check it
properly.

What file system is this? If it happens to be AFS, then
there's the fake_kaserver functionality. The basic trick is
that this makes the file server the KDC. A blatant violation
of any security policy, but that's the only way.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

