Hello,

Does anyone know why normal users can set a blank Samba password with the smbpasswd command by inserting <CR> twice after inserting the old passwd:

ben@amo:% /opt/samba/bin/smbpasswd
Old SMB password:<oldpasswd>
New SMB password:<CR>
Retype new SMB password:<CR>
Password changed for user ben

After that the user can map the Samba shares with a blank password even if:

null passwords = No

and

guest ok = No

in the smb.conf.

Thanks in advance,
Imed

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
NEW: Get on the Internet with GMX. Surf around the clock for 1 ct/min!
On Mon, 7 Oct 2002 imed@gmx.ch wrote:

> Does anyone know why normal users can set a blank Samba password with the
> smbpasswd command by inserting <CR> twice after inserting the old passwd:
>
> ben@amo:% /opt/samba/bin/smbpasswd
> Old SMB password:<oldpasswd>
> New SMB password:<CR>
> Retype new SMB password:<CR>
> Password changed for user ben
>
> After that the user can map the Samba shares with a blank password even if:
>
> null passwords = No
>
> and
>
> guest ok = No
>
> in the smb.conf

Off the top of my head I would say that "\n" is not being recognized as "NO PASSWORDXXXXX". Check the smbpasswd file.

cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard                     http://www.hp.com
SAMBA Team                          http://www.samba.org
--                                  http://www.plainjoe.org
"SAMS Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawke in Gattaca--
Hi Jerry,

Thanks for the answer!

> Off the top of my head I would say that "\n" is not being
> recognized as
> "NO PASSWORDXXXXX". Check the smbpasswd file.

I can see this attitude on all Solaris servers using Samba > 2.0, with different installations. In the smbpasswd file there is no NO PASSWORDXXXXX for the specified user, see below:

ben:781:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[UX ]:LCT-3DA3119B:

What does that mean now ("\n" is not being recognized as...)? Is the smbpasswd binary buggy, or am I doing something wrong?

Thanks in advance!
Imed

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Hi there,

> No password is different from the password "" (an empty password).
> "" is actually hashed as an empty string and is a valid password,
> NO PASSWORD is treated differently.

That's not very consistent! With SWAT it's not possible for the user to set an empty password; this is Unix-like. No password is only allowed for root, which is OK, because it's under root's control. An empty password is possible for all users, and this is really bad, because you don't have any control over the user passwords, not even in the smb.conf file! In addition, with the old Samba versions < 2.0 it wasn't possible even for root to set an empty password!

Is there any cogent reason why "" (an empty password) should now be a valid password?

Thanks for hints!

regards,
Imed

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Hi Jerry,

Thanks for the answer!

> UNIX does not prevent you from setting an empty password.
> Maybe your PAM stack does.

With UNIX I meant Solaris 2.x (default); I don't know exactly how it is for Linux (I suppose it's similar) -> man passwd:

SunOS 5.8                 Last change: 21 Oct 1999                     1
User Commands                                                  passwd(1)

     Passwords must be constructed to meet the following requirements:

     o  Each password must have PASSLENGTH characters, where PASSLENGTH
        is defined in /etc/default/passwd and is set to 6. Only the
        first eight characters are significant.

     o  Each password must contain at least two alphabetic characters
        and at least one numeric or special character. In this case,
        "alphabetic" refers to all upper or lower case letters.

> Try using pam_smbpass.so and the pam_crack.so library for controlling
> password strength.

Thanks for the tip, I'll do it; pity that Samba doesn't do it out of the box.

> Samba just gives you the bullet. If you shoot yourself in the foot,
> we can't stop that.... If you want, modify smbpasswd so that
>
> if ( !lp_null_passwords() && !strlen(new_passwd) )
>     fail;

The bullet is OK for root but not for the normal users, or do your users have the root password in your environment? I'll try to change the code too, but it's not Samba standard anymore!

> As of this moment, we are not planning on changing the current
> behavior.

That's a real pity! Anyway, can you please tell me why the attitude of smbpasswd changed between the versions before and after 2.0 (just concerning the empty string, not the whole concept)? Is that not a sort of a downgrade?

Thanks for the discussion!

Regards,
Imed

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
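The smbpasswd line Imed posted, the distinction Jerry draws between a NO PASSWORD entry and a hashed empty string, and the check Jerry suggests adding to smbpasswd can all be exercised mechanically. The Python script below is an added example written for this thread, not Samba's own code: it parses smbpasswd-format lines, classifies each account, reads "null passwords" from an smb.conf fragment, and lists the accounts that would accept a blank password under that configuration. The function names, the accounts other than ben's line, and the smb.conf fragment are constructed for the example; the empty-string NT hash is the value from ben's line in the thread.

```python
"""Audit a Samba smbpasswd file for accounts that authenticate with a blank
password and compare the result with 'null passwords' in smb.conf.

Added example for this mailing-list thread (not Samba code); input is constructed.
"""
import re
from dataclasses import dataclass

# NT hash (MD4 over the UTF-16LE encoding) of the empty string; this is the
# NT hash in the thread's smbpasswd line for user 'ben'.
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"
# smbpasswd stores the literal marker "NO PASSWORD" (padded with X to 32
# characters) instead of a hash for a 'no password' account.
NO_PASSWORD_PREFIX = "NO PASSWORD"


@dataclass
class Entry:
    user: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str  # account-control letters from the [...] field, e.g. "UX", "UN", "UD"


def parse_smbpasswd(text: str) -> list[Entry]:
    """Parse user:uid:LMHASH:NTHASH:[flags]:LCT-...: lines; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed smbpasswd line: {raw!r}")
        flags = ""
        if len(fields) > 4:
            m = re.fullmatch(r"\[([A-Za-z ]*)\]", fields[4].strip())
            if m:  # older files carry a GECOS string here instead of flags
                flags = m.group(1).replace(" ", "")
        entries.append(Entry(fields[0], int(fields[1]), fields[2].upper(),
                             fields[3].upper(), flags))
    return entries


def classify(e: Entry) -> str:
    """'disabled', 'no password' (the NO PASSWORD marker or N flag),
    'empty password' ("" hashed like any other string, the thread's case), or 'ok'.
    Only the NT hash is compared: Windows stores the empty-string LM hash for
    any password longer than 14 characters, so the LM field alone proves nothing."""
    if "D" in e.flags:
        return "disabled"
    if "N" in e.flags or e.nt_hash.startswith(NO_PASSWORD_PREFIX):
        return "no password"
    if e.nt_hash == EMPTY_NT_HASH:
        return "empty password"
    return "ok"


def null_passwords_enabled(smbconf: str) -> bool:
    """Effective 'null passwords' value from [global] (Samba's default is no).
    Parameter names are matched case- and whitespace-insensitively, as smbd does."""
    section, enabled = None, False
    for raw in smbconf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower().replace(" ", "") == "nullpasswords":
                enabled = val.strip().lower() in ("yes", "true", "1")
    return enabled


def blank_login_users(smbpasswd_text: str, smbconf: str) -> list[str]:
    """Users that can map a share with a blank password under this smb.conf.
    As described in the thread: an empty-string hash is accepted regardless of
    'null passwords'; a NO PASSWORD entry is accepted only when it is set to yes."""
    allow_null = null_passwords_enabled(smbconf)
    result = []
    for e in parse_smbpasswd(smbpasswd_text):
        state = classify(e)
        if state == "empty password" or (state == "no password" and allow_null):
            result.append(e.user)
    return result


def reject_new_password(new_passwd: str, allow_null: bool) -> bool:
    """Jerry's proposed smbpasswd check in Python form: refuse an empty new
    password unless 'null passwords = yes' (hypothetical helper, not Samba code)."""
    return not allow_null and len(new_passwd) == 0


# Constructed sample data: 'ben' is the thread's own line; the other hashes are arbitrary.
SAMPLE_SMBPASSWD = """\
# constructed smbpasswd sample
ben:781:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[UX         ]:LCT-3DA3119B:
alice:1001:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[UN         ]:LCT-3DA3119B:
carol:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3DA3119B:
dave:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-3DA3119B:
"""

SAMPLE_SMBCONF = """\
[global]
   workgroup = EXAMPLE
   null passwords = no
   guest ok = no
[homes]
   guest ok = no
"""

if __name__ == "__main__":
    for e in parse_smbpasswd(SAMPLE_SMBPASSWD):
        print(f"{e.user:8} {classify(e)}")
    print("blank login allowed for:", blank_login_users(SAMPLE_SMBPASSWD, SAMPLE_SMBCONF))
```

Run against a real smbpasswd file, the script reports ben as accepting a blank password even though the configuration says null passwords = no, which is exactly the inconsistency the thread describes; the NO PASSWORD account is only listed once that setting is flipped to yes.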