Hello

Why is it necessary to specify encrypt passwords = no to make the Samba server
start using solely /etc/passwd? Isn't it possible to tell the Samba server that
on the way between a client and the server the passwords should be encrypted,
and after decryption they will be checked against /etc/passwd and not
smbpasswd, tdb or whatever backend?

Cl<
On 31 Aug 2004, Karel Kulhavy entreated about "[Samba] encrypted passwords and
/etc/passwd":

} Isn't it possible to tell Samba server that on the way between a
} client and the server, the passwords should be encrypted, and after
} decryption, they will be checked against /etc/passwd and not
} smbpasswd, tdb or whatever backend?

Passwords are never decrypted since they use a one-way hash function.
In other words, they CANNOT be decrypted, for good security reasons.
When a server stores your password, it stores the encrypted version,
and can only check an encrypted password against that.

Windows and Unix use different password encryption.

Therefore, in order to use the Unix encrypted hash in /etc/passwd, the
Unix box needs to receive the plain text password from Windows so it
can encrypt it itself. Windows encrypted passwords are stored in
smbpasswd and are incompatible with the /etc/passwd format.

--
DA Forsyth                  Network Supervisor
Principal Technical Officer -- Institute for Water Research
http://www.ru.ac.za/institutes/iwr/
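The mechanism described in the reply above, in code. This is an added example and not Samba's own code: it implements the NT hash (MD4 over the UTF-16LE password, which is what smbpasswd stores) beside the crypt(3) hash kept in /etc/shadow, then shows what each server-side check needs from the client. The user name and UID, the smbpasswd line layout with placeholder flag and LCT fields, the simplified HMAC-MD5 challenge-response standing in for NTLM, and the salted-SHA-512 fallback used when the interpreter no longer ships the crypt module are all assumptions of the example.

```python
"""Why `encrypt passwords = yes` needs smbpasswd while `= no` can use /etc/passwd.

Added example, not Samba code. MD4 is implemented inline because hashlib's MD4
is often missing (OpenSSL legacy provider). The Unix side uses crypt(3) where
the interpreter still ships the `crypt` module; otherwise a salted SHA-512
stand-in (an assumption, not real $6$ sha512crypt) keeps the demo runnable.
"""
import hashlib
import hmac
import os
import struct

try:
    import crypt  # removed from the standard library in Python 3.13
except ImportError:
    crypt = None

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: the one-way function behind the Windows NT password hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                              # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 2
            a = _rotl((a + G(b, c, d) + X[k2[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 3
            a = _rotl((a + H(b, c, d) + X[k3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: same password, same hash."""
    return md4(password.encode("utf-16-le"))


def smbpasswd_line(user: str, uid: int, password: str) -> str:
    """smbpasswd(8) entry: LM field disabled ('X' * 32), NT hash as 32 hex digits.
    The flags and LCT fields are placeholders (assumption)."""
    return f"{user}:{uid}:{'X' * 32}:{nt_hash(password).hex().upper()}:[U          ]:LCT-00000000:"


def ntlm_response(nt: bytes, challenge: bytes) -> bytes:
    """Simplified challenge-response keyed with the NT hash (assumption: real NTLMv2
    also mixes in user, domain and a client blob). Only the hash is needed on
    either side; the plaintext never leaves the client."""
    return hmac.new(nt, challenge, "md5").digest()


def smb_server_check(stored_line: str, challenge: bytes, response: bytes) -> bool:
    """encrypt passwords = yes: verifying needs the NT hash on file (smbpasswd/tdbsam).
    A crypt(3) hash from /etc/shadow cannot be turned into an NT hash, so it is useless here."""
    stored_nt = bytes.fromhex(stored_line.split(":")[3])
    return hmac.compare_digest(ntlm_response(stored_nt, challenge), response)


def unix_hash(password: str, salt=None) -> str:
    """What /etc/shadow stores: a salted one-way hash computed from the plaintext."""
    if crypt is not None:
        return crypt.crypt(password, salt or crypt.mksalt(crypt.METHOD_SHA512))
    salt = salt or "$x$" + os.urandom(8).hex()          # stand-in format (assumption)
    return salt + "$" + hashlib.sha512((salt + password).encode()).hexdigest()


def passwd_server_check(stored_shadow: str, client_plaintext: str) -> bool:
    """encrypt passwords = no: the client sent the password itself, so the server
    re-runs crypt(3) with the stored salt and compares. No smbpasswd involved,
    but the password crossed the network in the clear."""
    if crypt is not None:
        candidate = crypt.crypt(client_plaintext, stored_shadow)   # salt parsed from stored value
    else:
        candidate = unix_hash(client_plaintext, stored_shadow.rsplit("$", 1)[0])
    return hmac.compare_digest(candidate, stored_shadow)


def demo(password: str = "password", attempt: str = "password") -> dict:
    """Run both server-side checks for one (stored password, client attempt) pair."""
    line = smbpasswd_line("karel", 1000, password)       # constructed sample user
    shadow = unix_hash(password)
    challenge = os.urandom(8)
    client_nt = nt_hash(attempt)                          # the client derives this locally
    return {
        "nt_hex": nt_hash(password).hex(),
        "smb_ok": smb_server_check(line, challenge, ntlm_response(client_nt, challenge)),
        "passwd_ok": passwd_server_check(shadow, attempt),
    }


if __name__ == "__main__":
    print(smbpasswd_line("karel", 1000, "password"))
    print(demo(), demo(attempt="wrong"))
```

Run it and the two checks succeed for the right password and fail for the wrong one, but note what each one consumed: the smbpasswd check never saw a plaintext, and the /etc/shadow check could not have run without one. That is the whole reason `encrypt passwords = no` is the only way to authenticate against /etc/passwd, and also the reason to avoid it on anything but an isolated network: the password travels in the clear, and Windows clients since NT4 SP3 and Windows 98 refuse to send plaintext SMB passwords unless explicitly reconfigured to do so.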
> On 31 Aug 2004, Karel Kulhavy entreated about
> "[Samba] encrypted passwords and /etc/passwd":
>
> } Isn't it possible to tell Samba server that on the way between a
> } client and the server, the passwords should be encrypted, and after
> } decryption, they will be checked against /etc/passwd and not
> } smbpasswd, tdb or whatever backend?
>
> passwords are never decrypted since they use a one way hash function.
> in other words, they CANNOT be decrypted, for good security reasons.
> when a server stores your password, it stores the encrypted version,
> and can only check an encrypted password against that.
>
> Windows and Unix use different password encryption
>
> therefore, in order to use the Unix encrypted hash in the
> /etc/passwd, the unix box needs to receive the plain text password
> from Windows so it can encrypt it itself. Windows encrypted
> passwords are stored in smbpasswd and are incompatible with the
> /etc/passwd format

Thanks, I completely understand it now.

I didn't get this idea reading man smb.conf, the entry about encrypt
passwords =. The manpage says that setting encrypt passwords = yes requires
usage of smbpasswd. However it doesn't say why. Shouldn't the explanation why
also be part of the manpage? Should I file a bugreport against the manpage?

The manpage also omits one fact: that when encrypt passwords = no, the server
won't try to access the smbpasswd file and will use /etc/passwd directly. I
think this should be added too. It can't be deduced from what is in the
manpage currently. Should I file this also as a bugreport against the man
smb.conf manpage?

Cl<

> --
> DA Forsyth                  Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/
> On 1 Sep 2004, Karel Kulhavy entreated about
> "Re: [Samba] encrypted passwords and /etc/passwd":
>
> Hiya
>
> } > passwords are stored in smbpasswd and are incompatible with the
> } > /etc/passwd format
> }
> } Thanks, I completely understand it now.
> }
> } I didn't get this idea reading man smb.conf, the entry about encrypt
> } passwords =. The manpage says that setting encrypt passwords = yes
> } requires usage of smbpasswd. However it doesn't say why. Shouldn't the
> } explanation why be also part of the manpage? Should I file a bugreport
> } against the manpage?
>
> must say I never got the idea of using plaintext passwords to bypass
> the smbpasswd either, but then I'm not looking for that at all, I'd

For what? Bypassing smbpasswd, or using plaintext passwords?

Cl<

> much prefer my Samba users to be unable to login to the *nix part of
> the box. My security model goes "they don't need to, therefore
> prevent them" (-:
>
> } Should I file this also as a bugreport against the man smb.conf
> } manpage?
>
> I don't know what a bugreport all entails so it's your call there.
> I'd say that if you can put all the facts together, with references,
> and just send that as a HOWTO to the list, and maybe a bugreport,
> that would achieve a lot.
>
> --
> DA Forsyth                  Network Supervisor
> Principal Technical Officer -- Institute for Water Research
> http://www.ru.ac.za/institutes/iwr/