Hello,

Does somebody have a tool to convert a /etc/passwd to a smbpasswd with getting
a valid LAN Manager and NT hash?
Or does anybody have a trick for how I can synchronise the /etc/passwd with the
smbpasswd without changing a Unix passwd twice (passwd, smbpasswd)?

Thanks,

Martin

***********************************************************************
** Martin Schuster
** Nortel DASA Network Systems GmbH & Co. KG, Germany
** IT-Service
** Abt. / Dept. ND762
** 88039 Friedrichshafen
**
** Phone  +49-7545-967765      ESN: 565-7765
** Fax:   +49-7545-967621      ESN: 565-7621
** E-MAIL: Martin.Schuster@Nortel-Dasa.de
***********************************************************************

>Hello,
>
>Does somebody have a tool to convert a /etc/passwd to a smbpasswd with getting
>a valid LAN Manager and NT hash?
>Or does anybody have a trick for how I can synchronise the /etc/passwd with the
>smbpasswd without changing a Unix passwd twice (passwd, smbpasswd)?
>
>Thanks,
>
>Martin

Martin

that's exactly what I need as well. The problem is that NIS passwd
commands require the old password, even when called by root, which is not
given by smbpasswd (you can use %o in your chat script but it never gets
transmitted).

We already tried to write shell scripts to be called by smbpasswd which
directly change the entry in the /etc/passwd file but stopped this due
to security considerations.

In my opinion the only (sensible) solution to this problem is to include
the support for the old password (%o) in smbpasswd. I know it's not done
due to compatibility reasons but maybe it could be integrated as an
option?

Rainer

--
  _   _   _   _   _   _      RAINER HAUCK
 |\/|  |\ |  |\/|            Institut fuer Informatik / Dept. of CS
 |  |  | \|  |  |            Ludwig-Maximilians-University Munich
 ======= TEAM =======        Oettingenstr. 67, 80538 Munich, Germany
Munich Network Management Team    Room D01,Phone +49-89-2178-2155,Fax-2262
Muenchner Netz-Management Team    email: hauck@informatik.uni-muenchen.de

My NIS master server is also my Samba password server and I use the
following to sync passwords:

    security = user
    unix password sync = yes
    passwd program = /bin/passwd -r files %u; cd /var/yp; /usr/ccs/bin/make passwd
    passwd chat = *New\spassword:* "%n\n" *new\spassword:* "%n\n" *updated\spasswd* . *pushed\spasswd*
    #passwd chat debug = true
    #debug level = 100

Note that this will only work on the NIS master server, but this allows
you to use the passwd '-r' option and the yp make, which overcomes the
problem of needing the old password.

On Sun, 6 Dec 1998 samba@samba.org wrote:

> Date: Fri, 04 Dec 1998 18:17:21 +0100
> From: Rainer Hauck <hauck@nm.informatik.uni-muenchen.de>
> To: Samba@samba.org
> Subject: Re: Synchonisation between NIS and encrypted SMBPASSWD
> Message-ID: <36681921.820D9FAD@nm.informatik.uni-muenchen.de>
>
> >Hello,
> >
> >Does somebody have a tool to convert a /etc/passwd to a smbpasswd with
> >getting a valid LAN Manager and NT hash?
> >Or does anybody have a trick for how I can synchronise the /etc/passwd
> >with the smbpasswd without changing a Unix passwd twice (passwd, smbpasswd)?
> >
> >Thanks,
> >
> >Martin
>
> Martin
>
> that's exactly what I need as well. The problem is that NIS passwd
> commands require the old password, even when called by root, which is not
> given by smbpasswd (you can use %o in your chat script but it never gets
> transmitted).
>
> We already tried to write shell scripts to be called by smbpasswd which
> directly change the entry in the /etc/passwd file but stopped this due
> to security considerations.
>
> In my opinion the only (sensible) solution to this problem is to include
> the support for the old password (%o) in smbpasswd. I know it's not done
> due to compatibility reasons but maybe it could be integrated as an
> option?
>
> Rainer
>
> --
>   _   _   _   _   _   _      RAINER HAUCK
>  |\/|  |\ |  |\/|            Institut fuer Informatik / Dept. of CS
>  |  |  | \|  |  |            Ludwig-Maximilians-University Munich
>  ======= TEAM =======        Oettingenstr. 67, 80538 Munich, Germany
> Munich Network Management Team    Room D01,Phone +49-89-2178-2155,Fax-2262
> Muenchner Netz-Management Team    email: hauck@informatik.uni-muenchen.de

--
Todd Pfaff                         \  Email: pfaff@mcmaster.ca
Computing and Information Services  \ Voice: (905) 525-9140 x22920
ABB 132                              \ FAX: (905) 528-3773
McMaster University                   \
Hamilton, Ontario, Canada  L8S 4M1     \

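How a passwd chat string like the one in the message above is walked through, as an added Python sketch (not Samba's code and not part of the thread). The program output, the NIS_CHAT string and the choice to raise an error when %o has no plaintext behind it are assumptions of this sketch.

```python
import re

MACROS = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

# The chat string from the message above, plus a hypothetical chat for a
# passwd program that first asks for the old password (as NIS passwd does).
TODD_CHAT = r'*New\spassword:* "%n\n" *new\spassword:* "%n\n" *updated\spasswd* . *pushed\spasswd*'
NIS_CHAT = r'*Old\spassword:* "%o\n" *New\spassword:* "%n\n"'
# Constructed program output, one entry per read; not captured from a real host.
SAMPLE_OUTPUT = ["New password: ", "Re-enter new password: ",
                 "passwd: changed\nupdated passwd\n", "pushed passwd\n"]

def parse_chat(chat):
    """Split into (expect, send) pairs; double quotes group one token."""
    tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', chat)]
    if len(tokens) % 2:          # trailing expect with nothing to send
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))

def expand(text, new_pw, old_pw):
    """Substitute %n, %o and the backslash macros in one pass."""
    def sub(match):
        tok = match.group(0)
        if tok == "%o" and old_pw is None:   # modelling choice of this sketch
            raise ValueError("%o used but no plaintext old password is available")
        return {"%n": new_pw, "%o": old_pw, **MACROS}[tok]
    return re.sub(r"%[no]|\\[nrts]", sub, text)

def matches(pattern, output):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, output, re.DOTALL) is not None

def run_chat(chat, program_output, new_pw, old_pw=None):
    """Return what would be written to the passwd program's stdin."""
    sent, outputs = [], iter(program_output)
    for expect, send in parse_chat(chat):
        if expect != ".":        # "." means: expect nothing at this step
            got = next(outputs, "")
            if not matches(expand(expect, new_pw, old_pw), got):
                raise RuntimeError(f"expected {expect!r}, got {got!r}")
        if send != ".":          # "." means: send nothing at this step
            sent.append(expand(send, new_pw, old_pw))
    return sent

if __name__ == "__main__":
    print(run_chat(TODD_CHAT, SAMPLE_OUTPUT, "N3w-constructed"))
```
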
Rainer wrote :

> In my opinion the only (sensible) solution to this problem is to include
> the support for the old password (%o) in smbpasswd. I know it's not done
> due to compatibility reasons but maybe it could be integrated as an
> option?
>

No it's not done because it's impossible without storing
the plaintext passwords in smbpasswd.

The Windows clients will send the plaintext of the new
password (encrypted) to the password change server, but
they don't possess the plaintext of the old password,
just the Lanman or NT hash of it (which is of no use
for NIS passwords).

Sorry, but that's the real reason why %o cannot be
supported when using encrypted password change support.

Regards,

	Jeremy Allison,
	Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

> Date: Sun, 06 Dec 1998 11:50:55 -0800
> From: Jeremy Allison <jallison@cthulhu.engr.sgi.com>
> To: samba@samba.org
> Subject: Re: Synchonisation between NIS and encrypted SMBPASSWD
> Message-ID: <366AE01F.18496F63@engr.sgi.com>
>
> Rainer wrote :
>
> > In my opinion the only (sensible) solution to this problem is to include
> > the support for the old password (%o) in smbpasswd. I know it's not done
> > due to compatibility reasons but maybe it could be integrated as an
> > option?
> >
>
> No it's not done because it's impossible without storing
> the plaintext passwords in smbpasswd.
>
> The Windows clients will send the plaintext of the new
> password (encrypted) to the password change server, but
> they don't possess the plaintext of the old password,
> just the Lanman or NT hash of it (which is of no use
> for NIS passwords).
>
> Sorry, but that's the real reason why %o cannot be
> supported when using encrypted password change support.

Jeremy,

I do understand that it's not possible to get the old password from a
Windows client. However, in our environment there's no need to change
passwords from Windows. We only change them from UNIX.

Correct me if I'm wrong, but in my opinion it works the following way:

A user calls smbpasswd and is authenticated by his old password. Then he
enters a new password. Both passwords are available in plaintext to
smbpasswd. Smbpasswd then somehow calls the local passwd program as
defined through passwd chat. It provides the new password to the passwd
command but it doesn't provide the old password. I think that if the new
password is available there's no reason why the old one shouldn't be as
well (except for compatibility with Windows clients).

That's why I suggested to add the %o on demand through a special option
in smbpasswd.

Thanks + best regards

Rainer

--
  _   _   _   _   _   _      RAINER HAUCK
 |\/|  |\ |  |\/|            Institut fuer Informatik / Dept. of CS
 |  |  | \|  |  |            Ludwig-Maximilians-University Munich
 ======= TEAM =======        Oettingenstr. 67, 80538 Munich, Germany
Munich Network Management Team    Room D01,Phone +49-89-2178-2155,Fax-2262
Muenchner Netz-Management Team    email: hauck@informatik.uni-muenchen.de