Hello,

I need an answer to the following problem:

I have a Samba server with domain logons enabled and with encrypt passwords=no. So I don't use the smbpasswd file, only the Unix password files.

When I try to log on with a Win95 client (client for Microsoft Networks, logging on to a domain), people with mixed-case passwords cannot log on to the Samba logon server. Those with a password in lower case can log on without any problem.

I can solve this issue by using the "password level" parameter but I don't want to do this since it puts a greater load on the server and decreases security.

Does anyone know why the Win9x clients do not support mixed-case passwords when logging on to a domain? Does anyone know a solution or recognize the problem?

When I sniff the connection with tcpdump-smb I see something like:

    CaseInsensitivePasswordLength=[000] 53 44 45 53 44 45 00 00 00 00 00 00 00 00 57 45 SDESDE.. ......WE

The cleartext password was: sdeSDE.

Any information would be greatly appreciated!

Thanks a lot,

Werner Maes
KULeuven

PS: I have Samba 2.0.7 on RH 6.2.

Greg Williamson wrote:

> Werner Maes wrote:
>
> > I can solve this issue by using the "password level" parameter but I
> > don't want to do this since it puts a greater load on the server and
> > decreases security.
>
> But it will fix the problem. It only increases the load for people with
> mixed-case passwords. It does decrease security, which is why people
> may be better off having different LAN/Unix passwords.
>
> > Does anyone know why the Win9x-clients do not support mixed-case
> > passwords when logging to a domain? Does anyone know a solution or
> > recognizes the problem?
>
> Win9x sends the password in uppercase. By default, samba converts to
> lowercase, tries in upper case, then works through the password
> capitalising up to "password level" letters.
>
> If you were to use an smbpasswd file it would fix the problem too. You
> could also try playing with encrypt passwords and update encrypted to
> help generate/populate/maintain your smbpasswd file a bit more easily.

Yes, but I have 25.000 users which means I cannot use the smbpasswd file since this is very slow (it is a non-indexed file). I am forced to use passwd (or rather a databased version of passwd).

Isn't there a patch available which enables Win9x to send the passwords in mixed-case?

Kind regards,

Werner Maes
KULeuven.
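
The "password level" search described in the reply quoted above, modelled as an added example (not code from Samba or from anyone in this thread). It counts how many hash comparisons one uppercased Win9x password costs at each level; unix_hash() is a SHA-256 stand-in for crypt(3), and all function names are hypothetical.

```python
import hashlib
from itertools import combinations
from math import comb

def unix_hash(password):
    # Assumption: SHA-256 stands in for the crypt(3) hash in the Unix password file.
    return hashlib.sha256(password.encode()).hexdigest()

def candidates(received, level):
    """Yield guesses in the order the thread describes: lower case, upper
    case, then the lower-case form with up to `level` letters capitalised."""
    lower, upper = received.lower(), received.upper()
    yield lower
    if upper != lower:
        yield upper
    letters = [i for i, c in enumerate(lower) if c.isalpha()]
    for k in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            guess = "".join(chars)
            if guess != upper:  # all-upper was already tried
                yield guess

def check(received, stored_hash, level):
    """Return (matched, hash comparisons performed) for one logon attempt."""
    attempts = 0
    for guess in candidates(received, level):
        attempts += 1
        if unix_hash(guess) == stored_hash:
            return True, attempts
    return False, attempts

def worst_case_attempts(n_letters, level):
    """Distinct spellings tried for a password with n_letters letters."""
    total = 2 + sum(comb(n_letters, k) for k in range(1, level + 1))
    return min(2 ** n_letters, total)

if __name__ == "__main__":
    stored = unix_hash("sdeSDE")   # Unix password from the first post
    for level in range(4):         # client sends "SDESDE", as in the trace
        print(level, check("SDESDE", stored, level))
```

The attempt count is also the number of stored-password spellings that a single uppercase submission is tested against, so both the server load and the loss of case entropy grow with the level.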

On Wed, 21 Jun 2000, Werner Maes wrote:

> I have a Samba server with domain logons enabled and with
> encrypt passwords=no. So I don't use the smbpasswd file, only
> the Unix password files.
> When I try to logon with a Win95 client (client for Microsoft Networks,
> logging on to a domain), people with mixed-case passwords cannot logon
> to the Samba logon server. Those with a password in lower case can logon
> without any problem.

As you have already found with your tcpdump trace, Windows machines that are using cleartext password authentication convert the password to upper case before sending it over the network. As far as I know, there is *nothing* that can be done to prevent Windows from doing this.

If you are going to stick with cleartext passwords then ideally your users need to adopt single case passwords.

Mixed case passwords are one of the (many) advantages that you would gain if you were to adopt encrypted authentication on your Samba server (and yes, I realize that encrypted auth and maintaining an smbpasswd file is a pain in many other respects).

Regards,
--
Neil Hoggarth
Departmental Computer Officer
<neil.hoggarth@physiol.ox.ac.uk>
Laboratory of Physiology
http://www.physiol.ox.ac.uk/~njh/
University of Oxford, UK

Werner Maes wrote:

> I can solve this issue by using the "password level"
> parameter but I don't want to do this since it puts a greater
> load on the server and decreases security.
>
> Does anyone know why the Win9x-clients do not
> support mixed-case passwords when logging to a domain? Does
> anyone know a solution or recognizes the problem?

On a decent server, my experience has been that the load is actually small for password server = 4. I say small in comparison to performance.

The UPPER casing of passwords is simply a Windows 9x client issue and there is no way of getting around it. Of course, other posts have already mentioned the possibility of using password encryption, but you replied this was not an option.

Sorry for the bad news,

jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter          Professional Services
\/ http://www.valinux.com         VA Linux Systems     gcarter@valinux.com
   http://www.samba.org           SAMBA Team           jerry@samba.org
   http://www.eng.auburn.edu/~cartegw

"...a hundred billion castaways looking for a home."
        - Sting "Message in a Bottle" ( 1979 )

On Wed, 21 Jun 2000, Werner Maes wrote:

> I have a Samba server with domain logons enabled and with
> encrypt passwords=no. So I don't use the smbpasswd file, only
> the Unix password files.
> When I try to logon with a Win95 client (client for Microsoft Networks,
> logging on to a domain), people with mixed-case passwords cannot logon
> to the Samba logon server. Those with a password in lower case can logon
> without any problem.

As you're using a special version of the passwd program, add an option to do case-insensitive matches, and pass it in calls from samba only.

Should take about three lines of code... plus one in Samba itself.

--dave
--
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest. -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb@canada.sun.com