Martin Rusko
2002-Jan-12 07:26 UTC
Summary of "encrypted and cleartext password in the same time" issue.
Hi all,
this is an attempt to cover all possibilities, how to access samba server with clients sending cleartext password (CP clients) (original Win95, WinNT until SP3) and clients sending encrypted password (EP clients) (Win98, Win2k, ....) at the same time. Any feedback, comments, questions or improvements are very welcome. :-)

One who wants to set up an environment to use both types of clients (sending cleartext and encrypted passwords) has three options:
1.) All clients will send cleartext password and therefore we have to force clients which are sending encrypted passwords to use cleartext passwords.
2.) Some clients will send cleartext password, others encrypted passwords. Then it is in place to synchronize unix passwords with smbpassword file.
3.) All clients will send encrypted password and therefore we have to force clients which are sending cleartext password to use encrypted passwords. (At least, with win95 it is possible, other clients I don't know)

And now, look at our three options more deeply:

1.) All clients using cleartext passwords.
This could be done by changing some registry entries on windows client. Which one, I will refer you, dear reader, to look into samba/docs/registry directory in samba sources. There are some files with *.reg extension. Just double-clicking on suitable file within windows should import needed settings into windows registry.

2.) Mixed passwords.
No changes need to be made on windows clients. Just a little bit more complicated setup on samba. First of all, we need to have different config file entries for EP clients and CP clients.
For EP clients we need in smb.conf:
[global]
encrypt passwords = yes
For CP clients we need in smb.conf:
[global]
encrypt passwords = no
Of course, the question is how to do that in one config file? Answer is to include one config file to another. Have a look on this:
---- smb.conf -----
[global]
encrypt passwords = yes
include = /etc/samba/smb.conf.%m
-----------------------

---- smb.conf.[netbios name of our win95 machine] ----
[global]
encrypt passwords = no
-----------------------------------------------------------------------------

So we have to write for each win95 machine own config file. But what, if we have tens of such clients? Maybe, we could write only something like /etc/samba/smb.conf.win95 file, and just symlink the others to it. But, when users change their machine name, they won't be able to login/map network drives.
And we should also with mixed passwords setup in configuration file password synchronization:
--- smb.conf ------
unix password sync = yes
-----------------------
See also "passwd program", "passwd chat" or "pam password change" parameters in 'man smb.conf'. Without these correctly set up, it won't work!
Syncing passwords is good, because if one user changes his password sitting behind EP clients and then tries to log in from CT client, it will fail for him.

3.) Third solution is to force all clients using encrypted passwords, and thus to have only EP clients. It is simple. What you really need to do is to download some win95 patches from Microsoft or from numerous other places on the Net. The patches are different for original Win95, Win95 OSR1 and Win95 OSR2. For win95 and win95 osr1 we use secupd.exe. For win95 osr2 we should use secupd2.exe. It seems to be, that these patches are fixing security hole about storing cleartext password in memory. But after updating, win95 are also sending encrypted passwords over network, which is great!! ;-) To find these patches, just enter 'secupd.exe site:microsoft.com' in Google, or use microsoft knowledge base to find more info.

At the end, I recommend to read 'man smb.conf', and various documents in samba/docs directory, which are very helpful.
Which solution is the best for you, dear reader, is up to you. ;-)

mARTin Rusko

--
Martin Rusko
PhD student
Slovak Technical University
Faculty of Mechanical Engineering
Department of Automation
--
e-mail: rusko@kam.vm.stuba.sk
mobile: +421 903 246698
--
motto: We are Microsoft! Resistance is futile.
Open your source code and prepare for assimilation.
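The per-client include layout from the message above, audited for files that switch a client to cleartext passwords. This is an added example, not part of the original post or of Samba; the machine names win95, w2kbox and lab1 and the flat directory of config files are assumptions.

```python
import os
import tempfile

def parse_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            # Parameter names are compared without regard to case or spaces.
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(conf_dir, main="smb.conf"):
    """Map each client name whose %m file disables encryption to its real file."""
    with open(os.path.join(conf_dir, main)) as fh:
        base = parse_global(fh.read())
    include = base.get("include", "")
    report = {"cleartext": {}, "sync_missing": False}
    if "%m" not in include:
        return report
    prefix = os.path.basename(include).split("%m")[0]
    for name in sorted(os.listdir(conf_dir)):
        machine = name[len(prefix):]
        if not name.startswith(prefix) or not machine:
            continue
        path = os.path.join(conf_dir, name)
        with open(path) as fh:  # open() follows symlinks to a shared file
            override = parse_global(fh.read())
        if override.get("encryptpasswords", "").lower() in ("no", "false", "0"):
            report["cleartext"][machine] = os.path.basename(os.path.realpath(path))
    synced = base.get("unixpasswordsync", "").lower() in ("yes", "true", "1")
    report["sync_missing"] = bool(report["cleartext"]) and not synced
    return report

def demo():
    """Audit a constructed layout; the machine names are hypothetical."""
    files = {
        "smb.conf": "[global]\nencrypt passwords = yes\n"
                    "include = /etc/samba/smb.conf.%m\n",
        "smb.conf.win95": "[global]\n  Encrypt Passwords = No\n",
        "smb.conf.w2kbox": "[global]\n; no override for this client\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        os.symlink("smb.conf.win95", os.path.join(d, "smb.conf.lab1"))
        return audit(d)
```

Every name under `cleartext` is a client for which the server will negotiate a plaintext password, and `sync_missing` is set when such clients exist but the main file lacks `unix password sync = yes`.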
Yan Seiner
2002-Jan-12 14:23 UTC
Summary of "encrypted and cleartext password in the same time" issue.
Could this possibly be used to provide different workgroups to different clients? That would be very cool.

I would really like to have one server serving 5 distinct workgroups on the same physical lan, each with its own subnet. Right now, everyone is a member of the same domain and all the machines are in NetNeigh. Some are browsable, some are not, depending on the subnets.

Can this be done?

--Yan

Martin Rusko wrote:
>
> Hi all,
> this is an attempt to cover all possibilities, how to access samba server with
> clients sending cleartext password (CP clients) (original Win95, WinNT until
> SP3) and clients sending encrypted password (EP clients) (Win98, Win2k,
> ....) at the same time. Any feedback, comments, questions or improvements
> are very welcome. :-)
>
> One who wants to set up an environment to use both types of clients (sending
> cleartext and encrypted passwords) has three options:
> 1.) All clients will send cleartext password and therefore we have to force
> clients which are sending encrypted passwords to use cleartext passwords.
> 2.) Some clients will send cleartext password, others encrypted passwords.
> Then it is in place to synchronize unix passwords with smbpassword file.
> 3.) All clients will send encrypted password and therefore we have to force
> clients which are sending cleartext password to use encrypted passwords.
> (At least, with win95 it is possible, other clients I don't know)
>
> And now, look at our three options more deeply:
> 1.) All clients using cleartext passwords.
> This could be done by changing some registry entries on windows client.
> Which one, I will refer you, dear reader, to look into samba/docs/registry
> directory in samba sources. There are some files with *.reg extension. Just
> double-clicking on suitable file within windows should import needed settings
> into windows registry.
>
> 2.) Mixed passwords.
> No changes need to be made on windows clients. Just a little bit more
> complicated setup on samba. First of all, we need to have different config file
> entries for EP clients and CP clients.
> For EP clients we need in smb.conf:
> [global]
> encrypt passwords = yes
> For CP clients we need in smb.conf:
> [global]
> encrypt passwords = no
> Of course, the question is how to do that in one config file? Answer is to
> include one config file to another. Have a look on this:
> ---- smb.conf -----
> [global]
> encrypt passwords = yes
> include = /etc/samba/smb.conf.%m
> -----------------------
>
> ---- smb.conf.[netbios name of our win95 machine] ----
> [global]
> encrypt passwords = no
> -----------------------------------------------------------------------------
>
> So we have to write for each win95 machine own config file. But what, if we
> have tens of such clients? Maybe, we could write only something like
> /etc/samba/smb.conf.win95 file, and just symlink the others to it. But, when
> users change their machine name, they won't be able to login/map network
> drives.
> And we should also with mixed passwords setup in configuration file
> password synchronization:
> --- smb.conf ------
> unix password sync = yes
> -----------------------
> See also "passwd program", "passwd chat" or "pam password change"
> parameters in 'man smb.conf'. Without these correctly set up, it won't work!
> Syncing passwords is good, because if one user changes his password
> sitting behind EP clients and then tries to log in from CT client, it will fail for
> him.
>
> 3.) Third solution is to force all clients using encrypted passwords, and thus
> to have only EP clients. It is simple. What you really need to do is to
> download some win95 patches from Microsoft or from numerous other
> places on the Net. The patches are different for original Win95, Win95 OSR1
> and Win95 OSR2. For win95 and win95 osr1 we use secupd.exe. For win95
> osr2 we should use secupd2.exe. It seems to be, that these patches are
> fixing security hole about storing cleartext password in memory. But after
> updating, win95 are also sending encrypted passwords over network, which
> is great!! ;-) To find these patches, just enter 'secupd.exe site:microsoft.com'
> in Google, or use microsoft knowledge base to find more info.
>
> At the end, I recommend to read 'man smb.conf', and various documents in
> samba/docs directory, which are very helpful.
> Which solution is the best for you, dear reader, is up to you. ;-)
>
> mARTin Rusko
>
> --
> Martin Rusko
> PhD student
> Slovak Technical University
> Faculty of Mechanical Engineering
> Department of Automation
> --
> e-mail: rusko@kam.vm.stuba.sk
> mobile: +421 903 246698
> --
> motto: We are Microsoft! Resistance is futile.
> Open your source code and prepare for assimilation.

--
Daddy, did all the hair that fell off your head stick to your arms?
Akari, age 4
...
oberon.cardhome.lan: 5:15pm up 6 days, 21:34, 7 users, load average: 0.39, 0.18, 0.24
Andrew Bartlett
2002-Jan-12 17:42 UTC
Summary of "encrypted and cleartext password in the same time" issue.
Martin Rusko wrote:
>
> Hi all,
> this is an attempt to cover all possibilities, how to access samba server with
> clients sending cleartext password (CP clients) (original Win95, WinNT until
> SP3) and clients sending encrypted password (EP clients) (Win98, Win2k,
> ....) at the same time. Any feedback, comments, questions or improvements
> are very welcome. :-)

All the listed clients will send an encrypted password if 'encrypt passwords = yes'.

The 'CP' clients you list are only different in that they will *permit* a security downgrade if the server requests it. Later clients do not permit this downgrade without a registry hack (for security reasons).

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
samba.org build.samba.org hawkerc.net
Barker, Brian W.
2002-Jan-14 05:31 UTC
Summary of "encrypted and cleartext password in the same time" issue.
I have been also trying to get my UNIX Samba to work with both win95 and win2000 and have had this problem with encrypted vs. not. I don't understand this answer. You say "All the listed clients will send an encrypted password if 'encrypt passwords = yes'". But the 'encrypt passwords = yes' is in the config file on my Unix machine, are you saying that this will automatically make my Win95 machine send an encrypted password? I find this hard to believe but maybe it is so. What do you mean the clients will permit a security downgrade if the server requests it? Can you elaborate? Maybe Martin understands...

Brian W. Barker
SAIC
Rosslyn, VA

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@pcug.org.au]
Sent: Saturday, January 12, 2002 8:13 PM
To: Martin Rusko
Cc: samba@lists.samba.org; Barker, Brian W.
Subject: Re: Summary of "encrypted and cleartext password in the same time" issue.

Martin Rusko wrote:
>
> Hi all,
> this is an attempt to cover all possibilities, how to access samba server with
> clients sending cleartext password (CP clients) (original Win95, WinNT until
> SP3) and clients sending encrypted password (EP clients) (Win98, Win2k,
> ....) at the same time. Any feedback, comments, questions or improvements
> are very welcome. :-)

All the listed clients will send an encrypted password if 'encrypt passwords = yes'.

The 'CP' clients you list are only different in that they will *permit* a security downgrade if the server requests it. Later clients do not permit this downgrade without a registry hack (for security reasons).

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
samba.org build.samba.org hawkerc.net
Martin Rusko
2002-Jan-14 11:46 UTC
Summary of "encrypted and cleartext password in the same time" issue.
No, no extra configuration at win95 side is needed. Just use "encrypt passwords = yes", because others won't work (without registry hack). ;-)

I was three years thinking, that something is needed!!!! And what really scared me is, that I don't know why I thought it. Because it is working without any changes on win95. ;-(( I should drink less. ;-)))

mARTin

On 14 Jan 02, at 11:04, Gaurang Pandya wrote:
>
> Ok, then is there any extra configuration needed at Windows 95 side to either send
> passwds in plain text or encrypted format. Or it just behaves in the way it's specified in smb.conf file?
> Gaurang.
> Martin Rusko <rusko@kam.vm.stuba.sk> wrote:
> No, it was completely my fault.
> Windows 95 are able to send encrypted password and if needed also are
> able to send password in plain text form.
> Win2k will never send cleartext password, until changed in registry.
>
> So Brian, probably will have another problem. Because with "encrypt
> password = yes" it should work for both type of clients, also in the same
> workgroup/domain. ;-)
>
> mARTin
> On 14 Jan 02, at 10:02, Gaurang Pandya wrote:
>
> >
> > I have been seeing this discussion from quite a long time.
> > So thought let me to jump into it. So till now what I have understood is that
> > win95 sends unencrypted passwords and W2K clients send it encrypted.
> > and that's what makes problem when they are in same domain.
> > Am I wrong?
> > Any way if that is the case I think I have a solution to this problem.
> > It's quite simple (but not sure whether it will work or not need to test it out)
> > in [global] configuration have multiple netbios names registered by the Domain Controller (DC).
> > with following entry
> > netbios alias = dcw95 dcw2k
> > then we can call the config based on the client call to it. But in this case may be new machine accounts need to
> > be created at least for W95 clients. And that can be performed by including following line in config file.
> > config file = /etc/samba/smb.conf.%L
> > on the whole the smb.conf file will contain only those two lines. And rest of the things should be handled by
> > smb.conf.dcw95 and smb.conf.dcw2k.
> > According to documents this config should work. But needs a test I think.
> > Please let me know if I am wrong anywhere.
> > Thanks.
> > Gaurang.
> > "Barker, Brian W." wrote:
> > I have been also trying to get my UNIX Samba to work with
> > both win95 and win2000 and have had this problem with
> > encrypted vs. not. I don't understand this answer. You
> > say "All the listed clients will send an encrypted password
> > if 'encrypt passwords = yes'". But the 'encrypt passwords = yes'
> > is in the config file on my Unix machine, are you saying that
> > this will automatically make my Win95 machine send an encrypted
> > password? I find this hard to believe but maybe it is so. What do you
> > mean the clients will permit a security downgrade if the server
> > requests it? Can you elaborate? Maybe Martin understands...
> >
> > Brian W. Barker
> > SAIC
> > Rosslyn, VA
> >
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet@pcug.org.au]
> > Sent: Saturday, January 12, 2002 8:13 PM
> > To: Martin Rusko
> > Cc: samba@lists.samba.org; Barker, Brian W.
> > Subject: Re: Summary of "encrypted and cleartext password in the same
> > time" issue.
> >
> >
> > Martin Rusko wrote:
> > >
> > > Hi all,
> > > this is an attempt to cover all possibilities, how to access samba server with
> > > clients sending cleartext password (CP clients) (original Win95, WinNT until
> > > SP3) and clients sending encrypted password (EP clients) (Win98, Win2k,
> > > ....) at the same time. Any feedback, comments, questions or improvements
> > > are very welcome. :-)
> >
> > All the listed clients will send an encrypted password if 'encrypt
> > passwords = yes'.
> >
> > The 'CP' clients you list are only different in that they will *permit*
> > a security downgrade if the server requests it. Later clients do not
> > permit this downgrade without a registry hack (for security reasons).
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett abartlet@pcug.org.au
> > Manager, Authentication Subsystems, Samba Team abartlet@samba.org
> > Student Network Administrator, Hawker College abartlet@hawkerc.net
> > samba.org build.samba.org hawkerc.net
>
> --
> Martin Rusko
> PhD student
> Slovak Technical University
> Faculty of Mechanical Engineering
> Department of Automation
> --
> e-mail: rusko@kam.vm.stuba.sk
> mobile: +421 903 246698
> --
> motto: We are Microsoft! Resistance is futile.
> Open your source code and prepare for assimilation.

--
Martin Rusko
PhD student
Slovak Technical University
Faculty of Mechanical Engineering
Department of Automation
--
e-mail: rusko@kam.vm.stuba.sk
mobile: +421 903 246698