Jonathan Johnson
2004-Jun-24 14:45 UTC
[Samba] Windows 95, encrypted passwords, and secure channel communications
First of all, let me say "I know it's been fixed in Samba 3." That's for those of you who think I'm talking about the requiresignorseal registry hack in Windows XP. I'm not.

I ran into an issue when using Windows 95 clients with a Windows 2003 server. (Why not Samba? The customer needs terminal services for some Windows-only programs.) Because Windows 2003, by policy, implements tighter security including encrypted passwords and communications, Windows 95 will NOT communicate with a Windows 2003 server. (If I'm wrong about the encrypted passwords, someone please correct me.)

David Lechnyr's Unofficial Samba HOW-TO states in part, "Windows 95 doesn't use encrypted passwords, so this option must be disabled in your smb.conf to support these clients... Verify that your smb.conf file includes the parameter "encrypt passwords = yes" unless you are using Win95/Win95a or have disabled encrypted passwords in your other Windows clients (not a good idea)."

It turns out that Microsoft provided a patch for Windows 95, 98, and NT4 called "Active Directory Client Extension" which provides "NTLM version 2 authentication". At least under Windows 2003 it seems to work, allowing my Win95 clients access to the 2003 server.

I'm wondering if this patch will work on Windows 95 against a Samba server, allowing one to leave "encrypted passwords = yes" set. I don't have an available testbed to try it on right now.

More info: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

Note: the ADCE for 9x is on the Windows 2000 CD, but not the Windows 2003 CD, and is not downloadable from Microsoft.

--Jon Johnson
Sutinen Consulting, Inc.
jon@sutinen.com
Andrew Bartlett
2004-Jun-25 00:11 UTC
[Samba] Windows 95, encrypted passwords, and secure channel communications
On Fri, 2004-06-25 at 00:45, Jonathan Johnson wrote:
> First of all, let me say "I know it's been fixed in Samba 3." That's
> for those of you who think I'm talking about the requiresignorseal
> registry hack in Windows XP. I'm not.
>
> I ran into an issue when using Windows 95 clients with a Windows 2003
> server. (Why not Samba? The customer needs terminal services for some
> windows-only programs.) Because Windows 2003, by policy, implements
> tighter security including encrypted passwords and communications,
> Windows 95 will NOT communicate with a Windows 2003 server. (If I'm
> wrong about the encrypted passwords, someone please correct me.)
>
> David Lechnyr's Unofficial Samba HOW-TO states in part, "Windows 95
> doesn't use encrypted passwords, so this option must be disabled in
> your smb.conf to support these clients... Verify that your smb.conf
> file includes the parameter "encrypt passwords = yes" unless you are
> using Win95/Win95a or have disabled encrypted passwords in your other
> Windows clients (not a good idea)."

This is misleading and dangerous information. There is no MS client that I know of (even DOS) that requires plaintext passwords. All MS clients support and allow encrypted passwords, at least at the 'lanman' level (pathetic, but encrypted).

> It turns out that Microsoft provided a patch for Windows 95, 98, and
> NT4 called "Active Directory Client Extension" which provides "NTLM
> version 2 authentication". At least under Windows 2003 it seems to
> work, allowing my Win95 clients access to the 2003 server.

The patch includes NTLM1 and NTLMv2 support, which are more secure encrypted password forms than the old LM. This may allow access to more stringent domains.

> I'm wondering if this patch will work on Windows 95 against a Samba
> server, allowing one to leave "encrypted passwords = yes" set. I
> don't have an available testbed to try it on right now.

You could always have 'encrypt passwords = yes' set.

This should (and I've not played with it) allow you to also set 'lanman auth = no', which is my preferred option for security.

Andrew Bartlett
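An added example, not part of either post and not Samba project code: a small Python check of an smb.conf [global] section for the two settings named in the reply above, 'encrypt passwords = yes' and 'lanman auth = no'. The function names and both sample configurations are constructed for illustration; it goes slightly beyond the thread by handling Samba's case- and whitespace-insensitive parameter names and its boolean spellings.

```python
# Added example: audit the [global] section of an smb.conf for the two
# parameters discussed in this thread. Sample configs below are constructed.

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

def norm(name):
    # Samba compares parameter names ignoring case and embedded whitespace.
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized_name: raw_value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def as_bool(value):
    v = value.lower()
    return True if v in TRUE else False if v in FALSE else None

def audit(text):
    """List findings; an unset parameter is reported, not assumed."""
    params = parse_global(text)
    findings = []
    for name, wanted in (("encrypt passwords", True), ("lanman auth", False)):
        raw = params.get(norm(name))
        if raw is None:
            findings.append(f"{name}: not set, depends on this Samba version's default")
        elif as_bool(raw) is None:
            findings.append(f"{name}: unrecognised value {raw!r}")
        elif as_bool(raw) != wanted:
            findings.append(f"{name} = {raw}: change to {'yes' if wanted else 'no'}")
    return findings

WEAK = "[global]\n  Encrypt Passwords = No\n  ; lanman auth = no\n"
HARDENED = "[global]\n\tencrypt passwords = yes\n\tlanman auth = no\n[share]\n\tlanman auth = yes\n"
```

Calling audit(WEAK) reports both parameters, while audit(HARDENED) returns an empty list; settings outside [global] are ignored.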