samba - Jun 2020 - SAMBA using existing users and passwords on Linux

I apologize for forgetting to pass on all the information.
In fact, this problem is occurring because of the migration from a VM with
Oracle SunOS to another VM with Oracle Linux 7.
This old VM is for production and runs the CACH? database, so we decided to
create a new VM and migrate everything to it.
We have already migrated the database and users without problems.
Only on each machine of these more than 40 users there is a script pointing
to a SAMBA map of the old machine, passing username and password.
With a change in the DNS we will point to the new VM, solving the name
resolution problem.
But if I register each user on SAMBA with a different password, these
mappings will not work.
I would have to go through each user's machine and change this script.

Em ter., 2 de jun. de 2020 ?s 11:54, Reindl Harald <h.reindl at
thelounge.net>
escreveu:
>
>
> Am 02.06.20 um 16:47 schrieb Fernando Gon?alves via samba:
> > This is very problematic for me!
> > In this LINUX VM I have registered more than 40 users for over 10
years.
> > I wouldn't even bother having to register everyone on SAMBA, the
question
> > is the passwords of these users.
>
> how does that matter?
> smbpasswd -a username
>
> you are asked for a samba-password which has no link to the unix
> password at all and you are done, the unix user just needs to exist for
> a uid
>
> it's the same for over 10 years, at least 12
>
> > Em seg., 1 de jun. de 2020 ?s 20:09, Andrew Bartlett <abartlet at
samba.org
> >
> > escreveu:
> >
> >> On Mon, 2020-06-01 at 19:02 -0300, Fernando Gon?alves via samba
wrote:
> >>> Good afternoon.
> >>> I really need some help.
> >>> I have a VM running Oracle Linux version 7 and samba version
4.10.4.
> >>> I want samba to use local Linux users and passwords (/ etc /
passwd
> >>> and /
> >>> etc / shadow).
> >>> As I researched on the internet it would be enough to
configure samba
> >>> to
> >>> not encrypt passwords, through the item:
> >>>
> >>> encrypt passwords = no
> >>
> >> This option very rarely works and requires SMB1 when it does. 
Most
> >> clients refuse to send a plaintext password, and when they do they
> >> refuse the reconnect transperently so the user experience is
horrible.
> >>
> >> Sorry, but you essentially must use encrypted passwords or
Kerberos.
>
>

So that it doesn't end without a conclusion I will inform you what has been
accomplished.
As our time was short to complete the migration I decided to install the
same version of SAMBA that was already running on the old machine (3.6.6).
After the migration is complete, I will have more time to update the SAMBA
and insert it into our AD domain, thus changing the entire login and
mapping system.
I am very grateful to everyone who responded and helped me in this decision
making.
I wish everyone health.

<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Livre
de v?rus. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>.
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Em ter., 2 de jun. de 2020 ?s 12:34, Fernando Gon?alves <
fernandolmg at gmail.com> escreveu:
> I apologize for forgetting to pass on all the information.
> In fact, this problem is occurring because of the migration from a VM with
> Oracle SunOS to another VM with Oracle Linux 7.
> This old VM is for production and runs the CACH? database, so we decided
> to create a new VM and migrate everything to it.
> We have already migrated the database and users without problems.
> Only on each machine of these more than 40 users there is a script
> pointing to a SAMBA map of the old machine, passing username and password.
> With a change in the DNS we will point to the new VM, solving the name
> resolution problem.
> But if I register each user on SAMBA with a different password, these
> mappings will not work.
> I would have to go through each user's machine and change this script.
>
> Em ter., 2 de jun. de 2020 ?s 11:54, Reindl Harald <h.reindl at
thelounge.net>
> escreveu:
>
>>
>>
>> Am 02.06.20 um 16:47 schrieb Fernando Gon?alves via samba:
>> > This is very problematic for me!
>> > In this LINUX VM I have registered more than 40 users for over 10
years.
>> > I wouldn't even bother having to register everyone on SAMBA,
the
>> question
>> > is the passwords of these users.
>>
>> how does that matter?
>> smbpasswd -a username
>>
>> you are asked for a samba-password which has no link to the unix
>> password at all and you are done, the unix user just needs to exist for
>> a uid
>>
>> it's the same for over 10 years, at least 12
>>
>> > Em seg., 1 de jun. de 2020 ?s 20:09, Andrew Bartlett <
>> abartlet at samba.org>
>> > escreveu:
>> >
>> >> On Mon, 2020-06-01 at 19:02 -0300, Fernando Gon?alves via
samba wrote:
>> >>> Good afternoon.
>> >>> I really need some help.
>> >>> I have a VM running Oracle Linux version 7 and samba
version 4.10.4.
>> >>> I want samba to use local Linux users and passwords (/ etc
/ passwd
>> >>> and /
>> >>> etc / shadow).
>> >>> As I researched on the internet it would be enough to
configure samba
>> >>> to
>> >>> not encrypt passwords, through the item:
>> >>>
>> >>> encrypt passwords = no
>> >>
>> >> This option very rarely works and requires SMB1 when it does. 
Most
>> >> clients refuse to send a plaintext password, and when they do
they
>> >> refuse the reconnect transperently so the user experience is
horrible.
>> >>
>> >> Sorry, but you essentially must use encrypted passwords or
Kerberos.
>>
>>

On Wed, 2020-06-03 at 18:41 -0300, Fernando Gon?alves via samba
wrote:
> So that it doesn't end without a conclusion I will inform you what
> has been
> accomplished.
> As our time was short to complete the migration I decided to install
> the
> same version of SAMBA that was already running on the old machine
> (3.6.6).
> After the migration is complete, I will have more time to update the
> SAMBA
> and insert it into our AD domain, thus changing the entire login and
> mapping system.
> I am very grateful to everyone who responded and helped me in this
> decision
> making.
> I wish everyone health.
Please be aware that this is essentially the same as not having a
username or password set, as this old Samba version is missing many
important security patches, including likely some remote-root issues.

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

On 03/06/2020 22:41, Fernando Gon?alves via samba wrote:
> So that it doesn't end without a conclusion I will inform you what has
been
> accomplished.
> As our time was short to complete the migration I decided to install the
> same version of SAMBA that was already running on the old machine (3.6.6).
> After the migration is complete, I will have more time to update the SAMBA
> and insert it into our AD domain, thus changing the entire login and
> mapping system.
> I am very grateful to everyone who responded and helped me in this decision
> making.
> I wish everyone health.
I cannot help but think that was a BAD decision, Samba 3.6.6 is totally 
unsupported and is very insecure, ever heard of 'wanacry' ?

If you must use it, then can I urge you to not connect your network to 
the internet in any way.

I cannot stop you using 3.6.6, it is your network and you control it, 
but you also get to pick up the pieces when it goes wrong.

One last thought, do the people who run your AD know you are doing this 
very insecure thing ?

Rowland