mirror of
https://github.com/samba-team/samba.git
synced 2025-02-01 05:47:28 +03:00
190 lines
6.9 KiB
Plaintext
190 lines
6.9 KiB
Plaintext
<chapter id="pwencrypt">
|
|
|
|
|
|
<chapterinfo>
|
|
<author>
|
|
<firstname>Jeremy</firstname><surname>Allison</surname>
|
|
<affiliation>
|
|
<orgname>Samba Team</orgname>
|
|
<address>
|
|
<email>jra@samba.org</email>
|
|
</address>
|
|
</affiliation>
|
|
</author>
|
|
|
|
<author>
|
|
<firstname>Jelmer</firstname><surname>Vernooij</surname>
|
|
<affiliation>
|
|
<orgname>Samba Team</orgname>
|
|
<address>
|
|
<email>jelmer@samba.org</email>
|
|
</address>
|
|
</affiliation>
|
|
</author>
|
|
|
|
<pubdate>4 November 2002</pubdate>
|
|
</chapterinfo>
|
|
|
|
<title>LanMan and NT Password Encryption in Samba</title>
|
|
|
|
|
|
<sect1>
|
|
<title>Introduction</title>
|
|
|
|
<para>Newer windows clients send encrypted passwords over
|
|
the wire, instead of plain text passwords. The newest clients
|
|
will only send encrypted passwords and refuse to send plain text
|
|
passwords, unless their registry is tweaked.</para>
|
|
|
|
<para>These passwords can't be converted to unix style encrypted
|
|
passwords. Because of that you can't use the standard unix
|
|
user database, and you have to store the Lanman and NT hashes
|
|
somewhere else. For more information, see the documentation
|
|
about the <command>passdb backend = </command> parameter.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Important Notes About Security</title>
|
|
|
|
<para>The unix and SMB password encryption techniques seem similar
|
|
on the surface. This similarity is, however, only skin deep. The unix
|
|
scheme typically sends clear text passwords over the network when
|
|
logging in. This is bad. The SMB encryption scheme never sends the
|
|
cleartext password over the network but it does store the 16 byte
|
|
hashed values on disk. This is also bad. Why? Because the 16 byte hashed
|
|
values are a "password equivalent". You cannot derive the user's
|
|
password from them, but they could potentially be used in a modified
|
|
client to gain access to a server. This would require considerable
|
|
technical knowledge on behalf of the attacker but is perfectly possible.
|
|
You should thus treat the smbpasswd file as though it contained the
|
|
cleartext passwords of all your users. Its contents must be kept
|
|
secret, and the file should be protected accordingly.</para>
|
|
|
|
<para>Ideally we would like a password scheme which neither requires
|
|
plain text passwords on the net or on disk. Unfortunately this
|
|
is not available as Samba is stuck with being compatible with
|
|
other SMB systems (WinNT, WfWg, Win95 etc). </para>
|
|
|
|
<warning>
|
|
<para>Note that Windows NT 4.0 Service pack 3 changed the
|
|
default for permissible authentication so that plaintext
|
|
passwords are <emphasis>never</emphasis> sent over the wire.
|
|
The solution to this is either to switch to encrypted passwords
|
|
with Samba or edit the Windows NT registry to re-enable plaintext
|
|
passwords. See the document WinNT.txt for details on how to do
|
|
this.</para>
|
|
|
|
<para>Other Microsoft operating systems which also exhibit
|
|
this behavior includes</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>MS DOS Network client 3.0 with
|
|
the basic network redirector installed</para></listitem>
|
|
|
|
<listitem><para>Windows 95 with the network redirector
|
|
update installed</para></listitem>
|
|
|
|
<listitem><para>Windows 98 [se]</para></listitem>
|
|
|
|
<listitem><para>Windows 2000</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis>Note :</emphasis>All current release of
|
|
Microsoft SMB/CIFS clients support authentication via the
|
|
SMB Challenge/Response mechanism described here. Enabling
|
|
clear text authentication does not disable the ability
|
|
of the client to participate in encrypted authentication.</para>
|
|
</warning>
|
|
|
|
<sect2>
|
|
<title>Advantages of SMB Encryption</title>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>plain text passwords are not passed across
|
|
the network. Someone using a network sniffer cannot just
|
|
record passwords going to the SMB server.</para>
|
|
</listitem>
|
|
|
|
<listitem><para>WinNT doesn't like talking to a server
|
|
that isn't using SMB encrypted passwords. It will refuse
|
|
to browse the server if the server is also in user level
|
|
security mode. It will insist on prompting the user for the
|
|
password on each connection, which is very annoying. The
|
|
only things you can do to stop this is to use SMB encryption.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
|
|
|
|
<sect2>
|
|
<title>Advantages of non-encrypted passwords</title>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>plain text passwords are not kept
|
|
on disk. </para></listitem>
|
|
|
|
<listitem><para>uses same password file as other unix
|
|
services such as login and ftp</para></listitem>
|
|
|
|
<listitem><para>you are probably already using other
|
|
services (such as telnet and ftp) which send plain text
|
|
passwords over the net, so sending them for SMB isn't
|
|
such a big deal.</para></listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
</sect1>
|
|
|
|
|
|
<sect1>
|
|
<title>The smbpasswd Command</title>
|
|
|
|
<para>The smbpasswd command maintains the two 32 byte password fields
|
|
in the smbpasswd file. If you wish to make it similar to the unix
|
|
<command>passwd</command> or <command>yppasswd</command> programs,
|
|
install it in <filename>/usr/local/samba/bin/</filename> (or your
|
|
main Samba binary directory).</para>
|
|
|
|
<para><command>smbpasswd</command> now works in a client-server mode
|
|
where it contacts the local smbd to change the user's password on its
|
|
behalf. This has enormous benefits - as follows.</para>
|
|
|
|
<para><command>smbpasswd</command> now has the capability
|
|
to change passwords on Windows NT servers (this only works when
|
|
the request is sent to the NT Primary Domain Controller if you
|
|
are changing an NT Domain user's password).</para>
|
|
|
|
<para>To run smbpasswd as a normal user just type :</para>
|
|
|
|
<para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
|
|
<para><prompt>Old SMB password: </prompt><userinput><type old value here -
|
|
or hit return if there was no old password></userinput></para>
|
|
<para><prompt>New SMB Password: </prompt><userinput><type new value>
|
|
</userinput></para>
|
|
<para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value
|
|
</userinput></para>
|
|
|
|
<para>If the old value does not match the current value stored for
|
|
that user, or the two new values do not match each other, then the
|
|
password will not be changed.</para>
|
|
|
|
<para>If invoked by an ordinary user it will only allow the user
|
|
to change his or her own Samba password.</para>
|
|
|
|
<para>If run by the root user smbpasswd may take an optional
|
|
argument, specifying the user name whose SMB password you wish to
|
|
change. Note that when run as root smbpasswd does not prompt for
|
|
or check the old password value, thus allowing root to set passwords
|
|
for users who have forgotten their passwords.</para>
|
|
|
|
<para><command>smbpasswd</command> is designed to work in the same way
|
|
and be familiar to UNIX users who use the <command>passwd</command> or
|
|
<command>yppasswd</command> commands.</para>
|
|
|
|
<para>For more details on using <command>smbpasswd</command> refer
|
|
to the man page which will always be the definitive reference.</para>
|
|
</sect1>
|
|
|
|
</chapter>
|