summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2003-04-04 05:19:59 +0000
committerJohn Terpstra <jht@samba.org>2003-04-04 05:19:59 +0000
commit36803da8f9e9fb2b646d49584384c938c1e706d7 (patch)
treee47eb38388e10129917fa47fdfe223c660fa1fdf
parente0040e6960eec303c19d4bc45bc39bf7894840e4 (diff)
downloadsamba-36803da8f9e9fb2b646d49584384c938c1e706d7.tar.gz
samba-36803da8f9e9fb2b646d49584384c938c1e706d7.tar.bz2
samba-36803da8f9e9fb2b646d49584384c938c1e706d7.zip
Superceded files
(This used to be commit 8db911098513f5cab3e423279f743c04f3bd2c27)
-rw-r--r--docs/docbook/projdoc/CVS-Access.sgml157
-rw-r--r--docs/docbook/projdoc/ENCRYPTION.sgml189
2 files changed, 0 insertions, 346 deletions
diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml
deleted file mode 100644
index 98ef925f20..0000000000
--- a/docs/docbook/projdoc/CVS-Access.sgml
+++ /dev/null
@@ -1,157 +0,0 @@
-<chapter id="cvs-access">
-
-
-<chapterinfo>
- <author>
- <affiliation>
- <orgname>Samba Team</orgname>
- </affiliation>
- </author>
-
-
- <pubdate> (22 May 2001) </pubdate>
-</chapterinfo>
-
-<title>HOWTO Access Samba source code via CVS</title>
-
-<sect1>
-<title>Introduction</title>
-
-<para>
-Samba is developed in an open environment. Developers use CVS
-(Concurrent Versioning System) to "checkin" (also known as
-"commit") new source code. Samba's various CVS branches can
-be accessed via anonymous CVS using the instructions
-detailed in this chapter.
-</para>
-
-<para>
-This document is a modified version of the instructions found at
-<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink>
-</para>
-
-</sect1>
-
-
-<sect1>
-<title>CVS Access to samba.org</title>
-
-<para>
-The machine samba.org runs a publicly accessible CVS
-repository for access to the source code of several packages,
-including samba, rsync and jitterbug. There are two main ways of
-accessing the CVS server on this host.
-</para>
-
-<sect2>
-<title>Access via CVSweb</title>
-
-<para>
-You can access the source code via your
-favourite WWW browser. This allows you to access the contents of
-individual files in the repository and also to look at the revision
-history and commit logs of individual files. You can also ask for a diff
-listing between any two versions on the repository.
-</para>
-
-<para>
-Use the URL : <ulink
-url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb</ulink>
-</para>
-</sect2>
-
-<sect2>
-<title>Access via cvs</title>
-
-<para>
-You can also access the source code via a
-normal cvs client. This gives you much more control over you can
-do with the repository and allows you to checkout whole source trees
-and keep them up to date via normal cvs commands. This is the
-preferred method of access if you are a developer and not
-just a casual browser.
-</para>
-
-<para>
-To download the latest cvs source code, point your
-browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
-and click on the 'How to get cvs' link. CVS is free software under
-the GNU GPL (as is Samba). Note that there are several graphical CVS clients
-which provide a graphical interface to the sometimes mundane CVS commands.
-Links to theses clients are also available from http://www.cyclic.com.
-</para>
-
-<para>
-To gain access via anonymous cvs use the following steps.
-For this example it is assumed that you want a copy of the
-samba source code. For the other source code repositories
-on this system just substitute the correct package name
-</para>
-
-<orderedlist>
-<listitem>
- <para>
- Install a recent copy of cvs. All you really need is a
- copy of the cvs client binary.
- </para>
-</listitem>
-
-
-<listitem>
- <para>
- Run the command
- </para>
-
- <para>
- <command>cvs -d :pserver:cvs@samba.org:/cvsroot login</command>
- </para>
-
- <para>
- When it asks you for a password type <userinput>cvs</userinput>.
- </para>
-</listitem>
-
-
-<listitem>
- <para>
- Run the command
- </para>
-
- <para>
- <command>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</command>
- </para>
-
- <para>
- This will create a directory called samba containing the
- latest samba source code (i.e. the HEAD tagged cvs branch). This
- currently corresponds to the 3.0 development tree.
- </para>
-
- <para>
- CVS branches other HEAD can be obtained by using the <parameter>-r</parameter>
- and defining a tag name. A list of branch tag names can be found on the
- "Development" page of the samba web site. A common request is to obtain the
- latest 2.2 release code. This could be done by using the following command.
- </para>
-
- <para>
- <command>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</command>
- </para>
-</listitem>
-
-<listitem>
- <para>
- Whenever you want to merge in the latest code changes use
- the following command from within the samba directory:
- </para>
-
- <para>
- <command>cvs update -d -P</command>
- </para>
-</listitem>
-</orderedlist>
-
-</sect2>
-</sect1>
-
-</chapter>
diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml
deleted file mode 100644
index f903d7d334..0000000000
--- a/docs/docbook/projdoc/ENCRYPTION.sgml
+++ /dev/null
@@ -1,189 +0,0 @@
-<chapter id="pwencrypt">
-
-
-<chapterinfo>
- <author>
- <firstname>Jeremy</firstname><surname>Allison</surname>
- <affiliation>
- <orgname>Samba Team</orgname>
- <address>
- <email>jra@samba.org</email>
- </address>
- </affiliation>
- </author>
-
- <author>
- <firstname>Jelmer</firstname><surname>Vernooij</surname>
- <affiliation>
- <orgname>Samba Team</orgname>
- <address>
- <email>jelmer@samba.org</email>
- </address>
- </affiliation>
- </author>
-
- <pubdate>4 November 2002</pubdate>
-</chapterinfo>
-
-<title>LanMan and NT Password Encryption in Samba</title>
-
-
-<sect1>
- <title>Introduction</title>
-
- <para>Newer windows clients send encrypted passwords over
- the wire, instead of plain text passwords. The newest clients
- will only send encrypted passwords and refuse to send plain text
- passwords, unless their registry is tweaked.</para>
-
- <para>These passwords can't be converted to unix style encrypted
- passwords. Because of that you can't use the standard unix
- user database, and you have to store the Lanman and NT hashes
- somewhere else. For more information, see the documentation
- about the <command>passdb backend = </command> parameter.
- </para>
-
-</sect1>
-
-<sect1>
- <title>Important Notes About Security</title>
-
- <para>The unix and SMB password encryption techniques seem similar
- on the surface. This similarity is, however, only skin deep. The unix
- scheme typically sends clear text passwords over the network when
- logging in. This is bad. The SMB encryption scheme never sends the
- cleartext password over the network but it does store the 16 byte
- hashed values on disk. This is also bad. Why? Because the 16 byte hashed
- values are a "password equivalent". You cannot derive the user's
- password from them, but they could potentially be used in a modified
- client to gain access to a server. This would require considerable
- technical knowledge on behalf of the attacker but is perfectly possible.
- You should thus treat the smbpasswd file as though it contained the
- cleartext passwords of all your users. Its contents must be kept
- secret, and the file should be protected accordingly.</para>
-
- <para>Ideally we would like a password scheme which neither requires
- plain text passwords on the net or on disk. Unfortunately this
- is not available as Samba is stuck with being compatible with
- other SMB systems (WinNT, WfWg, Win95 etc). </para>
-
- <warning>
- <para>Note that Windows NT 4.0 Service pack 3 changed the
- default for permissible authentication so that plaintext
- passwords are <emphasis>never</emphasis> sent over the wire.
- The solution to this is either to switch to encrypted passwords
- with Samba or edit the Windows NT registry to re-enable plaintext
- passwords. See the document WinNT.txt for details on how to do
- this.</para>
-
- <para>Other Microsoft operating systems which also exhibit
- this behavior includes</para>
-
- <itemizedlist>
- <listitem><para>MS DOS Network client 3.0 with
- the basic network redirector installed</para></listitem>
-
- <listitem><para>Windows 95 with the network redirector
- update installed</para></listitem>
-
- <listitem><para>Windows 98 [se]</para></listitem>
-
- <listitem><para>Windows 2000</para></listitem>
- </itemizedlist>
-
- <para><emphasis>Note :</emphasis>All current release of
- Microsoft SMB/CIFS clients support authentication via the
- SMB Challenge/Response mechanism described here. Enabling
- clear text authentication does not disable the ability
- of the client to participate in encrypted authentication.</para>
- </warning>
-
- <sect2>
- <title>Advantages of SMB Encryption</title>
-
- <itemizedlist>
- <listitem><para>plain text passwords are not passed across
- the network. Someone using a network sniffer cannot just
- record passwords going to the SMB server.</para>
- </listitem>
-
- <listitem><para>WinNT doesn't like talking to a server
- that isn't using SMB encrypted passwords. It will refuse
- to browse the server if the server is also in user level
- security mode. It will insist on prompting the user for the
- password on each connection, which is very annoying. The
- only things you can do to stop this is to use SMB encryption.
- </para></listitem>
- </itemizedlist>
- </sect2>
-
-
- <sect2>
- <title>Advantages of non-encrypted passwords</title>
-
- <itemizedlist>
- <listitem><para>plain text passwords are not kept
- on disk. </para></listitem>
-
- <listitem><para>uses same password file as other unix
- services such as login and ftp</para></listitem>
-
- <listitem><para>you are probably already using other
- services (such as telnet and ftp) which send plain text
- passwords over the net, so sending them for SMB isn't
- such a big deal.</para></listitem>
- </itemizedlist>
- </sect2>
-</sect1>
-
-
-<sect1>
- <title>The smbpasswd Command</title>
-
- <para>The smbpasswd command maintains the two 32 byte password fields
- in the smbpasswd file. If you wish to make it similar to the unix
- <command>passwd</command> or <command>yppasswd</command> programs,
- install it in <filename>/usr/local/samba/bin/</filename> (or your
- main Samba binary directory).</para>
-
- <para><command>smbpasswd</command> now works in a client-server mode
- where it contacts the local smbd to change the user's password on its
- behalf. This has enormous benefits - as follows.</para>
-
- <para><command>smbpasswd</command> now has the capability
- to change passwords on Windows NT servers (this only works when
- the request is sent to the NT Primary Domain Controller if you
- are changing an NT Domain user's password).</para>
-
- <para>To run smbpasswd as a normal user just type :</para>
-
- <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
- <para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here -
- or hit return if there was no old password&gt;</userinput></para>
- <para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;
- </userinput></para>
- <para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value
- </userinput></para>
-
- <para>If the old value does not match the current value stored for
- that user, or the two new values do not match each other, then the
- password will not be changed.</para>
-
- <para>If invoked by an ordinary user it will only allow the user
- to change his or her own Samba password.</para>
-
- <para>If run by the root user smbpasswd may take an optional
- argument, specifying the user name whose SMB password you wish to
- change. Note that when run as root smbpasswd does not prompt for
- or check the old password value, thus allowing root to set passwords
- for users who have forgotten their passwords.</para>
-
- <para><command>smbpasswd</command> is designed to work in the same way
- and be familiar to UNIX users who use the <command>passwd</command> or
- <command>yppasswd</command> commands.</para>
-
- <para>For more details on using <command>smbpasswd</command> refer
- to the man page which will always be the definitive reference.</para>
-</sect1>
-
-</chapter>