diff options
author | John Terpstra <jht@samba.org> | 2003-04-04 05:19:59 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-04-04 05:19:59 +0000 |
commit | 36803da8f9e9fb2b646d49584384c938c1e706d7 (patch) | |
tree | e47eb38388e10129917fa47fdfe223c660fa1fdf | |
parent | e0040e6960eec303c19d4bc45bc39bf7894840e4 (diff) | |
download | samba-36803da8f9e9fb2b646d49584384c938c1e706d7.tar.gz samba-36803da8f9e9fb2b646d49584384c938c1e706d7.tar.bz2 samba-36803da8f9e9fb2b646d49584384c938c1e706d7.zip |
Superceded files
(This used to be commit 8db911098513f5cab3e423279f743c04f3bd2c27)
-rw-r--r-- | docs/docbook/projdoc/CVS-Access.sgml | 157 | ||||
-rw-r--r-- | docs/docbook/projdoc/ENCRYPTION.sgml | 189 |
2 files changed, 0 insertions, 346 deletions
diff --git a/docs/docbook/projdoc/CVS-Access.sgml b/docs/docbook/projdoc/CVS-Access.sgml deleted file mode 100644 index 98ef925f20..0000000000 --- a/docs/docbook/projdoc/CVS-Access.sgml +++ /dev/null @@ -1,157 +0,0 @@ -<chapter id="cvs-access"> - - -<chapterinfo> - <author> - <affiliation> - <orgname>Samba Team</orgname> - </affiliation> - </author> - - - <pubdate> (22 May 2001) </pubdate> -</chapterinfo> - -<title>HOWTO Access Samba source code via CVS</title> - -<sect1> -<title>Introduction</title> - -<para> -Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter. -</para> - -<para> -This document is a modified version of the instructions found at -<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink> -</para> - -</sect1> - - -<sect1> -<title>CVS Access to samba.org</title> - -<para> -The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host. -</para> - -<sect2> -<title>Access via CVSweb</title> - -<para> -You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository. -</para> - -<para> -Use the URL : <ulink -url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb</ulink> -</para> -</sect2> - -<sect2> -<title>Access via cvs</title> - -<para> -You can also access the source code via a -normal cvs client. This gives you much more control over you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser. -</para> - -<para> -To download the latest cvs source code, point your -browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com. -</para> - -<para> -To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name -</para> - -<orderedlist> -<listitem> - <para> - Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. - </para> -</listitem> - - -<listitem> - <para> - Run the command - </para> - - <para> - <command>cvs -d :pserver:cvs@samba.org:/cvsroot login</command> - </para> - - <para> - When it asks you for a password type <userinput>cvs</userinput>. - </para> -</listitem> - - -<listitem> - <para> - Run the command - </para> - - <para> - <command>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</command> - </para> - - <para> - This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. - </para> - - <para> - CVS branches other HEAD can be obtained by using the <parameter>-r</parameter> - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. - </para> - - <para> - <command>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</command> - </para> -</listitem> - -<listitem> - <para> - Whenever you want to merge in the latest code changes use - the following command from within the samba directory: - </para> - - <para> - <command>cvs update -d -P</command> - </para> -</listitem> -</orderedlist> - -</sect2> -</sect1> - -</chapter> diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml deleted file mode 100644 index f903d7d334..0000000000 --- a/docs/docbook/projdoc/ENCRYPTION.sgml +++ /dev/null @@ -1,189 +0,0 @@ -<chapter id="pwencrypt"> - - -<chapterinfo> - <author> - <firstname>Jeremy</firstname><surname>Allison</surname> - <affiliation> - <orgname>Samba Team</orgname> - <address> - <email>jra@samba.org</email> - </address> - </affiliation> - </author> - - <author> - <firstname>Jelmer</firstname><surname>Vernooij</surname> - <affiliation> - <orgname>Samba Team</orgname> - <address> - <email>jelmer@samba.org</email> - </address> - </affiliation> - </author> - - <pubdate>4 November 2002</pubdate> -</chapterinfo> - -<title>LanMan and NT Password Encryption in Samba</title> - - -<sect1> - <title>Introduction</title> - - <para>Newer windows clients send encrypted passwords over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked.</para> - - <para>These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. For more information, see the documentation - about the <command>passdb backend = </command> parameter. - </para> - -</sect1> - -<sect1> - <title>Important Notes About Security</title> - - <para>The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.</para> - - <para>Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc). </para> - - <warning> - <para>Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are <emphasis>never</emphasis> sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.</para> - - <para>Other Microsoft operating systems which also exhibit - this behavior includes</para> - - <itemizedlist> - <listitem><para>MS DOS Network client 3.0 with - the basic network redirector installed</para></listitem> - - <listitem><para>Windows 95 with the network redirector - update installed</para></listitem> - - <listitem><para>Windows 98 [se]</para></listitem> - - <listitem><para>Windows 2000</para></listitem> - </itemizedlist> - - <para><emphasis>Note :</emphasis>All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.</para> - </warning> - - <sect2> - <title>Advantages of SMB Encryption</title> - - <itemizedlist> - <listitem><para>plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.</para> - </listitem> - - <listitem><para>WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. - </para></listitem> - </itemizedlist> - </sect2> - - - <sect2> - <title>Advantages of non-encrypted passwords</title> - - <itemizedlist> - <listitem><para>plain text passwords are not kept - on disk. </para></listitem> - - <listitem><para>uses same password file as other unix - services such as login and ftp</para></listitem> - - <listitem><para>you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.</para></listitem> - </itemizedlist> - </sect2> -</sect1> - - -<sect1> - <title>The smbpasswd Command</title> - - <para>The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - <command>passwd</command> or <command>yppasswd</command> programs, - install it in <filename>/usr/local/samba/bin/</filename> (or your - main Samba binary directory).</para> - - <para><command>smbpasswd</command> now works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.</para> - - <para><command>smbpasswd</command> now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).</para> - - <para>To run smbpasswd as a normal user just type :</para> - - <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para> - <para><prompt>Old SMB password: </prompt><userinput><type old value here - - or hit return if there was no old password></userinput></para> - <para><prompt>New SMB Password: </prompt><userinput><type new value> - </userinput></para> - <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value - </userinput></para> - - <para>If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.</para> - - <para>If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.</para> - - <para>If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.</para> - - <para><command>smbpasswd</command> is designed to work in the same way - and be familiar to UNIX users who use the <command>passwd</command> or - <command>yppasswd</command> commands.</para> - - <para>For more details on using <command>smbpasswd</command> refer - to the man page which will always be the definitive reference.</para> -</sect1> - -</chapter> |