SAMBA Project Documentation
Prev		Next

Chapter 4. LanMan and NT Password Encryption in Samba

4.1. Introduction

Newer windows clients send encrypted passwords over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked.

These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else. For more information, see the documentation - about the passdb backend = parameter. -

4.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.

Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc).

Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are never sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.

Other Microsoft operating systems which also exhibit - this behavior includes

MS DOS Network client 3.0 with - the basic network redirector installed
Windows 95 with the network redirector - update installed
Windows 98 [se]
Windows 2000

Note :All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.

4.2.1. Advantages of SMB Encryption

plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.
WinNT doesn't like talking to a server - that isn't using SMB encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. -

4.2.2. Advantages of non-encrypted passwords

plain text passwords are not kept - on disk.
uses same password file as other unix - services such as login and ftp
you are probably already using other - services (such as telnet and ftp) which send plain text - passwords over the net, so sending them for SMB isn't - such a big deal.

4.3. The smbpasswd Command

The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - passwd or yppasswd programs, - install it in /usr/local/samba/bin/ (or your - main Samba binary directory).

smbpasswd now works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.

smbpasswd now has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).

To run smbpasswd as a normal user just type :

$ smbpasswd

Old SMB password: <type old value here - - or hit return if there was no old password>

New SMB Password: <type new value> -

Repeat New SMB Password: <re-type new value -

If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.

If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.

If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.

smbpasswd is designed to work in the same way - and be familiar to UNIX users who use the passwd or - yppasswd commands.

For more details on using smbpasswd refer - to the man page which will always be the definitive reference.

Prev	Home	Next
Quick Cross Subnet Browsing / Cross Workgroup Browsing guide	Up	User information database