From e657bccd25a33a7382c0a9a355b37c8dd3c1d536 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Feb 2003 20:12:20 +0000 Subject: Update introduction (This used to be commit 46c99ff855ba273568785f118cd19a2788430c1e) --- docs/docbook/projdoc/passdb.sgml | 102 ++++++++++++++++++++++++--------------- 1 file changed, 64 insertions(+), 38 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index e058439388..4e0ee93a55 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -37,18 +37,32 @@ Introduction + + Old windows clients send plain text passwords over the wire. + Samba can check these passwords by crypting them and comparing them + to the hash stored in the unix user database. + - Newer windows clients send encrypted passwords over + + Newer windows clients send encrypted passwords (so-called + Lanman and NT hashes) over the wire, instead of plain text passwords. The newest clients will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked. + passwords, unless their registry is tweaked. + These passwords can't be converted to unix style encrypted passwords. Because of that you can't use the standard unix user database, and you have to store the Lanman and NT hashes - somewhere else. Also, windows stores some data for each user - that is not stored by unix. Thus, samba has it's own user database. - This user database is maintained by a "passdb backend". Commonly + somewhere else. + + Next to a differently encrypted passwords, + windows also stores certain data for each user + that is not stored in a unix user database, e.g. + workstations the user may logon from, the location where his/her + profile is stored, etc. + Samba retrieves and stores this information using a "passdb backend". + Commonly available backends are LDAP, plain text file, MySQL and nisplus. For more information, see the documentation about the passdb backend = parameter. @@ -68,7 +82,8 @@ password from them, but they could potentially be used in a modified client to gain access to a server. This would require considerable technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the smbpasswd file as though it contained the + You should thus treat the data stored in whatever + passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the cleartext passwords of all your users. Its contents must be kept secret, and the file should be protected accordingly. @@ -89,17 +104,17 @@ Other Microsoft operating systems which also exhibit this behavior includes - - MS DOS Network client 3.0 with - the basic network redirector installed + + MS DOS Network client 3.0 with + the basic network redirector installed - Windows 95 with the network redirector - update installed + Windows 95 with the network redirector + update installed - Windows 98 [se] + Windows 98 [se] - Windows 2000 - + Windows 2000 + Note :All current release of Microsoft SMB/CIFS clients support authentication via the @@ -111,38 +126,37 @@ Advantages of SMB Encryption - - plain text passwords are not passed across + + plain text passwords are not passed across the network. Someone using a network sniffer cannot just - record passwords going to the SMB server. - + record passwords going to the SMB server. - WinNT doesn't like talking to a server + WinNT doesn't like talking to a server that isn't using SMB encrypted passwords. It will refuse to browse the server if the server is also in user level security mode. It will insist on prompting the user for the password on each connection, which is very annoying. The only things you can do to stop this is to use SMB encryption. - - + + Advantages of non-encrypted passwords - - plain text passwords are not kept - on disk. + + plain text passwords are not kept + on disk. - uses same password file as other unix - services such as login and ftp + uses same password file as other unix + services such as login and ftp - you are probably already using other + you are probably already using other services (such as telnet and ftp) which send plain text passwords over the net, so sending them for SMB isn't - such a big deal. - + such a big deal. + @@ -150,17 +164,16 @@ The smbpasswd Command - The smbpasswd command maintains the two 32 byte password fields - in the smbpasswd file. If you wish to make it similar to the unix - passwd or yppasswd programs, - install it in /usr/local/samba/bin/ (or your - main Samba binary directory). FIXME + The smbpasswd utility is a utility similar to the + passwd or yppasswd programs. + It maintains the two 32 byte password fields + in the passdb backend. - smbpasswd now works in a client-server mode + smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits - as follows. - smbpasswd now has the capability + smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT Primary Domain Controller if you are changing an NT Domain user's password). @@ -205,7 +218,20 @@ FIXME Plain text -FIXME + +Older versions of samba retrieved user information from the unix user database +and eventually some other fields from the file /etc/samba/smbpasswd +or /etc/smbpasswd. When password encryption is disabled, no +data is stored at all. + + + + +TDB +Samba can also store the user data in a "TDB" (Trivial Database). Using this backend +doesn't require any additional configuration. This backend is recommended for new installations who +don't require LDAP. + @@ -759,7 +785,7 @@ ntPassword: 878D8014606CDA29677A44EFA1353FC7 -Passdb MySQL plugin +MySQL Building -- cgit