Chapter 4. LanMan and NT Password Encryption in Samba

4.1. Introduction

Newer windows clients send encrypted passwords over the wire, instead of plain text passwords. The newest clients will only send encrypted passwords and refuse to send plain text passwords, unless their registry is tweaked.

These passwords can't be converted to unix style encrypted passwords. Because of that you can't use the standard unix user database, and you have to store the Lanman and NT hashes somewhere else. For more information, see the documentation about the passdb backend = parameter.

4.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix scheme typically sends clear text passwords over the network when logging in. This is bad. The SMB encryption scheme never sends the cleartext password over the network but it does store the 16 byte hashed values on disk. This is also bad. Why? Because the 16 byte hashed values are a "password equivalent". You cannot derive the user's password from them, but they could potentially be used in a modified client to gain access to a server. This would require considerable technical knowledge on behalf of the attacker but is perfectly possible. You should thus treat the smbpasswd file as though it contained the cleartext passwords of all your users. Its contents must be kept secret, and the file should be protected accordingly.

Ideally we would like a password scheme which neither requires plain text passwords on the net or on disk. Unfortunately this is not available as Samba is stuck with being compatible with other SMB systems (WinNT, WfWg, Win95 etc).

Warning

Note that Windows NT 4.0 Service pack 3 changed the default for permissible authentication so that plaintext passwords are never sent over the wire. The solution to this is either to switch to encrypted passwords with Samba or edit the Windows NT registry to re-enable plaintext passwords. See the document WinNT.txt for details on how to do this.

Other Microsoft operating systems which also exhibit this behavior includes

  • MS DOS Network client 3.0 with the basic network redirector installed

  • Windows 95 with the network redirector update installed

  • Windows 98 [se]

  • Windows 2000

Note :All current release of Microsoft SMB/CIFS clients support authentication via the SMB Challenge/Response mechanism described here. Enabling clear text authentication does not disable the ability of the client to participate in encrypted authentication.

4.2.1. Advantages of SMB Encryption

  • plain text passwords are not passed across the network. Someone using a network sniffer cannot just record passwords going to the SMB server.

  • WinNT doesn't like talking to a server that isn't using SMB encrypted passwords. It will refuse to browse the server if the server is also in user level security mode. It will insist on prompting the user for the password on each connection, which is very annoying. The only things you can do to stop this is to use SMB encryption.

4.2.2. Advantages of non-encrypted passwords

  • plain text passwords are not kept on disk.

  • uses same password file as other unix services such as login and ftp

  • you are probably already using other services (such as telnet and ftp) which send plain text passwords over the net, so sending them for SMB isn't such a big deal.

4.3. The smbpasswd Command

The smbpasswd command maintains the two 32 byte password fields in the smbpasswd file. If you wish to make it similar to the unix passwd or yppasswd programs, install it in /usr/local/samba/bin/ (or your main Samba binary directory).

smbpasswd now works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits - as follows.

smbpasswd now has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT Primary Domain Controller if you are changing an NT Domain user's password).

To run smbpasswd as a normal user just type :

$ smbpasswd

Old SMB password: <type old value here - or hit return if there was no old password>

New SMB Password: <type new value>

Repeat New SMB Password: <re-type new value

If the old value does not match the current value stored for that user, or the two new values do not match each other, then the password will not be changed.

If invoked by an ordinary user it will only allow the user to change his or her own Samba password.

If run by the root user smbpasswd may take an optional argument, specifying the user name whose SMB password you wish to change. Note that when run as root smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords for users who have forgotten their passwords.

smbpasswd is designed to work in the same way and be familiar to UNIX users who use the passwd or yppasswd commands.

For more details on using smbpasswd refer to the man page which will always be the definitive reference.