1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
<chapter id="pwencrypt">
<chapterinfo>
<author>
<firstname>Jeremy</firstname><surname>Allison</surname>
<affiliation>
<orgname>Samba Team</orgname>
<address>
<email>jra@samba.org</email>
</address>
</affiliation>
</author>
<author>
<firstname>Jelmer</firstname><surname>Vernooij</surname>
<affiliation>
<orgname>Samba Team</orgname>
<address>
<email>jelmer@samba.org</email>
</address>
</affiliation>
</author>
<pubdate>4 November 2002</pubdate>
</chapterinfo>
<title>LanMan and NT Password Encryption in Samba</title>
<sect1>
<title>Introduction</title>
<para>Newer windows clients send encrypted passwords over
the wire, instead of plain text passwords. The newest clients
will only send encrypted passwords and refuse to send plain text
passwords, unless their registry is tweaked.</para>
<para>These passwords can't be converted to unix style encrypted
passwords. Because of that you can't use the standard unix
user database, and you have to store the Lanman and NT hashes
somewhere else. For more information, see the documentation
about the <command>passdb backend = </command> parameter.
</para>
</sect1>
<sect1>
<title>Important Notes About Security</title>
<para>The unix and SMB password encryption techniques seem similar
on the surface. This similarity is, however, only skin deep. The unix
scheme typically sends clear text passwords over the network when
logging in. This is bad. The SMB encryption scheme never sends the
cleartext password over the network but it does store the 16 byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed
values are a "password equivalent". You cannot derive the user's
password from them, but they could potentially be used in a modified
client to gain access to a server. This would require considerable
technical knowledge on behalf of the attacker but is perfectly possible.
You should thus treat the smbpasswd file as though it contained the
cleartext passwords of all your users. Its contents must be kept
secret, and the file should be protected accordingly.</para>
<para>Ideally we would like a password scheme which neither requires
plain text passwords on the net or on disk. Unfortunately this
is not available as Samba is stuck with being compatible with
other SMB systems (WinNT, WfWg, Win95 etc). </para>
<warning>
<para>Note that Windows NT 4.0 Service pack 3 changed the
default for permissible authentication so that plaintext
passwords are <emphasis>never</emphasis> sent over the wire.
The solution to this is either to switch to encrypted passwords
with Samba or edit the Windows NT registry to re-enable plaintext
passwords. See the document WinNT.txt for details on how to do
this.</para>
<para>Other Microsoft operating systems which also exhibit
this behavior includes</para>
<itemizedlist>
<listitem><para>MS DOS Network client 3.0 with
the basic network redirector installed</para></listitem>
<listitem><para>Windows 95 with the network redirector
update installed</para></listitem>
<listitem><para>Windows 98 [se]</para></listitem>
<listitem><para>Windows 2000</para></listitem>
</itemizedlist>
<para><emphasis>Note :</emphasis>All current release of
Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling
clear text authentication does not disable the ability
of the client to participate in encrypted authentication.</para>
</warning>
<sect2>
<title>Advantages of SMB Encryption</title>
<itemizedlist>
<listitem><para>plain text passwords are not passed across
the network. Someone using a network sniffer cannot just
record passwords going to the SMB server.</para>
</listitem>
<listitem><para>WinNT doesn't like talking to a server
that isn't using SMB encrypted passwords. It will refuse
to browse the server if the server is also in user level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
only things you can do to stop this is to use SMB encryption.
</para></listitem>
</itemizedlist>
</sect2>
<sect2>
<title>Advantages of non-encrypted passwords</title>
<itemizedlist>
<listitem><para>plain text passwords are not kept
on disk. </para></listitem>
<listitem><para>uses same password file as other unix
services such as login and ftp</para></listitem>
<listitem><para>you are probably already using other
services (such as telnet and ftp) which send plain text
passwords over the net, so sending them for SMB isn't
such a big deal.</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1>
<title>The smbpasswd Command</title>
<para>The smbpasswd command maintains the two 32 byte password fields
in the smbpasswd file. If you wish to make it similar to the unix
<command>passwd</command> or <command>yppasswd</command> programs,
install it in <filename>/usr/local/samba/bin/</filename> (or your
main Samba binary directory).</para>
<para><command>smbpasswd</command> now works in a client-server mode
where it contacts the local smbd to change the user's password on its
behalf. This has enormous benefits - as follows.</para>
<para><command>smbpasswd</command> now has the capability
to change passwords on Windows NT servers (this only works when
the request is sent to the NT Primary Domain Controller if you
are changing an NT Domain user's password).</para>
<para>To run smbpasswd as a normal user just type :</para>
<para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
<para><prompt>Old SMB password: </prompt><userinput><type old value here -
or hit return if there was no old password></userinput></para>
<para><prompt>New SMB Password: </prompt><userinput><type new value>
</userinput></para>
<para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value
</userinput></para>
<para>If the old value does not match the current value stored for
that user, or the two new values do not match each other, then the
password will not be changed.</para>
<para>If invoked by an ordinary user it will only allow the user
to change his or her own Samba password.</para>
<para>If run by the root user smbpasswd may take an optional
argument, specifying the user name whose SMB password you wish to
change. Note that when run as root smbpasswd does not prompt for
or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.</para>
<para><command>smbpasswd</command> is designed to work in the same way
and be familiar to UNIX users who use the <command>passwd</command> or
<command>yppasswd</command> commands.</para>
<para>For more details on using <command>smbpasswd</command> refer
to the man page which will always be the definitive reference.</para>
</sect1>
</chapter>
|