summaryrefslogtreecommitdiff
path: root/docs/htmldocs/pwencrypt.html
blob: 0ce1bd037e4e92a384dd83c31aeed914d02f6971 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>LanMan and NT Password Encryption in Samba</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
HREF="browsing-quick.html"><LINK
REL="NEXT"
TITLE="Type of installation"
HREF="type.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PWENCRYPT"
></A
>Chapter 5. LanMan and NT Password Encryption in Samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN473"
></A
>5.1. Introduction</H1
><P
>Newer windows clients send encrypted passwords over 
	the wire, instead of plain text passwords. The newest clients 
	will only send encrypted passwords and refuse to send plain text 
	passwords, unless their registry is tweaked.</P
><P
>These passwords can't be converted to unix style encrypted 
	passwords. Because of that you can't use the standard unix 
	user database, and you have to store the Lanman and NT hashes 
	somewhere else. For more information, see the documentation 
	about the <B
CLASS="COMMAND"
>passdb backend = </B
> parameter.
	</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN478"
></A
>5.2. Important Notes About Security</H1
><P
>The unix and SMB password encryption techniques seem similar 
	on the surface. This similarity is, however, only skin deep. The unix 
	scheme typically sends clear text passwords over the network when 
	logging in. This is bad. The SMB encryption scheme never sends the 
	cleartext password over the network but it does store the 16 byte 
	hashed values on disk. This is also bad. Why? Because the 16 byte hashed 
	values are a "password equivalent". You cannot derive the user's 
	password from them, but they could potentially be used in a modified 
	client to gain access to a server. This would require considerable 
	technical knowledge on behalf of the attacker but is perfectly possible. 
	You should thus treat the smbpasswd file as though it contained the 
	cleartext passwords of all your users. Its contents must be kept 
	secret, and the file should be protected accordingly.</P
><P
>Ideally we would like a password scheme which neither requires 
	plain text passwords on the net or on disk. Unfortunately this 
	is not available as Samba is stuck with being compatible with 
	other SMB systems (WinNT, WfWg, Win95 etc). </P
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="/docbook-dsssl/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Note that Windows NT 4.0 Service pack 3 changed the 
		default for permissible authentication so that plaintext 
		passwords are <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>never</I
></SPAN
> sent over the wire. 
		The solution to this is either to switch to encrypted passwords 
		with Samba or edit the Windows NT registry to re-enable plaintext 
		passwords. See the document WinNT.txt for details on how to do 
		this.</P
><P
>Other Microsoft operating systems which also exhibit 
		this behavior includes</P
><P
></P
><UL
><LI
><P
>MS DOS Network client 3.0 with 
			the basic network redirector installed</P
></LI
><LI
><P
>Windows 95 with the network redirector 
			update installed</P
></LI
><LI
><P
>Windows 98 [se]</P
></LI
><LI
><P
>Windows 2000</P
></LI
></UL
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Note :</I
></SPAN
>All current release of 
		Microsoft SMB/CIFS clients support authentication via the
		SMB Challenge/Response mechanism described here.  Enabling
		clear text authentication does not disable the ability
		of the client to participate in encrypted authentication.</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN497"
></A
>5.2.1. Advantages of SMB Encryption</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not passed across 
			the network. Someone using a network sniffer cannot just 
			record passwords going to the SMB server.</P
></LI
><LI
><P
>WinNT doesn't like talking to a server 
			that isn't using SMB encrypted passwords. It will refuse 
			to browse the server if the server is also in user level 
			security mode. It will insist on prompting the user for the 
			password on each connection, which is very annoying. The
			only things you can do to stop this is to use SMB encryption.
			</P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN504"
></A
>5.2.2. Advantages of non-encrypted passwords</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not kept 
			on disk. </P
></LI
><LI
><P
>uses same password file as other unix 
			services such as login and ftp</P
></LI
><LI
><P
>you are probably already using other 
			services (such as telnet and ftp) which send plain text 
			passwords over the net, so sending them for SMB isn't 
			such a big deal.</P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN513"
></A
>5.3. The smbpasswd Command</H1
><P
>The smbpasswd command maintains the two 32 byte password fields 
	in the smbpasswd file. If you wish to make it similar to the unix 
	<B
CLASS="COMMAND"
>passwd</B
> or <B
CLASS="COMMAND"
>yppasswd</B
> programs, 
	install it in <TT
CLASS="FILENAME"
>/usr/local/samba/bin/</TT
> (or your 
	main Samba binary directory).</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now works in a client-server mode 
	where it contacts the local smbd to change the user's password on its 
	behalf. This has enormous benefits - as follows.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now has the capability 
	to change passwords on Windows NT servers (this only works when 
	the request is sent to the NT Primary Domain Controller if you 
	are changing an NT Domain user's password).</P
><P
>To run smbpasswd as a normal user just type :</P
><P
><TT
CLASS="PROMPT"
>$ </TT
><TT
CLASS="USERINPUT"
><B
>smbpasswd</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Old SMB password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type old value here - 
	or hit return if there was no old password&gt;</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type new value&gt;
	</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Repeat New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;re-type new value
	</B
></TT
></P
><P
>If the old value does not match the current value stored for 
	that user, or the two new values do not match each other, then the 
	password will not be changed.</P
><P
>If invoked by an ordinary user it will only allow the user 
	to change his or her own Samba password.</P
><P
>If run by the root user smbpasswd may take an optional 
	argument, specifying the user name whose SMB password you wish to 
	change.  Note that when run as root smbpasswd does not prompt for 
	or check the old password value, thus allowing root to set passwords 
	for users who have forgotten their passwords.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> is designed to work in the same way 
	and be familiar to UNIX users who use the <B
CLASS="COMMAND"
>passwd</B
> or 
	<B
CLASS="COMMAND"
>yppasswd</B
> commands.</P
><P
>For more details on using <B
CLASS="COMMAND"
>smbpasswd</B
> refer 
	to the man page which will always be the definitive reference.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Type of installation</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>