summaryrefslogtreecommitdiff
path: root/docs/textdocs/Passwords.txt
blob: cf08024e64d9d50fc2dbf5d11d042c731a71d026 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
!==
!== Passwords.txt for Samba release 1.9.18alpha13 16 Dec 1997
!==
Contributor:	Unknown
Date:		Unknown
Status:		Current

Subject:	NOTE ABOUT PASSWORDS
=============================================================================

Unix systems use a wide variety of methods for checking the validity
of a password. This is primarily controlled with the Makefile defines
mentioned in the Makefile.

Also note that some clients (notably WfWg) uppercase the password
before sending it. The server tries the password as it receives it and
also after lowercasing it.

The Samba server can also be configured to try different
upper/lowercase combinations. This is controlled by the [global]
parameter "password level". A level of N means to try all combinations
up to N uppercase characters in the password. A high value can chew a
fair bit of CPU time and can lower the security of your system. Do not
use this options unless you really need it - the time taken for
password checking can become so high that clients time out. 

If you do use the "password level" option then you might like to use
-DUFC_CRYPT in your Makefile. On some machine this makes password
checking _much_ faster. This is also useful if you use the @group
syntax in the user= option.

If your site uses AFS (the Andrew File System), you can use the AFS section
in the Makefile.  This will first attempt to authenticate a username and
password to AFS.  If that succeeds, then the associated AFS rights will be
granted.  Otherwise, the password checking routine falls back to whatever
Unix password checking method you are using.  Note that the AFS code is
only written and tested for AFS 3.3 and later.


SECURITY = SERVER
=================

Samba can use a remote server to do its username/password
validation. This allows you to have one central machine (for example a
NT box) control the passwords for the Unix box.

See the section on "security =" in smb.conf(5) for details.