Samba and password encryption


 

 

 

 

 

Introduction

This page is another sequel to the original Samba page, and provides some information about setting up Samba so that it accepts encrypted passwords from Windows NT and Windows 2000.

It is based on Windows NT and Windows 2000 running on the workstations.

 

Windows and encrypted passwords

 

For Windows NT

Windows NT does not in itself use encrypted passwords. However, from Service Pack 4 upwards, Microsoft changed the default setting so that NT sends out passwords in encrypted form.

This has presumably been done in the interests of security, so that hackers monitoring network traffic cannot read passwords as they pass across the network.

Unfortunately, it also stops NT being able to authenticate to Samba on Linux.

There is, however, a registry setting which results in NT reverting to the NT default of sending out un-encrypted passwords.

The setting is:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"EnablePlainTextPassword"=dword:00000001

If this registry setting is made, then NT with Service Pack 4, 5, 6 or 6a will send out un-encrypted passwords, and the PC can communicate with Samba on Linux.

 

For Windows 2000

By default, Windows 2000 sends out encrypted passwords, but as with NT, there is a registry setting which allows 2000 to send out un-encrypted passwords. The setting is:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000001

And this registry setting, as with NT, means that Windows 2000 can communicate with Samba on Linux.

 

Modifying Samba to allow encrypted passwords

As an alternative to changing the registry settings on Windows NT and Windows 2000 to allow them to send un-encrypted passwords, it is also possible to configure Samba so that it can utilise encrypted passwords.

This is done through the configuration file called "smb.conf", which in Caldera Linux 1.3 is found in the /etc/samba.d/ directory.

It is the same configuration file that is discussed in the first webpage on Samba - the page called "Samba" in the Linux index page.

The changes are made to the Global Settings part of the file, and involve the inclusion of two lines:
 


#================== Global Settings =====================
[global]
   .
   .
   encrypt passwords = yes
   smb passwd file = /etc/samba.d/smbpasswd
   .
   .
#====================== Share Definitions ==============

The first line tells Samba to accept encrypted passwords.

The second line tells Samba where to find the encrypted passwords that it has been set up to recognise and respond to.

It is worth noting that the "man smb.conf" page has warnings about the security implications of adding the second line shown above.

The path specified in the second line is the default path anyway, so it may be advisable to omit it. As long as the information is contained within this file in the default path, then Samba works fine without this line being inserted into the smb.conf file.

 

Setting up the encrypted passwords

The first requirement is that each user name for Samba must be a fully functioning user in the underlying Linux system. So that has to be done first.

Next, only the root user has the rights to create the users within Samba that are going to use encrypted passwords.

The names of the users that are going to use encrypted passwords have to be written into the smbpasswd file. This is done using the smbpasswd command at the command prompt, i.e.

smbpasswd -a username

Samba will respond by asking you to type in the new password, and then to retype the new password. Samba does not then tell you that it has been done okay; it only tells you if it hasn't.

Having done this, Samba will then accept encrypted passwords from Windows NT and Windows 2000 based workstations.
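A check that can be run after the steps above, added here as an example and not part of the original page: it reads the [global] section of smb.conf, confirms that "encrypt passwords" is on, and verifies that the smbpasswd file is owned by root and closed to group and others. The function names are hypothetical, and treating an absent "encrypt passwords" line as "no" is an assumption about the Samba version in use.

```python
import os
import stat

DEFAULT_SMBPASSWD = "/etc/samba.d/smbpasswd"  # default path as stated on this page

def global_settings(conf_text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            settings["".join(key.split()).lower()] = value.strip()
    return settings

def audit(conf_text, stat_fn=os.stat):
    """Return a list of findings about the encrypted-password setup."""
    g = global_settings(conf_text)
    findings = []
    # Assumption: an absent setting means "no" (the default in Samba of this era)
    if g.get("encryptpasswords", "no").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords is not enabled in [global]")
    path = g.get("smbpasswdfile", DEFAULT_SMBPASSWD)
    try:
        st = stat_fn(path)
    except OSError:
        findings.append(f"{path}: cannot stat file")
        return findings
    # The file holds the users' password hashes, so only root should read it
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{path}: accessible by group or others")
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the two lines added on this page
    sample = """[global]
   encrypt passwords = yes
   smb passwd file = /etc/samba.d/smbpasswd
"""
    for finding in audit(sample) or ["no findings"]:
        print(finding)
```

Run it as root against the real file by passing the contents of /etc/samba.d/smb.conf to audit().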

 

The effects of enabling encrypted passwords

The primary thing to note is that once Samba has been set up to accept encrypted passwords, it does not mean that the use of encrypted passwords is mandatory.

Samba will still respond to un-encrypted passwords, and so enables the users or the operating systems to have a choice as to whether to use encrypted passwords or un-encrypted passwords.

Which is very useful.

There may be users who need to communicate with more than one version of Samba, on more than one server. If, say, one Samba installation on a Unix server does not accept encrypted passwords, but another installation of Samba on a Linux server is set up so that it does accept encrypted passwords, then the workstation could be set to send un-encrypted passwords, and the user can communicate with both servers.

 


© 2002 Ron Turner

