Subject: Re: samba, netbsd and internal network
To: None <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 10/09/2002 17:28:28
In message <firstname.lastname@example.org>, emre@u
>Once upon a time Jeremy C. Reedsaid:
>> The hash is different and since can't be decrypted can be reused.
>> Some admins use plain text for a while as they automatically collect
>> passwords and generate new password file. Then they silently switch
>> over to encrypted passwords. Look at docs for "update encrypted".
>> Also, you can have wrapper for adduser (or whatever) to do both at same
>Yeah, it would be nice if samba had that option; to use unix
>authentication instead of its own authentication mechanism. Maybe such
>thing already exists and im not looking hard enough :D
Fundamentally, it can't really do that.
Unix stores a one-way hash of the typed password in /etc/master.passwd.
To authenticate, the user has to supply the plaintext; the system
hashes it and sees if it matches what's stored. But that means that
the system has to receive the password in the clear -- possibly over an
encrypted channel, but ultimately in the clear.
Windows uses (I believe) a challenge/response scheme. While I don't
recall the details, these generally involve sending the client a random
number. The client computes a hash of that number and its password,
and sends along the result. The server does the same thing, and
compares the answers. Note that the server can't do that without a
cleartext copy of the password.
The two schemes are optimized against different threat models. The
classical Unix scheme was designed to avoid the need for plaintext
passwords to be stored on the system -- see the classic Morris and
Thompson paper for an explanation of why. The Windows scheme was
designed for a secure server attached to an insecure network -- and the
Unix scheme wasn't designed for networks at all.
Anyway -- you can't do what you want. If your users have shell
accounts, I suggest writing a little wrapper that will let them run
'smbpasswd -a' themselves, so they can set their own samba passwords.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)