RE: [SLUG] samba and encrypted passwords

From: Grantham, Patrick (Patrick.Grantham@vacationclub.com)
Date: Tue Feb 12 2002 - 12:49:07 EST


That was quite a response. Thanks!

-----Original Message-----
From: Ben Ostrowsky [mailto:ostrowb@tblc.org]
Sent: Tuesday, February 12, 2002 10:40 AM
To: slug@nks.net
Subject: Re: [SLUG] samba and encrypted passwords

On Tue, 2002-02-12 at 00:17, Patrick Grantham wrote:
> what the key to success to having samba work with win clients using
> encrypted passwords?

Here's an excerpt from "Using Samba" by Eckstein, Collier-Brown and
Kelly (O'Reilly, 2000).

Passwords

Passwords are a thorny issue with Samba. So much so, in fact, that they
are almost always the first major problem that users encounter when they
install Samba, and generate by far the most questions sent to Samba
support groups. In previous chapters, we've gotten around the need for
passwords by placing the guest ok option in each of our configuration
files, which allows connections without authenticating passwords.
However, at this point, we need to delve deeper into Samba to discover
what is happening on the network.

Passwords sent from individual clients can be either encrypted or
non-encrypted. Encrypted passwords are, of course, more secure. A
non-encrypted password can be easily read with a packet sniffing
program, such as the modified tcpdump program for Samba that we used in
Chapter 3, Configuring Windows Clients. Whether passwords are encrypted
depends on the operating system that the client is using to connect to
the Samba server. Table 6-5 lists which Windows operating systems
encrypt their passwords before sending them to the primary domain
controller for authentication. If your client is not Windows, check the
system documentation to see if SMB passwords are encrypted.

Table 6-5. Windows Operating Systems with Encrypted Passwords

Operating System Encrypted or Non-encrypted
Windows 95 Non-encrypted
Windows 95 with SMB Update Encrypted
Windows 98 Encrypted
Windows NT 3.x Non-encrypted
Windows NT 4.0 before SP 3 Non-encrypted
Windows NT 4.0 after SP 3 Encrypted

There are actually two different encryption methods used: one for
Windows 95 and 98 clients that reuses Microsoft's LAN Manager encryption
style, and a separate one for Windows NT clients and servers. Windows 95
and 98 use an older encryption system inherited from the LAN Manager
network software, while Windows NT clients and servers use a newer
encryption system.

If encrypted passwords are supported, Samba stores the encrypted
passwords in a file called smbpasswd. By default, this file is located
in the private directory of the Samba distribution
(/usr/local/samba/private ). At the same time, the client stores an
encrypted version of a user's password on its own system. The plaintext
password is never stored on either system. Each system encrypts the
password automatically using a known algorithm when the password is set
or changed.

When a client requests a connection to an SMB server that supports
encrypted passwords (such as Samba or Windows NT), the two computers
undergo the following negotiations:

1. The client attempts to negotiate a protocol with the server.

2. The server responds with a protocol and indicates that it supports
encrypted passwords. At this time, it sends back a randomly-generated
8-byte challenge string.

3. The client uses the challenge string as a key to encrypt its already
encrypted password using an algorithm predefined by the negotiated
protocol. It then sends the result to the server.

4. The server does the same thing with the encrypted password stored in
its database. If the results match, the passwords are equivalent and the
user is authenticated.

Note that even though the original passwords are not involved in the
authentication process, you need to be very careful that the encrypted
passwords located inside of the smbpasswd file are guarded from
unauthorized users. If they are compromised, an unauthorized user can
break into the system by replaying the steps of the previous algorithm.
The encrypted passwords are just as sensitive as the plaintext
passwords—this is known as plaintext-equivalent data in the cryptography
world. Of course, you should also ensure that the clients safeguard
their plaintext-equivalent passwords as well.

You can configure Samba to accept encrypted passwords with the following
global additions to smb.conf. Note that we explicitly name the location
of the Samba password file:

[global]
    security = user
    encrypt passwords = yes
    smb passwd file = /usr/local/samba/private/smbpasswd

Samba, however, will not accept any users until the smbpasswd file has
been initialized.

Disabling encrypted passwords on the client

While Unix authentication has been in use for decades, including the use
of telnet and rlogin access across the Internet, it embodies well-known
security risks. Plaintext passwords are sent over the Internet and can
be retrieved from TCP packets by malicious snoopers. However, if you
feel that your network is secure and you wish to use standard Unix
/etc/passwd authentication for all clients, you can do so, but you must
disable encrypted passwords on those Windows clients that default to
using them.

In order to do this, you must modify the Windows registry by installing
two files on each system. Depending on the platform involved, the files
are either NT4_PlainPassword.reg or Win95_PlainPassword.reg. You can
perform this installation by copying the appropriate .reg files from the
Samba distribution's /docs directory to a DOS floppy, and running it
from the Run menu item on the client's Start Menu button. Incidentally,
the Windows 95 .reg file works fine on Windows 98 as well.

After you reboot the machine, the client will not encrypt its hashed
passwords before sending them to the server. This means that the
plaintext-equivalent passwords can been seen in the TCP packets that are
broadcast across the network. Again, we encourage you not to do this
unless you are absolutely sure that your network is secure.
If passwords are not encrypted, you can indicate as much in your Samba
configuration file:

[global]
    security = user
    encrypt passwords = no



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:01:14 EDT