
Re: Samba and PAM



On Wed, Nov 22, 2000 at 11:41:25AM +0100, Josep Llauradó Selvas wrote:
> 
> Hi, I have installed the Samba package in a Debian 2.2 Potato and it runs
> well, but I wanna know how can I use PAM for the authentication method,
> 'cos currently it uses the /etc/samba/smbpasswd file, and I don't know
> what parameter is needed to change the authentication to PAM.
> 
> The package is compiled with the '--with-pam' option, as described in the
> README.Debian file, and all seems to be correct.

yes, samba does indeed use pam to authenticate; however, in order to do
that it needs to take a cleartext password and make a hash of it using
the salt from /etc/passwd or /etc/shadow.  the problem is, ever since
Win98 (and i think later versions of win95) and WinNT sp4 (iirc),
Windows refuses to log in to a server with a cleartext passwd; instead
it sends a weak unsalted hash of the passwd to the server, which then
compares the hash with the hash it has in its passwd file.

so what is happening for samba is the MS client sends a hash, and
samba compares it with the hash in /etc/samba/smbpasswd; if they match,
access is granted, if not, access is denied.  but the original password
cannot be quickly derived from the MS hash, so authenticating against
hashed unix passwords is impossible.

so you can either live with the awful /etc/samba/smbpasswd nonsense or
apply a registry patch to all your win98 and NT sp4+ clients so they
will send cleartext passwords; then you can remove
/etc/samba/smbpasswd and all authentication will go to /etc/passwd
automatically.

keeping smbpasswd and /etc/passwd synchronized is a total nightmare. i
would just hack the windows boxes to use cleartext passwords.  this
lame `encryption' hack MS came up with is not any more secure than
cleartext anyway.  (you sniff a hash instead of a passwd, but you can
use the hash itself to authenticate to a windows server! besides, the
hash is weak and unsalted, meaning it's very easy to brute-force crack.)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
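The two password-store designs contrasted in the reply above, as an added illustration that is not part of the original message or of Samba: an unsalted hash store, where the server's check is a plain equality of hashes (so the stored value must be guarded like a cleartext password and identical passwords produce identical entries), beside a Unix-style salted store that needs the cleartext to recompute the verifier. SHA-256 is used as a stand-in for both; the actual Windows hash and the crypt(3) format are not reproduced, and the user list is constructed sample data.

```python
import hashlib
import hmac
import os

# Stand-in for the unsalted client-side hash described in the post (assumption:
# SHA-256 here only models the "no salt, equality check" property, not the real scheme).
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # Unix-style entry: the salt is stored beside the digest so the server can
    # recompute the verifier from a cleartext password at login time.
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest

def verify_unsalted_store(stored: str, client_sent: str) -> bool:
    # What the post describes: the client sends a hash and the server compares it
    # with the stored one. Whoever holds the stored value passes this check, which
    # is why a file like smbpasswd must be protected like a cleartext password file.
    return hmac.compare_digest(stored, client_sent)

def verify_salted_store(stored: str, cleartext: str) -> bool:
    # The server needs the cleartext to recompute; the stored string by itself
    # is not a credential, so leaking the store is less severe.
    salt_hex, _ = stored.split("$", 1)
    recomputed = salted_hash(cleartext, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, recomputed)

def build_stores(users: dict) -> tuple:
    """users: {name: password} (constructed sample). Returns (unsalted, salted) stores."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_hash(p, os.urandom(8)) for u, p in users.items()}
    return unsalted, salted

def duplicate_entries(store: dict) -> int:
    """Number of users whose stored value is shared with at least one other user.
    In an unsalted store this reveals who shares a password and lets one
    precomputed guess be tested against every entry at once."""
    counts = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)

if __name__ == "__main__":
    sample = {"alice": "winter2000", "bob": "winter2000", "carol": "potato"}
    unsalted, salted = build_stores(sample)
    print("shared entries, unsalted store:", duplicate_entries(unsalted))
    print("shared entries, salted store:  ", duplicate_entries(salted))
```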
