1 <!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN">
5 >LanMan and NT Password Encryption in Samba
</TITLE
8 CONTENT=
"Modular DocBook HTML Stylesheet Version 1.76b+
11 TITLE=
"SAMBA Project Documentation"
12 HREF=
"samba-howto-collection.html"><LINK
14 TITLE=
"General installation"
15 HREF=
"introduction.html"><LINK
17 TITLE=
"Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
18 HREF=
"browsing-quick.html"><LINK
20 TITLE=
"Type of installation"
21 HREF=
"type.html"></HEAD
32 SUMMARY=
"Header navigation table"
41 >SAMBA Project Documentation
</TH
49 HREF=
"browsing-quick.html"
76 NAME=
"PWENCRYPT">Chapter
4. LanMan and NT Password Encryption in Samba
</H1
82 NAME=
"AEN457">4.1. Introduction
</H1
84 >Newer windows clients send encrypted passwords over
85 the wire, instead of plain text passwords. The newest clients
86 will only send encrypted passwords and refuse to send plain text
87 passwords, unless their registry is tweaked.
</P
89 >These passwords can't be converted to unix style encrypted
90 passwords. Because of that you can't use the standard unix
91 user database, and you have to store the Lanman and NT hashes
92 somewhere else. For more information, see the documentation
104 NAME=
"AEN462">4.2. Important Notes About Security
</H1
106 >The unix and SMB password encryption techniques seem similar
107 on the surface. This similarity is, however, only skin deep. The unix
108 scheme typically sends clear text passwords over the network when
109 logging in. This is bad. The SMB encryption scheme never sends the
110 cleartext password over the network but it does store the
16 byte
111 hashed values on disk. This is also bad. Why? Because the
16 byte hashed
112 values are a
"password equivalent". You cannot derive the user's
113 password from them, but they could potentially be used in a modified
114 client to gain access to a server. This would require considerable
115 technical knowledge on behalf of the attacker but is perfectly possible.
116 You should thus treat the smbpasswd file as though it contained the
117 cleartext passwords of all your users. Its contents must be kept
118 secret, and the file should be protected accordingly.
</P
120 >Ideally we would like a password scheme which neither requires
121 plain text passwords on the net or on disk. Unfortunately this
122 is not available as Samba is stuck with being compatible with
123 other SMB systems (WinNT, WfWg, Win95 etc).
</P
138 SRC=
"../images/warning.gif"
145 >Note that Windows NT
4.0 Service pack
3 changed the
146 default for permissible authentication so that plaintext
153 > sent over the wire.
154 The solution to this is either to switch to encrypted passwords
155 with Samba or edit the Windows NT registry to re-enable plaintext
156 passwords. See the document WinNT.txt for details on how to do
159 >Other Microsoft operating systems which also exhibit
160 this behavior includes
</P
166 >MS DOS Network client
3.0 with
167 the basic network redirector installed
</P
171 >Windows
95 with the network redirector
190 >All current release of
191 Microsoft SMB/CIFS clients support authentication via the
192 SMB Challenge/Response mechanism described here. Enabling
193 clear text authentication does not disable the ability
194 of the client to participate in encrypted authentication.
</P
204 NAME=
"AEN481">4.2.1. Advantages of SMB Encryption
</H2
210 >plain text passwords are not passed across
211 the network. Someone using a network sniffer cannot just
212 record passwords going to the SMB server.
</P
216 >WinNT doesn't like talking to a server
217 that isn't using SMB encrypted passwords. It will refuse
218 to browse the server if the server is also in user level
219 security mode. It will insist on prompting the user for the
220 password on each connection, which is very annoying. The
221 only things you can do to stop this is to use SMB encryption.
231 NAME=
"AEN488">4.2.2. Advantages of non-encrypted passwords
</H2
237 >plain text passwords are not kept
242 >uses same password file as other unix
243 services such as login and ftp
</P
247 >you are probably already using other
248 services (such as telnet and ftp) which send plain text
249 passwords over the net, so sending them for SMB isn't
260 NAME=
"AEN497">4.3. The smbpasswd Command
</H1
262 >The smbpasswd command maintains the two
32 byte password fields
263 in the smbpasswd file. If you wish to make it similar to the unix
273 >/usr/local/samba/bin/
</TT
275 main Samba binary directory).
</P
280 > now works in a client-server mode
281 where it contacts the local smbd to change the user's password on its
282 behalf. This has enormous benefits - as follows.
</P
287 > now has the capability
288 to change passwords on Windows NT servers (this only works when
289 the request is sent to the NT Primary Domain Controller if you
290 are changing an NT Domain user's password).
</P
292 >To run smbpasswd as a normal user just type :
</P
306 >Old SMB password:
</TT
310 ><type old value here -
311 or hit return if there was no old password
></B
317 >New SMB Password:
</TT
321 ><type new value
>
328 >Repeat New SMB Password:
</TT
332 ><re-type new value
337 >If the old value does not match the current value stored for
338 that user, or the two new values do not match each other, then the
339 password will not be changed.
</P
341 >If invoked by an ordinary user it will only allow the user
342 to change his or her own Samba password.
</P
344 >If run by the root user smbpasswd may take an optional
345 argument, specifying the user name whose SMB password you wish to
346 change. Note that when run as root smbpasswd does not prompt for
347 or check the old password value, thus allowing root to set passwords
348 for users who have forgotten their passwords.
</P
353 > is designed to work in the same way
354 and be familiar to UNIX users who use the
<B
363 >For more details on using
<B
367 to the man page which will always be the definitive reference.
</P
375 SUMMARY=
"Footer navigation table"
386 HREF=
"browsing-quick.html"
395 HREF=
"samba-howto-collection.html"
414 >Quick Cross Subnet Browsing / Cross Workgroup Browsing guide
</TD
420 HREF=
"introduction.html"
428 >Type of installation
</TD