app_head merge for get_friendly_nt_err()

[Samba/gbeck.git] / docs / htmldocs / pwencrypt.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>LanMan and NT Password Encryption in Samba</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
HREF="browsing-quick.html"><LINK
REL="NEXT"
TITLE="Type of installation"
HREF="type.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PWENCRYPT"
></A
>Chapter 5. LanMan and NT Password Encryption in Samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN473"
></A
>5.1. Introduction</H1
><P
>Newer windows clients send encrypted passwords over 
        the wire, instead of plain text passwords. The newest clients 
        will only send encrypted passwords and refuse to send plain text 
        passwords, unless their registry is tweaked.</P
><P
>These passwords can't be converted to unix style encrypted 
        passwords. Because of that you can't use the standard unix 
        user database, and you have to store the Lanman and NT hashes 
        somewhere else. For more information, see the documentation 
        about the <B
CLASS="COMMAND"
>passdb backend = </B
> parameter.
        </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN478"
></A
>5.2. Important Notes About Security</H1
><P
>The unix and SMB password encryption techniques seem similar 
        on the surface. This similarity is, however, only skin deep. The unix 
        scheme typically sends clear text passwords over the network when 
        logging in. This is bad. The SMB encryption scheme never sends the 
        cleartext password over the network but it does store the 16 byte 
        hashed values on disk. This is also bad. Why? Because the 16 byte hashed 
        values are a "password equivalent". You cannot derive the user's 
        password from them, but they could potentially be used in a modified 
        client to gain access to a server. This would require considerable 
        technical knowledge on behalf of the attacker but is perfectly possible. 
        You should thus treat the smbpasswd file as though it contained the 
        cleartext passwords of all your users. Its contents must be kept 
        secret, and the file should be protected accordingly.</P
><P
>Ideally we would like a password scheme which neither requires 
        plain text passwords on the net or on disk. Unfortunately this 
        is not available as Samba is stuck with being compatible with 
        other SMB systems (WinNT, WfWg, Win95 etc). </P
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="/docbook-dsssl/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Note that Windows NT 4.0 Service pack 3 changed the 
                default for permissible authentication so that plaintext 
                passwords are <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>never</I
></SPAN
> sent over the wire. 
                The solution to this is either to switch to encrypted passwords 
                with Samba or edit the Windows NT registry to re-enable plaintext 
                passwords. See the document WinNT.txt for details on how to do 
                this.</P
><P
>Other Microsoft operating systems which also exhibit 
                this behavior includes</P
><P
></P
><UL
><LI
><P
>MS DOS Network client 3.0 with 
                        the basic network redirector installed</P
></LI
><LI
><P
>Windows 95 with the network redirector 
                        update installed</P
></LI
><LI
><P
>Windows 98 [se]</P
></LI
><LI
><P
>Windows 2000</P
></LI
></UL
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Note :</I
></SPAN
>All current release of 
                Microsoft SMB/CIFS clients support authentication via the
                SMB Challenge/Response mechanism described here.  Enabling
                clear text authentication does not disable the ability
                of the client to participate in encrypted authentication.</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN497"
></A
>5.2.1. Advantages of SMB Encryption</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not passed across 
                        the network. Someone using a network sniffer cannot just 
                        record passwords going to the SMB server.</P
></LI
><LI
><P
>WinNT doesn't like talking to a server 
                        that isn't using SMB encrypted passwords. It will refuse 
                        to browse the server if the server is also in user level 
                        security mode. It will insist on prompting the user for the 
                        password on each connection, which is very annoying. The
                        only things you can do to stop this is to use SMB encryption.
                        </P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN504"
></A
>5.2.2. Advantages of non-encrypted passwords</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not kept 
                        on disk. </P
></LI
><LI
><P
>uses same password file as other unix 
                        services such as login and ftp</P
></LI
><LI
><P
>you are probably already using other 
                        services (such as telnet and ftp) which send plain text 
                        passwords over the net, so sending them for SMB isn't 
                        such a big deal.</P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN513"
></A
>5.3. The smbpasswd Command</H1
><P
>The smbpasswd command maintains the two 32 byte password fields 
        in the smbpasswd file. If you wish to make it similar to the unix 
        <B
CLASS="COMMAND"
>passwd</B
> or <B
CLASS="COMMAND"
>yppasswd</B
> programs, 
        install it in <TT
CLASS="FILENAME"
>/usr/local/samba/bin/</TT
> (or your 
        main Samba binary directory).</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now works in a client-server mode 
        where it contacts the local smbd to change the user's password on its 
        behalf. This has enormous benefits - as follows.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now has the capability 
        to change passwords on Windows NT servers (this only works when 
        the request is sent to the NT Primary Domain Controller if you 
        are changing an NT Domain user's password).</P
><P
>To run smbpasswd as a normal user just type :</P
><P
><TT
CLASS="PROMPT"
>$ </TT
><TT
CLASS="USERINPUT"
><B
>smbpasswd</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Old SMB password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type old value here - 
        or hit return if there was no old password&gt;</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type new value&gt;
        </B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Repeat New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;re-type new value
        </B
></TT
></P
><P
>If the old value does not match the current value stored for 
        that user, or the two new values do not match each other, then the 
        password will not be changed.</P
><P
>If invoked by an ordinary user it will only allow the user 
        to change his or her own Samba password.</P
><P
>If run by the root user smbpasswd may take an optional 
        argument, specifying the user name whose SMB password you wish to 
        change.  Note that when run as root smbpasswd does not prompt for 
        or check the old password value, thus allowing root to set passwords 
        for users who have forgotten their passwords.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> is designed to work in the same way 
        and be familiar to UNIX users who use the <B
CLASS="COMMAND"
>passwd</B
> or 
        <B
CLASS="COMMAND"
>yppasswd</B
> commands.</P
><P
>For more details on using <B
CLASS="COMMAND"
>smbpasswd</B
> refer 
        to the man page which will always be the definitive reference.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Type of installation</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>