<chapter id="pwencrypt">
<firstname>Jeremy</firstname><surname>Allison</surname>
<orgname>Samba Team</orgname>
<email>jra@samba.org</email>
<firstname>Jelmer</firstname><surname>Vernooij</surname>
<orgname>Samba Team</orgname>
<email>jelmer@samba.org</email>
<pubdate>4 November 2002</pubdate>
<title>LanMan and NT Password Encryption in Samba</title>
<title>Introduction</title>
<para>Newer Windows clients send encrypted passwords over
the wire instead of plain text passwords. The newest clients
will only send encrypted passwords and refuse to send plain text
passwords unless their registry is tweaked.</para>
<para>These passwords can't be converted to unix style encrypted
passwords. Because of that you can't use the standard unix
user database, and you have to store the LanMan and NT hashes
somewhere else. For more information, see the documentation
about the <command>passdb backend = </command> parameter.</para>
<title>Important Notes About Security</title>
<para>The unix and SMB password encryption techniques seem similar
on the surface. This similarity is, however, only skin deep. The unix
scheme typically sends clear text passwords over the network when
logging in. This is bad. The SMB encryption scheme never sends the
cleartext password over the network, but it does store the 16 byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed
values are a "password equivalent". You cannot derive the user's
password from them, but they could potentially be used in a modified
client to gain access to a server. This would require considerable
technical knowledge on the part of the attacker, but is perfectly possible.
You should thus treat the smbpasswd file as though it contained the
cleartext passwords of all your users. Its contents must be kept
secret, and the file should be protected accordingly.</para>
<para>Ideally we would like a password scheme which requires
plain text passwords neither on the net nor on disk. Unfortunately this
is not available, as Samba is stuck with being compatible with
other SMB systems (WinNT, WfWg, Win95 etc).</para>
<para>Note that Windows NT 4.0 Service Pack 3 changed the
default for permissible authentication so that plaintext
passwords are <emphasis>never</emphasis> sent over the wire.
The solution to this is either to switch to encrypted passwords
with Samba or to edit the Windows NT registry to re-enable plaintext
passwords. See the document WinNT.txt for details on how to do
<para>Other Microsoft operating systems which also exhibit
this behavior include</para>
<listitem><para>MS DOS Network client 3.0 with
the basic network redirector installed</para></listitem>
<listitem><para>Windows 95 with the network redirector
update installed</para></listitem>
<listitem><para>Windows 98 [SE]</para></listitem>
<listitem><para>Windows 2000</para></listitem>
<para><emphasis>Note:</emphasis> All current releases of
Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling
clear text authentication does not disable the ability
of the client to participate in encrypted authentication.</para>
<title>Advantages of SMB Encryption</title>
<listitem><para>Plain text passwords are not passed across
the network. Someone using a network sniffer cannot just
record passwords going to the SMB server.</para></listitem>
<listitem><para>WinNT doesn't like talking to a server
that isn't using SMB encrypted passwords. It will refuse
to browse the server if the server is also in user level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
only thing you can do to stop this is to use SMB encryption.</para></listitem>
<title>Advantages of non-encrypted passwords</title>
<listitem><para>Plain text passwords are not kept
on disk.</para></listitem>
<listitem><para>Uses the same password file as other unix
services such as login and ftp.</para></listitem>
<listitem><para>You are probably already using other
services (such as telnet and ftp) which send plain text
passwords over the net, so sending them for SMB isn't
such a big deal.</para></listitem>
<title>The smbpasswd Command</title>
<para>The smbpasswd command maintains the two 32 byte password fields
in the smbpasswd file. If you wish to make it similar to the unix
<command>passwd</command> or <command>yppasswd</command> programs,
install it in <filename>/usr/local/samba/bin/</filename> (or your
main Samba binary directory).</para>
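<para>Because the file holds password equivalents, the security note above asks for it to be protected like a cleartext password file; the following is an added Python example (not Samba's own code) that audits an smbpasswd file accordingly: it checks the file mode, parses the two hash fields of each entry, and reports entries that carry the <literal>NO PASSWORD</literal> sentinel, malformed fields, or an NT hash shared by several users (LM and NT hashes are unsalted, so a shared hash means a shared password). It assumes the classic <literal>username:uid:LMHASH:NTHASH:[flags]:LCT-hex:</literal> line layout and uses only constructed sample entries with dummy hex values.</para>

```python
import re
import stat
from collections import defaultdict

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
NO_PASSWORD = "NO PASSWORD" + "X" * 21   # sentinel smbpasswd writes for an empty password
UNSET = "X" * 32                         # hash of this type is not stored

def check_file_mode(mode):
    """Findings for a st_mode value: only the owner (root) should be able to read the file."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["file is accessible to group or other; chmod 600 it"]
    return []

def audit_entries(lines):
    """Parse smbpasswd lines (assumed layout, see lead-in) and return (subject, finding) tuples."""
    findings = []
    users_by_nt_hash = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":") + [""] * 5          # pad so short, malformed lines do not crash
        user, _uid, lm, nt, flags = fields[:5]
        if "D" in flags:                              # disabled account, cannot be used to log in
            continue
        for kind, value in (("LM", lm), ("NT", nt)):
            if value == NO_PASSWORD:
                findings.append((user, kind + " field is the NO PASSWORD sentinel"))
            elif value != UNSET and not HEX32.match(value):
                findings.append((user, kind + " field is not 32 hex digits"))
        if HEX32.match(nt):
            users_by_nt_hash[nt.lower()].append(user)
    # LM and NT hashes are unsalted, so equal NT hashes mean equal passwords
    for users in users_by_nt_hash.values():
        if len(users) > 1:
            findings.append((",".join(users), "share one NT hash, i.e. one password"))
    return findings

# Constructed sample entries: the hex values and LCT times are dummies, not real hashes.
LM_A, NT_A = "0123456789ABCDEF" * 2, "FEDCBA9876543210" * 2
SAMPLE = [
    "# smbpasswd sample (constructed)",
    "alice:1001:" + LM_A + ":" + NT_A + ":[U          ]:LCT-3DC6A4B0:",
    "bob:1002:" + UNSET + ":" + NT_A + ":[U          ]:LCT-3DC6A4B0:",
    "guest:1003:" + NO_PASSWORD + ":" + NO_PASSWORD + ":[NU         ]:LCT-3DC6A4B0:",
    "old:1004:" + LM_A + ":" + LM_A + ":[DU         ]:LCT-3DC6A4B0:",
    "broken:1005:not-a-hash:FEDCBA98:[U          ]:LCT-3DC6A4B0:",
]
```

Feed <literal>os.stat(path).st_mode</literal> to <literal>check_file_mode</literal> and the file's lines to <literal>audit_entries</literal>; against SAMPLE it reports both guest sentinels, both malformed fields of broken, and that alice and bob share a password.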
<para><command>smbpasswd</command> now works in a client-server mode
where it contacts the local smbd to change the user's password on its
behalf. This has enormous benefits, as follows.</para>
<para><command>smbpasswd</command> now has the capability
to change passwords on Windows NT servers (this only works when
the request is sent to the NT Primary Domain Controller if you
are changing an NT Domain user's password).</para>
<para>To run smbpasswd as a normal user just type:</para>
<para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
<para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here -
or hit return if there was no old password&gt;</userinput></para>
<para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;</userinput></para>
<para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value&gt;</userinput></para>
<para>If the old value does not match the current value stored for
that user, or the two new values do not match each other, then the
password will not be changed.</para>
<para>If invoked by an ordinary user it will only allow the user
to change his or her own Samba password.</para>
<para>If run by the root user smbpasswd may take an optional
argument specifying the user name whose SMB password you wish to
change. Note that when run as root smbpasswd does not prompt for
or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.</para>
<para><command>smbpasswd</command> is designed to work in the same way
and be familiar to UNIX users who use the <command>passwd</command> or
<command>yppasswd</command> commands.</para>
<para>For more details on using <command>smbpasswd</command> refer
to the man page, which will always be the definitive reference.</para>