16 byte hashed password (read from the smbpasswd file - described later) and the challenge value that it kept from the negotiate protocol reply. It then checks to see if the 24 byte value it calculates matches the 24 byte value returned to it from the client.

If these values match exactly, then the client knew the correct password (or the 16 byte hashed value - see security note below) and is thus allowed access. If not, then the client did not know the correct password and is denied access.

Note that the Samba server never knows or stores the cleartext of the user's password - just the 16 byte hashed value derived from it. Also note that neither the cleartext password nor the 16 byte hashed value is ever transmitted over the network - thus increasing security.

IMPORTANT NOTE ABOUT SECURITY
-----------------------------

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix scheme typically sends clear text passwords over the network when logging in. This is bad. The SMB encryption scheme never sends the cleartext password over the network but it does store the 16 byte hashed value on disk. This is also bad. Why? Because the 16 byte hashed value is a "password equivalent". You cannot derive the user's password from it, but it could potentially be used in a modified client to gain access to a server. This would require considerable technical knowledge on behalf of the attacker but is perfectly possible. You should thus treat the smbpasswd file as though it contained the cleartext passwords of all your users. Its contents must be kept secret, and the file should be protected accordingly.

Ideally we would like a password scheme which requires plain text passwords neither on the net nor on disk. Unfortunately this is not available, as Samba is stuck with being compatible with other SMB systems (WinNT, WfWg, Win95 etc).

PROS AND CONS
-------------

There are advantages and disadvantages to both schemes.
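The exchange described above, modelled as an added example that is not part of the original Samba document: the server keeps only a 16 byte password equivalent, hands the client a random challenge, and compares the client's 24 byte response against the one it computes itself. The real SMB scheme derives the response with a DES based function; this model substitutes an HMAC (an assumption made so the example runs with the Python standard library only) and uses MD5 merely because it yields a 16 byte value, not because it is the hash Samba uses. The user name, password and store layout are constructed for the example.

```python
import hashlib
import hmac
import os


def password_equivalent(password: str) -> bytes:
    """Stand-in for the 16 byte one-way hash Samba keeps in smbpasswd.

    Assumption: MD5 is used here only because its digest is 16 bytes; it is
    not the hash function of the real SMB scheme.
    """
    return hashlib.md5(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """The 8 byte challenge the server sends in its negotiate protocol reply."""
    return os.urandom(8)


def compute_response(hashed: bytes, challenge: bytes) -> bytes:
    """Map (16 byte hash, 8 byte challenge) to a 24 byte response.

    Assumption: HMAC-SHA256 truncated to 24 bytes stands in for the DES based
    function of the real protocol. Note the input is the hash, not the
    password: anyone holding the hash can produce a valid response, which is
    exactly why the document calls it a "password equivalent".
    """
    if len(hashed) != 16 or len(challenge) != 8:
        raise ValueError("expected a 16 byte hash and an 8 byte challenge")
    return hmac.new(hashed, challenge, hashlib.sha256).digest()[:24]


def server_verify(store: dict, username: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the stored hash and compare.

    The comparison is constant-time so the check itself leaks nothing about
    how many bytes matched. An unknown user fails the same way as a bad password.
    """
    stored = store.get(username)
    if stored is None:
        return False
    expected = compute_response(stored, challenge)
    return len(response) == 24 and hmac.compare_digest(expected, response)


def run_exchange(store: dict, username: str, password_typed: str) -> bool:
    """Both sides of one session setup; nothing but challenge and response crosses the wire."""
    challenge = new_challenge()                       # server -> client
    client_hash = password_equivalent(password_typed)  # client hashes locally
    response = compute_response(client_hash, challenge)  # client -> server
    return server_verify(store, username, challenge, response)


if __name__ == "__main__":
    # Constructed store: what a tiny smbpasswd file would hold, user -> 16 byte hash.
    store = {"alice": password_equivalent("correct horse")}
    print("right password:", run_exchange(store, "alice", "correct horse"))
    print("wrong password:", run_exchange(store, "alice", "guess"))
    print("unknown user:  ", run_exchange(store, "mallory", "correct horse"))
```

Because `server_verify` is handed a fresh random challenge for every session, a captured response is useless against a later session, which is the property that lets the cleartext stay off the network; the stored hash, by contrast, is a standing credential and must be protected as the security note says.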
Advantages of SMB Encryption:
-----------------------------

- plain text passwords are not passed across the network. Someone using a network sniffer cannot just record passwords going to the SMB server.

- WinNT doesn't like talking to a server that isn't using SMB encrypted passwords. It will refuse to browse the server if the server is also in user level security mode. It will insist on prompting the user for the password on each connection, which is very annoying. The only thing you can do to stop this is to use SMB encryption.

Advantages of non-encrypted passwords:
--------------------------------------

- plain text passwords are not kept on disk.

- uses the same password file as other unix services such as login and ftp.

- you are probably already using other services (such as telnet and ftp) which send plain text passwords over the net, so not sending them for SMB isn't such a big deal.

- the SMB encryption code in Samba is new and has only had limited testing. We have tried hard to make it secure but in any new implementation of a password scheme there is the possibility of an error.

The smbpasswd file.
-------------------

In order for Samba to participate in the above protocol it must be able to look up the 16 byte hashed value given a user name. Unfortunately, as the UNIX password value is also a one way hash function (ie. it is impossible to retrieve the cleartext of the user's password given the UNIX hash of it), a separate password file containing this 16 byte value must be kept. To minimise problems with these two password files (the UNIX /etc/passwd and the smbpasswd file) getting out of sync, a utility, mksmbpasswd.sh, is provided to generate a smbpasswd file from a UNIX /etc/passwd file.
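The two administrative tasks this section implies, generating smbpasswd entries from /etc/passwd and then protecting the resulting file as the security note demands, as an added example that is not the Samba project's mksmbpasswd.sh (which is a shell/awk script). The smbpasswd field layout used here (user:uid:LM hash:NT hash:gecos:home:shell, with 32 X characters meaning "no password set yet") is an assumption, as are the sample /etc/passwd lines, which are constructed for the example.

```python
import os
import stat
import tempfile

# Assumption: 32 X's in a hash field mark an account whose SMB password has
# not been set yet (it cannot authenticate until an administrator sets one).
NO_PASSWORD = "X" * 32


def passwd_to_smbpasswd(passwd_lines):
    """Turn /etc/passwd style lines into smbpasswd style skeleton entries.

    Assumed output layout: user:uid:LMHASH:NTHASH:gecos:home:shell.
    Malformed or comment lines are skipped rather than half-converted.
    """
    entries = []
    for raw in passwd_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, gecos, home, shell = fields
        entries.append(":".join([name, uid, NO_PASSWORD, NO_PASSWORD, gecos, home, shell]))
    return entries


def audit_permissions(path):
    """Check that an smbpasswd file is kept as secret as cleartext passwords.

    Returns a dict of findings: whether group or other have any access bits,
    and whether the file is owned by uid 0.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "group_or_other_access": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "owned_by_root": st.st_uid == 0,
        "mode": oct(mode),
    }


def write_demo_file(entries, mode):
    """Write entries to a temporary file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="smbpasswd-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write("#\n# SMB password file.\n#\n")
        fh.write("\n".join(entries) + "\n")
    os.chmod(path, mode)
    return path


# Constructed sample input, not a real /etc/passwd.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
    "# a comment line that must be skipped",
    "broken:line:with:too:few",
    "bob:x:1002:1002:Bob Example:/home/bob:/bin/bash",
]

if __name__ == "__main__":
    entries = passwd_to_smbpasswd(SAMPLE_PASSWD)
    for e in entries:
        print(e)
    for mode in (0o600, 0o644):
        path = write_demo_file(entries, mode)
        print(oct(mode), audit_permissions(path))
        os.remove(path)
```

Running the audit after generation catches the common mistake of leaving the file readable by group or other; if `group_or_other_access` is true the file should be chmod'ed to 0600 before Samba is started, since every hash in it is a password equivalent.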
To generate the smbpasswd file from your /etc/passwd file use the following command :-

    cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd

If you are running on a system that uses NIS, use

    ypcat passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd

The mksmbpasswd.sh program is found in the Samba source directory. By default, the smbpasswd file is stored in :-

    /usr/local/samba/private/smbpasswd

The owner of the /usr/local/s