Command.
----------------------

The smbpasswd command maintains the 32 byte password field in
the smbpasswd file. If you wish to make it similar to the unix
passwd or yppasswd programs, install it in /usr/local/samba/bin
(or your main Samba binary directory) and make it setuid root.

Note that if you do not do this then the root user will have
to set all users' passwords.

To set up smbpasswd as setuid root, change to the Samba binary install
directory and then type (as root) :

    chown root smbpasswd
    chmod 4555 smbpasswd

If smbpasswd is installed as setuid root then you would use it as
follows.

    smbpasswd
    Old SMB password:
    New SMB Password: < type new value >
    Repeat New SMB Password: < re-type new value >

If the old value does not match the current value stored for that
user, or the two new values do not match each other, then the password
will not be changed.

If invoked by an ordinary user it will only allow the user to change
his or her own Samba password.

If run by the root user smbpasswd may take an optional argument,
specifying the user name whose SMB password you wish to change. Note
that when run as root smbpasswd does not prompt for or check the old
password value, thus allowing root to set passwords for users who have
forgotten their passwords.

smbpasswd is designed to work in the same way and be familiar to UNIX
users who use the passwd or yppasswd commands.

NOTE. As smbpasswd is designed to be installed as setuid root I would
appreciate it if everyone examined the source code to look for
potential security flaws. A setuid program, if not written properly,
can be an open door to a system cracker. Please help make this program
secure by reporting all problems to me (the author, Jeremy Allison).

My email address is :-

    jra@vantive.com

Setting up Samba to support LanManager Encryption.
--------------------------------------------------

This is a very brief description on how to set up Samba to support
password encryption.
More complete instructions will probably be added later.

1) get and compile the libdes libraries. The source is available from
   nimbus.anu.edu.au in pub/tridge/libdes/libdes.tar.92-10-13.gz

2) enable the encryption stuff in the Samba makefile, making sure you
   point it to the libdes library and include file (it needs des.h).
   The entries you need to uncomment are the four lines after the
   comment :-

   # This is for SMB encrypted (lanman) passwords.

   Note that you may have to change the variable DES_BASE to point at
   the place where you installed the DES library.

3) compile and install samba as usual

4) If your system can't compile the module getsmbpass.c then remove the
   -DSMBGETPASS define from the Makefile.

5) enable encrypted passwords in smb.conf by adding the line
   "encrypt passwords = yes" in the [global] section

6) create the initial smbpasswd password file in the place you
   specified in the Makefile. A simple way to do this based on your
   existing Makefile (assuming it is in a reasonably standard format)
   is like this:

   cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

   Change ownership of private and smbpasswd to root.

   chown -R root /usr/local/samba/private

   Set the correct permissions on /usr/local/samba/private

   chmod 500 /usr/local/samba/private

   Set the correct permissions on /usr/local/samba/private/smbpasswd

   chmod 600 /usr/local/samba/private/smbpasswd

   Note that the mksmbpasswd.sh script is in the samba source directory.

   If this fails then you will find that you will need entries that
   look like this:

   # SMB password file.
   tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Andrew Tridgell:/home/tridge:/bin/tcsh

   Note that the uid and username fields must be right. Also, you must
   get the number of X's right (there should be 32).

   If you wish, install the smbpasswd program as suid root.

   chown root /usr/local/samba/bin/smbpasswd
   chmod 4555 /usr/local/samba/bin/smbpasswd

7) set the passwords for users using the smbpasswd command.
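
The ownership, permission and entry-format rules from step 6 can be checked mechanically before any passwords are set. The script below is an added example, not part of the Samba distribution; the function names and the optional PASSWD and OWNER arguments are illustrative, and it assumes the colon-separated entry layout shown above.

```sh
#!/bin/sh
# Added example: audit the smbpasswd file created in step 6.
# Function names and the OWNER argument are illustrative, not Samba's.

# check_path PATH MODE OWNER: compare the "ls -ld" mode string and owner.
check_path() {
    got=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) " " $3 }')
    [ "$got" = "$2 $3" ] && return 0
    echo "PERM: $1 is '$got', expected '$2 $3'"
    return 1
}

# check_entries SMBPASSWD PASSWD: every entry needs a username and uid that
# match the passwd file, and a password field exactly 32 characters long.
check_entries() {
    awk -F: '
        NR == FNR        { uid[$1] = $3; next }   # first file: passwd
        /^#/ || NF == 0  { next }                 # comments, blank lines
        !($1 in uid)     { print "ENTRY: " $1 ": not in passwd file"; bad++; next }
        uid[$1] != $2    { print "ENTRY: " $1 ": uid " $2 " != " uid[$1]; bad++ }
        length($3) != 32 { print "ENTRY: " $1 ": password field is " length($3) " chars, not 32"; bad++ }
        END              { exit (bad > 0) }
    ' "$2" "$1"
}

# audit_smbpasswd SMBPASSWD [PASSWD] [OWNER]: returns 0 only if the private
# directory is mode 500, the file is mode 600, both belong to OWNER
# (default root), and every entry passes check_entries.
audit_smbpasswd() {
    rc=0
    check_path "$(dirname "$1")" "dr-x------" "${3:-root}" || rc=1
    check_path "$1" "-rw-------" "${3:-root}" || rc=1
    check_entries "$1" "${2:-/etc/passwd}" || rc=1
    return $rc
}

# Run as root: sh audit.sh /usr/local/samba/private/smbpasswd
if [ $# -gt 0 ]; then audit_smbpasswd "$@"; fi
```

Each problem is printed on its own line, prefixed PERM or ENTRY, and the exit status is non-zero if any check fails.
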
   For example, as root you could do "smbpasswd tridge"

8) try it out!

Note that you can test things using smbclient, as it also now supports
encryption.

NOTE TO USA Sites that Mirror Samba
-----------------------------------

The DES library is considered a munition in the USA. Under US Law it is
illegal to export this software, or to put it in a freely available ftp
site.

Please do not mirror the DES directory from the site on
nimbus.anu.edu.au

Thank you,

Jeremy Allison.

Here are some random hints that you may find useful. These really
should be incorporated in the main docs someday.

----------------------
HINT: Always test your smb.conf with testparm before using it

If your smb.conf file is invalid then samba will fail to load. Run
testparm over it before you install it just to make sure there aren't
any basic syntax or logical errors.

----------------------
HINT: Try printing with smbclient first

If you have problems printing, test with smbclient first. Just connect
using "smbclient '\\server\printer' -P" and use the "print"
command.

Once this works, you know that Samba is set up correctly for printing,
and you should be able to get it to work from your PCs.

This particularly helps in getting the "print command" right.

----------------------
HINT: Mount cdroms with conv=binary

Some OSes (notably Linux) default to auto detection of file type on
cdroms and do cr/lf translation. This is a very bad idea when used with
Samba. It causes all sorts of stuff ups.

To overcome this problem use conv=binary when mounting the cdrom
before exporting it with Samba.

----------------------
HINT: Convert between unix and dos text formats

Jim Barry has written an excellent drag-and-drop cr/lf converter for
windows. Just drag your file onto the icon and it converts the file.
Get it from
ftp://nimbus.anu.edu.au/pub/tridge/samba/contributed/fixcrlf.zip

----------------------
HINT: Use the "username map" option

If the usernames used on your PCs don't match those used on the unix
server then you will find the "username map" option useful.

-----------------------
HINT: Use "security = user" in [global]

If you have the same usernames on the unix box and the PCs or have
mapped them with the "username map" option then choose "security =
user" in the [global] section of smb.conf.

This will mean your password is checked only when you first connect,
and subsequent connections to printers, disks etc will go more
smoothly and much faster.

The main problem with "security = user" if you use WfWg is that you
will ONLY be able to connect as the username that you log into WfWg
with. This is because WfWg silently ignores the password field in the
connect drive dialog box if the server is in user security mode.

------------------------
HINT: Make your printers not "guest ok"

If your printers are not "guest ok" and you are using "security =
user" and have matching unix and PC usernames then you will attach to
the printer without trouble as your own username. This will mean you
will be able to delete print jobs (in 1.8.06 and above) and printer
accounting will be possible.

-----------------------
HINT: Use a sensible "guest" account

Even if all your services are not available to "guest" you will need a
guest account. This is because the browsing is done as guest. In many
cases setting "guest account = ftp" will do the trick. Using the
default guest account or "guest account = nobody" will give problems on
many unixes. If in doubt create another account with minimal
privileges and use it instead. Your users don't need to know the
password of the guest account.

-----------------------
HINT: Use the latest TCP/IP stack from Microsoft if you use Windows
for workgroups.

The early TCP/IP stacks