From owner-freebsd-questions@FreeBSD.ORG Mon Jun 30 23:05:55 2003
Message-Id: <5.2.0.9.0.20030701125515.00a0cec0@127.0.0.1>
Date: Tue, 01 Jul 2003 13:05:30 +0700
To: freebsd-questions@FreeBSD.ORG
From: Roger Merritt
In-Reply-To: <20030701043337.GA25092@kongemord.krig.net>
cc: Bob Hall
Subject: Re: Samba passwords

At 11:33 AM 7/1/03, you wrote:
>On Tue, Jul 01, 2003 at 04:54:33AM +0200, P. U. Kruppa wrote:
> > On Mon, 30 Jun 2003, Bob Hall wrote:
> >
> > > samba-2.2.8a
> > > FreeBSD 4.8
> > >
> > > I'm trying to get samba running on my FBSD server. I've done this
> > > previously with another server, but I can't seem to get it to
> > > work this time. If I turn off password encryption, then I pass
> > > all the tests in the DIAGNOSIS file, but Win2k obviously won't
> > > allow the connection without encrypted passwords. If I turn
> > > encryption on, I pass any test that doesn't involve a password.
> > Did you change the registry entry on your win2k machine
> > (i.e. did you apply
> > /usr/local/share/doc/samba/Registry/Win2000_PlainPassword.reg)?
>
>Thanks for responding, but I need a more secure solution. The point
>of setting up a samba password file is to avoid sending passwords in
>plain text. I was able to pass encrypted passwords in the earlier
>version of Samba. There should be a way of doing it with this version.
>
>What I'm hoping is that the ENCRYPTION file that was dropped from
>this port (or this version, whichever) was replaced with another file
>that documents how encrypted passwords are currently handled. Since
>the sh script mentioned in the ENCRYPTION file has been replaced with
>the undocumented make_smbpasswd file, I'm hoping that there actually is
>some documentation that explains it all, as the ENCRYPTION file once did.
>The documentation included with the port doesn't do the trick, and
>the tests in the DIAGNOSIS file seem to indicate that I've got everything
>except the encrypted passwords set up correctly. Google hasn't led to
>anything, nor has searching the archives.
>
>Alternately, if someone who has set up encrypted passwords successfully
>using the old instructions would let me know, that would help also.
>Knowing that I'm an idiot would give me a more accurate basis for
>proceeding.

I don't know how helpful this will be, because I didn't follow through on it, but among the docfiles is one that talks about modifying /etc/pam.conf so that for certain categories of login pam uses the smbpasswd program to authenticate. It seems NT/Win2K/etc. use a cryptographic protocol that's inconsistent with the rest of the world (setting the industry standard ;-) ).

Ah, take a look at /usr/local/share/doc/samba/htmldocs/PAM-Authentication-And-Samba.html. I found it hard to understand and the pam man page even worse. I played with it once because I was getting so many pam authentication errors, but I got scared and in the next upgrade I just overwrote my edited pam.conf with the vanilla distribution one and dropped back to plain-text passwords. I'm still using Win98, too.

Hope this helps.

-- 
Roger