Passwords

Connections between Windows clients and Samba servers have been further complicated by the implementation of password encryption on Microsoft networks. Current versions of Windows operating systems, including upgraded versions of Windows NT, 2000, 98, and 95, now require the use of encrypted passwords by default. Samba, on the other hand, uses unencrypted passwords by default. To enable communication between Samba servers and Windows clients, you have to either change Windows clients to use unencrypted passwords or change the Samba server to use encrypted passwords. The more secure course is to implement encrypted passwords on Samba servers, though this entails more administrative work. Though not distributed by default, Samba can be built with SSL support. This SSL- enabled Samba provides support for encrypted SSL network communications. SSL-enabled Samba includes several SSL-specific configuration options, each preceded by the term ssl. For example, ssl cipher lets you determine the ciphers that can be used, and ssl CA certFile specifies the certificates file.

Samba also provides its own Samba password PAM module, pam_smbpass.o. With this module, you provide PAM authentication support for Samba passwords, enabling the use of Windows hosts on a PAM-controlled network. The module could be used for authentication and password management in your PAM samba file. The following entries in the PAM samba file would implement PAM authentication and passwords using the Samba password database:

auth required pam_smbpass.so nodelay password required pam_smbpass.so nodelay

Be sure to enable PAM in the smb.conf file:

obey pam restrictions = yes

Samba Encrypted Passwords: smbpasswd

Encrypted passwords come into play if you are using a user-level security instead of share- level security. With user-level security, access to Samba server resources by a Windows client is allowed only to users on that client. Each user on the Windows client has to have a corresponding user account on the Samba server. A user logs in to their Windows account, and can then log into their Samba server account. Users have to log in providing their username and password. Their username and password have to be registered with the Samba server in the /etc/samba/smbpasswd file. You use the smbpasswd command to add these passwords.

Creating a Samba Password File

To implement encrypted passwords on Samba, the Samba server then needs to maintain an encrypted version of user passwords that can be used by Windows clients. This file of encrypted passwords is /etc/samba/smbpasswd. Samba passwords can be added or changed for different users with the smbpasswd command. Initially, you should generate the Samba password file so that it will have entries for all your current Samba users. For this task, you use the mksmbpasswd.sh script. You input to this script the contents of the Samba server's /etc/passwd file, and it generates entries that can be used for encrypted passwords. You use redirection (>) to create the encrypted file. In the following example, an /etc/samba/smbpasswd file is initially generated by the mksmbpasswd script. The cat command with a pipe operation is used to input the contents of the /etc/passwd file to the mksmbpasswd.sh script:

cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

If your users and their passwords are being managed by NIS, you would use the ypcat command to access the user passwords, as shown here:

ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

You then need to change the permissions on this file to protect it from unauthorized access. The 600 option allows only read and write access by the root user:

chmod 600 /etc/samba/smbpasswd

Adding and Changing Passwords

At this point, /etc/samba/smbpasswd will contain entries for all your current users with dummy fields for the passwords. You then use the smbpasswd command to add, or later change, encrypted passwords. To add a password for a particular user, you use the smbpasswd command with the username:

# smbpasswd dylan New SMB Password: new-password Repeat New SMB Password: new-password 

Users can use smbpasswd to change their own password. The following example shows how you would use smbpasswd to change your Samba password. If the user has no Samba password, they can just press the ENTER key.

$ smbpasswd Old SMB password: old-password New SMB Password: new-password Repeat New SMB Password: new-password 

Configuring Encrypted Passwords

You also have to make sure that Samba is configured to use encrypted passwords. Set the encrypt passwords option to yes and specify the SMB password file. These options are already set in the /etc/samba/smb.conf file (described in the following section), but they are commented with a preceding ; symbol. Just locate the lines and remove the ; symbols at the beginnings of the lines:

encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd

You can also use SWAT to make this change. In the GLOBALS page, select Yes from the pop-up menu for the Encrypt Password entry. Then save your changes by clicking the Commit Changes button.

Be sure to restart the Samba server with the following command:

service smb restart