On Wed, Nov 22, 2000 at 11:41:25AM +0100, Josep Llauradó Selvas wrote:
>
> Hi, I have installed the Samba package in a Debian 2.2 Potato and it runs
> well, but I wanna know how can I use PAM for the authentication method,
> 'cos currently it uses the /etc/samba/smbpasswd file, and I don't know
> what parameter is needed to change the authentication to PAM.
>
> The package is compiled with the '--with-pam' option, as described in the
> README.Debian file, and all seems to be correct.

yes samba does indeed use pam to authenticate, however in order to do that it needs to take a cleartext password and make a hash of it using the salt from /etc/passwd or /etc/shadow.

the problem is ever since Win98 (and i think later versions of win95), and WinNT sp4 (iirc) Windows refuses to login to a server with a cleartext passwd, instead it sends a weak unsalted hash of the passwd to the server, which then compares the hash with the hash it has in its passwd file.

so what is happening for samba is the MS client sends a hash, and samba compares it with the hash in /etc/samba/smbpasswd. if they match access is granted, if not access is denied. but the original password cannot be quickly derived from the MS hash to a real password so authenticating against hashed unix passwords is impossible.

so you can either live with the awful /etc/samba/smbpasswd nonsense or apply a registry patch to all your win98 and NT sp4+ clients so they will send cleartext passwords, then you can remove /etc/samba/smbpasswd and all authentication will go to /etc/passwd automatically.

keeping smbpasswd and /etc/passwd synchronized is a total nightmare. i would just hack the windows boxes to use cleartext passwords. this lame `encryption' hack MS came up with is not any more secure than cleartext anyway. (you sniff a hash instead of a passwd, but you can use the hash itself to authenticate to a windows server! besides the hash is weak and unsalted meaning it's very easy to brute force crack)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
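Added example, not part of the original message and not Samba code: a simplified Python model of the two checks the reply describes, showing why a client-side unsalted hash cannot be verified against a salted Unix entry and why the smbpasswd entry must be protected like a password. SHA-256 stands in for both crypt(3) and the Windows hash, and all function names and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def unix_entry(password):
    """Salted record as kept in /etc/shadow (SHA-256 stands in for crypt(3))."""
    salt = os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def unix_verify(entry, cleartext):
    """PAM-style check: the server needs the cleartext to redo the salted hash."""
    salt, stored = entry
    candidate = hashlib.sha256(salt + cleartext.encode()).digest()
    return hmac.compare_digest(stored, candidate)

def client_hash(password):
    """Unsalted hash the client sends (stand-in for the Windows hash)."""
    return hashlib.sha256(password.encode()).digest()

def smb_verify(smbpasswd_entry, received):
    """smbpasswd-style check: compare the received hash with the stored one."""
    return hmac.compare_digest(smbpasswd_entry, received)

def demo():
    pw = "correct horse"              # constructed sample password
    shadow_a, shadow_b = unix_entry(pw), unix_entry(pw)  # two accounts, same password
    smb_a, smb_b = client_hash(pw), client_hash(pw)      # their smbpasswd entries
    wire = client_hash(pw)            # what the server receives from the client
    return {
        # Cleartext from the client: the salted Unix check works.
        "cleartext_vs_shadow": unix_verify(shadow_a, pw),
        # Hash from the client: only a separate unsalted store can match it.
        "hash_vs_smbpasswd": smb_verify(smb_a, wire),
        "hash_vs_shadow": hmac.compare_digest(shadow_a[1], wire),
        # Salting hides equal passwords; the unsalted store does not.
        "salted_entries_differ": shadow_a[1] != shadow_b[1],
        "unsalted_entries_equal": smb_a == smb_b,
        # The stored value is exactly what travels on the wire, so the
        # smbpasswd file needs the same protection as cleartext passwords.
        "stored_value_is_credential": smb_a == wire,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```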