
4. Passwords

4.1 Encrypted password required

This boolean parameter controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above will, by default, expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the file docs/ENCRYPTION.txt.

4.2 Authentication mode

4.3 Password server

By specifying the name of another SMB server (such as a WinNT box) with this option, and using "security = server", you can get Samba to do all its username/password validation via a remote server.

This option sets the name of the password server to use. It must be a netbios name, so if the machine's netbios name is different from its Internet name, then you may have to add its netbios name to /etc/hosts.

Note that with Samba 1.9.18p4 and above, the name of the password server is looked up using the parameter "name resolve order=" and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in user level security mode.

NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you had better trust your clients, and you had better restrict them with allow hosts!

If you list several hosts in the "password server" option then smbd will try each in turn until it finds one that responds. This is useful in case your primary server goes down.

If you are using a Windows NT server as your password server then you will have to ensure that your users are able to log in from the Samba server, as the network logon will appear to come from there, rather than from the user's workstation.

4.4 Password level

Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to be in upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS!

This parameter defines the maximum number of characters that may be upper case in passwords.

For example, say the password given was "FRED". If password level is set to 1 (one), the following combinations would be tried if "FRED" failed: "Fred", "fred", "fRed", "frEd", "freD". If password level was set to 2 (two), the following combinations would also be tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.

The higher value this parameter is set to, the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that usage of this parameter reduces security and increases the time taken to process a new connection.

A value of zero will cause only two attempts to be made -- the password as is and the password in all-lower case.

If you find the connections are taking too long with this option, then you probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt" that you can select in the Makefile. You should also make sure the PASSWORD_LENGTH option is correct for your system in local.h and includes.h. On most systems, only the first eight characters of a password are significant so PASSWORD_LENGTH should be 8, but on some systems, longer passwords are significant. The includes.h file tries to select the right length for your system.

Default: 0

Example: 4
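To make the candidate set concrete, here is an added example (not Samba's own code) that enumerates the variants tried at a given password level for the "FRED" case above, and shows how the number of attempts, and so the crypt() cost of every failed logon, grows with the level. The candidate order and the plain-string comparison are assumptions; smbd compares each candidate through crypt().

```python
from itertools import combinations


def password_candidates(password: str, level: int) -> list[str]:
    """Candidate passwords tried for a given "password level".

    Order (assumed, for illustration): the password exactly as sent, then
    all lower case, then every variant with exactly 1, 2, ... level letters
    upper-cased.  Duplicates (e.g. the sent password reappearing) are dropped.
    """
    lowered = password.lower()
    candidates = [password]
    if lowered != password:
        candidates.append(lowered)
    # Only letters have case; digits and punctuation never change.
    letter_positions = [i for i, ch in enumerate(lowered) if ch.isalpha()]
    for k in range(1, level + 1):
        for chosen in combinations(letter_positions, k):
            variant = "".join(
                ch.upper() if i in chosen else ch for i, ch in enumerate(lowered)
            )
            if variant not in candidates:
                candidates.append(variant)
    return candidates


def would_authenticate(true_password: str, sent_password: str, level: int) -> bool:
    """Does any candidate equal the real password?  A plain string compare
    stands in here for the crypt() comparison smbd actually performs."""
    return true_password in password_candidates(sent_password, level)


def attempt_count(password: str, level: int) -> int:
    """How many crypt() calls a failed logon costs at this level."""
    return len(password_candidates(password, level))


if __name__ == "__main__":
    # Constructed scenario from the text: the real UNIX password is "Fred",
    # but a Windows for Workgroups client upper-cases it to "FRED" on the wire.
    for level in range(0, 5):
        ok = would_authenticate("Fred", "FRED", level)
        n = attempt_count("FRED", level)
        print(f"password level = {level}: authenticates={ok}, attempts={n}")
```

With a four-letter password the attempt count saturates at 16 by level 3; longer passwords grow much faster, which is the cost the text warns about.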

4.5 Passwd program

The name of a program that can be used to set user passwords.

This is only available if you have enabled remote password changing at compile time (see the comments in the Makefile for details). Any occurrences of %u will be replaced with the username. The username is checked for existence before calling the password-changing program.

Also note that many passwd programs insist on a "reasonable" password, such as a minimum length, or the inclusion of mixed case characters and digits. This can pose a problem because some clients (such as Windows for Workgroups) change characters to uppercase before sending the password.

Note that if the Synchronize Linux and SMB Passwords parameter is set to true, then this sequence is called *AS ROOT* when the SMB password in the smbpasswd file is being changed. If the "Synchronize Linux and SMB Passwords" parameter is set, this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications.

See also Synchronize Linux from SMB Passwords.

Default: /bin/passwd %u

Example: /bin/passwd %u

4.6 Allow null passwords account

Allow or disallow access to accounts that have null passwords.

Default: Off
