On Tuesday 16 March 2010 02:20:18 Michael Lueck wrote:
> Felix Miata wrote:
> > OS/2 takes that plus two more:
> >
> > client lanman auth = [Yes,True]
> > client plaintext auth = [Yes,True]
>
> Interesting... I do use OS/2 on occasion, I have neither of those in my
> smb.conf, and it worked while on the Debian Sarge / 2.0.26a configuration.
>
> I have not tried since migrating, so perhaps I will get bit when I do, so
> thanks in advance! ;-)
>
> Sincerely,
>

Some additions/clarifications,

    client lanman auth = [Yes,True]
    client plaintext auth = [Yes,True]

As the names already imply, both options are only used when samba _client_
applications - like smbclient - are used to access a remote smb server of any
kind (mostly legacy servers).

    client plaintext auth = [Yes,True]

is _not_ necessary to access OS/2 or win98/me, so should only be used with
great care!

Note that the cifs vfs kernel module, used to mount remote smb shares, does
_not_ use smb.conf at all.

------------------------------

The samba _server_ related option is

    lanman auth = [Yes,True]

For security reasons the internal default setting has been changed to "No"
(afair in 3.2.x).

When lanman auth = No is used, by default or explicitly set, the lanman hash
is no longer generated inside the passdb backend when a samba user is
added/modified with smbpasswd or pdbedit!

So only a later smb.conf change to lanman auth = Yes does _not_ work!
The lanman hash (also the nt hash) must be newly created with smbpasswd or
pdbedit.

When "lanman auth = Yes" is active and you use (as root) 'pdbedit -Lw test'
and get something like:

    test:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CDB6947B067797BF2A82807973B89556:[U ]:LCT-4999D2A5:

you know that the leftmost lanman hash has not been generated at all!

Btw - NEVER EVER post your lanman or NT hashes to the public, they are like
plaintext passwords!

The current inner workings of samba are a bit more complex regarding this
issue. Just one sample:

Assuming one has created all the samba users with a pre-3.2.x samba version.
So both the lanman and the NT hash are stored inside the passdb backend.

After upgrading to a more recent samba version - and assuming that
"lanman auth = No" is now active via new default - pdbedit -Lw will
automatically hide the still stored lanman hash like XXXXXXXXXXXXX....
(In case smbpasswd is used as the backend, one can still read its complete
ASCII content).

A problem arises when a client user (from win98/me, OS/2, ...) is now
requesting lanman auth for login. The samba server rejects the login with
"access denied" and behind the scenes it _deletes_ (!) the lanman hash for
(only) this connecting user in the passdb backend!

Anyway - the stored state of the lanman hash for all users can be examined
with root privs:

    pdbedit -Lw

(assuming "lanman auth = Yes" is set when doing so....) :-)

Cheers, Günter
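
Added example, not part of the original mail and not Samba code: a small Python audit of `pdbedit -Lw` text in the line layout shown in the mail, reporting per user whether the LANMAN field holds a hash or the X mask, without ever echoing a hash value. The sample lines and hashes are constructed, and the names `lm_state` and `audit` are hypothetical.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
MASK = "X" * 32  # LANMAN field as listed when no hash is shown

# Constructed sample in the user:uid:LM:NT:[flags]:LCT: layout; hashes are fake.
FAKE_LM = "0123456789ABCDEF" * 2
FAKE_NT = "FEDCBA9876543210" * 2
SAMPLE = "\n".join([
    f"alice:1001:{FAKE_LM}:{FAKE_NT}:[U ]:LCT-00000000:",
    f"bob:1002:{MASK}:{FAKE_NT}:[U ]:LCT-00000000:",
    "broken:1003:not-a-hash",
    "",
])


def lm_state(field, lanman_auth_enabled):
    """Classify the LANMAN field of one entry without returning its value."""
    if field == MASK:
        # Per the mail: with "lanman auth = No" a stored hash is also shown
        # as X's, so the mask proves absence only when the option is Yes.
        return "absent" if lanman_auth_enabled else "absent-or-hidden"
    if HEX32.fullmatch(field):
        return "present"
    return "unrecognised"


def audit(pdbedit_output, lanman_auth_enabled):
    """Map each user name to the state of its LANMAN hash field."""
    report = {}
    for line in pdbedit_output.splitlines():
        parts = line.strip().split(":")
        if not parts[0]:
            continue  # blank line
        if len(parts) < 4:
            report[parts[0]] = "unrecognised"  # truncated entry
            continue
        report[parts[0]] = lm_state(parts[2], lanman_auth_enabled)
    return report


if __name__ == "__main__":
    for enabled in (True, False):
        print("lanman auth =", "Yes" if enabled else "No", audit(SAMPLE, enabled))
```

Pass the function the text captured from `pdbedit -Lw` as root, together with the `lanman auth` value that was active when the listing was taken.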