Linux: A Network Solution for Your Office
Chapter 13: File Services for Windows: Samba

Samba and Encryption

As mentioned earlier in this chapter, Samba supports encrypted Windows passwords. This feature becomes especially important if your network has machines running Windows NT Service Pack 3 or later from which you are trying to access a Samba server.

The Problem with Windows NT

Starting with Windows NT Service Pack 3, Microsoft modified the behavior of Windows NT systems on a LAN. Previously, when a Windows NT system accessed a shared resource across the network, it first attempted to communicate password information in encrypted form, but if that failed, it re-sent the password without encryption. Beginning with Service Pack 3, Windows NT no longer behaves this way; instead, it reports an authentication failure if the encrypted password cannot be used to access the desired resource.

The reason for this change was improved security: it prevents passwords from being transmitted in cleartext form without the user's knowledge.

Unfortunately, this was bad news for Samba users. Until recently, Samba did not support encrypted passwords unless you acquired an extension module and recompiled the software yourself. In essence, this meant that it was no longer possible to access a Samba shared resource from Windows NT without reconfiguring Windows NT or going through the non-trivial process of compiling your own patched version of Samba.
As it turns out, changing the behavior of Windows NT is fairly easy; all you need to do is set the Registry value EnablePlainTextPassword under the Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Rdr\Parameters to a value of 1 (a DWORD value). However, you might want to take advantage of the encrypted password facility instead. After all, it is never a bad idea to protect passwords in any way you can!

SMB Passwords

Enabling encryption is easy with newer versions of Samba. These versions support encrypted passwords "out of the box," with no need for patching or recompiling the software. All you need to do is change a few settings in the configuration file and create a Samba password file.

Here are, once again, the settings that are used to enable encrypted passwords:

    encrypt passwords = yes
    smb passwd file = location of password file
    username map = location of user name map file

The password and username map files require a special format.

The password file contains one line for each user who can access Samba resources using a password. Although some versions of the smbpasswd utility program can create entries in the password file, in most cases entries must still be added by hand initially. A typical blank password file entry looks like this:

    user:uid:NO PASSWORD:NO PASSWORD:::

The user field contains the name that the user will use to log on to the Samba server. The uid field must correspond to a valid numeric user identifier as found in the /etc/passwd file.

Immediately after these entries are created, you should use the smbpasswd utility to set the new users' passwords to some meaningful initial value. Without this step, the new accounts will remain passwordless, allowing access by anyone. The smbpasswd utility replaces the two occurrences of the NO PASSWORD string with 32-digit numeric values that represent the password using two different forms of encryption.
Warning - Unauthorized access to the Samba password file must not be allowed; once the password file is obtained, the encrypted passwords found within are immediately usable with the proper software tools. For this reason, always make sure that this file is readable by the root user only! (Use chmod 0700 smbpasswd and chown root.root smbpasswd to set this file's permissions.)

The username map file can be used to create aliases for any user identifier on the system. As mentioned earlier, this file can be used to resolve differences in usernames on Linux and Windows systems. The format of the file is simple: each line contains a Linux user identifier, followed by an equal sign and a list of Windows usernames separated by spaces:

    userid = username1 username2 ...

On my test system, the Samba password file, located at /etc/samba.d/smbpasswd, contains the following:

    # Samba SMB password file
    vttoth:100:00000000000000000000000000000000:00000000000000000000000000000000:::

The first line, beginning with the pound sign (#), is a comment line that will be ignored by Samba. The second line contains my user identifier and password.

The username map file, /etc/samba.d/smbusers, on this system looks like this:

    # Unix_name = SMB_name1 SMB_name2 ...
    vttoth = administrator admin
    nobody = guest pcguest smbguest

Once again, the first line is a comment. The second line allows me to log on using my own user identifier, even when I am connecting from a Windows NT system on which I am the administrator. The third line identifies the designated guest user identifier (nobody) with guest usernames that are often used under Windows networking.
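The following audit sketch is an added example, not code from the book or from Samba: it parses the password file format described above and reports entries still carrying the NO PASSWORD marker, uid fields with no match in the system password database, and a file that is not restricted to root. The function names and sample entries are constructed for illustration, and the check that each password field holds 32 hexadecimal digits is an assumption about the values smbpasswd writes.

```python
import os
import pwd
import re
import stat

HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # assumption: 32 hex digits per password field

# Constructed sample in the format shown above (not real accounts or hashes).
SAMPLE = """\
# Samba SMB password file
alice:100:00000000000000000000000000000000:00000000000000000000000000000000:::
bob:101:NO PASSWORD:NO PASSWORD:::
carol:250:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
"""

def audit_entries(text, valid_uids=None):
    """Return (line_no, user, problem) tuples for smbpasswd-format text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no account
        fields = line.split(":")
        if len(fields) < 4:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        user, uid = fields[0], fields[1]
        if not uid.isdigit():
            findings.append((line_no, user, "uid is not numeric"))
        elif valid_uids is not None and int(uid) not in valid_uids:
            findings.append((line_no, user, "uid not found in passwd"))
        if any(f.startswith("NO PASSWORD") for f in fields[2:4]):
            findings.append((line_no, user, "no password set"))
        elif not all(HASH_RE.match(f) for f in fields[2:4]):
            findings.append((line_no, user, "password field is not 32 hex digits"))
    return findings

def audit_file_access(path):
    """Flag a password file that is not root-owned or is open to group/others."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("accessible to group or others")
    return problems

if __name__ == "__main__":
    uids = {p.pw_uid for p in pwd.getpwall()}  # numeric ids known to the system
    for finding in audit_entries(SAMPLE, uids):
        print(finding)
```

To audit a live system, read the file named by the smb passwd file setting, pass its contents to audit_entries, and pass its path to audit_file_access.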
© Copyright Macmillan USA. All rights reserved.