Getting Samba to work with Windows Encryption


Samba is a free implementation of Microsoft's SMB protocol that lets you share files (and printers) across a network. It's used a lot in corporate Linux deployments, but it's equally useful at home, since many of us have both Windows machines and Linux machines.

I've used samba since I started out using Linux, and I've gotten better at configuring it as time has passed. Newer distributions have also greatly improved the ease with which someone can configure Samba on their home system.

I recently assembled a new system to use as a file server with the goal of each user having his/her own file space as well as a public directory that everyone could share. I'm not using printer sharing because I have a deskjet 882c and the open source drivers just aren't quite there yet.

If you're interested in configuring Samba, there's a great howto located in the documents section of www.linux.org. The howto is great until it gets to the part about using Windows machines to access your Samba server.

The problem most users run into is that, by default, Windows does not send the password itself to the SMB server: it answers the server's challenge with a response computed from a hash of the password (the LM and NT hashes). Samba can only check that response if it has those hashes on file for the user, and a fresh install has none, so authentication fails. The howto shows the user how to edit the registry on each Windows machine so that it sends plain text passwords over the network, since that is easier to describe, but it doesn't go on to show how easy it is to set up encrypted passwords on the Samba side instead. Doing it on the Samba side also keeps your passwords from crossing the wire in clear text, where anyone sniffing the network can read them.

Configuring Samba for encrypted passwords is not covered in the howto, but it refers you to a file called encryption.txt (usually not linked from the howto). I'll condense that document into what you need to know to get it working. The file is a good read, however, because it discusses the pros and cons of using SMB password encryption on your machine.

For this article I'll assume you've got Samba mostly set up: you've started the smb server, tried to connect from a Windows machine, and the connection has failed. You've decided to go with encrypted passwords instead of editing the registry on your Windows box.

If you've looked at your smb.conf file (usually in /etc/samba/) you've probably noticed entries like these in the [global] section:

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

Since encryption is turned on, why should you worry? Well, for starters, go look for that smbpasswd file: you won't find it. That is why you can't authenticate from a Windows machine. You want to use encrypted passwords, so where do you begin?

The smb passwd file is analogous to the passwd and shadow files on your machine. If you've ever opened those you'll have noticed that they list all the user accounts on the machine, their password hashes, and other properties associated with those accounts. In the same way the smbpasswd file lists the users allowed to access your SMB shares, together with the password hashes Samba needs to check their logins.

Since no smbpasswd file exists yet, one needs to be created. Included in the Samba suite is a script called mksmbpasswd.sh (if it isn't on your PATH, look for it in your distribution's Samba directory or in the Samba source tree). We'll use it to generate the file. Log in to your machine as root and run the following command:

cat /etc/passwd | mksmbpasswd.sh > /path/to/smbpasswd

The "/path/to/smbpasswd" should be the same as what's specified in your smb.conf file.

This script takes all the users on your machine and makes a template for the smbpasswd file. It cannot carry the passwords across: the Unix password hashes in /etc/shadow use a different algorithm, and the LM and NT hashes Samba needs can only be computed from the plain text password, so every user's SMB password has to be set separately. If you open the smbpasswd file, you'll see something like this:

username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[Account type]:LCT-<last-change-time>:Long name

The two runs of X's are where the hashes go: the first field is the LM hash and the second the NT hash. A field of 32 X's means "no valid password", so none of these accounts can log in over SMB yet. Since the script copies every account from /etc/passwd, this is also a good moment to delete the system accounts (daemon, bin, nobody and the like) that should never have an SMB login. All we need to do then is set the passwords (which don't have to be the same as the user's login password on the machine).

You should take steps to secure the smbpasswd file: the hashes in it are enough, on their own, to authenticate as the user over SMB, so anyone who can read the file can log in as anyone listed in it. Make sure it is owned by root and set its permissions to 600.

chmod 600 /path/to/smbpasswd

While you are still root you can set the passwords (while the hash fields are set to XXXXXXX, logging in as that user and changing the password will not work). Use the smbpasswd command for this. Run as root, it edits the smbpasswd file directly, so the SMB service does not have to be up; an ordinary user changing their own password, on the other hand, talks to the local smbd, so the service must be running for that. Use the command:

smbpasswd -a username

The program will ask you to input the password for the user (twice). Once you've entered the passwords you should be set! Try switching to your Windows machine and log in. Now you don't have to fumble around with the registry on your Windows machine, and any new Windows box that you add to your network will automatically work with your file server!
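The whole procedure above, scripted, as an added example that is not part of the original article and not Samba's own mksmbpasswd.sh: it builds the template in the same line format the script produces, but skips system accounts instead of leaving them for you to prune, and writes the file under a restrictive umask before the chmod 600 step so it is never world-readable even briefly. The cut-off of UID 1000, the exclusion of "nobody" (65534) and of accounts whose shell is nologin or false, and the sample passwd file are my assumptions, not anything the article states; the sample is constructed so the script runs offline without touching the real /etc/passwd. The set_smb_password helper wraps the article's smbpasswd -a step in non-interactive form using smbpasswd's -s (read the password from stdin) option; it needs Samba installed and root privileges, so the sample run below does not call it.

```shell
#!/bin/sh
# Added example for this article (not Samba's own mksmbpasswd.sh): build an
# smbpasswd template from a passwd file, keeping only real login accounts,
# and install it with the 0600 permissions the article recommends.
# Assumptions not taken from the article: UIDs below UID_MIN are system
# accounts, "nobody" (65534) and nologin/false shells are never Samba users,
# and the passwd file at the bottom is a constructed sample, not /etc/passwd.

UID_MIN=1000
NOHASH=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   # 32 X's: no valid hash, cannot log in

# make_template PASSWD_FILE
# Prints one smbpasswd line per human account in the format
#   name:uid:LMHASH:NTHASH:[flags]:LCT-time:gecos
# System accounts are skipped so they never gain an SMB login by accident.
make_template() {
    awk -F: -v uid_min="$UID_MIN" -v nohash="$NOHASH" '
        $3 >= uid_min && $3 != 65534 && $7 !~ /\/(nologin|false)$/ {
            printf("%s:%s:%s:%s:[U          ]:LCT-00000000:%s\n",
                   $1, $3, nohash, nohash, $5)
        }' "$1"
}

# install_template PASSWD_FILE SMBPASSWD_PATH
# Creates the file under umask 077 so it is never world-readable, even for
# the instant before chmod runs, then pins the mode to 600 as the article says.
install_template() {
    ( umask 077 && make_template "$1" > "$2" ) && chmod 600 "$2"
}

# set_smb_password USER PASSWORD
# Non-interactive form of the article's "smbpasswd -a username": -s makes
# smbpasswd read the new password (entered twice) from stdin instead of
# prompting. Needs Samba installed and must run as root; not exercised below.
set_smb_password() {
    printf '%s\n%s\n' "$2" "$2" | smbpasswd -a -s "$1"
}

# --- constructed sample passwd file so the example runs offline -------------
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/sh
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
svc:x:1002:1002:backup service:/var/lib/svc:/usr/sbin/nologin
EOF

SAMPLE_SMBPASSWD="$(mktemp)"
install_template "$SAMPLE_PASSWD" "$SAMPLE_SMBPASSWD"
cat "$SAMPLE_SMBPASSWD"   # only alice and bob survive the filter
```

On a real server you would point install_template at /etc/passwd and at the path named by "smb passwd file" in smb.conf, then run set_smb_password (or the interactive smbpasswd -a from the article) once per user; the 32 X's in every line guarantee that nobody can log in over SMB until that last step has been done for them.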

If you find a mistake on this page or if I've defined or explained something incorrectly, feel free to email me at webmaster@oculon.org

Updated 2/6/04