- Features and Benefits
- Server Types
- Samba Security Modes
- Password Checking
- Common Errors
3.4 Password Checking
MS Windows clients may use encrypted passwords as part of a challenge/response authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or cleartext strings for simple password-based authentication. It should be realized that with the SMB protocol, the password is passed over the network either in plain-text or encrypted, but not both in the same authentication request.
When encrypted passwords are used, a password that has been entered by the user is encrypted in two ways:
-
An MD4 hash of the unicode of the password string. This is known as the NT hash.
-
The password is converted to upper case, and then padded or truncated to 14 bytes. This string is then appended with 5 bytes of NULL characters and split to form two 56-bit DES keys to encrypt a "magic" 8-byte value. The resulting 16 bytes form the LanMan hash.
MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use either mode of password authentication. All versions of MS Windows that follow these versions no longer support plain text passwords by default.
MS Windows clients have a habit of dropping network mappings that have been idle for 10 minutes or longer. When the user attempts to use the mapped drive connection that has been dropped, the client re-establishes the connection using a cached copy of the password.
When Microsoft changed the default password mode, support was dropped for caching of the plain-text password. This means that when the registry parameter is changed to re-enable use of plain-text passwords it appears to work, but when a dropped service connection mapping attempts to revalidate, this will fail if the remote authentication server does not support encrypted passwords. It is definitely not a good idea to re-enable plain-text password support in such clients.
The following parameters can be used to work around the issue of Windows 9x/Me clients upper-casing usernames and passwords before transmitting them to the SMB server when using cleartext authentication:
password level = integer username level = integer
By default Samba will convert to lower case the username before attempting to lookup the user in the database of local system accounts. Because UNIX usernames conventionally only contain lower-case characters, the username level parameter is rarely needed.
However, passwords on UNIX systems often make use of mixed-case characters. This means that in order for a user on a Windows 9x/Me client to connect to a Samba server using cleartext authentication, the password level must be set to the maximum number of upper case letters that could appear in a password. Note that if the server OS uses the traditional DES version of crypt(), a password level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer login times as Samba has to compute the permutations of the password string and try them one by one until a match is located (or all combinations fail).
The best option to adopt is to enable support for encrypted passwords wherever Samba is used. Most attempts to apply the registry change to re-enable plain-text passwords will eventually lead to user complaints and unhappiness.