Here's the *official* workaround from the "horses mouth"... Doing this -
modifying the registry will switch the system back to using "clear text"
passwords...
Run the Registry Editor (on NT4, Start/Run and enter REGEDT32.EXE)
1. From HKEY_LOCAL_MACHINE, go to the key
\system\currentcontrolset\services\rdr\parameters
(this is a tree structure, much like Explorer - go to each one in the tree,
until you find "parameters" - then continue below)
2. Go to EDIT, then ADD VALUE. Then add the following entries:
Value: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
3. Click OK to confirm, close the registry editor, then reboot the system.
Note that this works ONLY for Windows NT 4.0 with Service Pack 3, where
password encryption was added by default. This should fix the problem with
Samba/iX as well as a host of other applications such as various flavors of
NFS out there.
Good Luck,
Joe
----------------------------------------------------------------------------
----
Joe Geiser
CSI Business Solutions, LLC
140 Bristol-Oxford Valley Road, Suite 102
Langhorne, PA 19047-3083 USA
Phone: +1 (215) 945-8100 Fax: +1 (215) 943-8408
E-mail: [log in to unmask] http://www.csillc.com
----------------------------------------------------------------------------
----
-----Original Message-----
From: Lars Appel <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Date: Thursday, July 24, 1997 6:22 PM
Subject: Re: Recommended Samba/iX Config Settings?
>At 20:19 11.07.1997 GMT, Curtis wrote:
>>Also, I keep running into a bug where, although a public share works just
>>fine, a secured share won't.
>>I keep getting a password requestor which doesn't accept anything as
valid.
>>As I understand it, this is due to a security issue(?) between Samba & NT
>>regarding encrypted password tokens and non-encrypted tokens. (Samba
>>doesn't encrypt 'em and NT wants 'em to be encrypted.) If my
understanding
>>is correct, when will a newer version of Samba/iX arrive which plays
>>completely nice w/NT?
>
>As Michael already mentioned, the issue regarding NT using/requesting
>encrypted passwords only exists with Service Pack 3 or later(?). I am
>not a PC guru, I guess Service Pack is something like PowerPatch in
>the MPE world. My "unpatched" -oops- Service Pack 1 NT 4.0 Workstation
>PC works nicely with guest and validated Samba shares (q.e.d.)
>
>If you are not suffering the "Service Pack issue" then you might want
>to check if you are using the default setup that Samba/iX 0.7 delivers.
>
>The SMBD program checks if it is run under a PM or non-PM user, the
>latter being the default setup (JSMB.SAMBA.SYS logs on as MGR.SAMBA).
>
>Under a non-PM user the server process does not attempt password
>validation or setuid() i.e. AIFCHANGELOGON calls. This results in
>only guest-shares working. This choice has been taken for security
>reasons and to give you more flexibility in Samba setup.
>
>Under a PM user the server process does perform password validation
>and setuid() i.e. AIFCHANGELOGON calls. This should make non-guest
>shares work properly, too. The priv mode routines technically need
>just the PM program cap; testing the PM user cap is just to give the
>system manager a "switch" to control Samba behaviour.
>
>So, if you are using the default Samba/iX 0.7 setup then try an
>ALTUSER MGR.SAMBA;CAP=+PM and try re-streaming the JSMB server job.
>Make sure to set proper passwords to protect the new PM user/acct.
>
>There should be some details regarding the different options of PM
>usage in the ReadMe file. Check for "full fat", "low fat", "fat free"
>as keywords.
>
>Hope this helps (unless Service Pack issue hit you).
>
>Lars.
>
>By the way, if I recall the Samba/Unix documentation correctly, it
>should be possible to compile and link Samba with some DES encryption
>library and thereby allow it to handle encrypted passwords as well
>as use an NT server for user validation (instead of checking the local
>users in /etc/passwd).
>
>I have never spent time on this because I'm not a lawyer to check all
>those ugly legal aspects of encryption software. If I have too much
>leisure time at hand some day, I might try this stuff myself, but then
>I would possibly only be able to supply how-to instructions instead of
>source and compiled code (I would not want to place potentially illegal
>stuff on Chris Bartrams ftp server!).
>
>But as I'm currently evaluating various pieces of trial software that
>allow editing MPE text files (NON-bytestream) with a PC editor and/or
>file/group/account management GUIs, it might probably take quite long
>until I find the time to spend on version 0.8 of Samba/iX. Things like
>Java are also on my todo list, so if someone else wants to give Samba
>and encryption a try... feel free (I'd help where I can, of course).
>
>Lars (whew, that was a long PS)
>
|
