MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple
password-based authentication. With the SMB protocol, the password is passed over
the network either in plaintext or encrypted, but not both in the same
authentication request.
When encrypted passwords are used, a password that has been entered by the user
is encrypted in two ways:
- An MD4 hash of the Unicode of the password string. This is known as the NT hash.
- The password is converted to uppercase, and then padded or truncated to 14 bytes.
  This string is then appended with 5 bytes of NULL characters and split to
  form two 56-bit DES keys to encrypt a "magic" 8-byte value.
  The resulting 16 bytes form the LanMan hash.
MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use
either mode of password authentication. All versions of MS Windows that follow these versions no longer
support plain-text passwords by default.
MS Windows clients have a habit of dropping network mappings that have been idle
for 10 minutes or longer. When the user attempts to use the mapped drive
connection that has been dropped, the client re-establishes the connection using
a cached copy of the password.
When Microsoft changed the default password mode, support was dropped for caching
of the plaintext password. This means that when the registry parameter is changed
to re-enable use of plaintext passwords, it appears to work, but when a dropped
service connection mapping attempts to revalidate, this will fail if the remote
authentication server does not support encrypted passwords. It is definitely not
a good idea to re-enable plaintext password support in such clients.
The following parameters can be used to work around the issue of Windows 9x/Me clients
uppercasing usernames and passwords before transmitting them to the SMB server
when using clear-text authentication:
- password level
- username level
By default Samba will convert the username to lowercase before attempting to look up the user
in the database of local system accounts. Because UNIX usernames conventionally
contain only lowercase characters, the username level parameter is rarely needed.
However, passwords on UNIX systems often make use of mixed-case characters. This means that in order for a
user on a Windows 9x/Me client to connect to a Samba server using clear-text authentication, the
password level must be set to the maximum number of uppercase letters that could
appear in a password. Note that if the Server OS uses the traditional DES version
of crypt(), a password level of 8 will result in case-insensitive passwords as seen
from Windows users. This will also result in longer login times because Samba has to compute the permutations
of the password string and try them one by one until a match is located (or all combinations fail).
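The cost of raising password level can be seen by modelling the search described above. This is an added example, not Samba's code: the function names are hypothetical, the passwords are constructed, and a plain string comparison stands in for the crypt() check against the stored password.

```python
from itertools import combinations
from math import comb


def candidates(received: str, password_level: int):
    """Yield the case variants tried for a clear-text password.

    Simplified model of the behaviour described above: start from the
    all-lowercase form, then try every variant with 1..password_level
    letters uppercased.
    """
    base = received.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(min(password_level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def candidate_count(received: str, password_level: int) -> int:
    """Closed form for the number of variants: sum of C(n, k) for k <= level."""
    n = sum(ch.isalpha() for ch in received)
    return sum(comb(n, k) for k in range(min(password_level, n) + 1))


def attempts_until_match(received: str, stored: str, password_level: int):
    """Return how many comparisons were needed, or None if nothing matched.

    Each comparison stands in for one crypt() call on the server.
    """
    for n, cand in enumerate(candidates(received, password_level), 1):
        if cand == stored:
            return n
    return None


if __name__ == "__main__":
    sent = "SECRETPW"      # constructed: what a Windows 9x/Me client transmits
    stored = "SecretPw"    # constructed: the mixed-case UNIX password
    for level in (0, 2, 8):
        print(level, candidate_count(sent, level),
              attempts_until_match(sent, stored, level))
```

At level 8 an eight-letter password has 256 accepted spellings, which is the case-insensitivity noted above, and a failed login costs all 256 comparisons.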
The best option to adopt is to enable support for encrypted passwords wherever
Samba is used. Most attempts to apply the registry change to re-enable plaintext
passwords will eventually lead to user complaints and unhappiness.