Old Windows clients send plaintext passwords over the wire. Samba can check these passwords by hashing them with the UNIX crypt() function and comparing the result with the hash stored in the UNIX user database. Newer Windows clients never send the password itself: they send challenge/response values computed from the LanMan and NT hashes of the password, so the server needs those hashes on hand to verify the response. The newest clients will send only these encrypted responses and refuse to send plaintext passwords unless their registry is tweaked.
Many people ask why Samba cannot simply use the UNIX password database. Windows requires passwords hashed in its own formats (the LanMan hash and the NT hash), whereas UNIX stores a crypt()-style hash. Both are one-way functions of the plaintext, so the UNIX hash cannot be converted into the LanMan or NT hash (nor the other way round). Because of that, you can't use the standard UNIX user database for clients that use encrypted passwords, and you have to store the LanMan and NT hashes somewhere else.
In addition to differently hashed passwords, Windows also stores certain data for each user that has no place in a UNIX user database: for example, the workstations the user may log on from, the location where the user's profile is stored, and so on. Samba retrieves and stores this information using a passdb backend. Commonly available backends are ldapsam (LDAP), tdbsam, and smbpasswd (a plain text file). For more information, see the passdb backend parameter in the smb.conf man page.
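As an added illustration (not a fragment from the HOWTO), the global section of an smb.conf selecting a backend for the hashes and per-user data described above. The tdbsam line relies on Samba's default database location; the LDAP server name is an assumed placeholder.

```ini
[global]
   ; Keep the LanMan/NT hashes and the extra per-user attributes
   ; (profile path, allowed workstations, ...) in the tdbsam backend.
   passdb backend = tdbsam

   ; Equivalent for an LDAP-backed site (server name is assumed):
   ; passdb backend = ldapsam:ldap://ldap.example.com

   ; Refuse LanMan challenge/response; clients then authenticate with
   ; the NT hash only, and the far weaker LanMan hash is never relied on.
   lanman auth = no
```

Whichever backend you choose, the file or directory it writes to holds password equivalents, so restrict it to root just as you would /etc/shadow.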
Figure 10.1. IDMAP: Resolution of SIDs to UIDs.
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown (Figure 10.1 and Figure 10.2), if winbindd is not running or cannot be contacted, only local SID/UID resolution is possible; identifiers belonging to other domains cannot be mapped. See the resolution of SIDs to UIDs and resolution of UIDs to SIDs diagrams.
Figure 10.2. IDMAP: Resolution of UIDs to SIDs.
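The following is an added model of the two lookup paths the diagrams describe; it is not Samba's idmap code. Local SIDs (those under the server's own domain SID) are answered from the local passdb, everything else is handed to winbindd, and when winbindd is unreachable the foreign lookups fail while local ones still succeed. The domain SIDs, the RID-to-UID table and the `FakeWinbind` stand-in are all constructed for this example.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed values: the Samba host's own domain SID and a trusted domain's SID.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUSTED_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"


class WinbindUnavailable(Exception):
    """Raised by the winbindd stand-in when the daemon cannot be contacted."""


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-RID' into (domain SID, RID); reject malformed input."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return domain, int(rid)


class FakeWinbind:
    """Assumed stand-in for winbindd's idmap; set `up = False` to model an outage."""

    def __init__(self, sid_to_uid: Dict[str, int]) -> None:
        self.up = True
        self._s2u = dict(sid_to_uid)
        self._u2s = {uid: sid for sid, uid in sid_to_uid.items()}

    def sid_to_uid(self, sid: str) -> Optional[int]:
        if not self.up:
            raise WinbindUnavailable
        return self._s2u.get(sid)

    def uid_to_sid(self, uid: int) -> Optional[str]:
        if not self.up:
            raise WinbindUnavailable
        return self._u2s.get(uid)


class IdmapResolver:
    """Local passdb first; winbindd for everything else."""

    def __init__(self, local_rid_to_uid: Dict[int, int], winbind: FakeWinbind) -> None:
        self._r2u = dict(local_rid_to_uid)
        self._u2r = {uid: rid for rid, uid in local_rid_to_uid.items()}
        self._winbind = winbind

    def sid_to_uid(self, sid: str) -> Optional[int]:
        domain, rid = split_sid(sid)
        if domain == LOCAL_DOMAIN_SID:
            return self._r2u.get(rid)          # local account: no winbindd needed
        try:
            return self._winbind.sid_to_uid(sid)  # foreign SID: winbindd's idmap
        except WinbindUnavailable:
            return None                         # only local resolution possible

    def uid_to_sid(self, uid: int) -> Optional[str]:
        rid = self._u2r.get(uid)
        if rid is not None:
            return f"{LOCAL_DOMAIN_SID}-{rid}"  # local UID: built from our domain SID
        try:
            return self._winbind.uid_to_sid(uid)
        except WinbindUnavailable:
            return None


def build_example() -> Tuple[IdmapResolver, FakeWinbind]:
    """Constructed sample data: one local account, one trusted-domain account."""
    wb = FakeWinbind({f"{TRUSTED_DOMAIN_SID}-1103": 10001})
    return IdmapResolver({1000: 1000}, wb), wb


if __name__ == "__main__":
    resolver, wb = build_example()
    print(resolver.sid_to_uid(f"{LOCAL_DOMAIN_SID}-1000"))     # 1000
    print(resolver.sid_to_uid(f"{TRUSTED_DOMAIN_SID}-1103"))   # 10001
    wb.up = False
    print(resolver.sid_to_uid(f"{LOCAL_DOMAIN_SID}-1000"))     # 1000 (still works)
    print(resolver.sid_to_uid(f"{TRUSTED_DOMAIN_SID}-1103"))   # None (winbindd down)
```

The practical check this encodes: if foreign-domain users suddenly lose access while local accounts keep working, confirm winbindd is running before looking anywhere else.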