[Pkg-samba-maint] Bug#459941: Bug#459941: samba: security=share does not work any more

Francesco Potorti` Potorti at isti.cnr.it
Thu Jan 10 10:15:07 UTC 2008


>> >    However, if you need to connect to a Samba server that does not have
>> >    encrypted password support enabled, or to another server that does not
>> >    support NTLM authentication, you will need to set
>> >    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
>
>> Among the many tests that I have made before writing this bug report, I
>> also tried those settings, without any observable change.
>
>But those are the settings that affect samba's behavior as a /client/.  Did
>you also test with 'lanman auth = yes'?

I just tried and in fact it works, thanks.

I think that the text of the release note is not clear enough for those
that have a superficial knowledge of Samba.  For one, I do not even know
what lanman is.  Appended is the original release note with suggestions
for improvement.  However, I have no idea where security=share should be
mentioned.  I see that using it or not makes in fact a difference.

Thank you for working on this.

>===File /doc/samba/NEWS.Debian.gz===========================
>samba (3.0.27a-2) unstable; urgency=low
>
>  * Weak authentication methods are disabled by default

This is the title of the note.  It means that its contents are related to
"weak authentication".

>    Beginning with this version, plaintext authentication is disabled for
>    clients and lanman authentication is disabled for both clients and
>    servers.  Lanman authentication is not needed for Windows
>    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
>    95/98/ME clients (or servers) you may need to set lanman auth (or client
>    lanman auth) to yes in your smb.conf.

While I now see that this is correct and complete, I could not
understand before.  Maybe writing it like this would be more clear to the
semi-ignorant:

Beginning with this version, plaintext authentication is disabled for
clients and lanman authentication is disabled for both clients and
servers.

As far as plaintext authentication is concerned, you can reenable it
when using Samba as a client by setting xxxx=yes.  This is needed when
accessing Windows servers that use plaintext authentication, like ...

As far as lanman authentication is concerned, you can reenable it for
Samba servers by setting "lanman auth = yes" in smb.conf.  This is
needed for Windows 95/98/ME clients using ...

>    The "lanman auth = no" setting 

, which is now the default,

>				    will also cause lanman password hashes to
>    be deleted from smbpasswd and prevent new ones from being written, so
>    that these can't be subjected to brute-force password attacks.  This
>    means that re-enabling lanman auth after it has been disabled is more
>    difficult; it is therefore advisable that you re-enable the option as
>    soon as possible if you think you will need to support Win9x clients.

If you read this note after your Samba server has been restarted, and
you want to reenable lanman auth, you should...

>    Client support for plaintext passwords is not needed for recent Windows
>    servers, and in fact this behavior change makes the Samba client behave
>    in a manner consistent with all Windows clients later than Windows 98.
>    However, if you need to connect to a Samba server that does not have
>    encrypted password support enabled, or to another server that does not
>    support NTLM authentication, you will need to set
>    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
>
> -- Steve Langasek <vorlon at debian.org>  Sat, 24 Nov 2007 00:23:37 -0800
>============================================================

-- 
Francesco Potortì (ricercatore)        Voice: +39 050 315 3058 (op.2111)
ISTI - Area della ricerca CNR          Fax:   +39 050 315 2040
via G. Moruzzi 1, I-56124 Pisa         Email: Potorti at isti.cnr.it
Web: http://fly.isti.cnr.it/           Key:   fly.isti.cnr.it/public.key
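
Added example, not part of the original message and not Samba's own code: a small Python check that reads the [global] section of an smb.conf and reports which of the three weak-authentication parameters named in the release note are switched on, and whether each one affects Samba as a server or as a client. The function name, the sample configuration and the accepted boolean spellings are assumptions of this example.

```python
import re

# Parameters named in the release note and the role each one affects.
# Per that note, all three are disabled by default from samba 3.0.27a-2 on.
WEAK_AUTH = {
    "lanmanauth": ("lanman auth", "server"),
    "clientlanmanauth": ("client lanman auth", "client"),
    "clientplaintextauth": ("client plaintext auth", "client"),
}
TRUE_WORDS = {"yes", "true", "on", "1"}  # assumed boolean spellings

def weak_auth_enabled(conf_text):
    """Return sorted (parameter, role) pairs that [global] sets to a true value."""
    # Join backslash-continued lines before parsing.
    text = re.sub(r"\\\r?\n", "", conf_text)
    section, state = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf parameter names ignore case and embedded whitespace.
        key = re.sub(r"\s+", "", name).lower()
        if key in WEAK_AUTH:
            state[key] = value.strip().lower() in TRUE_WORDS  # last setting wins
    return sorted(WEAK_AUTH[k] for k, on in state.items() if on)

# Constructed sample: the server-side setting that resolved this thread,
# a client setting explicitly left off, and one commented-out line.
SAMPLE = """\
[global]
   security = share
   Lanman Auth = Yes
   client lanman auth = no
   ; client plaintext auth = yes
[public]
   lanman auth = no
"""

if __name__ == "__main__":
    for param, role in weak_auth_enabled(SAMPLE):
        print(f"{param} = yes  (affects Samba as a {role})")
```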





