[Pkg-samba-maint] Bug#459941: Bug#459941: samba: security=share does not work any more

Steve Langasek vorlon at debian.org
Thu Jan 17 07:40:54 UTC 2008


On Thu, Jan 10, 2008 at 11:15:07AM +0100, Francesco Potorti` wrote:
> >> >    However, if you need to connect to a Samba server that does not have
> >> >    encrypted password support enabled, or to another server that does not
> >> >    support NTLM authentication, you will need to set
> >> >    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.

> >> Among the many tests that I have made before writing this bug report, I
> >> also tried those settings, without any observable change.

> >But those are the settings that affect samba's behavior as a /client/.  Did
> >you also test with 'lanman auth = yes'?

> I just tried and in fact it works, thanks.

> I think that the text of the release note is not clear enough for those
> that have a superficial knowledge of Samba.  For one, I do not even know
> what lanman is.  Appended is the original release note with suggestions
> for improvement.  However, I have no idea where security=share should be
> mentioned.  I see that using it or not makes in fact a difference.

Hrm, in what sense does using security=share make a difference?  Your bug
report never mentions that you tried security=user or got different results
with it, nor would I expect the results to be any different: this problem
would equally affect servers with security=user, because it affects all
Win9x clients.

> >===File /doc/samba/NEWS.Debian.gz===========================
> >samba (3.0.27a-2) unstable; urgency=low
> >
> >  * Weak authentication methods are disabled by default

> This is the title of the note.  It means that its contents are related to
> "weak authentication".

Yes, which is precisely what they are.

> >    Beginning with this version, plaintext authentication is disabled for
> >    clients and lanman authentication is disabled for both clients and
> >    servers.  Lanman authentication is not needed for Windows
> >    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
> >    95/98/ME clients (or servers) you may need to set lanman auth (or client
> >    lanman auth) to yes in your smb.conf.

> While I now see that this is correct and complete, I could not
> understand before.  Maybe writing it like this would be more clear to the
> semi-ignorant:

> Beginning with this version, plaintext authentication is disabled for
> clients and lanman authentication is disabled for both clients and
> servers.

> As far as plaintext authentication is concerned, you can reenable it
> when using Samba as a client by setting xxxx=yes.  This is needed when
> accessing Windows servers that use plaintext authentication, like ...

> As far as lanman authentication is concerned, you can reenable it for
> Samba servers by setting "lanman auth = yes" in smb.conf.  This is
> needed for Windows 95/98/ME clients using ...

I'm open to changing the text so that it's more understandable, but I don't
think this particular suggestion achieves that goal.  The original clearly
states the relevance of lanman authentication in the first paragraph, since
that is the most important change.  Also, there are no Windows servers that
use plaintext authentication by default, so that's not relevant.

> >    The "lanman auth = no" setting 

> , which is now the default,

Right, good point; I'll happily accept this improvement.

> >				    will also cause lanman password hashes to
> >    be deleted from smbpasswd and prevent new ones from being written, so
> >    that these can't be subjected to brute-force password attacks.  This
> >    means that re-enabling lanman auth after it has been disabled is more
> >    difficult; it is therefore advisable that you re-enable the option as
> >    soon as possible if you think you will need to support Win9x clients.

> If you read this note after your Samba server has been restarted, and
> you want to reenable lanman auth, you should...

Well, the steps for reenabling lanman auth are still the same, but some of
your user accounts will be without lanman password hashes which can only be
restored by manually using a password tool for each of those accounts.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
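
An added example, not part of the original message or of Samba's own code: a small audit that reports which of the weak-authentication options discussed above are enabled in the [global] section of an smb.conf, and which smbpasswd accounts have no lanman hash and would need their password reset before lanman auth can work for them. The function names and sample data are constructed for illustration; it assumes the flat smbpasswd file backend and does not handle backslash line continuations.

```python
import re

# Options named in the quoted release note; all are off by default from that version.
WEAK = dict.fromkeys(("lanmanauth", "clientlanmanauth", "clientplaintextauth"), False)
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample inputs (hash values are placeholders, not real hashes).
SAMPLE_CONF = """\
[global]
   security = share
   Lanman Auth = yes
   ; client lanman auth = yes
[public]
   client plaintext auth = yes
"""
SAMPLE_SMBPASSWD = """\
alice:1000:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
bob:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
"""

def weak_auth_settings(smb_conf: str) -> dict:
    """Effective value of each weak-auth option; only [global] is examined."""
    effective, section = dict(WEAK), None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()  # names ignore case and spaces
            if key in effective:
                effective[key] = value.strip().lower() in TRUE_VALUES
    return effective

def accounts_without_lm_hash(smbpasswd: str) -> list:
    """Accounts whose third field (lanman hash) is not 32 hex digits."""
    missing = []
    for line in smbpasswd.splitlines():
        fields = line.split(":")
        if not line.startswith("#") and len(fields) >= 4 \
                and not re.fullmatch(r"[0-9A-Fa-f]{32}", fields[2]):
            missing.append(fields[0])
    return missing

if __name__ == "__main__":
    print(weak_auth_settings(SAMPLE_CONF), accounts_without_lm_hash(SAMPLE_SMBPASSWD))
```
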




