LinuxQuestions.org
Linux - Software
Old 02-13-2015, 07:52 PM   #1
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Rep: Reputation: 26
possible to make samba use /etc/passwd ?


Using samba, I've always done smbpasswd -a <username> to get samba working, and then users would reset their samba password.

Is there a way to make samba point to the local /etc/passwd and /etc/shadow files on the system instead?
 
Old 02-13-2015, 08:06 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,465
Blog Entries: 28

Rep: Reputation: 6177
Given that /etc/passwd contains much more than users, such as daemons and services, I would counsel against trying this; it gives me security shivers. There is also a question as to whether one would wish to give all local users on a multi-user system access to samba shares.

A web search for "samba /etc/passwd" will turn up a number of articles about how to pop users from /etc/passwd into /etc/samba/smbpasswd.
 
Old 02-13-2015, 08:16 PM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by ron7000 View Post
Is there a way to make samba point to the local /etc/passwd and /etc/shadow files on the system instead?
No, because the hashing algorithm used by SMB/CIFS is incompatible with the password hashes in /etc/shadow.
 
1 members found this post helpful.
Old 02-13-2015, 08:26 PM   #4
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Original Poster
Rep: Reputation: 26
Good point, but this is what I was thinking:

First, the user has to have a valid account in /etc/passwd and shadow.
Then, for any user to have samba access to a samba share, their account name needs to be in the smbpasswd file... or wherever samba wants to put it. So when accessing a samba share for a given user account, the account has to both be valid in /etc/passwd and shadow AND the account name has to be listed in the samba smbpasswd file... If so, then the Windows password on the machine the user is accessing samba from is checked against the Linux system password for the account. I'm looking for a way around having to enter passwords twice... I want one password for the user, used both for system account login and for samba shares from that system. Can samba do this?
I'm thinking it should, because when I use tightvnc, for instance, to log in remotely, I'm using my /etc/shadow password to log in. And other remote login software works the same way; I don't have a separate password file for those programs, they all reference /etc/shadow.

Last edited by ron7000; 02-13-2015 at 08:27 PM.
 
Old 02-13-2015, 08:32 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,465
Blog Entries: 28

Rep: Reputation: 6177
Thanks, Ser Olmy. I learned something.
 
Old 02-13-2015, 08:40 PM   #6
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Original Poster
Rep: Reputation: 26
Reading about samba password hashing now; unfortunately everything that seems to come up is dated 1998 or 2005. Nothing really current.
Can someone elaborate on samba password hashing?
Is using samba safe and secure?
The articles talk about samba using DES encryption, and generally whenever "DES" is mentioned it results in an automatic "no, it's not safe, don't use it" response. They also talk about LanManager and NT encryption; I don't know or remember enough about those, so if someone can give me a quick summary that would be great. Thanks.
 
Old 02-13-2015, 09:20 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
The SMB protocol has gone through numerous revisions since the first product using it, LAN Manager, was launched in the late 1980s. Like many network protocols, security was very much an afterthought. LAN Manager used to send passwords in the clear across the network until a weak LAN Manager hash mechanism was introduced. This in turn was replaced by NTLM, and then improved upon with NTLM v2.

In a network without a centralized account database, a "workgroup" in Windows terms, the NTLM v2 mechanism is still used for authentication, and that's why Samba needs a separate password database. (Samba actually makes use of the user database in /etc/passwd, it's just the passwords that must be stored separately.)

When a client PC attempts to access an SMB/CIFS share which requires authentication, the password is never sent over the network. Instead, a challenge/response mechanism is used, which involves creating a password hash and subjecting it to various mathematical operations. The server sends a "challenge" number, the client returns the result of a certain mathematical algorithm involving this number and the password hash, and the server performs the exact same operation and compares the results.

For this to work, both the server and the client must have access to either the unencrypted password (which a server should never store for security reasons), or a 128-bit MD4 password hash of that password. Since the hashes in /etc/shadow aren't MD4 hashes, they are of no use to Samba, hence the need for a second password hash database. (DES hashes can be used as well, but since that algorithm is seriously outdated, the NTLM protocol in all modern Windows OSes will refuse to accept them unless specifically reconfigured to do so.)

Maintaining two separate password databases is indeed a hassle. It might be possible to configure PAM in such a way that smbpasswd is called automatically whenever an account password is created or changed, but an even better idea would be to eliminate the need for two password databases. Linux can authenticate against just about anything via PAM, so if you configure Samba to be a so-called "Domain Controller" for either an old-style Windows NT Domain or an Active Directory Domain, both Linux and Samba can use that database for authentication.

As a bonus, you would then be able to log on to any computer in the network, be they Windows or Linux systems, using the credentials from the Windows Domain database. If you were to set up several Samba Domain Controllers, the entire account database would automatically be replicated to every Samba DC, passwords and all.

Oh, and if you go for an Active Directory Domain, the somewhat vulnerable MD4-based NTLM protocol is replaced by Kerberos, which has no known security vulnerabilities. Both Samba and Windows will fall back to NTLM v2 if a non-domain member is involved or if a resource is accessed via an IP address rather than a hostname, but you can disable that fallback mechanism if you so wish.

Last edited by Ser Olmy; 02-13-2015 at 09:29 PM.
 
Old 02-14-2015, 08:10 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,757
Blog Entries: 4

Rep: Reputation: 3968
I strongly counsel that your Samba, your Windows, and your Linux itself should all be referencing one, central, authentication / authorization authority: LDAP, née Microsoft OpenDirectory. This should also be the source of web-site authorization and authentication. All of these technologies and interfaces already exist.

Within any organization, there should be "one Source of Truth." One, centrally managed, uniform, authority that all systems consult and conform to. You should not program, nor permit, any system to deviate from this.
 