Jimmy's weblog

11/10/2011

Upgrading Samba from plaintext passwords to encrypted passwords

Filed under: — jimmy @ 5:23 pm

Recently I had to upgrade a samba installation which was using plaintext passwords. This is not as rare as one might think because some companies couldn’t upgrade from win95 PCs as those were coupled to machines which didn’t support newer versions. For plaintext passwords samba uses /etc/passwd and /etc/shadow to find out usernames and passwords. With encrypted passwords samba uses its own database with the tdbsam backend. There was also a smbpasswd backend which is now deprecated. But it’s very handy if you want to upgrade to encrypted passwords without having every user to enter her password again to fill the new database. There is the global option “update encrypted = yes” which replaces a plaintext password with an encrypted one when the user logs in. The plaintext password is written to the smbpasswd file defined in smb.conf (This does not work with the tdbsam backend but you can migrate from smbpasswd to tdbsam easily afterwards). So before we let the users login again we have to generate a smbpasswd file. One way to achive this is to run this command:

cat /etc/passwd | mksmbpasswd >> /etc/samba/smbpasswd

(assuming that “passdb backend = smbpasswd:/etc/samba/smbpasswd” is in your smb.conf)
After all users have logged in (check smbpasswd file for filled in passwords) you can disable plaintext auth.

Watch out for bug in WinXP SP3 with plaintext auth!
When I made this migration it happened that this procedure was working great for some clients where others completely failed to login. I found out that Win7 clients and WinXP clients with SP2 worked, but WinXP clients with SP3 were failing. The reason is simply a bug caused by patch KB2536276. You can find the full story in bugzilla of samba: Windows security patch KB2536276 prevents access to shares
In my case I was lost and had to ask the users to type in their passwords again but there seems to be a workaround if you read the last comments in the bugreport (changing domain name)

Leave a Reply