Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
22.2.3. Encrypted Passwords
Encrypted passwords are enabled by default because it is more secure. If encrypted passwords are not used, plain text passwords are used, which can be intercepted by someone using a network packet sniffer. It is recommended that encrypted passwords be used.
The Microsoft SMB Protocol originally used plain text passwords. However, Windows NT 4.0 with Service Pack 3 or higher, Windows 98, Windows 2000, Windows ME, and Windows XP require encrypted Samba passwords. To use Samba between a Linux system and a system running one of these Windows operating systems, you can either edit your Windows registry to use plaintext passwords or configure Samba on your Linux system to use encrypted passwords. If you choose to modify your registry, you must do so for all of your Windows machines — this is risky and may cause further conflicts. It is recommended that you use encrypted passwords for better security.
To configure Samba to use encrypted passwords, follow these steps:
- Create a separate password file for Samba. To create one based on your existing
/etc/passwdfile, at a shell prompt, type the following command:cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswdCopy to Clipboard Copied! Toggle word wrap Toggle overflow If the system uses NIS, type the following command:ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswdCopy to Clipboard Copied! Toggle word wrap Toggle overflow Themksmbpasswd.shscript is installed in your/usr/bindirectory with thesambapackage. - Change the permissions of the Samba password file so that only root has read and write permissions:
chmod 600 /etc/samba/smbpasswd
chmod 600 /etc/samba/smbpasswdCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The script does not copy user passwords to the new file, and a Samba user account is not active until a password is set for it. For higher security, it is recommended that the user's Samba password be different from the user's system password. To set each Samba user's password, use the following command (replace username with each user's username):
smbpasswd username
smbpasswd usernamesmbpasswd usernameCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Encrypted passwords must be enabled. Since they are enabled by default, they do not have to be specifically enabled in the configuration file. However, they can not be disabled in the configuration file either. In the file
/etc/samba/smb.conf, verify that the following line does not exist:encrypt passwords = no
encrypt passwords = noCopy to Clipboard Copied! Toggle word wrap Toggle overflow If it does exist but is commented out with a semi-colon (;) at the beginning of the line, then the line is ignored, and encrypted passwords are enabled. If this line exists but is not commented out, either remove it or comment it out.To specifically enable encrypted passwords in the configuration file, add the following lines toetc/samba/smb.conf:encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd
encrypt passwords = yes smb passwd file = /etc/samba/smbpasswdCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Make sure the
smbservice is started by typing the commandservice smb restartat a shell prompt. - If you want the
smbservice to start automatically, use ntsysv,chkconfig, or the Services Configuration Tool to enable it at runtime. Refer to Chapter 19, Controlling Access to Services for details.
The
pam_smbpass PAM module can be used to sync users' Samba passwords with their system passwords when the passwd command is used. If a user invokes the passwd command, the password he uses to log in to the Red Hat Enterprise Linux system as well as the password he must provide to connect to a Samba share are changed.
To enable this feature, add the following line to
/etc/pam.d/system-auth below the pam_cracklib.so invocation:
password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}