Bug 399 - Allow Samba to interact with AFS on large networks without Plain Text Passwords
Allow Samba to interact with AFS on large networks without Plain Text Passwords
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Other All
: P3 enhancement
: none
Assigned To: Gerald (Jerry) Carter
Depends on:
  Show dependency treegraph
Reported: 2003-09-03 18:23 UTC by Brian "netdragon" Bober
Modified: 2005-08-24 10:18 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Brian "netdragon" Bober 2003-09-03 18:23:25 UTC
AFS uses a different passwords scheme than Samba. That means you'll need two 
sets of password files in order to have Samba and AFS on the same network. 
Otherwise, you need to use plain text passwords. Isn't there a way to make AFS 
and Samba more transparent than it is? I know you didn't write AFS, but Samba 
is now deployed on a lot of AFS-run networks, and perhaps there is something 
that can be done to solve this issue even if it means working with AFS 
developers to do it on their end.

Instead of providing a summary beyond that simple one, I'll give a copy of an 
email available at the URL above that will explain things better. I imagine 
you have heard about this a million times, but I couldn't find a bug on it 
(probably because the server is so new):

Sent: Monday, December 18, 2000 


Question from student named Nate


I can understand the motivation for a decent computing department to require 
the use of ssh instead of straight telnet for all connections.  You are 
planning on implementing REQUIRED ssh even when students are ON campus, but it 
isn't even OPTIONAL to check one's email securely, or even connect to sambasrv 
securely, when it is the SAME PASSWORD!!!  Can you please explain the logic 
behind this?



Response from Alan Powell



Date: Mon, 11 Dec 2000 

From: Alan Powell <powela AT NOSPAM rpi DOT E DEE U>

Subject: Remote Access Servers, Sambasrv, Mail, etc...


Hi Nate,


I read your comments to consult and thought I'd answer you since I'm in a 
better position to offer comments than the consultants are. I maintain 
sambasrv and I am also a member of the CIS security team. 


I can readily understand why you might think that it's absurd for us to 
require ssh on the Remote Access Servers and yet allow the exposure of user 
passwords with other services. The reality, however, is that we do care about 
protecting user passwords (and data) but that this is not always an easy thing 
to do. Just because there is a difficulty with protecting passwords in one 
service, doesn't mean it's irrational to protect passwords in services where 
we can do this easily. Each service we protect is one less potential exposure 
of someone's password. I also believe that good networking architecture could 
go a long way towards making passwords and data more secure and that 
encryption by itself it not the complete answer.



At any rate, you mentioned several services and here are some comments on each 
of them:





I have maintained sambasrv for the last four years and I *am* concerned about 
sambasrv requiring plain text passwords. If the solution were simply a matter 
of turning on encryption in samba, I would have done it years ago. The 
complication is that sambasrv is really a gateway to AFS space and for a user 
to end up with a token which gives them access to AFS, samba needs their plain 
text password.

When a user connects to sambasrv, samba first authenticates them to a 
kaserver  (a kerberos server that is part of AFS); this gives them access to 
the samba share itself. In addition to simply authenticating the user, this 
process also gives the user a token which gains them access to their AFS 
space. If I turned on encrypted passwords on the sambasrv side, 1) sambasrv 
would need to have a password file containing the NT hash of all users, which 
is *really* ugly from a security point of view, or would need to authenticate 
to an external NT server (messy) and 2) samba would be unable to authenticate 
that user to AFS, because all it would have would be the (Windows) encrypted 


Long-term solutions:


Despite the general problem I explain above, I (and others) have come up with 
possible ways to turn on encryption and still allow users access to AFS space. 
At some point in the future, I do hope to be able to go to encrypted 
passwords.  But the reality is, that there is not a simple solution to this 
problem. I would also like to point out that turning on encryption in samba is 
not a large step forward security wise from using plain text passwords. The 
L0pht group has a program that can grab encrypted passwords from the network 
and use a dictionary attack against them with a very high success rate. 
Encrypted passwords would be a step forward, but are not the complete answer 
to a more secure environment...




The Remote Access Servers


I personally would have enforced SSH only on the Remote Access servers years 
ago, but Academic Computing had concerns about the availability of ssh clients.

One thing that is important to remember is that our primary job is to enable 
people to use RPI services, not get in their way. There is always a trade off 
between user needs and security. In the past, the decision was made that the 
trade off for enforcing ssh versus telnet was too great. Now that SSH clients 
are readily available and the RPI laptops all have SSH clients (and security 
incidents are getting worse), the decision was made to enforce SSH as the user 
burden would not be as great as it would have been in the past.






Email clients are a good example of why we just can't turn on encryption and 
be done with it.


There are really no standards for encrypting passwords via email clients. Yes, 
some clients support some mechanisms but there is no overall standard and this 
makes it difficult to ensure that everyone can check email securely. What you 
may not know is that we do offer some ways of securely checking email (at 
least in terms of not exposing passwords) and have tested several others but 
found them very cumbersome or insecure in a different way.


kpop - Mail pop'ed to your RCS accounts using kpop has used kerberos 
authentication since I started here more than four years ago. Your passwords 
are not exposed via this process.


Eudora on PC's & Macs - Eudora users have been able to check email using 
kerberos for almost two years. Some crude instructions on doing this are at:




I have been using this mechanism for a year and a half.



SSL tunneling, APOP - We have also tried other mechanisms for protecting user 
passwords but SSL tunneling was cumbersome and slow and APOP was a security 
risk in other ways.





CIS has not always moved as quickly as I like towards better security and

I personally would probably enforce greater security measures (like SSH on

Remote Access servers a long time ago) even if they were painful to users, but 
from the inside. I don't see this as a result of not caring or laziness, etc. 
I see it largely as 

1) a lack of real concern on the part of companies like Microsoft with regards 
to security combined with encryption laws which make providing secure services 
difficult and 

2) a consequence of an environment (things like AFS) which can make some 
things we might otherwise do difficult...






 Alan Powell, Sr. Systems Programmer     e-mail: powela AT NOSPAM rpi DOT E 

 Server Support Serv., RPI, 110 8th St.   Voice: (518) 276-2204

 Troy, New York 12180-3590                  FAX: (518) 276-2809
Comment 1 Tim Potter 2003-09-03 19:21:20 UTC
Samba 3 has a nice new authentication plugin system so it may be possible to
modify the AFS server to support NT password hashes and have it integrate nicely.  

Also, Microsoft have defined a new Kerberos encryption type which is basically
the NT password hash so perhaps the AFS developers can be convinced to support this.

BTW, the L0pht program only works on Lanman passwords.  If you turn on encrypted
passwords and turn off LM passwords (really only needed for Win9X support) then
you are pretty OK security wise.
Comment 2 Tim Potter 2003-09-03 19:21:47 UTC
cc me
Comment 3 Tim Potter 2003-09-05 17:33:08 UTC
There seems to be quite a bit of interest in AFS at the moment.  You might want
to start a discussion on samba-technical@lists.samba.org about Samba and AFS.
Comment 4 Tim Potter 2003-09-25 00:14:38 UTC
From IRC:

<vl> The solution for 399 is --with-fake-kaserver in 3.0

I have no idea what this does.  (-:
Comment 5 Volker Lendecke 2004-01-06 10:02:46 UTC
Fixed with the best possible way we can currently do.
--with-fake-kaserver in 3.0.0 and following does what is needed to have
encrypted passwords
as well as AFS services.
Comment 6 Gerald (Jerry) Carter 2005-02-07 07:57:28 UTC
originally reported against 3.0aph24.  Bugzilla spring cleaning.  
Removing old alpha versions.
Comment 7 Gerald (Jerry) Carter 2005-08-24 10:18:28 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.