SAMBA - Turning encryption on
Table of Contents
1. Introduction
2. Turning encryption on
2.1. Step 1
2.1.1. Path 1
2.1.2. Path 2
2.1.3. Path 3 (encryption still off)
3. Afterwards
1. Introduction
This document is part of my Samba Documentation web-page.
If you run Samba and need to turn encryption on, this page gives you some
clues as to how. It should be read in conjunction with the official 'ENCRYPTION'
document.
2. Turning encryption on
See the 'Win95', 'WinNT' and 'ENCRYPTION' docs. Generally, there are three
migration paths you can take. Two assume that encryption is there and you
have to live with it; the other needs encryption to be off initially.
2.1. Step 1
Whichever path you decide to take, start here.
Use 'mksmbpasswd.sh' (a Perl script in the Samba source directory) to
create smbpasswd as documented in 'ENCRYPTION'. The exact command is:
cat /etc/passwd | mksmbpasswd.sh >/directory/private/smbpasswd
(unless you use 'NIS', in which case look at the doc). Then remove all
userids (such as root) that are not allowed to use Samba. Userids that are
not in this file will be rejected, even if they use plaintext passwords.
If you are running as root and still get 'permission denied' when executing
the script, try 'chmod +x' on the script (!).
You now have all the userids you need, but not their passwords.
2.1.1. Path 1
Set the passwords up using the 'smbpasswd' command. This can either be
done for all users by 'root' or the users can log onto the Unix-box and
do their own.
2.1.2. Path 2
Set all passwords to NO PASSWORD as documented and let the users change
them themselves via Samba under 'encrypt passwords = yes'
2.1.3. Path 3 (encryption still off)
Set the 'update encrypted = yes' parameter (this was first implemented
in 1.9.19p5) while leaving encryption off at both ends. All userids should
log on as normal. When they have done so, their passwords will all be in
'smbpasswd', suitably encrypted.
You can (must) then turn 'update encrypted' off and add 'encrypt passwords =
yes' on the server, after which you can activate encryption on the MS clients.
This is actually the only migration path that I have tested (the rest
is theory from the documentation) but it is the most complicated one and
it works, even for MS clients incapable of encryption. . .
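Before adding 'encrypt passwords = yes' under Path 3 (or after choosing Path 2), it is worth listing which smbpasswd entries still hold no hash or accept an empty password. The script below is an added example, not part of the original page or of Samba. It assumes the colon-separated layout produced by mksmbpasswd.sh (name:uid:LANMAN hash:NT hash:...), where a run of 'X' characters means no hash is stored and a leading 'NO PASSWORD' means an empty password is accepted; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: classify smbpasswd entries before enabling encrypted passwords.
# Assumed field layout: name:uid:LANMAN-hash:NT-hash:...
#   all 'X'              -> PENDING    (no hash stored yet)
#   starts 'NO PASSWORD' -> NOPASSWORD (empty password accepted)
#   32 hex digits        -> SET        (hash present)

audit_smbpasswd() {
    # $1 = path to smbpasswd; prints "<STATE> <userid>" for each entry
    awk -F: '
        function hex32(s) { return length(s) == 32 && s ~ /^[0-9A-Fa-f]+$/ }
        /^[ \t]*(#|$)/             { next }   # skip comments and blank lines
        NF < 4                     { print "MALFORMED", $1; next }
        $3 ~ /^NO PASSWORD/        { print "NOPASSWORD", $1; next }
        hex32($3) || hex32($4)     { print "SET", $1; next }
        $3 ~ /^X+$/ && $4 ~ /^X+$/ { print "PENDING", $1; next }
                                   { print "MALFORMED", $1 }
    ' "$1"
}

ready_for_encryption() {
    # Succeeds only when no entry is in a state other than SET.
    ! audit_smbpasswd "$1" | grep -qv '^SET '
}

write_sample() {
    # Constructed sample entries (hash values are made up), written to $1.
    cat > "$1" <<'EOF'
# constructed sample smbpasswd
alice:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:Alice:/home/alice:/bin/sh
bob:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Bob:/home/bob:/bin/sh
carol:502:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Carol:/home/carol:/bin/sh
EOF
}

# Demo on the constructed sample; point audit_smbpasswd at the real file instead.
sample=$(mktemp)
write_sample "$sample"
audit_smbpasswd "$sample"
if ready_for_encryption "$sample"; then
    echo "all entries have hashes"
else
    echo "some entries are not ready"
fi
rm -f "$sample"
```

PENDING userids are the ones that have not yet logged on under 'update encrypted = yes'; NOPASSWORD userids are the Path 2 accounts whose owners have not yet changed their password.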
3. Afterwards
'man smbpasswd' is a very useful resource. Look at it, it will
save you a lot of time later.
I happily let /etc/passwd and smbpasswd get out of sync, the last thing
I want is for my Samba users to actually start messing around on the Linux
Server - most of them think it's running NT anyway.
For people who see things differently:
- Under Samba 2.2.x, look at README.pam_smbpass
- otherwise look at the following, which has apparently been tested under
RedHat 5.1; no, not by me.
unix passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
password sync = yes
The original author of those lines also says that 'debug level' should
be at least 100 to get the debug of the password chat, and that %u means
%u and not %U. And so it should!