!==
!== ENCRYPTION.txt for Samba release 2.0.5a 22 Jul 1999
!==
Contributor:	Jeremy Allison <samba-bugs@samba.org>
Updated:	1999/04/19
Note:		Please refer to WinNT.txt also

Translator:	佐藤文優 <fumiya@cij.co.jp>
Translator:	高橋基信 <monyo@home.monyo.com>
Translation date:	1999/09/17

Subject:	LanManager / Samba Password Encryption
============================================================================

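With the development of LanManager and Windows NT compatible password
encryption for Samba, Samba can now validate user connections in exactly
the same way as a LanManager or Windows NT server.

This document describes how the SMB password encryption algorithm works
and what issues to weigh when deciding whether to use it. Read it
carefully, especially the part about security and the "PROS AND CONS"
section.

How does it work?
-----------------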

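LanManager encryption is somewhat similar to UNIX password encryption. The
server uses a file containing a hashed value of each user's password. The
value is created by taking the user's plaintext password, converting it to
upper case, and truncating it to 14 bytes (or padding it with null bytes
to 14 bytes). This 14 byte value is used as two 56 bit DES keys to encrypt
a "magic" 8 byte value, and the resulting 16 byte value is stored by the
server and the client. This value is referred to below as the "hashed
password".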

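Windows NT encryption is a higher quality mechanism: an MD4 hash is
computed over the Unicode version of the user's password. This also
produces a non-reversible 16 byte hash value.

When a client (LanManager, Windows for WorkGroups, Windows 95 or
Windows NT) wants to mount a Samba drive (or use a Samba resource), it
first requests a connection and negotiates the protocol that the client
and server will use. In its reply to this request the Samba server
generates and appends a random 8 byte value, which it keeps after the
reply has been sent. This value is called the "challenge".

The challenge is different for every client connection.

The client then takes the hashed password (the 16 byte value described
above), appends 5 null bytes to make three 56 bit DES keys (21 bytes in
total), and uses each key to encrypt the 8 byte challenge. The resulting
24 byte value is called the "response".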

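In the SMB call SMBsessionsetupX (when user level security is selected)
or SMBtconX (when share level security is selected), the client returns
the 24 byte response to the Samba server. At the Windows NT protocol
levels the calculation above is performed on both the LanManager and the
Windows NT hash of the user's password, and both responses are returned
in the SMB call, giving two 24 byte values.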

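The Samba server then repeats the calculation above, using its own stored
16 byte hashed password (read from the smbpasswd file, described later)
and the challenge value it kept from the negotiate protocol reply. It
checks whether the 24 byte value it computed matches the 24 byte value
returned by the client.

If the values match exactly, the client knew the correct password (or the
16 byte hashed value; see the security note below) and is allowed access.
If they do not match, the client did not know the correct password and is
denied access.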

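Note that the Samba server never knows or stores the cleartext of the
user's password, only the 16 byte hashed values derived from it. Note also
that neither the cleartext password nor the 16 byte hashed values are ever
transmitted over the network, which improves security.

IMPORTANT NOTE ABOUT SECURITY
-----------------------------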

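The UNIX and SMB password encryption techniques look similar on the
surface, but the similarity is only skin deep. The UNIX scheme typically
sends cleartext passwords over the network when logging in. This is bad.
The SMB encryption scheme never sends the cleartext password over the
network, but it does store the 16 byte hashed values on disk. This is
also bad. Why? Because the 16 byte hashed values are a "password
equivalent". You cannot derive the user's password from them, but they
could potentially be used in a modified client to gain access to a server.

This requires considerable technical knowledge on the part of the
attacker, but it is perfectly possible. You should therefore treat the
smbpasswd file as though it contained the cleartext passwords of all your
users. Its contents must be kept secret, and the file should be protected
accordingly.

Ideally we would like a password scheme that requires plaintext passwords
neither on the network nor on disk. Unfortunately this is not available,
because Samba has to stay compatible with other SMB systems (WinNT, WfWg,
Win95 and so on).


PROS AND CONS
-------------

Both schemes have advantages and disadvantages.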

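Advantages of SMB encryption:
-----------------------------

- Plaintext passwords are not passed across the network. Someone using a
network sniffer cannot simply record passwords going to the SMB server.

- WinNT does not like talking to a server that is not using SMB encrypted
passwords. In addition, it refuses to browse the server if the server is
in user level security mode. It then prompts the user for the password on
every connection, which is very annoying. The only way to stop this is to
use SMB encryption.

Advantages of non-encrypted passwords:
--------------------------------------

- Plaintext passwords are not kept on disk.

- The same password file can be used as for other UNIX services such as
login and ftp.

- You are probably already using other services (such as telnet and ftp)
that send plaintext passwords over the network, so not sending them for
SMB does not gain much.

Note that Windows NT 4.0 Service Pack 3 changed the default for
permissible authentication so that plaintext passwords are *never* sent
over the network. To deal with this, either switch Samba to encrypted
passwords or edit the Windows NT registry to re-enable plaintext
passwords. See the document WinNT.txt for details.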

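The smbpasswd file
------------------

For Samba to take part in the protocol above, it must be able to look up
the 16 byte hashed values for a given user name. Unfortunately, the UNIX
password value is also a one-way hash (that is, the cleartext of a user's
password cannot be recovered from its UNIX hash), so a separate password
file containing the 16 byte values must be kept. To minimise the problem
of the two password files, the UNIX /etc/passwd and the smbpasswd file,
getting out of sync, a utility, mksmbpasswd.sh, is provided to generate
an smbpasswd file from a UNIX /etc/passwd file.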

To generate the smbpasswd file from your /etc/passwd file, use the
following command:

    cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd

If the system uses NIS, use:

    ypcat passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd

The mksmbpasswd.sh program is found in the Samba source directory. By
default, the smbpasswd file is stored at:

    /usr/local/samba/private/smbpasswd

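The owner of the /usr/local/samba/private directory should be set to
root, and its permissions should be set to:

    r-x------

The command:

    chmod 500 /usr/local/samba/private

does this. Likewise, the smbpasswd file inside the private directory
should be owned by root, with its permissions set to:

    rw-------

The command for this is:

    chmod 600 smbpasswd

The format of the smbpasswd file is: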

    username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[Account type]:LCT-<last-change-time>:Long name

Only the username, uid, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, [Account type]
and last-change-time sections are significant; these are the ones the
Samba code looks at.

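It is *VITALLY* important that there are 32 "X" characters between the two
":" characters in each XXX section. The smbpasswd and Samba code will fail
to validate any entry that does not have 32 characters between the ":"
characters. The first XXX section is the Lanman password hash; the second
is the Windows NT version.

When the password file is first created, every user has password entries
consisting of 32 "X" characters. By default such an entry disallows any
access as that user. Once a user has a password set, the "X" characters
are replaced by 32 ASCII hexadecimal digits (0-9, A-F). These are the
ASCII representation of the 16 byte hashed value of the user's password.

To set a user to have no password (not recommended), edit the file with
vi and replace the first 11 characters with the ASCII text:

    NO PASSWORD

For example, to clear the password for user bob, his smbpasswd file entry
would look like this:

    bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Bob's full name:/bobhome:/bobshell

If you allow users to set their own passwords with the smbpasswd command,
you may want to give them NO PASSWORD initially so that they do not have
to enter a previous password when changing to their new one (not
recommended). For this to work, the smbpasswd program must be able to
connect to the smbd daemon as that user with no password. Enable this by
adding the following line to the [global] section of smb.conf:

    null passwords = true

This is why the scenario above is not recommended. Preferably, give your
users a default password to begin with, so that you do not have to enable
this on your server.

Note: This file must be protected very carefully. Anyone with access to
it can (given enough knowledge of the protocols) gain access to your SMB
server. The file is therefore more sensitive than a normal UNIX
/etc/passwd file.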
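
A defender-side check of the file rules in this section, as an added example (not part of the original document or of Samba): it classifies each hash field by the 32-character rules above and compares permission bits with the modes given earlier. The function names and the sample entries are constructed for illustration.

```python
import os
import re
import stat

# The document specifies 0-9, A-F; lowercase is tolerated here (assumption).
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def classify_hash(field):
    """Classify one hash field of an smbpasswd entry."""
    if len(field) != 32:
        return "malformed"       # not 32 characters: entry fails validation
    if field.startswith("NO PASSWORD"):
        return "no_password"     # usable only with "null passwords = true"
    if field == "X" * 32:
        return "disabled"        # freshly generated entry, no access
    return "set" if HEX32.fullmatch(field) else "malformed"

def audit_entries(text):
    """Return {username: [issues]} for entries that need attention."""
    issues = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or not fields[1].isdigit():
            issues.setdefault(fields[0], []).append("bad field count or uid")
            continue
        for name, value in (("LM", fields[2]), ("NT", fields[3])):
            state = classify_hash(value)
            if state in ("malformed", "no_password"):
                issues.setdefault(fields[0], []).append(f"{name} field: {state}")
    return issues

def mode_problem(path, wanted):
    """Return a message if path's permission bits differ from wanted."""
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return None if actual == wanted else f"{path}: mode {actual:o}, expected {wanted:o}"

# Constructed sample entries; the hex digits are made up, not real hashes.
TAIL = ":[U          ]:LCT-00000000:Sample user"
SAMPLE = "\n".join([
    "# SMB password file.",
    "alice:1001:" + "X" * 32 + ":" + "X" * 32 + TAIL,
    "bob:100:NO PASSWORD" + "X" * 21 + ":" + "X" * 32 + TAIL,
    "carol:1002:" + "0123456789ABCDEF" * 2 + ":" + "FEDCBA9876543210" * 2 + TAIL,
    "dave:1003:" + "X" * 31 + ":" + "X" * 32 + TAIL,
])

if __name__ == "__main__":
    print(audit_entries(SAMPLE))
```

Ownership by root, which this document also requires, is not checked by mode_problem and has to be verified separately.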

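The smbpasswd command
---------------------

The smbpasswd command maintains the two 32 byte password fields in the
smbpasswd file. If you want it to behave like the UNIX passwd or yppasswd
programs, install it in /usr/local/samba/bin (or your main Samba binary
directory).

As of Samba 1.9.18p4 this program must NOT be installed setuid root (the
new smbpasswd code enforces this restriction so that it cannot be run
that way by accident).

smbpasswd now works in a client/server mode, in which it contacts the
local smbd to change the user's password (translators' note: because of
this, password changes through smbpasswd are refused if the allow hosts
parameter does not include 127.0.0.1). This brings the following
benefits.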

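1) smbpasswd no longer has to be setuid root.
   A wide range of potential security problems is eliminated.

2) smbpasswd can now change passwords on Windows NT servers.
   (This only works when the request is sent to the NT Primary Domain
   Controller and you are changing an NT Domain user's password.)

To run smbpasswd as a normal user, type:

    smbpasswd
    Old SMB password: <type the old value here, or press return if there was no old password>
    New SMB Password: <type the new value>
    Repeat New SMB Password: <re-type the new value>

If the old value does not match the value currently stored for that user,
or the two new values do not match each other, the password is not
changed.

When invoked by an ordinary user, smbpasswd only allows that user to
change his or her own Samba password.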

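When run by the root user, smbpasswd accepts an optional argument naming
the user whose SMB password is to be changed. Note that when run as root,
smbpasswd does not prompt for or check the old password value, so root
can set passwords for users who have forgotten theirs.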

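smbpasswd is designed to work in the same way as the passwd and yppasswd
commands, so that it feels familiar to UNIX users who use them.

For more details on using smbpasswd, refer to the man page, which is
always the definitive reference.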

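Setting up Samba to support LanManager encryption
-------------------------------------------------

This is a very brief description of how to set up Samba to support
password encryption. More complete instructions will probably be added
later.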

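1) Compile and install Samba as usual.

2) If your system cannot compile the getsmbpass.c module, remove the
-DSMBGETPASS define from the Makefile.

3) Enable encrypted passwords by adding the line "encrypt passwords = yes"
to the [global] section of smb.conf.

4) Create the initial smbpasswd password file in the place you specified
in the Makefile. A simple way to do this, based on your existing Makefile
(assuming it is in a reasonably standard form), is: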

    cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

Change the ownership of private and smbpasswd to root.

    chown -R root /usr/local/samba/private

Set the correct permissions on /usr/local/samba/private.

    chmod 500 /usr/local/samba/private

Set the correct permissions on /usr/local/samba/private/smbpasswd.

    chmod 600 /usr/local/samba/private/smbpasswd

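Remember that the mksmbpasswd.sh script is in the Samba source directory.

If mksmbpasswd.sh fails, remember that you need entries that look like
this:

    # SMB password file.
    tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Andrew Tridgell:/home/tridge:/bin/tcsh

Note that the uid and username fields must be right. Also make sure the
number of X's is right (there must be 32).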

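5) Set passwords for users with the smbpasswd command. For example, as
root you could run "smbpasswd tridge".

6) Try it out!

Note that you can test things with smbclient, as it also supports
encryption now.

==============================================================================
Note: Please refer to WinNT.txt also
Note: Please refer to Win95.txt also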
