Samba - Plaintext Password Issues

From The System Administrator Zone

Plaintext Passwords - Win9x / WinME

For security reasons, Windows 98 will not allow you to send plain-text passwords. The password is encrypted by default. However, Samba servers can be configured to require plain-text passwords, so you will not be able to connect to Samba servers configured in this mode unless you change a Registry entry to enable plain-text passwords.

Caution: Enabling plain-text passwords could compromise security. We are doing it simply because of the problems related to maintaining two sets of passwords on the Unix side. The normal set and the Samba set.

To enable plain-text passwords, add the Registry entry for EnablePlainTextPassword (as a Dword) and set the value to 1 in the following Registry location:


Set the value for EnablePlainTextPassword to 1:

A reboot is necessary for the value to take effect.

Plaintext Passwords - Win2K

Key: HKLM\system\currentcontrolset\services\LanmanWorkStation\parameters Value name: EnablePlainTextPassword Data type: REG_DWORD Data: 1 (binary)

A reboot is necessary for the value to take effect.

Windows XP with a Samba Server

Login as local Administrator

  1. Run REGEDIT
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Modify the next string : "requiresignorseal" from value 1 to 0.

Samba and WinXP: the solution

Originally from by bendgrimes AT

Microsoft only recommends one registry editor tool. These are the applets in the control panel. The reason is simple. The applets will NOT make a mistake in editing the registry and they will also give you a clue about what setting is controlled by what value.. Plus they will let you know what the setting will actually do.

So, from one Unix head to another, here's the "Microsoft approved" network config changes that will allow you to use Samba as a Windows XP PDC. Log in as the local machine's administrator account and...

start -> control panel -> administrative tools -> local security policy

In the policy editor, open the 'Local Policy' tree, then the 'Security Options' branch. Find the following policy keys and set them to disabled (by double-clicking they key and hitting the 'disabled' radio button, followed by 'OK'). "Domain member: Digitally encrypt or sign secure channel data (always)", "Domain member: Digitally encrypy secure channel data (when possible)", "Domain member: Digitally sign secure channel data (when possible)", "Domain member: Require strong (Windows 2000 or later) session key",

On the Samba server, make sure these are present in your smb.conf: encrypt passwords = Yes, domain logons = Yes, domain master = Yes. Make sure you have added your users with 'smbpasswd -a ' AFTER the smb.conf settings are correct. If not, remove the existing users from the smbpasswd file, recreate them and try again.

A note here, you will need a machine name in your /etc/passwd that matches the computer name trying to connect with a "$" behind the username. For example: You have "XPcomp" trying to connect.. You will need "XPcomp$:!:1000:XP computer:/tmp:/bin/false" in the /etc/passwd.

Also, when you change from 'workgroup' to 'domain' networking in the network configs of the XP box, you are 'pushing on the network' the XP box. When asked for the username/password with privilage, enter your samba box's root account.