The
encrypt
passwords global option switches Samba from using plaintext passwords to encrypted passwords for authentication. Encrypted passwords will be expected from clients if the option is set to
yes:
encrypt passwords = yes
By default, Windows NT 4.0 with Service Pack 3 or above and Windows 98 transmit encrypted passwords over the network. If you are enabling encrypted passwords, you must have a valid
smbpasswd file in place and populated with usernames that will authenticate with encrypted passwords. (See the section
Section 6.4.2, The smbpasswd File," earlier in this chapter.) In addition, Samba must know the location of the
smbpasswd file; if it is not in the default location (typically
/usr/local/samba/private/smbpasswd), you can explicitly name it using the
smb
passwd
file option.
If you wish, you can use the
update
encrypted to force Samba to update the
smbpasswd file with encrypted passwords each time a client connects to a non-encrypted password.
A common strategy to ensure that hosts who need encrypted password authentication indeed receive it is with the
include option. With this, you can create individual configuration files that will be read in based on OS-type (
%a) or client name (
%m). These host-specific or OS-specific configuration files can contain an
encrypted
passwords
=
yes option that will activate only when those clients are connecting to the server.
