10.5: Permissions and SMB shares in Leopard
Authored by: dezzie on Mar 08, '08 03:37:05AM

I think the tipster is wrong about not having to enable accounts for SMB. NTLM and Mac OS X use different password hashing algorithms. So when you provide your password to SMB, it cannot verify your NTLM hash directly against the Mac's user directory.

When you enable an account for SMB, the Mac stores the NTLM hash for the user's password - this is what OS X says is less secure, which I think is a reference to NTLM hashes having fewer bits cf. Mac OS X password hashes.

Try this command:

    sudo cat /var/db/shadow/hash/`dscl . read users/<Your username> GeneratedUID|cut -d' ' -f2`

This displays the password hashes for your account. If your account has not been enabled for SMB, you should see a bunch of zeroes, some non-zeroes, then a load more zeroes. Those non-zeroes are your Mac OS X password hash. Now enable your account for SMB, and re-run the command. You will now see another [shorter] hash - this is your NTLM password hash. Disabling your account for SMB again will remove the NTLM hash.

If the tipster was able to access an SMB share without enabling their account for SMB, then it is not their user ID that is logging in! Perhaps they are connecting as Guest? Or [if they are using Mac OS X as the client] maybe they are logging in using AFP, or transparently via Kerberos.



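The check described in the comment above can be done without printing the hashes to the terminal. This is an added example, not part of the original comment: it reports only whether each slot of a shadow hash file is populated. The slot offsets (characters 1-64 for the SMB NT/LM hashes, 169-216 for the salted SHA-1 hash) and the 1240-character file length are assumptions about the 10.5 file layout, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout of a 10.5 shadow hash file (one line of hex text):
#   chars 1-64     SMB slots (NT hash followed by LM hash)
#   chars 169-216  salted SHA-1 (8 hex salt + 40 hex digest)
# A slot holding only zeroes is treated as empty.

# slot_state <file-contents> <first-char> <last-char>
# Prints "present", "empty" or "missing"; never prints the hash itself.
slot_state() {
    slot=$(printf '%s' "$1" | cut -c"$2-$3")
    case "$slot" in
        "")     echo missing ;;   # file shorter than expected or unreadable
        *[!0]*) echo present ;;   # at least one non-zero character
        *)      echo empty ;;     # all zeroes
    esac
}

# smb_hash_report <file-contents>
smb_hash_report() {
    printf 'smb=%s salted_sha1=%s\n' \
        "$(slot_state "$1" 1 64)" "$(slot_state "$1" 169 216)"
}

# --- Constructed sample data (not real hashes) ---
fill() { head -c "$1" /dev/zero | tr '\0' "$2"; }
SALTED=0A1B2C3D1111111111222222222233333333334444444444
SAMPLE_SMB_OFF="$(fill 168 0)${SALTED}$(fill 1024 0)"
SAMPLE_SMB_ON="$(fill 64 A)$(fill 104 0)${SALTED}$(fill 1024 0)"

smb_hash_report "$SAMPLE_SMB_OFF"   # account not enabled for SMB
smb_hash_report "$SAMPLE_SMB_ON"    # account enabled for SMB

# On a real 10.5 system the input would come from the file named in the
# comment, read as root, e.g.:
#   smb_hash_report "$(sudo cat /var/db/shadow/hash/<GeneratedUID>)"
```

Running the report before and after toggling SMB sharing for an account shows whether the weaker hash is stored on disk, which is the thing to audit on machines where SMB sharing is not needed.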