10.5: Permissions and SMB shares in Leopard
Authored by: dezzie on Sat, Mar 8 2008 at 3:37AM PST
I think the tipster is wrong about not having to enable accounts for SMB. NTLM and Mac OS X use different password hashing algorithms. So when you provide your password to SMB, it cannot verify your NTLM hash directly against the Mac's user directory.

When you enable an account for SMB, the Mac stores the NTLM hash for the user's password - this is what OS X says is less secure, which I think is a reference to NTLM hashes having fewer bits cf. Mac OS X password hashes.

Try this command: sudo cat /var/db/shadow/hash/`dscl . read users/<Your username> GeneratedUID|cut -d' ' -f2`
This displays the password hashes for your account. If your account has not been enabled for SMB, you should see a bunch of zeroes, some non-zeroes, then a load more zeroes. Those non-zeroes are your Mac OS X password hash. Now enable your account for SMB, and re-run the command. You will now see another [shorter] hash - this is your NTLM password hash. Disabling your account for SMB again will remove the NTLM hash.

If the tipster was able to access an SMB share without enabling their account for SMB, then it is not their user ID that is logging in! Perhaps they are connecting as Guest? Or [if they are using Mac OS X as the client] maybe they are logging in using AFP, or transparently via Kerberos.

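Added example, not part of dezzie's comment: a small audit helper that reports which slots of a shadow hash file are populated, so you can tell whether an account is carrying an NTLM hash without printing any hash material. The slot offsets are an assumption (the commonly documented 10.4/10.5 layout of the 1240-character hex file), and the function names and sample data are constructed for illustration.

```python
import sys

# ASSUMPTION: slot offsets (in hex characters) follow the commonly documented
# 10.4/10.5 shadow hash layout; they are not stated in the comment above.
SLOTS = {
    "NT (SMB)": (0, 32),
    "LM (SMB)": (32, 64),
    "SHA1": (64, 104),
    "CRAM-MD5": (104, 168),
    "Salted SHA1": (168, 216),
    "Recoverable": (216, 1240),
}

def populated_slots(hex_text):
    """Map slot name -> True when the slot holds anything other than zeroes.
    Hash values themselves are never returned or printed."""
    data = "".join(hex_text.split()).upper()
    if any(c not in "0123456789ABCDEF" for c in data):
        raise ValueError("input is not a hex shadow hash file")
    if len(data) < 216:
        raise ValueError("input is too short to contain the hash slots")
    return {name: data[a:b].strip("0") != "" for name, (a, b) in SLOTS.items()}

def smb_enabled(hex_text):
    """True when an NT or LM hash is stored, i.e. the account is enabled for SMB."""
    slots = populated_slots(hex_text)
    return slots["NT (SMB)"] or slots["LM (SMB)"]

def constructed_sample(with_ntlm=False):
    """Constructed test data (not a real account): zero-filled file with a
    dummy salted SHA1 entry and, optionally, a dummy NT hash."""
    body = ["0"] * 1240
    body[168:216] = "A1B2C3D4" + "5E" * 20   # 8-char salt + 40-char digest
    if with_ntlm:
        body[0:32] = "9F" * 16
    return "".join(body)

if __name__ == "__main__":
    # Usage: sudo python audit.py /var/db/shadow/hash/<GeneratedUID>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample()
    for name, present in populated_slots(text).items():
        print("%-12s %s" % (name, "present" if present else "empty"))
    print("SMB enabled: %s" % smb_enabled(text))
```

Run it before and after toggling SMB for an account; the NT slot should flip between empty and present while the salted SHA1 slot stays populated.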