How do you compute sambaLMPassword/sambaNTPassword?

Andrew Bartlett abartlet at samba.org
Sun Mar 21 01:47:19 GMT 2004


On Sun, 2004-03-21 at 11:47, Florin Jurcovici wrote:
> Hi.
> 
> I'm not sure this is the best place to send my question, it's about 
> development related to Samba, not about development of Samba itself, but I 
> couldn't think of a better place to ask the question.
> 
> Problem: making Domino's LDAP work with Samba, and doing all user 
> management in Domino.
> 
> Domino's LDAP supports sasl, so Linux authentication can go directly to 
> Domino. The Windows authentication however doesn't send plain text 
> passwords, so it cannot be routed to LDAP. Therefore, user management 
> cannot be done entirely in Lotus Notes, you have to update user accounts 
> using Samba's user tools, or the fields sambaLMPassword and 
> sambaNTPassword in the account doc won't get set properly, and without 
> these fields being set from outside of Samba/Windows user management tools 
> you're forced to use plain text authentication from Windows to Samba - or 
> am I wrong?

That sounds correct.

> In order to provide single signon and allow for complete user management 
> using Lotus/Domino, in combination with Samba, I need to fill in the two 
> fields by hand, when doing a password change in Lotus/Domino. So I need to 
> know either the exact algorithms used for hashing or where I can find the 
> funcs which do the hashing in the Samba code, then I'll be able to rebuild 
> the funcs.

There is mkntpwd (a standalone copy of Samba's smbencrypt.c and
associated routines), or perl's Crypt::SmbHash for two places to start.

> Since these ops I need to do both from a Windows station and potentially 
> when saving a user account document from a browser, if there are such 
> funcs, I'd rather call them directly from the libraries where they are. 
> Are there such funcs? If yes, where are they located? I suppose these 
> funcs must be available in the Windows dlls and in the Samba libs, so even 
> if the Domino server runs on Linux I can call them, if Samba is installed. 
> I had a little look at the code, it seems to me that it's quite some piece 
> of work to re-implement the two hashing algorithms, especially in such a 
> weak language like LotusScript (which is what Notes/Domino supports best).

It's only DES and MD4, can it be that hard ;-)

The functions you are looking for in Samba are E_deshash() and
E_md4hash().

> Can you please help me? Or should I send the question to another address?
> 
> Background of this problem: many companies use Lotus/Domino as a mail 
> system and as an application platform. Few would accept to switch from one 
> setup with two parallel directory systems to another setup with two 
> parallel directory systems - Windows PDCs + NT Domains/ADS + Domino 
> address book vs. Samba + OpenLDAP + Domino address book, since nothing 
> changes regarding the user management overhead. But switching from Windows 
> PDCs + NT Domains/ADS + Domino address book to Samba + Domino address book 
> only would be a compelling reason to switch, if further user management can 
> be done in Domino the same way you do user management for Domino users. 
> The Domino LDAP server is pretty good, and completely eliminating any 
> need of distinct user management tools for Samba/Windows and Domino is 
> possible, if only the NT/LM hashes could be set automatically from within 
> Notes/Domino.

Can you instead make Domino export the userPassword field, containing
the user's plaintext password?

I am quite happy to make a modification to Samba, where it will read the
plaintext password out of LDAP, and hash it internally.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net