LDAP-SAM and Samba 2.2
Erik Persson
erik at roxen.com
Mon Dec 3 12:35:04 GMT 2001
On Mon, 3 Dec 2001, Tarjei Huse wrote:
> > * The lmPassword and ntPassword LDAP attributes contain suspicious data
> > after the join operation. If the initial passwords for "roadrunner$" were
> > DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D, samba
> > changes them to
> > 0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000 during
> > the join operation. What's with all the zeroes?
> When joining the domain, the machine will change the pwd to a random value known
> by the machine and the pdc.
I figured as much. I was only questioning whether those hashes really are
sane. There are typically that many zeroes in the final (non working)
machine accounts and when feeding smbencrypt with a large number of
random passwords I don't get anything that looks like this.
> > * If I don't set acctFlags within the "add user script" script to
> > [W ], samba will set acctFlags to [DW ]. Is this a good
> > thing or a bad thing?
> Try setting them to w :)
Oh, is the lowercase important? I'll try that.
> > * How is the password generated that is used to generate the final lm/nt
> > hashes for the machine account? Where in the Samba code does this
> > happen?
> It happens on the client.
Sorry, I was more thinking about where in the samba source code this is
negotiated.
> Try getting tng-alpha. I've used the ldap support there in production for 7
> months without any trouble. Also read the docs (and links!) on ldap that you
> find here: www.samba-tng.org/docs.html
I will definitely try that.
Thanks,
/Erik
--
Erik Persson, System Manager <erik at roxen.com>
Roxen Internet Software Voice: +46 13 376817
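
Added example (not part of the original message and not Samba code): a Python check that quantifies how unlikely the zero bytes in the lmPassword/ntPassword values quoted above would be for real hash output. It assumes hash bytes are roughly uniformly distributed; the function names and the 1e-6 threshold are illustrative choices.

```python
from math import comb

HASH_BYTES = 16  # LM and NT hashes are both 128-bit values

# Values quoted in the message above, as "lmPassword:ntPassword".
INITIAL = "DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D"
AFTER_JOIN = "0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000"


def zero_bytes(hex_hash):
    """Count 0x00 bytes in one 32-hex-digit hash attribute."""
    raw = bytes.fromhex(hex_hash)
    if len(raw) != HASH_BYTES:
        raise ValueError("expected %d bytes, got %d" % (HASH_BYTES, len(raw)))
    return raw.count(0)


def tail_probability(k, n=HASH_BYTES, p=1 / 256):
    """P(at least k zero bytes among n), assuming uniform random bytes."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def check_pair(pair, threshold=1e-6):
    """Return {attribute: (zero_count, probability, suspicious)} for a pair.

    'suspicious' means the zero-byte count is less likely than the
    (assumed) threshold for a value that is really a hash digest.
    """
    lm, nt = pair.strip().split(":")
    report = {}
    for name, value in (("lmPassword", lm), ("ntPassword", nt)):
        k = zero_bytes(value)
        prob = tail_probability(k)
        report[name] = (k, prob, prob < threshold)
    return report


if __name__ == "__main__":
    for label, pair in (("initial", INITIAL), ("after join", AFTER_JOIN)):
        for attr, (k, prob, bad) in check_pair(pair).items():
            verdict = "SUSPICIOUS" if bad else "plausible"
            print("%-10s %-10s zero bytes=%2d  p=%.3g  %s"
                  % (label, attr, k, prob, verdict))
```

The check only measures how improbable the stored bytes are as digest output; it does not say where the values came from.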