LDAP-SAM and Samba 2.2

Erik Persson erik at roxen.com
Mon Dec 3 12:35:04 GMT 2001

On Mon, 3 Dec 2001, Tarjei Huse wrote:

> > * The lmPassword and ntPassword LDAP attributes contain suspicious data
> >   after the join operation. If the initial passwords for "roadrunner$" were
> >   DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D, samba
> >   changes them to
> >   0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000 during
> >   the join operation. What's with all the zeroes?
> When joining the domain, the machine will change the pwd to a random value known
> by the machine and the pdc.

I figured as much. I was only questioning whether those hashes really are
sane. There are typically that many zeroes in the final (non working)
machine accounts and when feeding smbencrypt with a large number of
random passwords I don't get anything that looks like this.

> > * If I don't set acctFlags within the "add user script" script to
> >   [W          ], samba will set acctFlags to [DW         ]. Is this a good
> >   thing or a bad thing?
> Try setting them to w :)

Oh, is the lowercase important? I'll try that.

> > * How is the password generated that is used to generate the final lm/nt
> >   hashes for the machine account? Where in the Samba code does this
> >   happen?
> It happens on the client.

Sorry, I was more thinking about where in the samba source code this is

> Try getting tng-alpha. I've used the ldap support there in production for 7
> months without any trouble. Also read the docs (and links!) on ldap that you
> find here: www.samba-tng.org/docs.html

I will definitely try that.


Erik Persson, System Manager            <erik at roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
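
An added example, not part of the original message or of the Samba source: a sanity check for stored lmPassword/ntPassword values that measures how unlikely their zero-byte count would be for real hash output. It assumes hash bytes are roughly uniformly distributed; the function names and the threshold are hypothetical, and the sample values are the ones quoted in the thread.

```python
import re
from math import comb

HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Values quoted in the thread, in smbencrypt-style "LM:NT" form.
BEFORE_JOIN = "DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D"
AFTER_JOIN = "0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000"


def zero_bytes(hex_hash):
    """Count 0x00 bytes in a 16-byte hash given as 32 hex characters."""
    if not HASH_RE.match(hex_hash):
        raise ValueError("expected 32 hex characters: %r" % hex_hash)
    return bytes.fromhex(hex_hash).count(0)


def tail_probability(k, n=16, p=1 / 256):
    """P(at least k of n uniformly random bytes are zero): binomial tail."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def check_pair(pair, threshold=1e-6):
    """Return (attribute, zero_count, probability, suspicious) for each half."""
    lm, nt = pair.split(":")  # raises ValueError if the pair is malformed
    results = []
    for name, value in (("lmPassword", lm), ("ntPassword", nt)):
        k = zero_bytes(value)
        prob = tail_probability(k)
        # Assumption: real LM/NT hash bytes behave like uniform random bytes,
        # so a very small probability points at non-hash data in the attribute.
        results.append((name, k, prob, prob < threshold))
    return results


if __name__ == "__main__":
    for label, pair in (("before join", BEFORE_JOIN), ("after join", AFTER_JOIN)):
        for name, k, prob, bad in check_pair(pair):
            verdict = "SUSPICIOUS" if bad else "plausible"
            print("%-11s %-10s zero bytes=%2d  p=%.3g  %s"
                  % (label, name, k, prob, verdict))
```

With the default threshold, any value with four or more zero bytes out of sixteen is flagged.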
