Authentication ....

Peter Samuelson peter at cadcamlab.org
Wed Jan 24 15:30:29 GMT 2001


[Lee Taylor]
> I don't seem to understand the differences between M$-LM password
> storage and Unix Hash password storage ... I have read though the
> archives but don't seem to quite get the difference.

Different hash functions, and incompatible.

/hashfunctionexplanation (

  The Unix password encryption function goes like this: take the first
  8 characters of the password (pad with '\0' if necessary) and convert
  to a 56-bit number by using the low 7 bits of each.  This is your
  key.  Generate a random 16-bit value; this is your salt.  Next, take
  a known string and mutate it using the salt.  Encrypt the result with
  your 56-bit key.  Finally, convert the salt, followed by the encrypted
  string, to printable ASCII using a base-64-like function.

  The LanManager hash is also based on DES.  Start with the password,
  cut it off at 14 characters and convert to uppercase.  Use all 8 bits
  of each character to derive two 56-bit keys.  DES-encrypt two known
  strings with the two keys.[1]  Store the 128-bit result as a 32-byte
  string of hex digits (in ASCII).

    [1] I'm not entirely sure about this step; corrections are welcome.

  Then there's the NT hash.  Take the password, cut it off at 128
  characters and convert to 16-bit Unicode.  Run this through the MD4
  digest function.  Store the 128-bit result the same way as LanManager.

  None of the three algorithms are reversible, i.e. you can't derive
  plaintext passwords from them without brute-forcing DES or MD4, and
  likewise you can't convert any of them to either of the other two.
  For all three functions, the way to check a user's password is to
  encrypt it and verify that the encrypted versions match.

) def

I have no idea what is used by Netware/Mars-NWE, but I assume it's yet
another variation on the above theme........

Now.  For your problem.  The thing you need to do is keep all your
passwords in sync.  Basically that means updating all passwords
whenever one of them is changed, and this can be accomplished with a
combination of smb.conf options (for changing the Unix password
whenever a client changes the LM/NT ones) and a PAM module such as
pam_smbpass (don't remember the download site) which does the converse.
Alternative schemes exist, such as keeping everything in LDAP, but you
still have to set things up to change all your password hashes at once.
Read the docs, and the archives.

Peter
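Worked example (added by the editor; this is not code from the post above
or from Samba): the NT hash and the LM key-derivation step described in the
message, plus a password check done the way the post says all three schemes
do it, by hashing the candidate and comparing.  MD4 is written out inline
because hashlib's md4 sits behind OpenSSL's legacy provider and is often
unavailable.  For LanManager only the preparation of the two DES keys is
shown (upper-case, truncate to 14, split in two 7-byte halves, expand to
8-byte DES keys); the DES encryption of the known block itself is left out
since it would need a DES routine.  The function names (md4, nt_hash,
lm_des_keys, check_nt_password) and the sample passwords are the editor's
own.

```python
import hmac
import struct

_M32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written out here because hashlib.new('md4')
    fails on builds where OpenSSL 3 hides MD4 in its legacy provider."""
    msg = bytearray(data)
    msg.append(0x80)                                  # padding: 1 bit then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, message-word order, per-step shifts)
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        w0, w1, w2, w3 = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Each step rewrites one register; rotating the tuple walks the
                # a, d, c, b register order of the specification.
                w0, w1, w2, w3 = w3, _lrot((w0 + fn(w1, w2, w3) + x[idx] + k) & _M32, shifts[i % 4]), w1, w2
        a, b, c, d = (a + w0) & _M32, (b + w1) & _M32, (c + w2) & _M32, (d + w3) & _M32
    return struct.pack('<4I', a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE ("16-bit Unicode") form of the password, as hex."""
    return md4(password.encode('utf-16-le')).hex()


def _lm_des_key(half: bytes) -> bytes:
    """Spread 7 bytes (56 bits) over 8 bytes, 7 key bits per byte, with the low
    bit set to odd parity. DES ignores the parity bits, so they are cosmetic."""
    bits = int.from_bytes(half, 'big')
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count('1') % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def lm_des_keys(password: str) -> tuple:
    """LM key derivation: upper-case, cut at 14 bytes, NUL-pad, split into two
    7-byte halves, expand each to a DES key. Encrypting the known block with
    each key (the step footnote [1] is unsure about) is not done here."""
    pw = password.upper().encode('latin-1', 'replace')[:14].ljust(14, b'\x00')
    return _lm_des_key(pw[:7]), _lm_des_key(pw[7:])


def check_nt_password(stored_hex: str, candidate: str) -> bool:
    """Verify a candidate the way all three schemes do: hash it and compare with
    the stored hash (constant-time compare so the check does not leak timing)."""
    return hmac.compare_digest(nt_hash(candidate), stored_hex.lower())


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real account database.
    print("NT  password ->", nt_hash("password"))
    print("LM keys, 'password' == 'PASSWORD':", lm_des_keys("password") == lm_des_keys("PASSWORD"))
    print("LM second half of a <=7 char password is constant:", lm_des_keys("short")[1] == lm_des_keys("")[1])
    print("check:", check_nt_password(nt_hash("password"), "password"))
```

The lm_des_keys output makes the weakness of the LanManager scheme concrete:
case is discarded, anything past 14 characters is ignored, and for a
password of seven characters or fewer the second key is all zeros, so the
second half of every such hash is the same known constant.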



