password API needed

Jean-Francois Micouleau Jean-Francois.Micouleau at utc.fr
Tue May 12 18:34:02 GMT 1998


On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:

> The password system you have (putting the password in clear text) is
> unfortunately not sufficient. If we do one of the following:

You're right, it's not sufficient, and there is something worse. The
communication between an LDAP server and a client is in the clear. So it
means that when the LDAP server is on a different machine from smbd, you
send the password in clear text over the wire.

> - create an ldap database from a private/smbpasswd file
> - create an ldap database from an NT PDC SAM registry (the holy grail that
>   really takes microsoft's biscuit - an NT -> Samba migration tool HAHA!)
> - add PDC / BDC replication, and support mixed NT / Samba PDC/BDC
> environments
> 
> then we will need to put the 16-byte hashes in, not the plain-text
> password.  This is because the plain-text password, in the above
> scenarios, will not be available.

You have to make the distinction between user and trust accounts. If
people go for LDAP, it's because they probably want to have a single
database in which to store passwords.

We have two options for storing the password in encrypted form:

	- follow Luke Howard's RFC 2307 and have three userPassword values per
entry:
	userPassword:{crypt}Unix crypt password
	userPassword:{lmHash}easily cracked LM-hashed password
	userPassword:{ntHash}less easily, but still crackable, NT-hashed password
or

	- follow the Microsoft NT5 schema.
	I'm reading their web schema definition and the one that comes with
NT5 beta 1, and I'm lost.
	It looks like DBCS-Pwd is used to store the LanMan password, and
they are storing the password in userPassword and in Unicode-Pwd.

> So, if I add "ntPwdHash" and "lmPwdHash" to the LDAP schema, you know why
> :-)

I don't like it; I prefer to follow RFC 2307.

{lmHash} and {ntHash} are not defined in the RFC; they are something I just
invented.

Crypted passwords are better defined in LDAP v3, but the Umich slapd server is
LDAP v2 only.

	Jean Francois

-----------------------------------------------------------
Pinky: "What are we going to do tonight, Brain?"
Brain: "The same thing we do every night, Pinky :
	try to install Windows NT !"
-----------------------------------------------------------