password API needed

Luke Kenneth Casson Leighton lkcl at
Tue May 12 19:46:52 GMT 1998

On Tue, 12 May 1998, Jean-Francois Micouleau wrote:
> > then we will need to put the 16 byte hashes in, not the plain-text
> > password.  this is because the plain-text password, in the above
> > scenarios, will not be available.
> You have to make the distinction between users and trusts accounts.

why?  not in my book you don't, and not in an NT SAM you don't.  trust
accounts _are_ SAM users, but just with a different ACB_xxxx value.

> If
> people go for ldap, it's because they probably want to have a single
> database to store password.

> > so, if i add "ntPwdHash" and "lmPwdHash" to the ldap schema, you know why
> > :-)
> I don't like it, I prefer to follow RFC2037.

wossat, then?  what's that say (in a nutshell)
> {lmHash} and {ntHash} are not define in the RFC, it's something I just
> invented.
> crypted password are better defined in ldap v3, but Umich slapd server is
> ldap v2 only.


then we will have to invent / use what microsoft does, which is to
obfuscate with a long-term session key.

More information about the samba-technical mailing list