decrypting samba-hashes

James Sutherland jas88 at
Wed Feb 9 17:50:37 GMT 2000

On Thu, 10 Feb 2000, Christian Engwer wrote:

> Hello,
> I have the problem that I need to authenticate against a normal
> Unix system and against AFS. For using AFS I compiled Samba with
> AFS-support.
> Now I have the problem that my NT machines only want to authenticate
> against my Samba server if they are able to use encrypted
> passwords. But if I have encrypted passwords, I can't get an
> AFS token.
> Now I was wondering whether I could decrypt the smbpassword, and then
> authenticate against my AFS server.

It is POSSIBLE to "decrypt" these passwords, but not quickly enough to
avoid the client timing out. In fact, it can take up to four days to crack
particularly tough passwords on a fairly powerful PC.

The simplest solution in this case would appear to be having BOTH sets of
passwords: Plaintext (for AFS) AND LanMan/NT hashes (for Samba). Provided
you make sure the two are always synchronised, this shouldn't cause any
problems (although it is, of course, a security risk to have plaintext
passwords lying around, there is little practical difference between
LanMan/NT hashes and plaintext: a couple of hours of number crunching will
"decrypt" the hashes anyway...)

You need to do this sort of thing anyway (but with Samba and Unix
passwords) if you want accounts to match up, so someone out there should
know how to do this (WITHOUT using PAM and SMB auth!) :-)

James Sutherland.
