NT Password Change Behavior

Matt Pavlovich mpav at algx.net
Tue Mar 19 15:33:06 GMT 2002


Jeremy-

My goal is to write a quick and dirty patch to OpenLDAP to sync
passwords across all the password fields of a user.  This could also be
done easily with Netscape/iPlanet's pre-op plugin mechanism.

Let me see if I have this correctly...

1) There are multiple 'update password' methods
2) One passes the clear password to the PDC
3) Another method passes the LM of the new password to the PDC
4) The last sends plaintext encrypted by hash (LM Hash?) of old password

So... is this correct:
1) The PDC will *not* always have access to the clear text of the
password being changed.
2) There is no way to force all clients (9x,NT,2k,XP) to behave in the
same way (pass PDC clear text of new password)

This is really ugly.  This means that it is impossible to implement a
password synchronization service/function on the directory of an LDAP-backed
Samba PDC, to synchronize b/w NT/LM hashes, and crypt|sha|md5.
Even when you have "interoperability", their implementation is so
hosed, you can't achieve true seamless integration.

Matt Pavlovich

On Tue, 2002-03-19 at 11:33, Jeremy Allison wrote:
> On Tue, Mar 19, 2002 at 11:17:23AM -0600, Matt Pavlovich wrote:
> > Quick question-
> > 
> > When a user updates their password from a local workstation on a Domain,
> > is the password hash generated on the client's computer, then passed to
> > the PDC for storage, or is the clear password sent, and the PDC creates
> > the hash?
> 
> Depends (doesn't it always with SMB :-). There are 3 different methods
> of changing a password. Probably more if you go into undocumented IDL
> territory :-).
> 
> One uses plaintext only, one uses LM hash only, but the one you probably
> want is the 3rd method that sends plaintext of new encrypted by hash
> of old.
> 
> Jeremy.
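The third method Jeremy describes, worked through as an added example that is not from this thread or from Samba: the client encrypts the new password under the hash of the old one, and the PDC, which already stores that old NT hash, decrypts it and so does end up with the new plaintext. It assumes the MS-SAMR style 516-byte buffer (random fill, new password as UTF-16LE, 4-byte length) and RC4 keyed by the old NT hash (MD4 over the UTF-16LE old password); the separate DES-encrypted old-hash verifier that accompanies the buffer in the real exchange is omitted.

```python
import os
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in modern OpenSSL builds."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, x in enumerate(order):
                t, s = (a + f(b, c, d) + X[x] + k) & M, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & M, b, c  # rotate registers a<-d, b<-new a
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream; RC4 is its own inverse, so this both encrypts and decrypts
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # NT hash = MD4 over the UTF-16LE password

def client_encrypt_new_password(new_password: str, old_password: str) -> bytes:
    """Client: 516-byte buffer = random fill | new password (UTF-16LE) | 4-byte length, RC4 keyed by old NT hash."""
    pw = new_password.encode("utf-16-le")
    return rc4(nt_hash(old_password), os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw)))

def pdc_recover_new_password(blob: bytes, stored_old_nt_hash: bytes) -> str:
    """PDC: the old NT hash it already stores is the key, so the new plaintext is recoverable and can be re-hashed."""
    buf = rc4(stored_old_nt_hash, blob)
    length = struct.unpack("<I", buf[512:516])[0]  # a wrong key yields garbage, almost surely > 512
    if length > 512:
        raise ValueError("decryption failed: stored old hash does not match the client's")
    return buf[512 - length:512].decode("utf-16-le")
```

The string `pdc_recover_new_password` returns is exactly the point at which a sync hook on the PDC could compute crypt/sha/md5 for the directory; the LM-hash-only method offers no such point, which is the gap the thread is about.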

More information about the samba-technical mailing list