NT Password Change Behavior

Matt Pavlovich mpav at algx.net
Wed Mar 20 09:20:03 GMT 2002

> The holdouts are clients <= Win95.  I know Win98 will send the cleartext 
> (encrypted with the old hash).  The reason for this is that MS implements 
> (or allows others to implement) 'password filters' which are mainly to
> ensure password quality.  These need the plaintext at the server.  The other
> thing they need this for is when Win9X changes a password, it needs somebody to 
> make the NT hash (the client doesn't do NT in this case).

Ok, makes more sense.

> Apart from Win9X and earlier clients (and I'm not 100% on exactly which versions)
> you should be able to implement this, either as a 'unix password sync' program 
> or a patch to passdb/pdb_get_set.c:pdb_set_plaintext_password() and to 
> passdb/pdb_ldap.c.  (That is, keep the plaintext in the SAM_ACCOUNT, and
> just set the extra attributes in init_ldap_from_sam()).

Great!  Thanks for the code reference as well.  Samba is the real bugger
in trying to solve this problem, since most other apps can be modified
to auth via bind, but Samba needs the pesky hashes.  Implementing this
as a 'unix password sync' program may be the best option to accommodate
all the various hashes/attributes that people may use.

Thanks again for the clarification. 

Matt Pavlovich
