Getting OpenLDAP to auth users against sambaNTPassword

Ronny Bremer rbremer at
Fri Jun 20 06:09:46 GMT 2003


In principle, what you can do is to pass on an NTLM password hash and
it will be compared with the stored value in the LDAP directory. As you
don't have the clear text password, you can't use a simple bind, so SASL
is the way to go. You provide the hash and NMAS will verify it. To add
to the confusion, there are also attributes defined for the NTPassword
and LMPassword hash values, which can be used to authenticate the user
without having the clear text passwords. These are updated automatically
if you perform a password change.

I will try to dig a better description up for you.


>>> Andrew Bartlett <abartlet at> 19.06.2003 08:22:32 >>>
On Thu, 2003-06-19 at 16:16, Ronny Bremer wrote:
> Which would also work when talking to Novell eDirectory. They have
> something called Novell Modular Authentication Services, so we can
> the NTLM hash straight to them and they will compare, works as a
> bind method via LDAP.

Is this for authenticating other things on Novell, Samba against
or Novell against samba's attribute in the Novell directory?

I'm a bit confused which interface this is.

For authenticating Samba users (domain logins/cifs connections), we
to do more than pass off the NTLM challenge-response - we need data
like the session key, and need to deal with NTLMv2 etc.

Andrew Bartlett

