Getting OpenLDAP to auth users against sambaNTPassword

Andrew Bartlett abartlet at
Fri Jun 20 06:31:34 GMT 2003

On Fri, 2003-06-20 at 16:09, Ronny Bremer wrote:
> Andrew,
> in principle, what you can do is to pass on an NTLM password hash and
> it will be compared with the stored value in the LDAP directory. As you
> don't have the clear text password, you can't use a simple bind, so SASL
> is the way to go. You provide the hash and NMAS will verify it. To add
> to the confusion, there are also attributes defined for the NTPassword
> and LMPassword hash values, whcih can be used to authenticate the user
> without having the clear text passwords. 

Firstly, I'm assuming you mean this to allow Samba to check incoming
CIFS users against the directory.

Does this work with the NTLM response?  We don't have the NTLM hash,
only the challenge-response value.  How does the Novell server trust us
that we can use these values?  How does it supply us with the session
key?  How does it work with NTLMv2?

> These are updated automatically
> if you perform a password change.

This is good news, given the previous sorry history in this area (I know
for ages a change of the Novell password would not update them).

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list