How do you compute sambaLMPassword/sambaNTPassword?

Florin Jurcovici flj at
Sun Mar 21 00:47:21 GMT 2004


I'm not sure this is the best place to send my question, it's about 
development related to Samba, not about development of Samba itself, but I 
couldn't think of a better place to ask the question.

Problem: making Domino's LDAP work with Samba, and doing all user 
management in Domino.

Domino'S LDAP supports sasl, so Linux authentication can go directly to 
Domino. The Windows authentication however doesn't send plain text 
passwords, so it cannot be routed to LDAP. Therefore, user management 
cannot be done entirely in Lotus Notes, you have to update user accounts 
using Samba's user tools, or the fields sambaLMPassword and 
sambaNTPassword in the account doc won't get set properly, and without 
these fields being set from outside of Samba/Window user management tools 
you're forced to use plain text authentication from Windows to Samba - or 
am I wrong?

In order to provide single signon and allow for complete user management 
using Lotus/Domino, in combination with Samba, I need to fill in the two 
fields by hand, when doing a password change in Lotus/Domino. So I need to 
know either the exact algorithms used for hashing or where I can find the 
funcs which do the hashing in the Samba code, then I'll be able to rebuild 
the funcs.

Since these ops I need to do both from a Windows station and potentially 
when saving a user account document from a browser, if there are such 
funcs, I'd rather call them directly from the libraries where they are. 
Are there such funcs? If yes, where are they located? I suppose these 
funcs must be available in the Windows dlls and in the Samba libs, so even 
if the Domino server runs on Linux I can call them, if Samba is installed. 
I had a little look at the code, it seems to me that it's quite some piece 
of work to re-implement the two hashing algorithms, especially in such a 
weak language like LotusScript (which is what Notes/Domino supports best).

Can you please help me? Or should I send the question to another address?

Background of this problem: many companies use Lotus/Domino as a mail 
system and as an application platform. Few would accept to switch from one 
setup with two parallel directory systems to another setup with two 
parallel directory systems - Windows PDCs + NT Domains/ADS + Domino 
address book vs. Samba + OpenLDAP + Domino address book, since nothing 
changes regarding the user management overhead. But switching from Windows 
PDCs + NT Domains/ADS + Domino address book to Samba + Domino address book 
only would be a compelling reason to switch, if further user mangement can 
be done in Domino the same way you do user management for Domino users. 
The Domino LDAP server is pretty good, and completely elliminating any 
need of distinct user management tools for Samba/Windows and Domino is 
possible, if only the NT/LM hashes could be set automatically from within 

Best regards,

Florin Jurcovici
Complex problems have simple, easy to understand wrong answers.

More information about the samba-technical mailing list