How do you compute sambaLMPassword/sambaNTPassword?

Andrew Bartlett abartlet at
Sun Mar 21 01:47:19 GMT 2004

On Sun, 2004-03-21 at 11:47, Florin Jurcovici wrote:
> Hi.
> I'm not sure this is the best place to send my question, it's about 
> development related to Samba, not about development of Samba itself, but I 
> couldn't think of a better place to ask the question.
> Problem: making Domino's LDAP work with Samba, and doing all user 
> management in Domino.
> Domino's LDAP supports sasl, so Linux authentication can go directly to 
> Domino. The Windows authentication however doesn't send plain text 
> passwords, so it cannot be routed to LDAP. Therefore, user management 
> cannot be done entirely in Lotus Notes, you have to update user accounts 
> using Samba's user tools, or the fields sambaLMPassword and 
> sambaNTPassword in the account doc won't get set properly, and without 
> these fields being set from outside of Samba/Windows user management tools 
> you're forced to use plain text authentication from Windows to Samba - or 
> am I wrong?

That sounds correct.

> In order to provide single signon and allow for complete user management 
> using Lotus/Domino, in combination with Samba, I need to fill in the two 
> fields by hand, when doing a password change in Lotus/Domino. So I need to 
> know either the exact algorithms used for hashing or where I can find the 
> funcs which do the hashing in the Samba code, then I'll be able to rebuild 
> the funcs.

There is mkntpwd (a standalone copy of Samba's smbencrypt.c and
associated routines), or perl's Crypt::SmbHash for two places to start.

> Since these ops I need to do both from a Windows station and potentially 
> when saving a user account document from a browser, if there are such 
> funcs, I'd rather call them directly from the libraries where they are. 
> Are there such funcs? If yes, where are they located? I suppose these 
> funcs must be available in the Windows dlls and in the Samba libs, so even 
> if the Domino server runs on Linux I can call them, if Samba is installed. 
> I had a little look at the code, it seems to me that it's quite some piece 
> of work to re-implement the two hashing algorithms, especially in such a 
> weak language like LotusScript (which is what Notes/Domino supports best).

It's only DES and MD4, can it be that hard ;-)

The functions you are looking for in Samba are E_deshash() and

> Can you please help me? Or should I send the question to another address?
> Background of this problem: many companies use Lotus/Domino as a mail 
> system and as an application platform. Few would accept to switch from one 
> setup with two parallel directory systems to another setup with two 
> parallel directory systems - Windows PDCs + NT Domains/ADS + Domino 
> address book vs. Samba + OpenLDAP + Domino address book, since nothing 
> changes regarding the user management overhead. But switching from Windows 
> PDCs + NT Domains/ADS + Domino address book to Samba + Domino address book 
> only would be a compelling reason to switch, if further user management can 
> be done in Domino the same way you do user management for Domino users. 
> The Domino LDAP server is pretty good, and completely eliminating any 
> need of distinct user management tools for Samba/Windows and Domino is 
> possible, if only the NT/LM hashes could be set automatically from within 
> Notes/Domino.

Can you instead make Domino export the userPassword field, containing
the user's plaintext password?

I am quite happy to make a modification to Samba, where it will read the
plaintext password out of LDAP, and hash it internally.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at