How do you compute sambaLMPassword/sambaNTPassword?
Andrew Bartlett
abartlet at samba.org
Sun Mar 21 01:47:19 GMT 2004
On Sun, 2004-03-21 at 11:47, Florin Jurcovici wrote:
> Hi.
>
> I'm not sure this is the best place to send my question, it's about
> development related to Samba, not about development of Samba itself, but I
> couldn't think of a better place to ask the question.
>
> Problem: making Domino's LDAP work with Samba, and doing all user
> management in Domino.
>
> Domino's LDAP supports sasl, so Linux authentication can go directly to
> Domino. The Windows authentication however doesn't send plain text
> passwords, so it cannot be routed to LDAP. Therefore, user management
> cannot be done entirely in Lotus Notes, you have to update user accounts
> using Samba's user tools, or the fields sambaLMPassword and
> sambaNTPassword in the account doc won't get set properly, and without
> these fields being set from outside of Samba/Windows user management tools
> you're forced to use plain text authentication from Windows to Samba - or
> am I wrong?

That sounds correct.

> In order to provide single signon and allow for complete user management
> using Lotus/Domino, in combination with Samba, I need to fill in the two
> fields by hand, when doing a password change in Lotus/Domino. So I need to
> know either the exact algorithms used for hashing or where I can find the
> funcs which do the hashing in the Samba code, then I'll be able to rebuild
> the funcs.

There is mkntpwd (a standalone copy of Samba's smbencrypt.c and
associated routines), or perl's Crypt::SmbHash for two places to start.

> Since these ops I need to do both from a Windows station and potentially
> when saving a user account document from a browser, if there are such
> funcs, I'd rather call them directly from the libraries where they are.
> Are there such funcs? If yes, where are they located? I suppose these
> funcs must be available in the Windows dlls and in the Samba libs, so even
> if the Domino server runs on Linux I can call them, if Samba is installed.
> I had a little look at the code, it seems to me that it's quite some piece
> of work to re-implement the two hashing algorithms, especially in such a
> weak language like LotusScript (which is what Notes/Domino supports best).

It's only DES and MD4, can it be that hard ;-)

The functions you are looking for in Samba are E_deshash() and
E_md4hash().

> Can you please help me? Or should I send the question to another address?
>
> Background of this problem: many companies use Lotus/Domino as a mail
> system and as an application platform. Few would accept to switch from one
> setup with two parallel directory systems to another setup with two
> parallel directory systems - Windows PDCs + NT Domains/ADS + Domino
> address book vs. Samba + OpenLDAP + Domino address book, since nothing
> changes regarding the user management overhead. But switching from Windows
> PDCs + NT Domains/ADS + Domino address book to Samba + Domino address book
> only would be a compelling reason to switch, if further user management can
> be done in Domino the same way you do user management for Domino users.
> The Domino LDAP server is pretty good, and completely eliminating any
> need of distinct user management tools for Samba/Windows and Domino is
> possible, if only the NT/LM hashes could be set automatically from within
> Notes/Domino.

Can you instead make Domino export the userPassword field, containing
the user's plaintext password?

I am quite happy to make a modification to Samba, where it will read the
plaintext password out of LDAP, and hash it internally.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list