sambaPasswordHistory LDAP Attribute

Jared Rich jrich at
Fri Nov 5 19:36:26 GMT 2004

That does not seem to work for me.

For a password of "password", this is what shows in sambaPasswordHistory:

8E36265C3B44B640CCB365040DE68E5A 4BF09D61C23AB4A0CC9D1866E1C69191

I added the space between the 2 16 byte values for clarity.  I got the MD4
hash of the unicode version of "password" by running this:

mkntpwd -N password

that returned:  8846F7EAEE8FB117AD06BDD830B7586C

so, if I run: mkntpwd -N

which is mkntpwd -N [1st 16 bytes in sambaPasswordHistory+value from mkntpwd
-N password]

I should get the 2nd 16 byte value in sambaPasswordHistory...  but I don't.

Was that supposed to say MD5 in your last post? I did try both MD4 and MD5
just to check, but neither gave me the right result.

What am I doing wrong here?


Jeremy Allison (jra at wrote:
> On Fri, Nov 05, 2004 at 01:58:32PM -0500, Jared Rich wrote:
> > i guess i'm not understanding this right...
> >
> > the first 16 bytes make up the salt (unhashed) and the last 16 bytes make up
> > the hash of the salt and the MD4 unicode password?
> >
> > how is the salt applied?
> Here is the algorithm.
> Hash = MD4(unicode password).
> Salt = 16 bytes random values.
> What is stored is :
> [Salt][MD5(Salt+Hash)]
> Where the + is a concatenation of the two 16 byte
> values.
> To check if a new password matches a history.
> For each entry in the history list, calculate :
> MD5(Salt + MD4(unicode new password)) and compare
> with the second 16 bytes stored. If it matches, then
> so did the new password.
> Jeremy.
