sambaPasswordHistory LDAP Attribute

Jared Rich jrich at dev.creative-tech.com
Fri Nov 5 19:36:26 GMT 2004


That does not seem to work for me.

For a password of "password", this is what shows in sambaPasswordHistory:

8E36265C3B44B640CCB365040DE68E5A 4BF09D61C23AB4A0CC9D1866E1C69191

I added the space between the 2 16 byte values for clarity.  I got the MD4
hash of the unicode version of "password" by running this:

mkntpwd -N password

that returned:  8846F7EAEE8FB117AD06BDD830B7586C

so, if I run: mkntpwd -N
8E36265C3B44B640CCB365040DE68E5A8846F7EAEE8FB117AD06BDD830B7586C

which is mkntpwd -N [1st 16 bytes in sambaPasswordHistory+value from mkntpwd
-N password]

I should get the 2nd 16 byte value in sambaPasswordHistory...  but I don't.

Was that supposed to say MD5 in your last post?? I did try both MD4 and MD5
just to check, but neither gave me the right result.

What am I doing wrong here?

Jared


Jeremy Allison (jra at samba.org) wrote:
>
> On Fri, Nov 05, 2004 at 01:58:32PM -0500, Jared Rich wrote:
> > i guess i'm not understanding this right...
> >
> > the first 16 bytes make up the salt (unhashed) and the last 16 bytes make up
> > the hash of the salt and the MD4 unicode password?
> >
> > how is the salt applied?
>
> Here is the algorithm.
>
> Hash = MD4(unicode password).
> Salt = 16 bytes random values.
>
> What is stored is :
>
> [Salt][MD5(Salt+Hash)]
>
> Where the + is a concatenation of the two 16 byte
> values.
>
> To check if a new password matches a history.
>
> For each entry in the history list, calculate :
>
> MD5(Salt + MD4(unicode new password)) and compare
> with the second 16 bytes stored. If it matches, then
> so did the new password.
>
> Jeremy.
>
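
The calculation described in the quoted reply, as an added example that is not part of the original thread or Samba's own code: the hex text is decoded to raw bytes first, and MD5 is computed over the 32-byte concatenation of the salt and the NT hash. The function names, the pure-Python MD4, and the layout of several entries as back-to-back 32-byte records in one hex string are assumptions.

```python
import hashlib, hmac, os, struct

M = 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    data += struct.pack("<Q", len(msg) * 8)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:      # round 1: F, message words in order
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[i % 4]
            elif i < 32:    # round 2: G plus constant, column order
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[i % 4]
            else:           # round 3: H plus constant, bit-reversed order
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, r3[j], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + f + X[k]) & M, s), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # Hash = MD4(unicode password); "unicode" here is UTF-16LE
    return md4(password.encode("utf-16-le"))

def make_entry(password: str, salt: bytes = None) -> str:
    # [Salt][MD5(Salt+Hash)], rendered as upper-case hex
    salt = salt or os.urandom(16)
    return (salt + hashlib.md5(salt + nt_hash(password)).digest()).hex().upper()

def in_history(history_hex: str, new_password: str) -> bool:
    raw = bytes.fromhex(history_hex)  # decode hex text to raw bytes before hashing
    if len(raw) % 32:
        raise ValueError("history must consist of whole 32-byte entries")
    candidate = nt_hash(new_password)
    for off in range(0, len(raw), 32):
        salt, stored = raw[off:off + 16], raw[off + 16:off + 32]
        if hmac.compare_digest(hashlib.md5(salt + candidate).digest(), stored):
            return True
    return False
```

`in_history` accepts the attribute value as hex text, with or without spaces between the halves, so a value such as the one quoted in the post can be passed in directly.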


