sambaPasswordHistory LDAP Attribute

Jared Rich jrich at dev.creative-tech.com
Mon Nov 8 18:12:33 GMT 2004


Your program works great for checking a new password against the history.

The PHP MD5 function I am using takes a string as an argument, so I don't
understand why what I am doing doesn't work.

Is it only the sambaPasswordHistory LDAP attribute that expects the password
and salt to be in byte form, or is that for all MD5 conversions?

For a password "password" and a history of:

8E36265C3B44B640CCB365040DE68E5A 4BF09D61C23AB4A0CC9D1866E1C69191

In this little PHP script below, $salted_hash should contain
"4BF09D61C23AB4A0CC9D1866E1C69191", but it doesn't.

$passwd = "password";
$hash = shell_exec("mkntpwd -N $passwd");
$salt = "8E36265C3B44B640CCB365040DE68E5A";
$combo = $salt.$hash;
$salted_hash = md5($combo);

Well, anyway, your Python program works fine for checking against the history.
Now I just need to find a way to add a new entry to the history :)

Jared

Shahms King (shahms at shahms.com) wrote:
>
> On Fri, 2004-11-05 at 14:36 -0500, Jared Rich wrote:
> > That does not seem to work for me.
> >
> > For a password of "password", this is what shows in sambaPasswordHistory:
> >
> > 8E36265C3B44B640CCB365040DE68E5A 4BF09D61C23AB4A0CC9D1866E1C69191
> >
> > I added the space between the 2 16 byte values for clarity.  I got the MD4
> > hash of the unicode version of "password" by running this:
> >
> > mkntpwd -N password
> >
> > that returned:  8846F7EAEE8FB117AD06BDD830B7586C
> >
> > so, if I run: mkntpwd -N
> > 8E36265C3B44B640CCB365040DE68E5A8846F7EAEE8FB117AD06BDD830B7586C
> >
> > which is mkntpwd -N [1st 16 bytes in sambaPasswordHistory+value from mkntpwd
> > -N password]
> >
> > I should get the 2nd 16 byte value in sambaPasswordHistory...  but I don't.
> >
> > Was that supposed to say MD5 in your last post?? I did try both MD4 and MD5
> > just to check, but neither gave me the right result.
> >
> > What am I doing wrong here?
> >
> > Jared
>
> Alternatively, attached is a small Python program which will compare a
> "sambaPasswordHistory" and "sambaNTPassword" string.  It will print
> 'BAD' to stdout and exit with status 1 if they don't match or print 'OK'
> and exit with status 0 if they do. I hope it's of some use to someone.
>
> --
> Shahms E. King <shahms at shahms.com>
> Multnomah ESD
>
> Public Key:
> http://shahms.mesd.k12.or.us/~sking/shahms.asc
> Fingerprint:
> 1612 054B CE92 8770 F1EA  AB1B FEAB 3636 45B2 D75B
>
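
Added example (not the attached program from the thread and not Samba's own code): Samba stores each sambaPasswordHistory entry as a 16-byte salt followed by MD5(salt + NT hash), computed over the raw bytes rather than their hex text, so the sketch below decodes the hex first, then builds and checks entries. The function names are this example's own, and the NT hash is taken as hex input, as printed by mkntpwd -N.

```python
import hashlib
import hmac
import os

SALT_LEN = 16                      # raw salt bytes per history entry
ENTRY_HEX = 2 * (SALT_LEN + 16)    # salt + MD5 digest = 64 hex characters


def make_history_entry(nt_hash_hex, salt=None):
    """Build one entry: hex(salt || MD5(salt || nt_hash)), all on raw bytes."""
    nt_hash = bytes.fromhex(nt_hash_hex)
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 32 hex characters")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return (salt + hashlib.md5(salt + nt_hash).digest()).hex().upper()


def in_history(history_hex, nt_hash_hex):
    """True if the NT hash matches any 64-hex-character entry in the history."""
    history_hex = "".join(history_hex.split())   # tolerate spaces added for clarity
    if len(history_hex) % ENTRY_HEX:
        raise ValueError("history is not a whole number of entries")
    nt_hash = bytes.fromhex(nt_hash_hex)
    found = False
    for i in range(0, len(history_hex), ENTRY_HEX):
        entry = bytes.fromhex(history_hex[i:i + ENTRY_HEX])
        salt, stored = entry[:SALT_LEN], entry[SALT_LEN:]
        expected = hashlib.md5(salt + nt_hash).digest()
        found |= hmac.compare_digest(stored, expected)   # constant-time compare
    return found


def md5_over_hex_text(salt_hex, nt_hash_hex):
    """The pitfall: hashing the 64 ASCII hex characters, not the 32 raw bytes."""
    return hashlib.md5((salt_hex + nt_hash_hex).encode("ascii")).hexdigest().upper()


if __name__ == "__main__":
    # Values quoted in the thread for the password "password".
    nt = "8846F7EAEE8FB117AD06BDD830B7586C"
    history = "8E36265C3B44B640CCB365040DE68E5A 4BF09D61C23AB4A0CC9D1866E1C69191"
    print("thread entry matches:", in_history(history, nt))
    print("new entry to append:", make_history_entry(nt))
```

In PHP the same decoding step is `pack("H*", $hex)` applied to the salt and to the NT hash before calling `md5()`.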


