trying to correctly handle account passwords via ldap
lukeh at padl.com
Tue Mar 28 00:32:50 GMT 2006
>On a classic AD instead we have the following attributes:
>unicodePwd write only attribute the password is specified
> as an ucs2 string enclosed in quotes
>ntPwdHistory NT hash history
>lmPwdHistory LM hash history
Note that "classic" AD does not store the UCS-2 cleartext password in
unicodePwd, even though it can be set that way. Rather, the NT OWF
is stored in the unicodePwd attribute, and the LM OWF in dBCSPwd. Both
these attributes are DES encrypted with the user's RID.
Package-specific credentials such as Kerberos keys and cleartext are
stored in supplementalCredentials.
You are correct about ntPwdHistory/lmPwdHistory.
More information about the samba-technical