trying to correctly handle account passwords via ldap

Luke Howard lukeh at
Tue Mar 28 00:32:50 GMT 2006

>On a classic AD instead we have the following attributes:
>unicodePwd		write only attribute the password is specified
>			as an ucs2 string enclosed in quotes
>ntPwdHistory		NT hash history
>lmPwdHistory		LM hash history

Note that "classic" AD does not store the UCS-2 cleartext password in
unicodePwd, even though it can be set that way. Rather, the NT OWF
is stored in the unicodePwd attribute, and the LM OWF in dBCSPwd. Both
these attributes are DES encrypted with the user's RID.

Package-specific credentials such as Kerberos keys and cleartext are
stored in supplementalCredentials.

You are correct about ntPwdHistory/lmPwdHistory.


-- Luke


More information about the samba-technical mailing list