trying to correctly handle account passwords via ldap

simo idra at
Tue Mar 28 00:39:11 GMT 2006

On Tue, 2006-03-28 at 10:32 +1000, Luke Howard wrote:
> >On a classic AD instead we have the following attributes:
> >
> >unicodePwd		write only attribute the password is specified
> >			as an ucs2 string enclosed in quotes
> >ntPwdHistory		NT hash history
> >lmPwdHistory		LM hash history
> Note that "classic" AD does not store the UCS-2 cleartext password in
> unicodePwd, even though it can be set that way. Rather, the NT OWF
> is stored in the unicodePwd attribute, and the LM OWF in dBCSPwd. Both
> these attributes are DES encrypted with the user's RID.

Do you mean that unicodePwd and dBCSPwd can be read out from an AD LDAP
server ?
I thought these were write only attributes.

> Package-specific credentials such as Kerberos keys and cleartext are
> stored in supplementalCredentials.

Is the format of supplmentalCredentials known ? Can it be read via


/trying to make our lbbsearch to work with SSL and without giving this
nice error:
<00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos
signing/sealing when using TLS/SSL, data 0, vece> <>

Simo Sorce
Samba Team GPL Compliance Officer
email: idra at

More information about the samba-technical mailing list