Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration

Andrew Bartlett abartlet at samba.org
Sat Mar 27 04:33:34 GMT 2004


On Sat, 2004-03-27 at 13:12, Beast wrote:
> * Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > > 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1
> > > NThash on rpc-Vampire, passwd is different.
> > > 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as
> > > LANMANHASH in PWD.
> > > 3. No valid hash in PWD (only "****"), but has valid NTHASH in
> > > VMP.
> > > 4. Valid PWD, valid VMP and both are same.
> > >
> > > On rpc-vampire, from total of 638 machine, 448 are only having
> > > NTpassword hash entry.
> > > 
> > > Is it ok for machine account to have only one hash? (i can not try
> > > it right now because the site is on another city).
> > 
> > Only the NT password matters, except on 3.0.2 and 3.0.2a.  Later CVS
> > fixed an issue where the NT password not being present caused a bug
> > (account would be marked disabled).
> 
> 
> 1. In which tools we trust the output? pwdump or rpc vampire? why the
> output is different?

Well, I understand how 'net rpc vampire' functions, and as it makes
*exactly* the same calls that an NT BDC makes, I consider it to be the
'correct' output.  

I have not looked at the pwdump source, nor had any experience using it,
so I don't know why its output would differ.

> 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN
> hash? 

This is correct.

> Note: this 'feature' is mark as 'bug' by jerry and has been fixed.
> Is it safe to have NT hash only on production?
> 
> http://lists.samba.org/archive/samba/2004-March/082989.html

It is safe to have NT hash only in production, on versions of Samba that
support this, because for many account types (machine accounts in
particular, also accounts with strlen(pw) > 14) the NT hash is the only
valid hash.

The practice (on machine accounts) of setting the NT and LM passwords to
the same value derives from the need to avoid having a NULL LM password,
where that might mean 'all passwords'.  Samba no longer makes those
assumptions, and has not for a long time, so in the very near future,
this will be removed.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
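The four cases Beast lists (NT only, LM copied into NT, no valid hash, both present) can be checked mechanically against an smbpasswd-format dump, which is the line format both Samba and pwdump-style tools emit. The script below is an added example, not code from this thread or from Samba; it assumes the standard `user:uid:LMHASH:NTHASH:[flags]:LCT-hex:` layout, treats 32 `X` characters as "no hash stored", and recognises the well-known LM hash of the empty password as "no usable LM hash" (what Windows stores when a password exceeds 14 characters). Accounts with no NT hash are reported because, as the reply notes, 3.0.2 and 3.0.2a mark such accounts disabled. All hashes in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# smbpasswd-style entry as written by Samba and by pwdump-type tools:
#   username:uid:LMHASH:NTHASH:[flags]:LCT-hex:
NO_HASH = "X" * 32  # Samba writes 32 'X's when no hash is stored
# LM hash of the empty password (well-known constant). Windows stores it
# when no LM hash can be derived, e.g. password longer than 14 characters.
EMPTY_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"


@dataclass
class Entry:
    name: str
    uid: int
    lm: str
    nt: str
    flags: str


def parse_smbpasswd_line(line: str) -> Optional[Entry]:
    """Parse one smbpasswd line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 5:
        raise ValueError(f"malformed entry: {line!r}")
    name, uid, lm, nt, flags = fields[:5]
    for h in (lm, nt):
        if not re.fullmatch(r"[0-9A-Fa-f]{32}|X{32}", h):
            raise ValueError(f"bad hash field for {name}: {h!r}")
    return Entry(name, int(uid), lm.upper(), nt.upper(), flags)


def has_lm(e: Entry) -> bool:
    return e.lm not in (NO_HASH, EMPTY_LM_HASH)


def has_nt(e: Entry) -> bool:
    return e.nt != NO_HASH


def is_machine(e: Entry) -> bool:
    return e.name.endswith("$")  # trust/machine accounts end in '$'


def is_disabled(e: Entry) -> bool:
    return "D" in e.flags.strip("[]")


def classify(e: Entry) -> str:
    """Map an entry onto the cases discussed in the thread."""
    if not has_nt(e):
        return "no-nt-hash"      # would be marked disabled by 3.0.2/3.0.2a
    if not has_lm(e):
        return "nt-only"         # normal for machine accounts / long passwords
    if e.lm == e.nt:
        return "lm-equals-nt"    # old practice of copying the NT hash into LM
    return "both-hashes"


def audit(text: str) -> dict:
    """Count entries per case and list the ones that need attention."""
    counts: dict = {}
    findings = []
    for line in text.splitlines():
        e = parse_smbpasswd_line(line)
        if e is None:
            continue
        cat = classify(e)
        counts[cat] = counts.get(cat, 0) + 1
        if cat == "no-nt-hash" or (is_machine(e) and is_disabled(e)):
            findings.append((e.name, cat, e.flags))
    return {"counts": counts, "findings": findings}


# Constructed sample dump; every hash below is a placeholder, not a real credential.
SAMPLE = """\
# constructed sample
WS01$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-40650000:
WS02$:1002:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-40650000:
WS03$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[WD         ]:LCT-40650000:
alice:1004:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40650000:
bob:1005:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-40650000:
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for cat, n in sorted(result["counts"].items()):
        print(f"{cat:14s} {n}")
    for name, cat, flags in result["findings"]:
        print(f"attention: {name} ({cat}) flags={flags}")
```

Run against a real dump by replacing `SAMPLE` with the file contents; a large `nt-only` count among `$` accounts is expected and harmless on releases that handle NT-only accounts, while any `no-nt-hash` entry is the case to fix before migrating.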