Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration

Andrew Bartlett abartlet at
Sat Mar 27 04:33:34 GMT 2004

On Sat, 2004-03-27 at 13:12, Beast wrote:
> * Andrew Bartlett <abartlet at> wrote:
> > > 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1
> > > NThash on rpc-Vampire, passwd is different.
> > > 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as
> > > 3. No valid hash in PWD (only "****"), but has valid NTHASH in
> > > VMP.
> > > 4. Valid PWD, valid VMP and both are same.
> > >
> > > On rpc-vampire, from a total of 638 machines, 448 have only an
> > > NT password hash entry.
> > > 
> > > Is it OK for a machine account to have only one hash? (I cannot try
> > > it right now because the site is in another city).
> > 
> > Only the NT password matters, except on 3.0.2 and 3.0.2a.  Later CVS
> > fixed an issue where the NT password not being present caused a bug
> > (account would be marked disabled).
> 1. Which tool's output do we trust, pwdump or rpc vampire? Why is the
> output different?

Well, I understand how 'net rpc vampire' functions, and as it makes
*exactly* the same calls that an NT BDC makes, I consider it to be the
'correct' output.  

I have not looked at the pwdump source, nor had any experience using it,
so I don't know why its output would differ.

> 2. Does this mean I cannot use 3.0.2 or 3.0.2a if I don't have a LANMAN
> hash? 

This is correct.

> Note: this 'feature' is marked as a 'bug' by Jerry and has been fixed.
> Is it safe to have NT hash only on production?

It is safe to have NT hash only in production, on versions of Samba that
support this, because for many account types (machine accounts in
particular, also accounts with strlen(pw)> 14) the NT hash is the only
valid hash.

The practice (on machine accounts) of setting the NT and LM passwords to
the same value derives from the need to avoid having a NULL LM password,
where that might mean 'all passwords'.  Samba no longer makes those
assumptions, and has not for a long time, so in the very near future,
this will be removed.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
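
Added example, not part of the original message and not Samba's own code: a small audit that groups the accounts in a pwdump- or smbpasswd-style dump by which hashes are actually present, so the NT-hash-only accounts discussed in this thread (the ones 3.0.2 and 3.0.2a cannot use) can be counted before a migration. The function names, the sample lines and every hash value are constructed for illustration; treating the empty-string LM hash as "no LM hash" and reading "same value" as identical hash fields are assumptions.

```python
import re

HEX32 = re.compile(r"[0-9a-fA-F]{32}")
# LM hash of the empty string; treated here (an assumption) as "no usable LM hash".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def has_hash(field, empty=None):
    """True only for a real 32-hex-digit hash, not '****' or 'NO PASSWORD...' filler."""
    return bool(HEX32.fullmatch(field)) and field.lower() != empty

def classify(line):
    """Classify one 'name:id:LM:NT:...' line (pwdump and smbpasswd share this prefix)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a password dump line: {line!r}")
    name, _id, lm, nt = fields[:4]
    lm_ok, nt_ok = has_hash(lm, EMPTY_LM), has_hash(nt)
    kind = {(True, True): "both", (False, True): "nt_only",
            (True, False): "lm_only", (False, False): "none"}[(lm_ok, nt_ok)]
    return {"name": name, "machine": name.endswith("$"), "kind": kind,
            # Assumption: the machine-account habit from the thread shows up
            # as an LM field identical to the NT field.
            "lm_copied_from_nt": lm_ok and nt_ok and lm.lower() == nt.lower()}

def audit(lines):
    """Group account names by hash state; 'nt_only' is what 3.0.2/3.0.2a cannot use."""
    report = {"both": [], "nt_only": [], "lm_only": [], "none": []}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            entry = classify(line)
            report[entry["kind"]].append(entry["name"])
    return report

# Constructed sample input: every hash value below is made up for illustration.
SAMPLE = """\
WS01$:1001:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-40650000:
WS02$:1002:89abcdef0123456789abcdef01234567:89abcdef0123456789abcdef01234567:::
alice:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1004:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
OLDPC$:1005:********************************:********************************:::
""".splitlines()

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(f"{kind:8} {len(names):3}  {', '.join(names)}")
```
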