Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration

Beast indorama at
Sat Mar 27 04:55:41 GMT 2004

* Andrew Bartlett <abartlet at> menulis:

> > 1. In which tools we trust the output? pwdump or rpc vampire? why
> > the output is different?
> Well, I understand how 'net rpc vampire' functions, and as it makes
> *exactly* the same calls that an NT BDC makes, I consider it to be
> the'correct' output.  

Just a wishes, is it possible to get pwdump.exe version of net rpc
vampire? so we can get hashses output without installing full blown of
samba and *script? 
It then up to administrator what to do with the output, this is the
cleanest soulution if you already have existing account in ldap.

Also, net rpc vampire has few advantage over pwdump, it can retrieve
groups where pwdump can not.

> I have not looked at the pwdump source, nor had any experience using
> it, so I don't know why it's output would differ.
> > 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have
> > LANMAN hash? 
> This is correct.

Sorry for asking again here, can I use samba 3.0.3pre1? sincei can't
use older version of samba. Just to make sure...

> > Note: this 'feature' is mark as 'bug' by jerry and has been fixed.
> > Is it safe to have NT hash only on production?
> > 
> >
> It is safe to have NT hash only in production, on versions of Samba
> the support this, because for many account types (machine accounts
> in particular, also accounts with strlen(pw)> 14) the NT hash is the
> only valid hash.
> The practise (on machine accounts) of setting the NT and LM
> passwords to the same value derives from the need to avoid having a
> NULL LM password, where that might mean 'all passwords'.  Samba no
> longer makes those assumptions, and has not for a long time, so in
> the very near future, this will be removed.

Thanks, you really save my life ;-)


More information about the samba mailing list