[Samba] smbpasswd produces INCORRECT sambaNTPasswd hash on ppc (yellowdog 4.0 on xserve G5)

Jarom jerovich at gmail.com
Sat Nov 20 03:39:14 GMT 2004

I'm having trouble setting up samba as a PDC on an apple xserve, using
yellowdog linux 4.0. After a lot of thrashing, I believe the problem
may be smbpasswd generating the wrong NT hash. Running smbpasswd on a
redhat box (intel architecture) produces the follow LDAP entry:

dn: uid=testuser2,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser2
sn: testuser2
uid: testuser2
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/testuser2
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-813279244-2815909583-2512609307-3012
sambaPrimaryGroupSID: S-1-5-21-813279244-2815909583-2512609307-513
displayName: System User
sambaPwdMustChange: 2147483647
sambaAcctFlags: [U          ]
sambaPwdCanChange: 1100885825
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4

Running smbpasswd on the Xserve produces the following entry:
dn: uid=testuser1,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser1
sn: testuser1
uid: testuser1
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/testuser1
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-471028381-1047030085-1551032810-3000
sambaPrimaryGroupSID: S-1-5-21-471028381-1047030085-1551032810-513
displayName: System User
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaPwdCanChange: 1100920198
sambaPwdMustChange: 2147483647
sambaNTPassword: CAE238A01BFF98AB2A465882B20D01B7
sambaPwdLastSet: 1100920198
sambaAcctFlags: [U          ]
userPassword:: e1NNRDV9Z09tN08zWjJ6TEpOQUNvdDVYN0FQTCs2NWM0PQ==

Notice that the sambaNTPassword: entries are different!  And if I run:
[root at localhost /]# smbclient -L localhost -U testuser1%123456
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk
        public          Disk      Repertoire public
        IPC$            IPC       IPC Service (Samba Server 3.0.8)
        ADMIN$          IPC       IPC Service (Samba Server 3.0.8)
        testuser1       Disk      repertoire de testuser1, testuser1
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]
        Server               Comment
        ---------            -------
        PDC-SMB3             Samba Server 3.0.8
        Workgroup            Master
        ---------            -------
        ALLSTATE             PDC-SMB3
        INDIANA              EWC-TECH

Seems to work just fine, but if I try that from the redhat box, (or
from a windows machine):
smbclient -L PDC-SMB3 -U testuser1%123456
added interface ip= bcast= nmask=
Got a positive name query response from ( )
session setup failed: NT_STATUS_LOGON_FAILURE

I thought I had resolved the problem by using smbldap-passwd, which
uses Crypt::SmbHash and produces the correct sambaNTPassword, I can
authenticate from the windows box and from the intel redhat box just
fine, even though smbclient -L localhost -U testuser1%123456 from the
Xserve fails, but alas when I try to add a windows XP box to the
domain I get an access denied error. I've done some googling, but
havent found the solution to this dilemma. Is anyone else trying this?
Is this a new bug, or am I RTFing the wrong Manual?

smb.conf follows:
# Global parameters
        workgroup = allstate
        netbios name = PDC-SMB3
        #interfaces =
        username map = /etc/samba/smbusers
        #admin users= @"Domain Admins"
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = No
        #unix password sync = Yes
        #passwd program = /usr/local/sbin/smbldap-passwd -u %u
 #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
new password*" %n\n"
        ldap passwd sync = Yes
        log level = 20
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://
        # passdb backend = ldapsam:"ldap:// ldap://slave.idealx.com"
 # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        #ldap admin dn = cn=samba,ou=DSA,dc=allstate,dc=network
	ldap admin dn =cn=Manager,dc=allstate,dc=network
        ldap suffix = dc=allstate,dc=network
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap ssl = off
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g" 
        #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script =
/usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        #map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the
profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

        path = /home/netlogon/
 browseable = No
        read only = yes

        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U @"Domain Admins"

More information about the samba mailing list