[Samba] getting rid of lmhashes?

Mark Proehl M.Proehl at science-computing.de
Thu Mar 2 20:21:40 GMT 2006


Hi Jerry,

thanks for your reply.

On Thu, Mar 02, 2006 at 11:17:58AM -0600, Gerald (Jerry) Carter wrote:
> 
> Mark Proehl wrote:
> > Hi,
> > 
> > is there a way of disabling the creation of the (insecure) lm-hash in
> > the passdb backend of a samba3-pdc?
> 
> IIRC setting 'lanman auth = no' might do this.  Or
> alternatively just enforce password length > 14 characters.
> 

I've already tried 'lanman auth = no', but the LM hashes still exist
in my backend and are modified by user password changes. Here is an example:

  myhost:~ # testparm -sv | grep lanman
  Load smb config files from /usr/local/samba/lib/smb.conf
  Processing section "[homes]"
  Loaded services file OK.
  WARNING: passdb expand explicit = yes is deprecated
  Server role: ROLE_DOMAIN_PDC
          lanman auth = No
          client lanman auth = No
  myhost:~ # smbpasswd -U mark
  New SMB password: [qwert]
  Retype new SMB password: [qwert]
  myhost:~ # 
  
  mark at myhost:~> ldapsearch -LLL  uid=mark sambaLMPassword sambaNTPassword
  SASL/GSSAPI authentication started
  SASL username: mark at EXAMPLE.COM
  SASL SSF: 56
  SASL installing layers
  dn: uid=mark,ou=people,dc=example,dc=com
  sambaLMPassword: 5422A4CDB0F1C794AAD3B435B51404EE
  sambaNTPassword: BB8DEE57B13255F1AA58846079D98447
  
  mark at myhost:~> 
  mark at myhost:~> smbpasswd
  Old SMB password: [qwert]
  New SMB password: [qwert123]
  Retype new SMB password: [qwert123]
  Password changed for user mark
  mark at myhost:~> 
  mark at myhost:~> ldapsearch -LLL  uid=mark sambaLMPassword sambaNTPassword
  SASL/GSSAPI authentication started
  SASL username: mark at EXAMPLE.COM
  SASL SSF: 56
  SASL installing layers
  dn: uid=mark,ou=people,dc=example,dc=com
  sambaLMPassword: 3E21EA326BDFFA1C1AA818381E4E281B
  sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF
  
  mark at myhost:~> 

As you see, both the NTLM and the LM hash are modified after the user password
change.

I am aware that both hashes are equivalent to clear-text passwords
and must therefore be protected. But cracking passwords with tools
like john is much faster if the LM hashes are available, so I think
there should be an option to disable them.

Mark
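A small audit script for exactly the situation described in this message, added here as an example and not part of the thread or of Samba itself: it reads an `ldapsearch -LLL` style dump, reports which accounts still carry a `sambaLMPassword` value, and uses a well-known property of the LM format (the hash is built from two independent 7-byte halves, and an empty half always hashes to `AAD3B435B51404EE`) to flag accounts whose stored LM hash reveals a password of seven characters or fewer. The sample dump reuses the two hashes quoted above (the first under `uid=mark`, the second under a constructed `uid=alice`) plus a constructed `uid=nolm` account without any LM hash; the attribute names are the standard Samba LDAP schema names.

```python
"""Audit a Samba passdb LDIF dump for stored LM hashes.

Added example; not code from the Samba project or the mailing-list thread.
Assumptions: the input is an ldapsearch -LLL style dump using the standard
Samba schema attributes sambaLMPassword / sambaNTPassword, and the LM hash
of an empty 7-byte half is the well-known constant AAD3B435B51404EE.
"""
from typing import Dict, List

EMPTY_LM_HALF = "AAD3B435B51404EE"          # LM hash of an empty 7-byte half
EMPTY_LM_HASH = EMPTY_LM_HALF * 2           # LM hash of an empty password

# Constructed sample dump: the two hashes quoted in the message above
# ("qwert" and "qwert123"), plus one constructed account without an LM hash.
SAMPLE_LDIF = """\
dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 5422A4CDB0F1C794AAD3B435B51404EE
sambaNTPassword: BB8DEE57B13255F1AA58846079D98447

dn: uid=alice,ou=people,dc=example,dc=com
sambaLMPassword: 3E21EA326BDFFA1C1AA818381E4E281B
sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF

dn: uid=nolm,ou=people,dc=example,dc=com
sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a flat LDIF dump into a list of {attribute: value} dicts.

    Lines before the first 'dn:' (e.g. SASL chatter) are ignored; entries are
    separated by blank lines or by the next 'dn:' line.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("dn:"):
            if current:
                entries.append(current)
            current = {"dn": line[3:].strip()}
            continue
        if not current or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries


def _is_lm_hash(value: str) -> bool:
    """True if the value looks like a 16-byte hex LM hash."""
    return len(value) == 32 and all(c in "0123456789ABCDEF" for c in value)


def audit_entry(entry: Dict[str, str]) -> Dict[str, object]:
    """Classify one passdb entry by what its stored LM hash gives away."""
    lm = entry.get("sambaLMPassword", "").upper()
    finding = {
        "dn": entry.get("dn", "?"),
        "lm_stored": False,        # a real LM hash is present in the backend
        "empty_password": False,   # the LM hash is that of an empty password
        "short_password": False,   # second half empty: password <= 7 chars
    }
    if not _is_lm_hash(lm):
        return finding
    finding["lm_stored"] = True
    finding["empty_password"] = lm == EMPTY_LM_HASH
    finding["short_password"] = (not finding["empty_password"]
                                 and lm[16:] == EMPTY_LM_HALF)
    return finding


def audit(text: str) -> List[Dict[str, object]]:
    """Audit every entry in an LDIF dump."""
    return [audit_entry(e) for e in parse_ldif(text)]


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        flags = [k for k, v in f.items() if k != "dn" and v]
        print(f"{f['dn']}: {', '.join(flags) or 'no LM hash stored'}")
```

Run against a real dump (`ldapsearch -LLL '(sambaLMPassword=*)' sambaLMPassword | python audit_lm.py`, after swapping `SAMPLE_LDIF` for `sys.stdin.read()`) this gives a quick list of accounts that still need the LM hash removed, and the `short_password` flag shows concretely why the LM hash is the more dangerous of the two: the stored value alone tells an attacker which accounts have the shortest passwords before any cracking starts.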
