[Samba] getting rid of lmhashes?

Mark Proehl M.Proehl at science-computing.de
Thu Mar 2 20:52:47 GMT 2006


On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> 
> Mark Proehl wrote:
> 
> > I am aware that both hashes are equivalent to clear text passwords
> > and must be protected therefore. But cracking passwords with tools
> > like john is much faster if the lm hashes are available, so I think
> > there should be an option to disable them.
> 
> If you use passwords >14 characters in length, I'm sure the
> lanman hashes are not generated.  I would need to dig through
> the code to remember how to prevent them from being generated
> in other scenarios.  Maybe later.

  mark@myhost:~> smbpasswd
  Old SMB password: [qwert123]
  New SMB password: [qwertzuiop12345]
  Retype new SMB password: [qwertzuiop12345]
  Password changed for user mark
  mark@myhost:~> ldapsearch -LLL  uid=mark sambaLMPassword sambaNTPassword
  SASL/GSSAPI authentication started
  SASL username: mark@EXAMPLE.COM
  SASL SSF: 56
  SASL installing layers
  dn: uid=mark,ou=people,dc=example,dc=com
  sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B
  
  mark@myhost:~>
 
cool! but forcing users to passwords > 14 chars is not that easy...

are you sure that there is no other way to disable lanman hashes?

Mark
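
The ldapsearch check shown in the message above can be run across a whole directory export to find accounts that still carry a LanMan hash. The following is an added example, not part of the original post and not Samba code: the function names `parse_ldif` and `audit_lm` are hypothetical, the sample LDIF is constructed, and the empty-password LM hash constant is a well-known value rather than one taken from the post.

```python
import base64
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password (well-known constant)

def parse_ldif(text):
    """Yield one {attribute_lowercase: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous (folded) line.
        if raw.startswith(" ") and raw.strip() and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())

def audit_lm(text):
    """Map each DN to 'absent', 'empty' or 'present' for sambaLMPassword."""
    report = {}
    for entry in parse_ldif(text):
        if "dn" in entry:              # skips stray non-entry lines (e.g. SASL chatter)
            lm = entry.get("sambalmpassword", [""])[0].upper()
            status = "absent" if not lm else "empty" if lm == EMPTY_LM else "present"
            report[entry["dn"][0]] = status
    return report

# Constructed sample (made-up DNs and hash values), shaped like ldapsearch -LLL output.
SAMPLE_LDIF = f"""dn: uid=mark,ou=people,dc=example,dc=com
sambaNTPassword: 00000000000000000000000000000001

dn: uid=alice,ou=people,dc=example,dc=com
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=people,dc=example,
 dc=com
sambaLMPassword:: {base64.b64encode(EMPTY_LM.encode()).decode()}
"""

if __name__ == "__main__":
    for dn, status in audit_lm(SAMPLE_LDIF).items():
        print(f"{status:8} {dn}")
```

Accounts reported as `present` are the ones whose LanMan hash is still stored; `absent` matches the result shown in the message for a password longer than 14 characters.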

