
Re: [PATCH] smbk5passwd module should uppercase the NT/LM hashes



Buchan Milne wrote:
> 
> I was playing with smbk5passwd from HEAD built for 2.2, and I found that
> it worked, but the alpha characters in the sambaNTPassword and
> sambaLMPassword attributes were lower-cased (whereas previously they
> were upper-cased, as set by samba or other tools).
> 
> With this change, the module does the right thing (ie after a password
> change with ldappasswd I could authenticate to samba with the new password).

I'm experiencing very weird problems with samba passwords and it only happens 
when I use the smbk5pwd module.

The problem begins with LM hash generation, whilst sambaLMPassword and sambaNTPassword
values generated from perl migration scripts are:

cleartext password is "12345678"

sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52

and they work perfectly with windows clients.
 
The values generated when I use smbk5pwd are:

sambaLMPassword: 0182bd0bd4444bf8e1b79117b9cf8dc5
sambaNTPassword: 259745cb123a52aa2e693aaacca2db52

Buchan's patch only changes the case:

sambaLMPassword: 0182BD0BD4444BF8E1B79117B9CF8DC5
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52

Do you note how the LM password differs?

Because of this, all my win98 clients (they use the LM protocol)
are unable to authenticate against the PDC.

I'd like to know if this might be a bug in smbk5pwd or 
in samba?

Thank you.

	/---------------/

entry generated by perl
=======================
dn: uid=usuario1,ou=personas,ou=cuentas,dc=fadesa,dc=es
objectClass: top
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: fadesaPerson
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: usuario1
cn: usuario1@FADESA.ES
fadesaPersonStatus: activado
loginShell: /bin/false
sambaAcctFlags: [U          ]
sn: sadf
host: ende
host: ora9i
sambaSID: S-1-5-21-528226156-890416033-2029241632
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
gidNumber: 1000
uidNumber: 2000
homeDirectory: /samba/usuario1
description
gecos: am9zZSBtYW51ZWwgZmFuZGnxbyBwaXRh
sambaPwdCanChange: 1111000630
sambaPwdMustChange: 1111000630
sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
sambaPasswordHistory: 0
sambaPwdLastSet: 1111000630
krb5PrincipalName: usuario1@FADESA.ES
krb5KeyVersionNumber: 1
krb5KDCFlags: 126
mailLocalAddress: usuario1@fadesa.es
userPassword: MTIzNDU2Nzg=
fadesaPersonWebAccess: FALSE
fadesaPersonEmailAccess: TRUE

entry updated by smbk5pwd
=========================
dn: uid=usuario1,ou=personas,ou=cuentas,dc=fadesa,dc=es
objectClass: top
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: fadesaPerson
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: usuario1
cn: usuario de prueba
loginShell: /bin/bash
fadesaPersonStatus: activado
sn: sadf
structuralObjectClass: inetOrgPerson
entryUUID: 9e113ab0-e3a9-1028-8d3e-a7098d012c3f
creatorsName: cn=boss,dc=fadesa,dc=es
createTimestamp: 20041216122738Z
host: ora9i
sambaSID: S-1-5-21-528226156-890416033-2029241632
gidNumber: 1000
homeDirectory: /samba/usuario1
uidNumber: 613
description: oiohh
gecos: un user para realizar pruebas
krb5PrincipalName: usuario1@FADESA.ES
krb5KDCFlags: 126
sambaHomePath: /samba/usuario1
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaPwdCanChange: 1112611448
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
userPassword:: MTIzNDU2Nzg=
sambaPwdLastSet: 1112611428
sambaLMPassword: 0182BD0BD4444BF8E1B79117B9CF8DC5
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
krb5KeyVersionNumber: 76
krb5Key:: MEagAwIBAaE/MD2gAwIBEKE2BDQhdSUdLwn0B6RIVypEi6Tlxz2zgz1DJp3cCKmtW6qJ
 IQF3AgHwMk3e7OWe3cePruuPkSlr
krb5Key:: MDagAwIBAaEvMC2gAwIBA6EmBCTQ+M9AGo5Szpxbw0zQDQovEP+G9BD0upP6H18ddsFK
 ssXILZw=
krb5Key:: MDagAwIBAaEvMC2gAwIBAqEmBCQC9DR0E/6KLoI0WuVaYCaDhadpDxOqcZf9+CLbHYfU
 RviNI8E=
krb5Key:: MDagAwIBAaEvMC2gAwIBAaEmBCQvU5X7qKbAyd/pbvadD80PXlz3kGvvQE9g2kY6xAbS
 ymC6hUE=
entryCSN: 20050404104348Z#000002#00#000000
modifiersName: cn=ora9i,ou=maquinas,ou=cuentas,dc=fadesa,dc=es
modifyTimestamp: 20050404104348Z

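One way to check the two sambaLMPassword values quoted above is to recompute the LM hash for the stated cleartext independently and compare it half by half. The Go program below is an added example, not part of the original message or of the smbk5pwd code; the function names are illustrative and it assumes an ASCII password.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// sambaLMPassword values for cleartext "12345678", copied from the message above.
const (
	perlLM     = "0182BD0BD4444BF836077A718CCDF409" // perl migration script
	smbk5pwdLM = "0182BD0BD4444BF8E1B79117B9CF8DC5" // smbk5pwd with the case patch
)

// expandKey spreads 56 key bits over 8 bytes; the low (parity) bit stays 0.
func expandKey(half []byte) []byte {
	var v uint64
	for _, b := range half {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((v>>uint(49-7*i))&0x7f) << 1
	}
	return key
}

// lmHash uppercases the password, NUL-pads or truncates it to 14 bytes, and
// DES-encrypts the constant "KGS!@#$%" under each 7-byte half.
func lmHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, _ := des.NewCipher(expandKey(buf[7*i : 7*i+7])) // key is always 8 bytes
		c.Encrypt(out[8*i:8*i+8], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// halvesMatch compares two LM hashes case-insensitively, half by half:
// index 0 covers password characters 1-7, index 1 characters 8-14.
func halvesMatch(a, b string) [2]bool {
	return [2]bool{strings.EqualFold(a[:16], b[:16]), strings.EqualFold(a[16:], b[16:])}
}

func main() {
	fmt.Println("computed LM hash:", lmHash("12345678"))
	fmt.Println("perl vs smbk5pwd halves match:", halvesMatch(perlLM, smbk5pwdLM))
}
```

The recomputed value agrees with the perl-generated attribute, and the smbk5pwd value agrees with it only in the first 8 bytes, the part derived from the first seven characters of the password.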