Understanding sambaLMPassword vs sambaNTPassword in Samba+LDAP Authentication



When integrating Samba with LDAP authentication, you'll encounter two distinct password fields in your directory:

  • sambaLMPassword: Stores the LAN Manager (LM) hash of the user's password
  • sambaNTPassword: Stores the NT hash (NTLMv1/NTLMv2 compatible)

dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

During authentication, Samba will attempt to use these hashes differently:

  1. For older clients (Windows 9x/ME), it uses LM hash
  2. For modern clients (Windows NT+), it primarily uses NT hash
  3. When both are present, the server will prefer NT hash

The LM hash is considered cryptographically weak because:

  • Converts password to uppercase before hashing
  • Splits into two 7-character chunks
  • Vulnerable to rainbow table attacks

Best practice is to disable LM hashes entirely in smb.conf:

[global]
  ntlm auth = yes
  lanman auth = no
  client ntlmv2 auth = yes

When setting up a new user in LDAP for Samba authentication, you should:

# Add the user and set the password interactively
# (note: smbpasswd -n sets an empty password, which is not what you want here)
smbpasswd -a username

# Or using ldapmodify for direct LDAP entry
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: sambaNTPassword
sambaNTPassword: E52CAC67419A9A22B222F34D35BD5D20

If you're transitioning from LM to NT-only hashes:

  1. Update smb.conf to disable LM auth
  2. Force password changes for all users
  3. Remove existing sambaLMPassword attributes

Verify authentication works with NT hashes only:

smbclient -L localhost -U username%password -m NT1
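Added example, not part of the answer above: a small Python audit that parses an LDIF export, reports every account that still carries a sambaLMPassword (flagging the AAD3B435B51404EE half that marks a password of 7 characters or fewer, and the all-empty LM hash), flags an NT hash of the empty password, and emits the ldapmodify input for step 3 of the migration. The LDIF is constructed (only jsmith's values are copied from the answer), the names parse_ldif, audit and removal_ldif are chosen here, and the parser deliberately skips base64 (::) attribute values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample LDIF export (not a real directory). jsmith's hashes are the
# ones shown in the answer above; "legacy" is an account created with an empty
# password, "clean" has already had its LM hash removed.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

dn: uid=legacy,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaLMPassword: AAD3B435B51404EEAAD3B435B51404EE
sambaNTPassword: 31D6CFE0D16AE931B73C59D7E0C089C0

dn: uid=clean,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""

# LM hashes a 14-byte, zero-padded, upper-cased password as two 7-byte DES keys;
# an all-zero key half always produces this constant, so it reveals short passwords.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
# MD4 of the empty string, i.e. the NT hash of an empty password.
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines.
    Base64 ('::') and URL ('<') forms are skipped to keep the example short."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(": ")
            if not sep or name.endswith(":"):
                continue
            entry.setdefault(name, []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (dn, finding, detail) for every LM hash present and every empty NT hash."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        for h in (v.upper() for v in e.get("sambaLMPassword", [])):
            if h == EMPTY_LM:
                findings.append((dn, "lm-hash-present", "LM hash of an empty password"))
            elif h.endswith(EMPTY_LM_HALF):
                findings.append((dn, "lm-hash-present", "password is 7 characters or fewer"))
            else:
                findings.append((dn, "lm-hash-present", "LM hash stored"))
        for h in (v.upper() for v in e.get("sambaNTPassword", [])):
            if h == EMPTY_NT:
                findings.append((dn, "empty-nt-hash", "NT hash of an empty password"))
    return findings


def removal_ldif(entries: List[Entry]) -> str:
    """ldapmodify input that deletes sambaLMPassword from every entry that has one."""
    changes = []
    for e in entries:
        if "sambaLMPassword" in e:
            changes.append(
                f"dn: {e['dn'][0]}\nchangetype: modify\ndelete: sambaLMPassword\n-\n"
            )
    return "\n".join(changes)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, finding, detail in audit(parsed):
        print(f"{finding:16} {dn}  ({detail})")
    print("\n# ldapmodify input for step 3:\n" + removal_ldif(parsed))
```

Run the audit before and after the migration; once the password changes have gone through, the removal LDIF can be fed to ldapmodify, and a second run should report no lm-hash-present findings.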

When integrating Samba with LDAP for user authentication, you'll encounter two crucial password fields: sambaLMPassword and sambaNTPassword. These represent different cryptographic representations of user credentials:

# Example LDAP entry showing both fields
dn: uid=jdoe,ou=Users,dc=example,dc=com
sambaLMPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE

The sambaLMPassword stores the LAN Manager (LM) hash, while sambaNTPassword contains the NT hash. The key differences:

  • Algorithm: LM uses DES, NT uses MD4
  • Case sensitivity: LM converts to uppercase, NT preserves case
  • Security: LM is vulnerable to rainbow table attacks
  • Compatibility: NT works with modern Windows systems

For your home directory sharing setup, Samba's authentication follows this sequence:

1. Client attempts connection
2. Samba checks sambaNTPassword first (preferred method)
3. If NT fails or unavailable, falls back to sambaLMPassword
4. If both fail, authentication rejected

For modern security:

# In smb.conf to enforce NT-only authentication
[global]
   ntlm auth = yes
   lanman auth = no

To migrate from LM to NT hashes in LDAP:

# Use pdbedit to set the NT hash directly (the option takes a value;
# <NT_HASH_HEX> is a placeholder for the 32-hex-digit hash)
pdbedit --modify --user=jdoe --set-nt-hash=<NT_HASH_HEX>

Check which hash is being used with:

smbclient -L server -U user%pass -d3 2>&1 | grep -i "got challenge"

Expected output showing NT authentication:

got challenge
got NTLMSSP neg_flags=0x628a8215