On Sat, 2004-03-27 at 13:12, Beast wrote:
> * Andrew Bartlett <[EMAIL PROTECTED]> wrote:
>
> > > 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1
> > > NThash on rpc-Vampire, passwd is different.
> > > 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as
> > > LANMANHASH in PWD.
> > > 3. No valid hash in PWD (only "****"), but has valid NTHASH in
> > > VMP.
> > > 4. Valid PWD, valid VMP and both are same.
> > >
> > > On rpc-vampire, from total of 638 machine, 448 are only having
> > > NTpassword hash entry.
> > >
> > > Is it ok for machine account to have only one hash? (I can not try
> > > it right now because the site is on another city).
> >
> > Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS
> > fixed an issue where the NT password not being present caused a bug
> > (account would be marked disabled).
> >
>
> 1. In which tools we trust the output? pwdump or rpc vampire? why the
> output is different?

Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output. I have not looked at the pwdump source, nor had any experience using it, so I don't know why its output would differ.

> 2. Does this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN
> hash?

This is correct.

> Note: this 'feature' is marked as 'bug' by jerry and has been fixed.
> Is it safe to have NT hash only on production?
>
> http://lists.samba.org/archive/samba/2004-March/082989.html

It is safe to have NT hash only in production, on versions of Samba that support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) > 14) the NT hash is the only valid hash.

The practice (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
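The comparison discussed in this thread, as an added example that is not part of the original message and is not Samba code: it sorts accounts into the four cases listed above and reports which accounts carry an NT hash only. It assumes both dumps use colon-separated `name:id:LM:NT:...` lines and that any field that is not 32 hex digits means no hash is stored; the function names and sample hashes are constructed for illustration.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def parse_dump(text):
    """Map account name -> (lm, nt) from 'name:id:LM:NT:...' lines.
    Assumption: a field that is not 32 hex digits ('****', 'XXXX...')
    means 'no hash stored' and becomes None."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or line.lstrip().startswith("#"):
            continue
        lm, nt = (f.upper() if HEX32.fullmatch(f) else None for f in fields[2:4])
        accounts[fields[0].lower()] = (lm, nt)
    return accounts

def classify(pwd, vmp):
    """Return the case number 1-4 from the list in the thread, 0 otherwise."""
    (p_lm, p_nt), (v_lm, v_nt) = pwd, vmp
    if p_lm is None and p_nt is None:
        return 3 if v_nt else 0           # no hash in pwdump, NT hash in vampire
    if v_lm is None and v_nt:             # vampire holds an NT hash only
        if v_nt == p_lm:
            return 2                      # vampire NT equals pwdump LANMAN
        return 1 if v_nt != p_nt else 0   # vampire NT differs from pwdump
    return 4 if pwd == vmp and p_lm and p_nt else 0

def compare(pwdump_text, vampire_text):
    pwd, vmp = parse_dump(pwdump_text), parse_dump(vampire_text)
    return {n: classify(pwd[n], vmp[n]) for n in sorted(pwd.keys() & vmp.keys())}

def nt_only(accounts):
    """Accounts with an NT hash but no LANMAN hash (unusable on 3.0.2/3.0.2a)."""
    return sorted(n for n, (lm, nt) in accounts.items() if nt and not lm)

def h(c):
    return c * 32   # constructed 32-character placeholder, not a real hash

PWDUMP = "\n".join([                      # constructed sample input
    f"ws01$:1001:{h('A')}:{h('B')}:::",
    f"ws02$:1002:{h('C')}:{h('D')}:::",
    "ws03$:1003:****:****:::",
    f"ws04$:1004:{h('E')}:{h('F')}:::",
])
VAMPIRE = "\n".join([                     # constructed sample input
    f"ws01$:1001:{h('X')}:{h('9')}:[W          ]:LCT-00000000:",
    f"ws02$:1002:{h('X')}:{h('C')}:[W          ]:LCT-00000000:",
    f"ws03$:1003:{h('X')}:{h('7')}:[W          ]:LCT-00000000:",
    f"ws04$:1004:{h('E')}:{h('F')}:[W          ]:LCT-00000000:",
])
```

Running `nt_only` over the migrated dump before choosing a Samba version shows how many accounts depend on NT-hash-only support.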
