Feature #1990


nsswitch support for NT password hashes

Added by Gordon Ross almost 12 years ago. Updated about 8 years ago.

Category: cifs - CIFS server and client
Tags: nsswitch ldap


Currently, the native CIFS service (smbsrv, smbd) "goes around" the name service switch mechanism (nsswitch) to get NT password hashes from /var/smb/smbpasswd, and does that only for users defined in local "files".

There have been requests for a way to fetch the NT password hashes using the nsswitch mechanism, so that for accounts defined in LDAP, we'll get the NT password hash from the "sambaNTPassword" element, etc.


Attachment: ntpasswd.h (1.72 KB), Gordon Ross, 2012-01-17 01:38 AM
Actions #1

Updated by Gordon Ross almost 12 years ago

I did some investigations of what might be required to implement this. Basically, one needs to add a new "DB" lookup type similar to the "shadow" lookup. Here are some notes:

Design notes for adding a "get NT passwd" (hash),
similar to getspnam(3C).  API: getnpnam etc.
(Subst. /sp/ntpw/ in: getspnam, getspnam_r,
 getspent_r, setspent, endspent,
 fgetspent, fgetspent_r)

New DB file: /etc/ntpasswd

At first upgrade with this code, create
/etc/ntpasswd from /var/smb/smbpasswd
with updates to the format.  Old (smbpasswd) format:
    <user-name>:<user-id>:<LM hash>:<NTLM hash>
New (ntpasswd) format:
    <user-name>:<user-id>:<LM hash>:<NTLM hash>:
Both hashes, if present, are 32-byte hex strings.
Note that the "LM hash" is usually absent (because
accepting or storing the LM hash is undesirable from a
security standpoint, and it is not used in modern systems).
Note ":" at the end, missing from smbpasswd.

There is code to parse the old smbpasswd format in:

New header:
  usr/src/head/ntpasswd.h  (like shadow.h)
  struct ntpw;  /* like shadow.h:spwd */
  (See sample ntpasswd.h)

Modify: usr/src/head/nss_dbdefs.h adding
#define    NSS_DBNAM_NTPASSWD    "ntpasswd" 
Add NTPASSWD defines like the SHADOW ones.

I _don't_ think we need a new NSS_DBOP_...
because shadow uses the DBOP for passwd.  See:
So just use NSS_DBOP_PASSWD_BYNAME with nss_search().

Add new libc files like getspent*.c etc.
The NSS DB lookup goes like this:

    _nss_initf_ntpasswd(nss_db_params_t *p)
        p->name    = NSS_DBNAM_NTPASSWD;
        /* Use config for "passwd" */
        p->config_name    = NSS_DBNAM_PASSWD;
        p->default_config = NSS_DEFCONF_PASSWD;

Add an NSS_MK_GETXYDBOPB() line to
for  "ntpasswd", again like the "shadow" one.
Careful with getXbyY_to_dbop[] - see the
comment above it about nss_dbop_search().

See "shadow" DB support in:
and add "ntpasswd" method constructors, etc.

I think we can simply not implement "ntpasswd" 
in the other back-ends, but have to check.
(Might need stubs, might not.)

The proposed new "ntpasswd.h" header file is attached.
It would go in usr/src/head/ntpasswd.h
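
The following is an added example, not illumos code and not the attached header: it parses one line of the old /var/smb/smbpasswd format (and also the proposed /etc/ntpasswd format with its trailing ":"), validates the fields, and re-emits the line in the new format, which is the upgrade step the notes above describe. The struct name ntpw follows the notes; its field names, the 64-character name limit and the function names are assumptions made for this example, and the sample line and hash value are constructed.

```c
/*
 * Added example (not illumos code): parse a line in the old
 * /var/smb/smbpasswd format and re-emit it in the proposed
 * /etc/ntpasswd format.
 *
 *   old: <user-name>:<user-id>:<LM hash>:<NTLM hash>
 *   new: <user-name>:<user-id>:<LM hash>:<NTLM hash>:
 *
 * Each hash is either empty or exactly 32 hex characters (16 bytes).
 * The struct name follows the design notes; the field names and
 * function names are assumptions for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTPW_HEXLEN 32

struct ntpw {
    char name[64];
    long uid;
    char lmhash[NTPW_HEXLEN + 1];   /* "" when absent (the usual case) */
    char nthash[NTPW_HEXLEN + 1];   /* "" when absent */
};

/* A hash field is valid if it is empty or exactly 32 hex digits. */
static int
valid_hash(const char *s, size_t len)
{
    if (len == 0)
        return 1;
    if (len != NTPW_HEXLEN)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Parse one line in either format. The old format has 4 fields; the
 * new format has a 5th, empty field after the trailing ':'. A trailing
 * newline is tolerated. Returns 0 on success, -1 on malformed input.
 */
int
ntpw_parse(const char *line, struct ntpw *pw)
{
    const char *f[5];
    size_t len[5];
    int n = 0;
    const char *p = line;

    /* Split on ':' without modifying the input. */
    for (;;) {
        const char *c = strchr(p, ':');
        size_t l = c ? (size_t)(c - p) : strcspn(p, "\n");
        if (n == 5)
            return -1;          /* too many fields */
        f[n] = p;
        len[n] = l;
        n++;
        if (c == NULL)
            break;
        p = c + 1;
    }
    if (n < 4 || (n == 5 && len[4] != 0))
        return -1;
    if (len[0] == 0 || len[0] >= sizeof (pw->name))
        return -1;
    memcpy(pw->name, f[0], len[0]);
    pw->name[len[0]] = '\0';

    if (len[1] == 0)
        return -1;
    for (size_t i = 0; i < len[1]; i++)
        if (!isdigit((unsigned char)f[1][i]))
            return -1;
    pw->uid = strtol(f[1], NULL, 10);   /* stops at the ':' */

    if (!valid_hash(f[2], len[2]) || !valid_hash(f[3], len[3]))
        return -1;
    memcpy(pw->lmhash, f[2], len[2]);
    pw->lmhash[len[2]] = '\0';
    memcpy(pw->nthash, f[3], len[3]);
    pw->nthash[len[3]] = '\0';
    return 0;
}

/* Emit the new ntpasswd format (note the trailing ':'). */
int
ntpw_format(const struct ntpw *pw, char *buf, size_t bufsz)
{
    int r = snprintf(buf, bufsz, "%s:%ld:%s:%s:",
        pw->name, pw->uid, pw->lmhash, pw->nthash);
    return (r < 0 || (size_t)r >= bufsz) ? -1 : 0;
}

/* Convert one line to the new format; -1 if it does not parse. */
int
ntpw_convert_line(const char *old, char *out, size_t outsz)
{
    struct ntpw pw;
    if (ntpw_parse(old, &pw) != 0)
        return -1;
    return ntpw_format(&pw, out, outsz);
}

int
main(void)
{
    /* Constructed sample line: no LM hash, arbitrary hex as the NT hash. */
    const char *old = "alice:1001::0123456789abcdef0123456789abcdef";
    char buf[256];
    if (ntpw_convert_line(old, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Because the parser accepts both formats, the same routine can be run once over the old file at upgrade time and then reused by the "files" back end afterwards; a line whose hash field is neither empty nor 32 hex digits is rejected rather than copied through.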

Actions #2

Updated by Rich Lowe almost 12 years ago

getent support would be useful, if sufficiently privileged (that said, support for shadow isn't there).

Actions #3

Updated by Milan Jurik almost 12 years ago

Which backends do you plan to support except "files"? If you will add support for LDAP, do you plan to do some changes for idsconfig e.g.? sambaNTPassword is not standard attribute (at least unknown to RFC2307). How about NIS? What will the benefit be to add some application specific database to generic /etc/nsswitch.conf? Any plans to use this database in more generic way, e.g. as some source for users?

Actions #4

Updated by Gordon Ross almost 12 years ago

I would propose to implement this "ntpasswd" DB type for two "back ends": files, ldap.
The ldap backend might need some config settings somewhere, to allow for different
ldap schema, but that's a problem in general for the ldap back end.

The only current consumer would be smbsrv+smbd (and maybe getent).
Perhaps one could do this in smbd, but that gets ugly fast.

Actions #5

Updated by Milan Jurik almost 12 years ago

I am only thinking out loud here; both ways (smbd and nsswitch) will need some additional configuration. If it will go to nsswitch then it should be as transparent as possible. Some additional switch in LDAP config can lead to common setup errors.

Actions #6

Updated by Gordon Ross about 8 years ago

  • Tags changed from needs-triage to nsswitch ldap
Actions #7

Updated by Gordon Ross about 8 years ago

  • Category set to cifs - CIFS server and client
