PAP and NT-hashed password

sb superabx at
Tue Dec 30 16:58:13 CET 2014

On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland at>

> On Dec 30, 2014, at 10:28 AM, sb <superabx at> wrote:
> > Yes, but how to prevent it? I have nothing about User-Password in
> > freeradius configs:
>   Try version 2.2.6.  The PAP module has been updated to do a better job
> of discovering which password is where.

Thank you, Alan! I will try to upgrade to 2.2.6.

>   And you probably want to double-check the *format* of the passwords.
> You seem to have put the hashed version of the password into the
> userPassword field.  Then, taken that, turned it into hex, and put that
> into the ntPassword field in LDAP.  That’s wrong.

Actually we have no userPassword field in LDAP, the string

checkitem    Password-With-Header        userPassword

should be there from default config. I've commented it out, but got the
All that we have in LDAP:

sambaLMPassword: B4****************************************C6
sambaNTPassword: 1D****************************************9B

mapped to:

checkItem    LM-Password            sambaLmPassword
checkItem    NT-Password            sambaNtPassword

>   The userPassword field in LDAP should contain the clear-text password.
> e.g. “hello”, or “password”.  The ntPassword field in LDAP should contain
> the hex version of NT hashed password.  e.g. 01abcdef…  OR, the
> userPassword field in LDAP should contain "{nt}01abcdef…”  The {nt} prefix
> says that the rest of the password is the NT hash.

Possibly I have to add the {nt} prefix before the password?

"checkItem    User-Password            {nt}sambaNtPassword" - that won't
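
The password formats described in the quoted reply above, as an added example that is not part of the original message or of FreeRADIUS: a Python check that classifies a stored value as a hex NT hash, a {nt}-prefixed hash, or the hex-of-hex mistake. The function name, the labels and the sample values are constructed for illustration.

```python
import binascii
import string

HEX_DIGITS = set(string.hexdigits)
NT_HASH_BYTES = 16  # an NT hash is an MD4 digest: 16 bytes, 32 hex digits


def _is_hex(text, ndigits):
    """True if text is exactly ndigits hexadecimal characters."""
    return len(text) == ndigits and all(c in HEX_DIGITS for c in text)


def classify_password_value(value):
    """Classify a directory password value by its format alone.

    Returns 'nt-hex', 'nt-header', 'double-hex' or 'other'
    ('other' covers clear text and anything unrecognised).
    """
    v = value.strip()
    # Prefix compared case-insensitively here (an assumption of this example).
    if v[:4].lower() == "{nt}":
        return "nt-header" if _is_hex(v[4:], 2 * NT_HASH_BYTES) else "other"
    if _is_hex(v, 2 * NT_HASH_BYTES):
        return "nt-hex"
    if _is_hex(v, 4 * NT_HASH_BYTES):
        # 64 hex digits: check whether they decode to the ASCII text of a
        # 32-digit hex hash, i.e. the hash was hex-encoded a second time.
        inner = binascii.unhexlify(v).decode("ascii", errors="replace")
        if _is_hex(inner, 2 * NT_HASH_BYTES):
            return "double-hex"
    return "other"


# Constructed sample values, not taken from any real directory.
_HASH = "0123456789ABCDEF0123456789ABCDEF"
SAMPLES = {
    "ntPassword, correct": _HASH,
    "userPassword with header": "{nt}" + _HASH.lower(),
    "ntPassword, hexed twice": _HASH.encode("ascii").hex(),
    "userPassword, clear text": "hello",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:28} -> {classify_password_value(value)}")
```
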

More information about the Freeradius-Users mailing list