[jcifs] Question about NT Domains

Steven French sfrench at us.ibm.com
Wed Jun 12 15:25:38 EST 2002 

There are four set password calls for SMB/CIFS (not counting the Kerberos
change password):
NetUserPasswordSet    (plain text)  which is RAP ordinal 58
NetUserPasswordSet2 (one way lanman hash of password)  115
NetUserPasswordSet3 (reversibly encrypted ie secure decryptable change
password) done by IBM       275
SAM_OEMChangePassword (same idea as above but done a few years later by
Microsoft)                      214

See
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/include/rap.h?rev=1.4.2.1&content-type=text/x-cvsweb-markup

for a fairly complete list based on Microsoft's postings and documentation
(as well as IBM documentation on the IBM specific ones).    Jim and I added
this when we added the "net" utility to Samba last year and with it a lot
of RAP support.    There once was NetUserPassswordSet2 support in Samba
don't know if it is still there.   It may have been in the old PAM_SMB as
well.

Although the current Microsoft clients preferentially send
SAM_OEMChangePassword, they (and many others too)  will send
NetUserPasswordSet2 if the server doesn't support SAM_OEM and then some
will even fall back to the ancient plain text NetUserPasswordSet RAP call



Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at us.ibm.com


"Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> on 06/11/2002 10:16:22
PM

To:    "'Tony Thompson'" <tony.thompson at stone-ware.com>,
       "'jcifs at samba.org'" <jcifs at samba.org>, Steven
       French/Austin/IBM at IBMUS
cc:
Subject:    RE: [jcifs] Question about NT Domains





> -----Original Message-----
> From:     Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> Sent:     Tuesday, June 11, 2002 10:51 PM
> To: Michael_B_Allen at ml.com
> Subject:  RE: [jcifs] Question about NT Domains
>
> OK, here is a trace from a Win98 machine.  It still looks different.  If
you look at packet #13,
> I am guessing that is where the password is set but, it looks completely
different from what
> I would expect.  According to the document you clued me in on, the
parameter descriptor
> string should be "zsT".  The descriptor in that packet is "zb16b16WW" (I
think).  I couldn't
> even find that in the cifsrap2.doc.
>
 Opps, that appears to be a another RAP call for changing your password. I
 have not heard of
 SetUserPassword (115). There are hundreds of RAP calls. I seem to be at a
 loss as to how
 to capture a SamOEMChangePassword call. I suppose an early version of
 smbclient might
 do it. You could probably get Win98 to do it too you just need to provoke
 it in the right way.
 Does anyone have an Ethereal pcap of SamOEMChangePassword or know exactly
 how Tony
 can get one?

> I am not sending the wrong password so, I must be building the request
incorrectly.
>
 You really need a pcap. You'll never get it right without one. At least I
 never could.

 Otherwise, your code looks really close,
 Mike

> I am attaching my source code as well.  I don't know if you can see
anything obviously wrong with that.
>
> Thanks for your help.
> Tony
>
> >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/11/02 08:56PM
>>>
> Your password changing utility is using DCE/RPC which is why it looks
nothing like your other trace. The
> jcifs trace looks like a strait forward wrong password to me. Try
capturing a Win98 machine. It' can't do
> DCE/RPC.
>
> Mike
>
> > -----Original Message-----
> > From:   Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> > Sent:   Tuesday, June 11, 2002 9:43 PM
> > To:     Michael_B_Allen at ml.com
> > Subject:      RE: [jcifs] Question about NT Domains
> >
> > I grabbed the BouncyCastle code.  There is an RC4 engine in there that
I can use.
> >
> > I am having an issue with trying to get this thing working.  Here is
the exception that I am getting:
> >
> > jcifs.smb.SmbException: Invalid operation for IPC service
> >         at jcifs.smb.SmbTree.send(SmbTree.java:86)
> >         at jcifs.smb.SmbFile.send(SmbFile.java:499)
> >         at jcifs.smb.SmbFile.changePassword(SmbFile.java:1420)
> >         at Test.main(Test.java:137)
> >
> > Attached are two Sniffer trace files.
> >
> > passwd.cap - is a trace of a command line utility that I grabbed off
the net to change my password (it works).
> >
> > jcifs_pass.cap - is a trace of the code I added to jCIFS.
> >
> > Can you point me to something specific in the trace (i.e. a packet #,
etc.) that I can use to compare the two traces to try and figure out what I
am doing wrong?  I haven't really dug into this
> > stuff at the wire level before so I am not quite sure what I am looking
for just yet.
> >
> > Thanks.
> > Tony
> >
> > >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/10/02 07:52PM
>>>
> > RC4 is a very simple algorithm. A very simple search on google turned
up numerous RC4.java classes.
> >
> > > -----Original Message-----
> > > From: Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> > > Sent: Monday, June 10, 2002 8:07 PM
> > > To:   miallen at eskimo.com
> > > Cc:   jcifs at samba.org
> > > Subject:    Re: [jcifs] Question about NT Domains
> > >
> > > It looks like the E() is what I need to do the one way transformation
(partially).  If the old password is longer than 8 bytes, I have to
concatenate several results from E().
> > >
> > > But, I still need to do RC4 encryption on the two passwords.  I don't
think that RC4 encryption is part of the JCE or, even if it was, that you
would want jCIFS dependent on the JCE.  What do
> the
> > > Samba "guys" do?  Is there anything that we can use to do this?
> > >
> > > >>> "Michael B. Allen" <miallen at eskimo.com> 06/07/02 08:10PM >>>
> > > On Fri, 07 Jun 2002 15:12:30 -0500
> > > "Tony Thompson" <tony.thompson at stone-ware.com> wrote:
> > >
> > > > I decided to try and tackle this but, I am having a couple of
issues.  According to the cifsrap2.doc, an RC4 encryption must be performed
on the old password before it is sent.  I didn't see
> > > anything hanging around in jCIFS that would do this.  Any
suggestions?
> > > >
> > > > A one way transformation must also be performed on the old
password.  The document describes the gyrations required to do this but,
one of the elements of the transformation is "an 8 byte
> string
> > > whose value is available from Microsoft upon request".  Any idea what
this string might be or how to get it?
> > > >
> > > > Is there something already in jCIFS that would do all of the above
for me (i.e. is this same type of thing used anywhere else)?  I know it is
a long shot but, I had to ask.
> > >
> > > Look  at  the  top  of jcifs/smb/SmbSession.java. You can in all
likelyhood
> > > just  use  the  E()  method.  It's  probably  very similar but i
don't know
> > > really.  It will take some fiddling and reasoning. You don't really
need to
> > > know much about encryption to do it but you might want to get a
capture and
> > > copy  out  the  encrypted  value  of  a known password so you can
test your
> > > encryption method.
> > >
> > > Mike
> > >
> > > --
> > > http://www.eskimo.com/~miallen/c/jus.c
> > >
> > >
> > >
> >
> >  << File: passwd.cap >>  << File: jcifs_pass.cap >>
>  << File: 98_pass.cap >>  << File: SamOemChangePasswordResponse.java >>
<< File: SamOemChangePassword.java >>

More information about the jcifs mailing list