[jcifs] Doesn't anyone have a SamOEMChangePassword capture?

Tony Thompson tony.thompson at stone-ware.com
Sat Jun 15 04:34:03 EST 2002


I feel that I may be overstaying my welcome, but it seems like every time I make progress, I run into another wall.  I now have two traces that I can compare and they are definitely different.

According to the cifsrap2.doc file, the things that I should be writing into the transaction request parameters section are:

- a 16 bit function number, in this case 214
- the parameter descriptor string "zsT"
- a null terminated ASCII string that represents the name of the user
- a word with a value of 532 representing the size of the data buffer

The problem is I think I also have to write in a data descriptor string "B516B16" even though it didn't say to in the document.  So, I have almost the same information that is in the Win98 pcap except the word with the value of 532.  The Win98 capture has a value of 814.

There are other things that are not the same in the traces that I don't know how to rectify.  In the Win98 pcap, it has a parameter count of 20.  In the jCIFS capture, it has a parameter count of 22.  There are several other things, but some of them may be dependent on each other (i.e. if I fix one thing the rest will correct themselves).

I am attaching two packet traces and my current source code.  Any input would be appreciated.

>>> "Michael B. Allen" <miallen at eskimo.com> 06/13/02 02:00PM >>>
On Thu, 13 Jun 2002 10:59:46 -0500
"Tony Thompson" <tony.thompson at stone-ware.com> wrote:

> From what I can tell by digging around in that code, I won't be able to
> do a straight comparison of the encrypted password data because the Samba
> code adds some random bytes into the new password buffer (I can probably
> do this too after everything works).  Does anyone have any suggestions?

Those random bytes are not random. They can't be or the whole scheme
wouldn't work. That's the session key returned in SMB_COM_NEGOTIATE
response and also available from SmbTransport.client.sessionKey where you
can get the transport with SmbTransport.getSmbTransport() but you have to
use the transport before accessing the session key or the transport will
not have negotiated yet. But I don't recall seeing anything in the RAP doc
about that. If it really is factoring in the sessionKey then that would be
pretty important! :~) Regardless I've said it before and I say it again,
you should bother doing anything without a pcap. Now go find yourself a
Win98 machine, tell it to join the domain on your NT 4 server and then
change your password. My guess is that will show you a
SamOEMChangePassword.

You might try sending a message to the samba users mailing list asking very
nicely  for  someone  to  help you get a pcap. There are probably dozens of
users on there that could grab one in two shakes. 

Mike

-- 
http://www.eskimo.com/~miallen/c/jus.c 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: jcifs_pass2_good.cap
Type: application/octet-stream
Size: 2794 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020614/0bdf68b1/jcifs_pass2_good.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 98_pass_good.cap
Type: application/octet-stream
Size: 4732 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020614/0bdf68b1/98_pass_good.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SamOemChangePassword.java
Type: application/octet-stream
Size: 6759 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020614/0bdf68b1/SamOemChangePassword.obj
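To make the field-by-field comparison Tony describes easier, here is an added example (not code from the thread, from jCIFS, or from cifsrap2.doc) that encodes the RAP transaction parameter block exactly as the post lists it and decodes a captured block back into named fields so the two traces can be diffed. It is written in Python rather than Java because the byte layout is language-independent. Assumptions are labelled: the position of the data descriptor after the parameter descriptor is the standard RAP ordering as I understand it and is not stated on the page; the user name "tony" is a constructed sample; and the block does not touch the 516-byte password buffer, whose encoding the thread has not settled.

```python
import struct

# Values taken from the post (cifsrap2.doc as Tony reads it)
FUNC_SAM_OEM_CHANGE_PASSWORD = 214
PARAM_DESC = b"zsT"
DATA_DESC = b"B516B16"   # Tony's guess; cifsrap2.doc does not list it
DATA_BUFFER_LEN = 532    # per the doc; the Win98 trace carries 814 instead


def build_rap_params(user, data_len=DATA_BUFFER_LEN, data_desc=DATA_DESC):
    """Return the RAP parameter block for the request.

    Field order is an assumption (standard RAP layout, not stated on the
    page): 16-bit opcode, param descriptor, data descriptor, then the
    parameters the descriptor names: the user name (z) and the buffer
    size word. Pass data_desc=None to build the block exactly as the
    cifsrap2.doc listing has it, without a data descriptor.
    """
    out = bytearray(struct.pack("<H", FUNC_SAM_OEM_CHANGE_PASSWORD))
    out += PARAM_DESC + b"\x00"
    if data_desc is not None:
        out += data_desc + b"\x00"
    out += user.encode("ascii") + b"\x00"
    out += struct.pack("<H", data_len)          # little-endian word
    return bytes(out)


def parse_rap_params(blob, has_data_desc=True):
    """Split a captured parameter block into named fields.

    Feed it the parameter bytes pulled from each .cap file and compare
    the dicts instead of eyeballing hex. 'param_count' is the total
    length, the number the captures report as 20 vs 22.
    """
    def cstr(p):
        end = blob.index(b"\x00", p)
        return blob[p:end], end + 1

    opcode = struct.unpack_from("<H", blob, 0)[0]
    pos = 2
    param_desc, pos = cstr(pos)
    data_desc = None
    if has_data_desc:
        data_desc, pos = cstr(pos)
    user, pos = cstr(pos)
    data_len = struct.unpack_from("<H", blob, pos)[0]
    pos += 2
    return {
        "opcode": opcode,
        "param_desc": param_desc,
        "data_desc": data_desc,
        "user": user.decode("ascii"),
        "data_len": data_len,
        "param_count": len(blob),
        "trailing": blob[pos:],   # anything the layout above did not account for
    }


def diff_fields(a, b):
    """Names of the fields that differ between two parsed blocks."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    # Constructed sample: what jCIFS would send vs. what the doc's word value gives
    mine = build_rap_params("tony", 532)
    win98_like = build_rap_params("tony", 814)
    print(mine.hex())
    print(diff_fields(parse_rap_params(mine), parse_rap_params(win98_like)))
```

With two real blocks extracted from jcifs_pass2_good.cap and 98_pass_good.cap, `diff_fields` tells you whether the two-byte count difference is the data descriptor, the user name, or something else, and `trailing` shows any bytes the assumed layout leaves unexplained.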

