CVS update: samba/source/rpc_server

Luke Leighton lkcl at samba.anu.edu.au
Wed Jan 5 22:28:20 EST 2000


Date:	Wednesday January 5, 2000 @ 22:28
Author:	lkcl

Update of /data/cvs/samba/source/rpc_server
In directory samba:/tmp/cvs-serv24685/rpc_server

Modified Files:
      Tag: SAMBA_TNG
	srv_netlog.c srv_pipe_srv.c 
Log Message:
finally got somewhere with encrypted msrpc.  i had to do some hacking about
of the network logon NetrSamLogon, would you believe it!   i finally
understand why microsoft return 8 bytes of the user's password in
NetrSamLogon (network logon), it's so that you can generate NTLMSSP
state.

NT4sp2 and below used to send 8 bytes of LM# in-the-clear, which was SO
stupid that paul ashton and i had to tell them about it, and they now
use some obfuscation based on the negotiated-NETLOGON-session-key.

i can't remember exactly what this obfuscation was, so i just guessed,
for now, and i'll test against an NT PDC, later, when i have one.

security implications are that if you know a workstation's trust account
password (which defaults to lower-case), you can watch network traffic and _still_
obtain the first 8 bytes of the user's LM# (generated from the 1st 7 bytes uppercase
of the user's cleartext password) from *network* NetrSamLogons.

no wonder microsoft want to replace this stuff with Kerberos 5.