Samba PDC as a password server

Jeremy Allison jallison at
Tue Apr 28 17:42:34 GMT 1998

Paul Ashton wrote:
> Just one small problem. I never progressed the password
> change protocol from NT client to DC. I figured out how
> to disable the RC4 (?) encryption of the RPC by sending
> a certain type of NTLMSSP response, but not what the RC4
> key was. Have you gotten anywhere with that, Jeremy?
> If the RPC isn't encrypted then I verified that the
> password change protocol is as documented, incidentally
> exposing a little hole in that the LM hash is used to
> encrypt the new password even if LM-FIX has been applied
> to disable the use of it.

Yes, I have that fixed and checked into the main branch
(domain client password changing). It's not an arc4 encrypt,
but a des encrypt with the 8 byte session key used as two
7 byte des keys (the second key is zero filled) to encrypt
the md4 hash of the new machine password. Look at the code
in api_net_srv_pwset() in lib/rpc/server/srv_netlog.c. The
relevant call is cred_hash3().

NT machines are happily changing their own passwords to
a Samba PDC :-).



Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
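
The key setup described in the reply above, as an added example (not part of the original post and not Samba's own code): it splits an 8-byte session key into the two 7-byte DES keys and expands each to the 8-byte form a DES routine takes. The helper names, the sample session key and the 7-to-8-byte expansion are assumptions; the DES encryption of the MD4 hash itself is not included.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample value, not a captured session key. */
static const uint8_t SAMPLE_SESSION_KEY[8] =
    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };

/* Spread 56 key bits over 8 bytes, 7 per byte in bits 7..1. Bit 0 is
 * the DES parity bit, which DES ignores; it is left clear here. */
static void expand_des_key(const uint8_t k7[7], uint8_t k8[8])
{
    k8[0] = k7[0] >> 1;
    k8[1] = ((k7[0] & 0x01) << 6) | (k7[1] >> 2);
    k8[2] = ((k7[1] & 0x03) << 5) | (k7[2] >> 3);
    k8[3] = ((k7[2] & 0x07) << 4) | (k7[3] >> 4);
    k8[4] = ((k7[3] & 0x0F) << 3) | (k7[4] >> 5);
    k8[5] = ((k7[4] & 0x1F) << 2) | (k7[5] >> 6);
    k8[6] = ((k7[5] & 0x3F) << 1) | (k7[6] >> 7);
    k8[7] = k7[6] & 0x7F;
    for (int i = 0; i < 8; i++)
        k8[i] = (uint8_t)(k8[i] << 1);
}

/* Hypothetical helper: key1 = session bytes 0..6, key2 = session byte 7
 * followed by six zero bytes ("zero filled"), each expanded for DES. */
void split_session_key(const uint8_t sess[8], uint8_t key1[8], uint8_t key2[8])
{
    uint8_t second[7] = { 0 };
    second[0] = sess[7];
    expand_des_key(sess, key1);
    expand_des_key(second, key2);
}

/* Return byte idx of derived key 0 or 1 (convenience for checks). */
uint8_t derived_key_byte(const uint8_t sess[8], int which, int idx)
{
    uint8_t key1[8], key2[8];
    split_session_key(sess, key1, key2);
    return which == 0 ? key1[idx] : key2[idx];
}

int main(void)
{
    for (int w = 0; w < 2; w++) {
        printf("key%d:", w + 1);
        for (int i = 0; i < 8; i++)
            printf(" %02X", derived_key_byte(SAMPLE_SESSION_KEY, w, i));
        printf("\n");
    }
    return 0;
}
```

Only 8 of the second key's 56 bits come from the session key; the remaining 48 are the zero fill.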
