NTDOM: pass-through authentication in NT Domains.

[Luke Kenneth Casson Leighton]

a few days ago, i posted a NETLOGON message - a SAM Logon packet which
uses "pass through" technology, but for NT / NT interaction, not non-NT /
NT interaction.  i asked if anyone knew anything about this, and whether
the data was encrypted.

well, after examining some surrounding traffic (SMBnegprot and
SMBsessionsetupX) it turns out that the SMBnegprot response (with the 8
byte challenge) and the SMBsessionsetupX request (with the LM and NT 24
byte responses) are not encrypted.

so, coding this up was pretty trivial.

as a result, a Samba PDC can now verify a user from one NT workstation (or
in fact _any_ smb client that uses NT / LM encrypted passwords) that
attempts to access a second workstation's shares, where the second
workstation is a member of the Samba PDC's domain.

client-side code is to follow.  again, this will be pretty trivial.

as of yet, however, we can only speculate as to why the response packet
"User Session Key"  is filled in with a 16 byte value, and why the
"Expansion Room" is filled in with an 8 byte value.

these values are the same size as the 16 byte long-term password and the 8
byte credential chain's session key.  maybe there's either some recursion
possible, or you need these for a "Network" SAM Logoff.  or password
changing.  all speculation.

luke

<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton  </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk"       > Samba and Network Consultancy </a>