NTDOM: pass-through authentication in NT Domains.

Paul Ashton paul at argo.demon.co.uk
Thu Feb 5 12:34:08 GMT 1998

At 20:10 04/02/98 , Luke Kenneth Casson Leighton wrote:
>as of yet, however, we can only speculate as to why the response packet
>"User Session Key"  is filled in with a 16 byte value, and why the
>"Expansion Room" is filled in with an 8 byte value.

The UserSessionKey contains MD4(nthash) post SP3 and maybe
LM-FIX, and first8bytes(lmhash)|8 zeroes, previously.
ExpansionRoom contains first8bytes(lmhash) always.
Both are encrypted with the current RC4 session key.


More information about the samba-ntdom mailing list