joining an M$ NT Server Domain with TNG

Elrond elrond at samba.org
Tue Aug 29 17:30:42 GMT 2000


On Tue, Aug 29, 2000 at 06:57:21PM +0200, Jens Skripczynski wrote:
[...]
> > Okay... The way Luke wanted it to work:
> > 
> > On your Linuxbox as root:
> > 
> > rpcclient -S NTSERVER -U Administrator%adminpw
> > [...]$ createuser TNGBOX$ -j -L
> > 
> > 
> > Yes, you need to know a user on the domain that is allowed
> > to create trust-accounts. If that isn't possible for you,
> > go and bug Luke. ;)
> *BUG* *BUG* :)
> Hm, no. He did a good thing. No, I wanted to try to see how TNG
> behaves in an NT environment. And with the old versions I could join via
> smbpasswd. Why do I suddenly need the Admin password, or why does the 2.0.7
> branch not need the pw?

Luke wanted the stuff to be more secure.

In 2.0.x it works like this (and it works the same with
a normal NT4 box joining a domain):

- ntadmin creates the trust-account (MEMBER$)
- srvmgr sets the pw of that account to "member"
- MEMBER connects to the NT box with that MEMBER$ and
  "member"
- the connection is encrypted with the current pw (guess
  what? That's "member" from above)
- MEMBER changes the pw for its trust-account.


If you want this scenario to be secure, you have to grab
your MEMBER-box and connect it to the PDC on a secure LAN.

With the method in TNG, you connect as Administrator and
the connection is encrypted with his pw (which shouldn't be
guessable). Then the trust-account is created and the new
random pw is set. It's more secure.

The problem, and why there's currently no way of doing the old
method with TNG: we don't know the commands to remotely
join an NT box into a domain. It is possible, because a
util called netdom exists to do that. I simply don't have
enough spare boxes to trace what it is doing...

(And we don't know yet how passwords are encrypted for
lsa_set_secret if (strlen(password) % 4) != 0.)

    Elrond

> 
> Ciao
> 
> Jens Skripczynski
> -- 
> E-Mail: skripi at igd.fhg.de
> 
> Computers are like airconditioners: They stop working 
> properly if you open windows.
> Win95:        A 32-bit patch for a 16-bit GUI shell running on top of an
>               8-bit operating system written for a 4-bit processor by a
>               2-bit company who cannot stand 1 bit of competition.
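The message above contrasts two join flows: the 2.0.x/NT4 one, where the member's first session is keyed by the well-known initial trust password (the lowercase machine name), and the TNG one, where the session is keyed by the Administrator's password and the new random machine password is set inside it. The following Python model is an added example, not Elrond's text and not Samba's or NT's code. Its hash and cipher are toy stand-ins (SHA-256 and an HMAC counter-mode keystream, not the real MD4/RC4/DES NETLOGON and SAMR crypto); they only preserve the one property the argument rests on: whoever can derive the key that protects the session can read the password change sent inside it.

```python
"""Toy model of the 2.0.x and TNG domain-join flows from the samba-ntdom thread.

Added illustration only. The primitives below are stand-ins, not the real
NT/Samba session crypto; they keep just the property discussed in the message:
an eavesdropper who knows the password that keys the session reads its contents.
"""
import hashlib
import hmac
import secrets


def session_key(password: str) -> bytes:
    """Stand-in for deriving a session key from an account password.

    Real SMB/NT sessions are keyed from the NT hash (MD4 over UTF-16LE).
    SHA-256 is used here only because MD4 is disabled in many OpenSSL builds.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """XOR with the toy keystream; symmetric, so the same call unseals."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def new_machine_password() -> str:
    """Random trust-account password the member picks for itself."""
    return secrets.token_urlsafe(12)


def join_2_0_x(machine: str) -> dict:
    """2.0.x / NT4 style join, following the bullet list in the message.

    ntadmin creates MACHINE$, srvmgr sets its password to the lowercase
    machine name, the member logs in with that and changes the password
    over a session keyed by it.
    """
    account = machine.upper() + "$"
    initial_pw = machine.lower()  # the well-known convention from the message
    new_pw = new_machine_password()
    # Member sends the password change protected by the initial password.
    wire = seal(session_key(initial_pw), new_pw.encode())
    # An eavesdropper who saw the machine name derives the same key.
    attacker_key = session_key(machine.lower())
    recovered = seal(attacker_key, wire).decode(errors="replace")
    return {"account": account, "new_password": new_pw, "attacker_recovered": recovered}


def join_tng(machine: str, admin_password: str) -> dict:
    """TNG style join: connect as Administrator, create MACHINE$, set a random pw.

    The session is keyed by the Administrator's password, which the
    eavesdropper does not know; the machine name is the best guess available.
    """
    account = machine.upper() + "$"
    new_pw = new_machine_password()
    wire = seal(session_key(admin_password), new_pw.encode())
    attacker_key = session_key(machine.lower())  # attacker's only cheap guess
    recovered = seal(attacker_key, wire).decode(errors="replace")
    return {"account": account, "new_password": new_pw, "attacker_recovered": recovered}


if __name__ == "__main__":
    old = join_2_0_x("member")
    new = join_tng("tngbox", "some-long-admin-passphrase")  # constructed value
    print("2.0.x flow, attacker read the new pw:", old["attacker_recovered"] == old["new_password"])
    print("TNG flow,   attacker read the new pw:", new["attacker_recovered"] == new["new_password"])
```

Running it prints True for the 2.0.x flow and False for the TNG flow, which is exactly Elrond's point: the old flow is only safe if the first join happens on a LAN the attacker cannot listen on, while the TNG flow is protected by the strength of the Administrator password, so the join can take place over a less trusted link.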