SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Feb 9 23:22:52 GMT 2000


On Thu, 10 Feb 2000, James Sutherland wrote:

> On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
> 
> > > > This trick is bad. The SAM daemon should only open its DB at startup and
> > > > after any event where it must close it for maintenance (say,
> > > > rewriting). Access to the records in SAM db must be controlled not by
> > > > the DB's file permissions but by code in the SAM daemon (and ACLs,
> > > > implicit or explicit, in the SAM DB).
> > > 
> > > Agreed - if Unix file permissions are used, then either users have full
> > > access to the entire SAM file, or no access to it at all. Neither is
> > > really desirable, I suspect? :)
> > 
> > well, that's microsoft's stupid fault, they shouldn't have allowed
> > anonymous access to the damn SAM database over DCE/RPC.
> > 
> > > i.e. if you can get the SAM remotely using DCE/RPC, who gives a *monkey's*
> > > if the same info (and only the same info) is available by telnet to a box
> > > and vi some-sam-database-file????
> 
> One problem: If I can write the password list file (so I can change my
> password), I can also write to anyone ELSE's password entry. Not to
> mention read their (plaintext equivalent) password.

yes.  that's why i have owner-root, rw-r--r-- permissions on the SAM
files, and why i want to create a syskey-like algorithm.

or create an equivalent of /etc/shadow.
 
> I know there are problems (BIG problems) with NT's protection (or lack
> thereof) of the SAM database, but I didn't think it allowed anonymous
> users to download the passwords?

you're absolutely correct, they don't.... *giggle*

what makes you think i will, either?



[actually, if you add a BDC to a domain using NT4, you can use rpcclient's
samsync command to pretend to be that BDC because the trust account
password is BDCNAMEUNICODELOWERCASE, and grab the entire SAM database
anonymously.  the window of opportunity is between when the BDC is added
to the domain during the BDC-install stage and when the BDC installation
is completed and you are presented, for the first time, with the
ctrl-alt-delete box on the BDC.

so yes, microsoft allows anonymous users to download the passwords, but
not in the way you perceive or describe.

the word from microsoft is that microsoft does not consider this to be a
serious security risk, by the way.  oh, and they've probably fixed it
for nt5.]
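The "equivalent of /etc/shadow" mentioned above, worked through as an added example (this is not Samba code and not from the thread): an smbpasswd-style file is split into a world-readable public part and a root-only part holding the LM/NT hashes, so the plaintext-equivalent hashes are no longer readable by everyone who can read the account list. The sample records and the file names are constructed for the example; the hashes are made-up placeholders.

```python
import os
import stat
import tempfile

# Constructed sample records in smbpasswd(5) layout:
#   username:uid:LM_HASH:NT_HASH:[account flags]:LCT-<hex time>:
# The 32-hex-digit hashes are placeholders invented for this example.
SAMPLE_SMBPASSWD = """\
alice:1001:11111111111111111111111111111111:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-389D1A2B:
bob:1002:22222222222222222222222222222222:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-389D1A2C:
bdc1$:1003:33333333333333333333333333333333:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-389D1A2D:
"""


def parse_smbpasswd(text):
    """Parse smbpasswd-style text into a list of dicts (one per record)."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("malformed smbpasswd record: %r" % line)
        records.append({
            "user": fields[0], "uid": int(fields[1]),
            "lm": fields[2], "nt": fields[3],
            "flags": fields[4], "lct": fields[5],
        })
    return records


def _write_with_mode(path, lines, mode):
    """Create the file with the final mode from the start (O_EXCL, explicit
    mode), so there is no window where it exists with looser permissions.
    The umask can only remove bits, so chmod afterwards pins the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write("".join(lines))
    os.chmod(path, mode)


def split_sam(text, public_path, shadow_path):
    """Write the non-secret account data to public_path (0644) and the
    LM/NT hashes to shadow_path (0600). Returns the number of records."""
    records = parse_smbpasswd(text)
    public = ["%s:%d:%s:%s:\n" % (r["user"], r["uid"], r["flags"], r["lct"])
              for r in records]
    shadow = ["%s:%s:%s:\n" % (r["user"], r["lm"], r["nt"]) for r in records]
    _write_with_mode(public_path, public, 0o644)
    _write_with_mode(shadow_path, shadow, 0o600)
    return len(records)


def read_hashes(shadow_path, user):
    """Look up (lm, nt) for one user in the shadow file. Only the SAM daemon
    (running as the file owner) is expected to be able to open this file;
    an unprivileged caller gets PermissionError from the OS."""
    with open(shadow_path) as f:
        for line in f:
            name, lm, nt = line.rstrip("\n").split(":")[:3]
            if name == user:
                return lm, nt
    return None


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def hashes_leaked(public_path, text):
    """True if any LM/NT hash from the original records is in the public file."""
    recs = parse_smbpasswd(text)
    secrets = {r["lm"] for r in recs} | {r["nt"] for r in recs}
    with open(public_path) as f:
        content = f.read()
    return any(s in content for s in secrets)


def demo():
    """Split the constructed sample into a temp dir and report what happened."""
    d = tempfile.mkdtemp()
    pub = os.path.join(d, "smbpasswd.public")   # hypothetical file name
    shd = os.path.join(d, "smbpasswd.shadow")   # hypothetical file name
    n = split_sam(SAMPLE_SMBPASSWD, pub, shd)
    return {
        "records": n,
        "public_mode": file_mode(pub),
        "shadow_mode": file_mode(shd),
        "leaked": hashes_leaked(pub, SAMPLE_SMBPASSWD),
        "bob_nt": read_hashes(shd, "bob")[1],
        "missing": read_hashes(shd, "nobody"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if k.endswith("_mode") else v)
```

The point of the split is the one made in the reply above: with a single rw-r--r-- file, everyone who can read the account list can also read the hashes, and the hashes are plaintext-equivalent for NTLM. Keeping them in a separate 0600 file moves the access decision from "who can read the file" to "what the daemon that owns the file is willing to hand out", which is the property the SYSKEY-like idea also aims at.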


