NTLMSSP [was - RE: About Kerberos Programming]

Mayers, Philip J p.mayers at ic.ac.uk
Wed Apr 4 18:40:28 GMT 2001

Ugh. Damn. That's unfortunate...

Jeremy - I was making progress with the ExtSec code, but I'm hung up on
decoding a new on-the-wire struct I haven't seen before - do you have any
idea if there's a good spec for NTLMSSP (ha!) anywhere - specifically what
flags cause what structs to be sent back? I want to get NTLMSSP working
first, and then Kerberos should be a drop-in. My plan after that was to
attack the PAC (still managing to have not read the spec, despite several
people mailing links to me... :o)


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |

-----Original Message-----
From: Jeremy Allison [mailto:jeremy at valinux.com]
Sent: 04 April 2001 18:10
To: kerberos at MIT.EDU
Subject: Re: About Kerberos Programming

Nicolas Williams <Nicolas.Williams at ubsw.com> wrote:

: Well, not quite. You can only do this kind of query if you're
: authorized, and if you're running ActiveDirectory in native mode with no
: NT4 systems around, then by default computer trust accounts don't have
: the authorization to look up users' profiles.

: THAT is one of the points of putting the profile in Kerberos tickets,
: that hosts need not look up user profiles and thus they do not need the
: authorization to perform the lookups, thus making it harder to
: enumerate the users in your domain and thus find attack targets.

*Very* good point - I hadn't considered that, thanks. Looks like
we're going to have to be messing with the PAC format much sooner
than I thought.....


		Jeremy Allison,
		Samba Team.

Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
