NTLMSSP [was - RE: About Kerberos Programming]

Nicolas Williams Nicolas.Williams at ubsw.com
Wed Apr 4 18:56:15 GMT 2001

Hmmm, well, if you were all on good terms with Luke you could ask him.
Heimdal's web page includes instructions for obtaining a ticket with a
PAC from AD and looking at it and Luke looked at one and told me what he
recognized -- you wouldn't be surprised, it's just a user profile as if
lifted from LSA trace or something like that.

Several public MS docs describe some aspects of this stuff, like the
presence of two signatures of the profile and so on. I have posted URLs
to some of these docs at the open-it.org web site.

I'm sure you can all figure out the PAC stuff no problem.

The question is: how much effort must you do in order to prove that you
never got knowledge of any of those details by reading the MS spec, the
one they distributed with a click license claiming protection under the

My advice? Get a lawyer.


On Wed, Apr 04, 2001 at 07:40:28PM +0100, Mayers, Philip J wrote:
> Ugh. Damn. That's unfortunate...
> Jeremy - I was making progress with the ExtSec code, but I'm hung up on
> decoding a new on-the-wire struct I haven't seen before - do you have any
> idea if there's a good spec for NTLMSSP (ha!) anywhere - specifically what
> flags cause what structs to be sent back? I want to get NTLMSSP working
> first, and then kerberos should be a drop-in. My plan after that was to
> attack the PAC (still managing to have not read the spec, despite several
> people mailing links to me... :o)
> Regards,
> Phil
> +----------------------------------+
> | Phil Mayers, Network Support     |
> | Centre for Computing Services    |
> | Imperial College                 |
> +----------------------------------+
> -----Original Message-----
> From: Jeremy Allison [mailto:jeremy at valinux.com]
> Sent: 04 April 2001 18:10
> To: kerberos at MIT.EDU
> Subject: Re: About Kerberos Programming
> Nicolas Williams <Nicolas.Williams at ubsw.com> wrote:
> : Well, not quite. You can only do this kind of query if you're
> : authorized, and if you're running ActiveDirectory in native mode with no
> : NT4 systems around, then by default computer trust accounts don't have
> : the authorization to look up users' profiles.
> : THAT is one of the points of putting the profile in Kerberos tickets,
> : that hosts need not lookup user profiles and thus they do not need the
> : authorization to perform the lookups, thus making it harder to
> : enumerate the users in your domain and thus find attack targets.
> *Very* good point - I hadn't considered that, thanks. Looks like
> we're going to have to be messing with the PAC format much sooner
> than I thought.....
> Thanks,
> 		Jeremy Allison,
> 		Samba Team.
> -- 
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------