Empty passwords transferred from NT PDC to Samba BDC

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Wed Sep 12 03:29:02 GMT 2001


On Tue, Sep 11, 2001 at 10:44:47PM -0700, Jeremy Jackson wrote:
> Luke Kenneth Casson Leighton wrote:
> > 
> > On Tue, Sep 11, 2001 at 10:28:50AM -0700, David Abouav wrote:
> > > Hi Luke,
> > >
> > > My PDC is a Windows 2000 Server.
> > 
> > BDC functionality, as i understand it, has been disabled
> > in NT5.
> 
> This is not entirely true.  If the domain has not been switched
> to native mode (w2k only), an MS NT4 BDC can be installed
> (after the w2k PDC is setup - upgrading from a nt4 pdc/bdc network
> i think automatically joins existing BDCs); I did
> this then used pwdump.exe to get the hashed passwords out of our
> w2k PDC so I could install samba instead.  I wanted to use TNG,
> but couldn't in the time available get samsync working.  To do
> the MS NT4 BDC thing, there is a MS KB article; you have to install
> a tool from the w2k cd, then use it to manually add the NT4 BDC
> into the domain controller container in AD.  I can personally verify
> that the passwords may be retrieved via this method; the w2k DC was
> sp2 at the time.  


thanks jeremy.

curious.  if anyone has nt5 server and nt4 sp3 server - yes, sp3 or
lower - could they please try the above setup and obtain a
netmon trace?

if not, we're going to have to use one of andrew's pass-through-and-
modify techniques to strip out bits from the NetrRequestChallenge
and NetrAuthenticate2 on \PIPE\NETLOGON, to switch off the
Schannel sign/seal negotiation.

this will result in a cleartext NetrSamSync on-wire that will
be easier to decode.

luke
