Empty passwords transferred from NT PDC to Samba BDC
Ricardo Campos Passanezi
riccp at ige.unicamp.br
Thu Sep 13 16:25:02 GMT 2001
On Fri, Sep 14, 2001 at 12:58:29AM +0200, Luke Kenneth Casson Leighton wrote:
> hi there recaro, i'm posting this on-lists _without_ your
> confidential log.netlogon trace attached, which contains
> your private $MACHINE.ACC trust account and also a
> user-password, i recommend you change those soon [change
> user-pass, also re-join wksta to domain if you're seriously
> paranoid :) ]
No problems. The pass, I've already changed :-)
> okay, an analysis shows:
> - NetrRequestChallenge from client
> [internal, LsaQuerySecret by server on loopback to get Trust
> account pwd, $MACHINE.ACC]
> response to client
> - NetrAuth2 from client
> response to client: Schannel negotiation agreed
> - on a *separate* connection (SChannel):
> encrypted NetrSamLogon from client to validate User Logon.
> encrypted response to client, validating User Logon.
> - on the same connection (Schannel):
> *second* encrypted NetrSamLogon from client to validate User Logon.
> and this is the point at which failure occurs, but it
> is not obvious.
> encrypted response is INCORRECTLY digitally signed, i know
> this because the code's not finished.
> - *separate* connection is dropped.
> - re-negotiation of *separate* connection is requested, which
> i've never seen before.
> the solution is:
> fix the SChannel digital signatures. i don't have the
> resources at present to remotely contemplate doing this,
> but some kind people have responded so i _might_ be able
> to investigate this again at some point in the future.
> the temporary work-around is:
> disable SChannel. someone pointed out that XP forces
> SChannel SignandSeal to 'Required'. this was mentioned
> only last week or so.
> what i recommend you do is look this up and disable it,
> search in the registry for NETLOGON key, if you can't
> find it, and also search the MS KB articles. it would
> help if you _do_ find it if you could post the KB article
> reference, here.
> sorry i can't help more at this time,
So, I guess I have to spend some time on it later. I'm too damn busy
here and I don't have much time left to do this testing.
If I ever have some work done, I'll send it to the list.
Thanks for your help...