Empty passwords transferred from NT PDC to Samba BDC

Ricardo Campos Passanezi riccp at ige.unicamp.br
Thu Sep 13 16:25:02 GMT 2001

On Fri, Sep 14, 2001 at 12:58:29AM +0200, Luke Kenneth Casson Leighton wrote:
> hi there recaro, i'm posting this on-lists _without_ your
> confidential log.netlogon trace attached, which contains
> your private $MACHINE.ACC trust account and also a
> user-password, i recommend you change those soon [change
> user-pass, also re-join wksta to domain if you're seriously
> paranoid :) ]

No problems. The pass, I've already changed :-)

> okay, an analysis shows:
> - NetrRequestChallenge from client
>    [internal, LsaQuerySecret by server on loopback to get Trust
>     account pwd, $MACHINE.ACC]
>   response to client
> - NetrAuth2 from client
>   response to client: Schannel negotiation agreed
> - on a *separate* connection (SChannel):
>   encrypted NetrSamLogon from client to validate User Logon.
>   encrypted response to client, validating User Logon.
> - on the same connection (Schannel):
>   *second* encrypted NetrSamLogon from client to validate User Logon.
>   and this is the point at which failure occurs, but it
>   is not obvious.
>   encrypted response is INCORRECTLY digitally signed, i know
>   this because the code's not finished.
> - *separate* connection is dropped.
> - re-negotiation of *separate* connection is requested, which
>   i've never seen before.
> the solution is:
> fix the SChannel digital signatures.  i don't have the
> resources at present to remotely contemplate doing this,
> but some kind people have responded so i _might_ be able
> to investigate this again at some point in the future.
> the temporary work-around is:
> disable SChannel.  someone pointed out that XP forces
> SChannel SignandSeal to 'Required'.  this was mentioned
> only last week or so.
> what i recommend you do is look this up and disable it,
> search in the registry for NETLOGON key, if you can't
> find it, and also search the MS KB articles.  it would
> help if you _do_ find it if you could post the KB article
> reference, here.
> sorry i can't help more at this time,

So, i guess i have to spend some time on it later. I'm too damn busy
here and I have not much time left to do this testings.

If I ever have some work done, I'll send to the list.

Thanks for your help...


More information about the samba-technical mailing list