Machine account getting trashed (Was: Authentication through transitive trusts)

Andrew Bartlett abartlet at samba.org
Thu Jul 24 10:02:32 GMT 2003


On Thu, 2003-07-24 at 08:49, Marc Kaplan wrote:
> List:
> 
> This may be rehashing already extant data re: this post, but I want to send
> some traces that I've done recently.
> 
> Samba domain member trace:
> Let me introduce the cast of characters
> 
> 172.16.203.102: Win2k client, no service pack installed
> 172.16.203.107: Samba domain member server (running alpha19)
> 172.16.203.201: Win2k DC (KDC in this case)
> 
> In the first trace (hostentry-not-corrupted.ethereal.cap), I joined the
> domain, and then from the win2k client I did a find computer, and searched
> for the Samba server by hostname, and connected by hostname. My brief look
> at it shows that at first we offer Kerberos and ntlmssp, and the client
> chooses ntlmssp.  Seems that later the client does another negotiate
> protocol request, and then we use Kerberos.

The first try was a "" user, so the DC was not contacted.

> In the second trace (hostentry-corrupted.ethereal.cap), I joined the domain,
> and then from the win2k client I did a find computer, and searched for the
> Samba server by IP, and connected by IP.  Seems that in the TGS-REQ the
> win2k client asks the KDC for the principal 172.16.203.107 at win2kdom.snap2,
> which is wrong (correct is mkaplan-manta1 at win2kdom.snap2), and KRB-ERR is
> returned to the client, who then tries NTLMSSP.

What happens if you contact by hostname, after it becomes 'corrupted'? 
I'm not interested in how it gets 'corrupted' (I'm pretty sure I know
what's going on there) but I want to know how that manifests itself.

> 
> Win2k domain member trace:
> The next set of traces have the following characters:
> 172.16.203.102: Win2k client, no service pack installed
> 172.16.203.220: Win2k domain member server 
> 172.16.203.201: Win2k DC (KDC in this case)
> 
> In the first trace (hostentry-not-corrupted-win2kbyhostname.ethereal.cap), I
> joined the domain with the win2k domain member server, did a find computer
> and searched and connected by hostname.
> 
> In the second trace (hostentry-not-corrupted-win2kbyip.ethereal.cap), I
> joined the domain with the win2k domain member server, did a find computer
> and search and connected by IP.
> 
> The question is why does the host account not get trashed in
> hostentry-not-corrupted-win2kbyip.ethereal.cap when the same set of
> behaviors for samba in hostentry-corrupted.ethereal.cap corrupted it?
> 
> Let me know if I can provide some more information.

The reason is that the auth2 command on the NETLOGON pipe is an NT4-only
command - win2k will not issue it - and this causes the 'reset' back to
'this is an NT server'.  My theory is that 

What I need to see traced is the client connecting by hostname to a
'corrupted' server.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
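The IP-versus-hostname behaviour in the traces above, as an added model that is not part of the original message or of Samba: the client derives the service principal name from whatever the user typed, so connecting by IP literal asks the KDC for a principal nobody registered, the KDC answers KRB-ERROR and the client drops to NTLMSSP, while an anonymous ("" user) session setup never contacts the DC at all. The SPN form `cifs/<target>@REALM`, the KDC table, the error-code constant and the names are constructed assumptions for illustration; KDC_ERR_S_PRINCIPAL_UNKNOWN (7) is the standard Kerberos error number.

```python
"""Constructed model of the Kerberos/NTLMSSP fallback seen in the traces.

Everything here is illustrative (not Samba or Windows code): a toy KDC that
knows only the SPNs registered at domain join, a client that builds its SPN
verbatim from the name the user typed, and the resulting mechanism choice.
"""
import ipaddress
from dataclasses import dataclass, field

REALM = "WIN2KDOM.SNAP2"          # assumed realm, matching the trace's domain
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7   # standard Kerberos error code


@dataclass
class Kdc:
    """Toy KDC: remembers the service principals created at domain join."""
    principals: set = field(default_factory=set)

    def register_host(self, hostname: str) -> None:
        # Joining registers the machine's host-based SPN; IPs are never registered.
        self.principals.add(f"cifs/{hostname.lower()}@{REALM}")

    def tgs_req(self, sname: str):
        """Answer a TGS-REQ: ('TGS-REP', sname) or ('KRB-ERROR', code)."""
        if sname in self.principals:
            return ("TGS-REP", sname)
        return ("KRB-ERROR", KDC_ERR_S_PRINCIPAL_UNKNOWN)


def is_ip_literal(target: str) -> bool:
    """True when the user connected by address rather than by name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def spn_for_target(target: str) -> str:
    """The client builds the SPN from the typed target, verbatim (assumed form).

    'mkaplan-manta1'  -> cifs/mkaplan-manta1@WIN2KDOM.SNAP2  (registered)
    '172.16.203.107'  -> cifs/172.16.203.107@WIN2KDOM.SNAP2  (unknown to KDC)
    """
    return f"cifs/{target.lower()}@{REALM}"


def negotiate(kdc: Kdc, target: str, offered: tuple, user: str = "mkaplan") -> dict:
    """One SMB session setup against a server offering the given mechanisms.

    An anonymous ("" user) setup never touches the DC. Otherwise the client
    tries Kerberos first if offered and falls back to NTLMSSP on KRB-ERROR.
    """
    if user == "":
        return {"mech": "anonymous", "dc_contacted": False, "kdc_result": None}

    if "Kerberos" in offered:
        sname = spn_for_target(target)
        kind, payload = kdc.tgs_req(sname)
        if kind == "TGS-REP":
            return {"mech": "Kerberos", "dc_contacted": True,
                    "kdc_result": kind, "sname": sname}
        if "NTLMSSP" in offered:
            return {"mech": "NTLMSSP", "dc_contacted": True,
                    "kdc_result": (kind, payload), "sname": sname}
        raise RuntimeError(f"no usable mechanism for {target}: KRB-ERROR {payload}")

    if "NTLMSSP" in offered:
        return {"mech": "NTLMSSP", "dc_contacted": False, "kdc_result": None}
    raise RuntimeError("server offered no supported mechanism")


def expected_mech(target: str) -> str:
    """Quick diagnostic: an IP literal can only ever end up on NTLMSSP."""
    return "NTLMSSP" if is_ip_literal(target) else "Kerberos"


if __name__ == "__main__":
    kdc = Kdc()
    kdc.register_host("mkaplan-manta1")            # the Samba member joined
    offered = ("Kerberos", "NTLMSSP")              # what the server advertises
    for target in ("mkaplan-manta1", "172.16.203.107"):
        print(target, expected_mech(target), negotiate(kdc, target, offered))
    print("anonymous", negotiate(kdc, "mkaplan-manta1", offered, user=""))
```

Run it to see the hostname connection land on Kerberos and the IP connection land on NTLMSSP with `('KRB-ERROR', 7)` recorded from the KDC; the `expected_mech` check is the one-liner to apply to a trace before looking for anything more exotic.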