samsync "secure channel"

Ronan Waide waider at waider.ie
Mon Mar 24 17:18:59 GMT 2003


Hi folks,

I've been digging around a problem I've had recently where an NT4 PDC
is refusing to give me password hashes. Everything else from a samsync
run appears ok, just that the password hashes are missing. I've tried
to build an identical virtual machine, but can't figure out what's
causing the problem. The network in question doesn't currently have a
BDC, so I've not been able to verify that it's solely a Samba problem,
either. However, I have turned up some (potentially) interesting
stuff; in performing a samsync, NT4 compares with Samba as
follows:

NT4 PDC/NT4 BDC, traffic from BDC->PDC
* Negotiated Protocol level is 7
* Setup AndX and Tree Connect are in one packet
  (chained together as permitted by AndX).
  Anonymous user used.
* NT Create AndX, path = \\netlogon
  Security Tracking mode is dynamic
* DCE bind to NETLOGON pipe
  callid = 0
  No packet flags set
  Auth data filled in:
    auth type = NETLOGON Secure Channel (0x68)
    auth level = Packet security (0x06)
    auth credentials include null-terminated Domain and PDC strings.
* Further traffic is encrypted based on the auth data

NT 4 PDC/Samba BDC, traffic from BDC->PDC
* Negotiated Protocol level is 8
* Separate Setup and Tree Connect AndX's
  Anonymous user used.
* NT Create AndX, path = \\netlogon
  Security tracking mode is dynamic
* DCE bind to NETLOGON pipe
  callid = 1
  First and Last frag flags set
  No auth data
* Further traffic appears to be entirely in the clear, but ethereal
  had trouble decoding it.

I'm not sure which, if any, of the above differences would be caused
by the different negotiated protocols - in fact, I'd expect level 8 to
be more secure than level 7, from what little I understand of the
protocol levels. I've also looked at the code that creates DCE packets
and there doesn't, at present, appear to be an easy way to signal that
the auth data should be activated - it's currently keyed off the
Sign/Seal stuff that Andrew was working on, and the auth data is fixed
length and fixed type (0x0a).

Anyway, I'm going to have to run up a BDC on the "real" network to
determine if any of the above explains why I can't get password hashes
from the PDC. If anyone has clues to throw me, feel free :)

Cheers,
Waider.

PS as ever, this is Samba HEAD, and NT4 SP6 + all Windows Update patches
-- 
waider at waider.ie / Yes, it /is/ very personal of me.

"anyplace where you cannot feel cold shall hold you in its arms forever."
                                                    - Corprew Reed
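As an added illustration (not code from the post or from Samba), a small Python decoder for the DCE/RPC bind PDU that tells the two binds described above apart by whether a NETLOGON sec_trailer is present, and pulls the NUL-terminated names out of the auth value when it is. It assumes the MS-RPCE/MS-NRPC layouts: the 8-byte sec_trailer sits just before the auth value at the end of the fragment, RPC_C_AUTHN_NETLOGON is 68 decimal (0x44; the post's "0x68" is most likely that decimal value as shown by the decoder) at auth level 6 (packet privacy), and the auth value is an NL_AUTH_MESSAGE (4-byte type, 4-byte flags, NUL-terminated names); the two sample PDUs are constructed to mirror the post's observations, not captured traffic.

```python
import struct
import uuid

# MS-RPCE constants: bind PDU type, fragment flags, and the NETLOGON
# secure-channel auth type (68 decimal, 0x44) at packet-privacy level (6).
PTYPE_BIND, PFC_FIRST_FRAG, PFC_LAST_FRAG = 11, 0x01, 0x02
AUTH_TYPE_SCHANNEL, AUTH_LEVEL_PRIVACY = 68, 6
NETLOGON_UUID = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def parse_bind(pdu):
    """Decode a connection-oriented bind PDU; 'auth' is None when no sec_trailer is present."""
    vers, _minor, ptype, flags, _drep, frag_len, auth_len, call_id = struct.unpack_from(
        "<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND or frag_len != len(pdu):
        raise ValueError("not a well-formed DCE/RPC v5 bind PDU")
    info = {"call_id": call_id, "first_frag": bool(flags & PFC_FIRST_FRAG),
            "last_frag": bool(flags & PFC_LAST_FRAG), "auth": None}
    if auth_len:
        off = frag_len - auth_len - 8          # 8-byte sec_trailer precedes auth_value
        if off < 16:
            raise ValueError("auth trailer overlaps the header")
        atype, alevel, _pad, _res, ctx = struct.unpack_from("<BBBBI", pdu, off)
        info["auth"] = {"type": atype, "level": alevel, "context_id": ctx, "value": pdu[off + 8:]}
    return info

def schannel_names(auth_value):
    """NL_AUTH_MESSAGE (MS-NRPC): 4-byte MessageType, 4-byte Flags, then NUL-terminated names."""
    return [n.decode("ascii") for n in auth_value[8:].split(b"\0") if n]

def bind_is_secure_channel(pdu):
    """True only if the bind carries a NETLOGON auth trailer at packet privacy."""
    auth = parse_bind(pdu)["auth"]
    return auth is not None and (auth["type"], auth["level"]) == (AUTH_TYPE_SCHANNEL, AUTH_LEVEL_PRIVACY)

def make_bind(call_id, flags, auth_value=None):
    """Constructed sample: one-context bind to NETLOGON over NDR, optional schannel trailer."""
    ctx = (struct.pack("<BBHHBB", 1, 0, 0, 0, 1, 0) + NETLOGON_UUID.bytes_le
           + struct.pack("<I", 1) + NDR_UUID.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 4280, 4280, 0) + ctx
    trailer = b"" if auth_value is None else struct.pack(
        "<BBBBI", AUTH_TYPE_SCHANNEL, AUTH_LEVEL_PRIVACY, 0, 0, 0) + auth_value
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags, b"\x10\0\0\0",
                      16 + len(body) + len(trailer), len(trailer[8:]), call_id)
    return hdr + body + trailer

# Constructed samples mirroring the two captures described in the post (not real traffic).
NT4_BDC_BIND = make_bind(0, 0, struct.pack("<II", 0, 3) + b"EXAMPLEDOM\0EXAMPLEPDC\0")
SAMBA_BDC_BIND = make_bind(1, PFC_FIRST_FRAG | PFC_LAST_FRAG)
```

Running `parse_bind` over a bind taken from a capture shows at a glance whether the client asked for a secure channel at all, which is the first thing to confirm before looking at why the reply omits hashes.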