s3-netlogon: implement _netr_ServerPasswordSet2.

Andrew Bartlett abartlet at samba.org
Thu Sep 3 03:58:04 MDT 2009


On Thu, 2009-09-03 at 09:59 +0200, Guenther Deschner wrote:
> On Thu, Sep 03, 2009 at 07:25:48AM +1000, Andrew Bartlett wrote:
> > On Wed, 2009-09-02 at 14:31 +0200, Guenther Deschner wrote:
> > > Hi Andrew,
> > > 
> > > On Wed, Sep 02, 2009 at 09:24:48PM +1000, Andrew Bartlett wrote:
> > > > On Wed, 2009-09-02 at 03:48 -0500, Günther Deschner wrote:
> > > > > commit 2b8afd2257d8c9886f785929ca8dfcd04eb45755
> > > > > Author: Günther Deschner <gd at samba.org>
> > > > > Date:   Thu Aug 27 23:30:50 2009 +0200
> > > > > 
> > > > >     s3-netlogon: implement _netr_ServerPasswordSet2.
> > > > >     
> > > > >     Guenther
> > > > 
> > > > How do you propose to handle the random data Windows feeds to this
> > > > function?  You cannot convert the password given here into UTF8 - you
> > > > must MD4 the original buffer.
> > > 
> > > If you look at one of the preceding patches you'd see that we do exactly
> > > that: MD4 the original buffer. We only ever handle the cleartext if we can
> > > decode the buffer (just as Samba4 does). Also, Samba3 does not store clear
> > > text passwords at all, so it's just fine to store generated hashes.
> > 
> > Ahh, great.  I didn't see that, and as this function left some pretty
> > deep wounds, I assumed the worst :-)
> > 
> > For safety's sake, as there are no password policies on machine accounts,
> > and no other reason to store the plaintext, I would always MD4 it.  That
> > is what Samba4 does (the conversion is only to create the kerberos
> > keys).
> 
> Right, so s3 should be ok then already. Thanks for ringing the alarm bell!

Not really.  What I'm saying is that for best safety, never even try
convert_string_talloc() on that DATA_BLOB; just MD4 it.

> Ok, I noticed XP will also try netr_ServerPasswordSet2 first on an s3 DC
> once you issue a _netr_LogonControl2 with NETLOGON_CONTROL_CHANGE_PASSWORD
> remotely.

That will make testing this much easier...

> Thanks again for watching the work in this area.

No worries!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
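The point Andrew makes above (MD4 the raw buffer, never run it through a charset conversion), as an added example that is not part of this thread or of Samba's code. It assumes the decrypted netr_CryptPassword buffer has the 516-byte layout of 512 data bytes with the password right-aligned behind random filler plus a trailing 4-byte little-endian length; the MD4 is a pure-Python one so it runs without OpenSSL's legacy provider, and the machine password is a constructed byte string with unpaired UTF-16 surrogates.

```python
import os, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so this runs without OpenSSL's legacy provider."""
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rounds = ((f1, 0, list(range(16)), (3, 7, 11, 19)),
              (f2, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
              (f3, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + f(b, c, d) + x[j] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password_bytes: bytes) -> bytes:
    """NT hash the way the thread recommends: MD4 over the raw wire bytes, no charset conversion."""
    return md4(password_bytes)

# Assumed layout of the decrypted buffer: 512 data bytes with the password right-aligned
# behind random filler, followed by a 4-byte little-endian length.
def extract_password(decrypted: bytes) -> bytes:
    if len(decrypted) != 516:
        raise ValueError("expected a 516-byte password buffer")
    (length,) = struct.unpack("<I", decrypted[512:])
    if length > 512:
        raise ValueError("bogus password length %d" % length)
    return decrypted[512 - length:512]

def build_buffer(password_bytes: bytes) -> bytes:
    """Constructed client-side buffer (pre-encryption) in the same assumed layout, for testing."""
    return os.urandom(512 - len(password_bytes)) + password_bytes + struct.pack("<I", len(password_bytes))

def is_valid_utf16le(raw: bytes) -> bool:
    try:
        raw.decode("utf-16-le")
        return True
    except UnicodeDecodeError:
        return False

# Constructed machine password with unpaired surrogates: a UTF-8 conversion such as convert_string_talloc() rejects it, MD4 does not care.
RANDOM_MACHINE_PW = b"\x00\xd8\x41\x00\xff\xdf\x12\x34"
```

`nt_hash(extract_password(buf))` is the whole server-side step; a password that fails `is_valid_utf16le` still gets a well-defined hash.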