No subject


Wed Oct 20 02:45:58 MDT 2010


challenge are produced using generate_random_buffer().
So, it doesn't use anything related to machine account or machine name.
So, which is the part that is produced using the machine account or machine
name, so that the server can use that value to verify the authenticity
later?

Warm Regards,
Narendra

Visit my blogs at:
http://ssnarendrakumar.blogspot.com/
   ___    ___    __    _
  /  __/  /  __/  /     | / /
_\   \   _ \   \   /   /| |/ /
\___/ \___/   /_/ |__/


On Tue, Jan 18, 2011 at 10:23 AM, Narendra Kumar S.S <ssnkumar at gmail.com> wrote:

> Andrew and Volker,
>
>      Thanks for all the clarifications.
>      I will contact again, if I get any other doubts.
>
> Warm Regards,
> Narendra
>
> Visit my blogs at:
> http://ssnarendrakumar.blogspot.com/
>    ___    ___    __    _
>   /  __/  /  __/  /     | / /
> _\   \   _ \   \   /   /| |/ /
> \___/ \___/   /_/ |__/
>
>
> On Tue, Jan 18, 2011 at 6:23 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Mon, 2011-01-17 at 18:41 +0530, Narendra Kumar S.S wrote:
>> > Hello Volker and Andrew,
>> >
>> >
>> >     One final clarification.
>> >     I am sending the AUTH_CRAP from my own code to winbindd and
>> > winbindd sends it to DC/AD.
>> >     Now the server has the capability to use the NTLMv2 response to
>> > find out the original user.
>> >     To verify the authenticity, it has to know who is sending the
>> > NTLMv2 (in this case, my code is sending it thru winbindd).
>> >     I am filling up the AUTH_CRAP with the same information that I
>> > received from server and client.
>> >     So, how does the DC/AD get the serverPrincipalName to verify with
>> > the information that it got in the NTLMv2 response?
>>
>> When winbindd connects to the target DC, it logs in using a username
>> (machine$) that is associated with a machine account, in order to have
>> the right to check passwords and retrieve session keys.  I've not yet
>> investigated exactly what list of names AD uses, but I have seen the
>> behaviour before (had to fix tests to use the correct names), which is
>> why I'm so definite that this is the problem.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>> Samba Developer, Cisco Inc.
>>
>>
>

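An added worked example (not code from this thread or from Samba) of the NTLMv2 computation the question is about, using the public test vectors from MS-NLMP section 4.2.4: the client-side response and the DC-side verification take only the user's name, domain and NT hash, the server challenge, the client challenge, the timestamp and the target-info AV pairs, so the machine account Andrew mentions is not an input to the response itself but to winbindd's own login to the DC. The pure-Python MD4 is included only because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash = MD4(UNICODE(password))."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(f, 0, [3, 7, 11, 19], list(range(16))),
              (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
              (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(MD4(UNICODE(password)), UNICODE(UPPER(user) + domain)) (MS-NLMP 3.3.2)."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: bytes, target_info: bytes):
    """Client side: NtChallengeResponse (NTProofStr + blob) and the session base key."""
    # RespType, HiRespType, 6 reserved, 8-byte FILETIME, client challenge, 4 reserved, AV pairs, 4 reserved
    temp = b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key

def verify_ntlmv2(stored_key: bytes, server_challenge: bytes, nt_challenge_response: bytes) -> bool:
    """DC side: recompute NTProofStr from the stored NTOWFv2 and the blob the client echoed back."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(stored_key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)

# Inputs constructed from the MS-NLMP 4.2.4 test vectors (not values from this thread).
USER, DOMAIN, PASSWORD = "User", "Domain", "Password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aa" * 8)
TIMESTAMP = b"\x00" * 8
TARGET_INFO = (b"\x02\x00\x0c\x00" + "Domain".encode("utf-16-le")
               + b"\x01\x00\x0c\x00" + "Server".encode("utf-16-le") + b"\x00\x00\x00\x00")
```

With these inputs the NTProofStr (first 16 bytes of the response) is 68cd0ab851e51c96aabc927bebef6a1c and the session base key is 8de40ccadbc14a82f15cb0ad0de95ca3, matching the specification.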
