Regarding AUTH_CRAP and NTLMv2
Andrew Bartlett
abartlet at samba.org
Mon Jan 17 17:53:00 MST 2011
On Mon, 2011-01-17 at 18:41 +0530, Narendra Kumar S.S wrote:
> Hello Volker and Andrew,
>
>
> One final clarification.
> I am sending the AUTH_CRAP from my own code to winbindd and
> winbindd sends it to DC/AD.
> Now the server has the capability to use the NTLMv2 response to
> find out the original user.
> To verify the authenticity, it has to know who is sending the
> NTLMv2 (in this case, my code is sending it thru winbindd).
> I am filling up the AUTH_CRAP with the same information that I
> received from server and client.
> So, how does the DC/AD get the serverPrincipalName to verify with
> the information that it got in the NTLMv2 response?

When winbindd connects to the target DC, it logs in using a username
(machine$) that is associated with a machine account, in order to have
the right to check passwords and retrieve session keys. I've not yet
investigated exactly what list of names AD uses, but I have seen the
behaviour before (had to fix tests to use the correct names), which is
why I'm so definite that this is the problem.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
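
As an added illustration (not code from this thread or from Samba), the sketch below lists the server names an NTLMv2 response carries in its AV_PAIR list, following the NTLMv2_CLIENT_CHALLENGE layout in MS-NLMP, so they can be compared with the machine account winbindd logs in with. The function names, the sample names and the zero-filled proof are constructed assumptions; which of these names AD actually checks is not stated in the thread.

```python
import struct

# AvId values from MS-NLMP (AV_PAIR); only the name-bearing ones are kept.
AV_NAMES = {
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0009: "MsvAvTargetName",
}

def parse_ntlmv2_names(nt_response: bytes) -> dict:
    """Return the name AV_PAIRs carried in an NTLMv2 response."""
    # Layout: 16-byte NTProofStr, then RespType, HiRespType, 6 reserved bytes,
    # 8-byte timestamp, 8-byte client challenge, 4 reserved bytes, AV_PAIRs.
    if len(nt_response) < 16 + 28 + 4:
        raise ValueError("too short for an NTLMv2 response")
    blob = nt_response[16:]
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2 client challenge")
    pos, names = 28, {}
    while True:
        if pos + 4 > len(blob):
            raise ValueError("AV_PAIR list is not terminated")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0x0000:  # MsvAvEOL ends the list
            return names
        if pos + av_len > len(blob):
            raise ValueError("AV_PAIR value overruns the response")
        if av_id in AV_NAMES:
            names[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len

def constructed_response(pairs):
    """Constructed sample: zero-filled NTProofStr, timestamp and challenge."""
    av = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(value)) + value
    header = b"\x01\x01" + bytes(26)
    return bytes(16) + header + av + struct.pack("<HH", 0, 0)

# Constructed names, not taken from the thread.
SAMPLE = constructed_response(
    [(1, "FILESRV1"), (2, "EXAMPLE"), (9, "cifs/filesrv1.example.test")])

if __name__ == "__main__":
    for name, value in parse_ntlmv2_names(SAMPLE).items():
        print(f"{name}: {value}")
```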