Regarding AUTH_CRAP and NTLMv2
Narendra Kumar S.S
ssnkumar at gmail.com
Mon Jan 17 21:53:47 MST 2011
Andrew and Volker,
Thanks for all the clarifications.
I will contact again, if I get any other doubts.
Warm Regards,
Narendra
Visit my blogs at:
http://ssnarendrakumar.blogspot.com/
___ ___ __ _
/ __/ / __/ / | / /
_\ \ _ \ \ / /| |/ /
\___/ \___/ /_/ |__/
On Tue, Jan 18, 2011 at 6:23 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2011-01-17 at 18:41 +0530, Narendra Kumar S.S wrote:
> > Hello Volker and Andrew,
> >
> >
> > One final clarification.
> > I am sending the AUTH_CRAP from my own code to winbindd and
> > winbindd sends it to DC/AD.
> > Now the server has the capability to use the NTLMv2 response to
> > find out the original user.
> > To verify the authenticity, it has to know who is sending the
> > NTLMv2 (in this case, my code is sending it thru winbindd).
> > I am filling up the AUTH_CRAP with the same information that I
> > received from server and client.
> > So, how does the DC/AD get the serverPrincipalName to verify with
> > the information that it got in the NTLMv2 response?
>
> When winbindd connects to the target DC, it logs in using a username
> (machine$) that is associated with a machine account, in order to have
> the right to check passwords and retrieve session keys. I've not yet
> investigated exactly what list of names AD uses, but I have seen the
> behaviour before (had to fix tests to use the correct names), which is
> why I'm so definite that this is the problem.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
>
>
More information about the samba-technical
mailing list