Extracting the trust account password (for use with Win2k's ktpass)?

Andrew Bartlett abartlet at pcug.org.au
Sun Dec 30 19:40:03 GMT 2001


"Matthew X. Economou" wrote:
> 
> Hello, all:
> 
> My Samba server is a member of a Windows 2000 AD domain.
> Authentication to the Samba server is, of course, by encrypted NTLM
> hashes.  Authentication to the host itself, which runs Red Hat Linux
> 7.1, is by NIS (the AD domain controller is running Server for NIS).
> I want to remove NIS (or at least the passwords from NIS).  To
> accomplish this, I wish to use pam_krb5 to authenticate users logging
> into the host itself.
> 
> In order to configure pam_krb5, I need to create and export a service
> key for "host/host.domain@DOMAIN" using ktpass (on the domain
> controller).  This key is installed into /etc/krb5.keytab on the Linux
> box and is used by the PAM module.  pam_krb5 will not function without
> this service key.

pam_krb5 will function, just not with PDC spoof protection.

> The ktpass utility prompts for the password of the machine account and
> sets the Kerberos DES key using it.  I want to use the machine
> account's existing password, as set by 'smbpasswd -j', rather than
> make a new one up, so I don't screw up the trust relationship.
> 
> To that end, I've been hacking around with the pdb_gethexpwd()
> function, trying to figure out how to extract the trust account
> password from the file /etc/samba/$DOMAIN.$HOST.mac file.
> Unfortunately, the output I get has non-ASCII characters in it.  I
> really don't know what I'm doing.

Firstly, you must be using quite an old version of Samba, because it's
all in secrets.tdb now.

Secondly, the password is stored as an MD4 hash, not in plaintext, so
it's not much use to you anyway.

Thirdly, the server wouldn't recognise it anyway, because of the way
it's set/changed.

Finally, you couldn't type it, because it is entirely random.
 
> Can anyone help me extract the trust account password for use with
> ktpass?

Grab the current HEAD branch CVS (or one of the Samba 3.0 alpha
releases) and muck about with that.  If you were feeling particularly
interested, you could add a function to (optionally) write out the krb5
keytab each time we change the password. (patches welcome :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
