[Samba] Keytab extraction for tshark analyze

Rowland Penny rpenny at samba.org
Sat May 12 18:17:26 UTC 2018


On Sat, 12 May 2018 19:45:10 +0200
Lapin Blanc <fabien.toune at lapin-blanc.com> wrote:

> I'm studying samba related protocols for a work I have to present at
> the university,
> and for me to really understand how it works, I try to put it in
> practice. So I was reading
> http://www.kerberos.org/software/tutorial.html and tried to track
> packets... I was hoping this command, run on my kdc
> 
> tshark -r kerberos.pcap -Y frame.number==10 -O kerberos  -K
> decode.keytab (n° 10 is AS-REP NT in this case)
> 
> would let me see the actual content of the TGT, and so on with further
> exchanges
> and other encrypted parts.

The whole idea behind Kerberos is that it is supposed to be secure, so
whilst you may be able to see the traffic on the network, you will not
be able to see any passwords etc. I suggest you do a bit more internet
browsing ;-)

> 
> I'm also trying to understand why Samba needs the presence of
> /etc/krb5.keytab
> on the server for GSSAPI to work (putty and ssh), even if it doesn't
> contain
> any user's principal.

It is only required if you are using shared keys, but you can use ssh in
a way that doesn't use shared keys. Even if you go down the shared keys
path, you only need /etc/krb5.keytab on the client, not the server.

I think you really need to read more on how Kerberos works, for
instance, the password is never sent across the wire.

Rowland
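The keytab that tshark's -K option reads is a plain binary file of long-term keys, which is why it can decrypt tickets yet still reveals no password. As an added illustration (not part of this thread or of Samba's code), here is a small Python reader for the MIT keytab format (version 0x0502), with one constructed sample entry; the realm, principal and key bytes are placeholders.

```python
import struct
# Minimal reader for the MIT keytab file format (version 0x0502). Each entry
# holds a principal and a long-term key (enctype, kvno, raw key bytes); the
# plaintext password is never stored in the file.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(blob, pos):
    # Counted octet string: uint16 big-endian length, then the bytes. Returns (str, newpos).
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(blob):
    if blob[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)  # signed entry length
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(blob, pos)
            comps.append(c)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        key = blob[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
    return entries

def build_entry(realm, comps, name_type, ts, kvno, enctype, key):
    # Serialise one entry; used here only to construct the sample keytab below.
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (placeholder key, not a real one): one host principal, aes256, kvno 2.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "EXAMPLE.TEST", ["host", "kdc.example.test"], 1, 1526148000, 2, 18, bytes(range(32)))
```

Running `parse_keytab` over a real `/etc/krb5.keytab` lists exactly what tshark has to work with: principals, key versions and key material, nothing else.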