Phil Mayers <[EMAIL PROTECTED]> wrote:

> Ok, different libntlm then. Have you got the URL handy?

http://josefsson.org/libntlm/

> I don't know what you mean by this. Samba can act as both a client and
> (member) server for win2k/win2k3 authentication methods (GSS-SPNEGO
> primarily) using machine account credentials acquired using that domain's
> native protocols (kerberos+LDAP).

You keep saying "machine authentication". I'm talking about authenticating users. I did this using Samba & smbclient. There were 4 packets. Most of the packet content was NTLM stuff. There was no extra RPC nonsense, like is done with a normal XP login to a DC.

> The point I am (badly) trying to communicate is that, with a Microsoft
> domain controller (NT4, win2k, win2k3), to execute the RPC call required
> to validate an MS-CHAPv2 request and return the NT key you MUST have a
> machine account in the domain

For user authentication? I don't think so.

> It's 4 packets for me too, but TCP segments on an already-open MSRPC
> pipe to a domain controller.

Uh, no. Try using smbclient to grab a list of shares from a domain controller. It's 4 packets to authenticate the user, start to finish. The rest of the traffic is the "get list of shares" stuff. And those packets happen after the authentication.

> The SMB packets are SMB-signed/sealed, the
> contents are a Netlogon SCHANNEL RPC which is itself further signed and
> sealed, and the variety and number of versions of a call and versions of
> structures passed as arguments are truly, truly bewildering.

Yes. I've spent time looking at those RPCs, they're truly horrid. But... I can't argue with success. smbclient does NTLM authentication in 4 packets. Why can't we? I understand the whole complexity and RPC nonsense, but forgive me if I'm stuck on a working example.

Try it. Start tcpdump listening on packets from your machine to a domain controller. Verify that there are no packets going to the DC. Run smbclient to get the list of shares. Look at how many packets go back and forth.

Then, tell me it's a huge amount of work to replicate that traffic, because there are endless other RPCs that have to be done. I just don't believe it. And I don't understand why you think it's so complicated to reproduce that traffic. I *think* you're talking about reproducing an entirely different kind of traffic, with a lot more packets.

I've spent time looking at the Windows AD RPCs. In order to do a full XP-style login, there are nearly billions of packets you have to send back and forth. There are CLDAP packets, RPC packets, and multiple kinds of crap inside of the RPCs. But smbclient doesn't do any of that. And it's very successful doing NTLM against a domain controller, where that domain controller refuses to allow rlm_smb to work.

The point here is that smbclient is *not* doing a full XP-style login. That would be truly a large amount of work. Instead, smbclient is doing something much simpler.

Again, try it. Then, explain why we need to do more to get the same result of authenticating the user.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
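The "NTLM stuff" carried in those session-setup packets is NTLMSSP. As an added example (not code from this thread, Samba or FreeRADIUS), the parser below decodes the CHALLENGE and AUTHENTICATE messages so a defender can check from a capture like the one described which account authenticated, against which target, and whether the client answered with NTLMv1 or NTLMv2. Message layouts follow MS-NLMP; the two builders produce minimal constructed sample messages (no session key, MIC or TargetInfo) purely to exercise the parser.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, else OEM/ASCII

def _field(buf, off):
    """Resolve one NTLM (Len, MaxLen, BufferOffset) descriptor at `off` to its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def parse_ntlmssp(buf):
    """Describe one NTLMSSP message as carried inside SMB Session Setup (raw or via GSS-SPNEGO)."""
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": MSG_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 2:  # CHALLENGE: TargetName@12, NegotiateFlags@20, ServerChallenge@24
        info["flags"] = struct.unpack_from("<I", buf, 20)[0]
        enc = "utf-16-le" if info["flags"] & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        info["target"] = _field(buf, 12).decode(enc)
        info["server_challenge"] = buf[24:32].hex()
    elif msg_type == 3:  # AUTHENTICATE: LM@12, NT@20, Domain@28, User@36, Workstation@44, Flags@60
        info["flags"] = struct.unpack_from("<I", buf, 60)[0]
        enc = "utf-16-le" if info["flags"] & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        for key, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[key] = _field(buf, off).decode(enc)
        info["nt_response_len"] = len(_field(buf, 20))
        info["ntlmv2"] = info["nt_response_len"] > 24  # an NTLMv1 NT response is exactly 24 bytes
    return info

def build_challenge(target, server_challenge, flags=0x00008201):
    """Constructed Type 2 message (48-byte header, empty TargetInfo) for exercising the parser."""
    target_b = target.encode("utf-16-le")
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(target_b), len(target_b), 48)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(target_b)) + target_b)

def build_authenticate(domain, user, workstation, nt_response, flags=0x00008201):
    """Constructed Type 3 message (64-byte header, zeroed LM response, no session key/MIC)."""
    fields, payload = b"", b""
    for data in (b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
```

On a real capture, feed `parse_ntlmssp` the NTLMSSP blob extracted from each Session Setup request/response; two messages (CHALLENGE and AUTHENTICATE) is all a completed NTLM user logon to the DC contains.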

