--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Phil Mayers <[EMAIL PROTECTED]> wrote:
> > Ok, different libntlm then. Have you got the URL handy?
>
> http://josefsson.org/libntlm/
>
> > I don't know what you mean by this. Samba can act as both a client and
> > (member) server for win2k/win2k3 authentication methods (GSS-SPNEGO
> > primarily) using machine account credentials acquired using that domains
> > native protocols (kerberos+LDAP).
>
> You keep saying "machine authentication". I'm talking about
> authenticating users.
>
> I did this using Samba & smbclient. There were 4 packets. Most of
> the packet content was NTLM stuff. There was no extra RPC nonsense,
> like is done with a normal XP login to a DC.
>
> > The point I am (badly) trying to communicate is that, with a microsoft
> > domain controller (NT4, win2k, win2k3), to execute the RPC call required
> > to validate an MS-CHAPv2 request and return the NT key you MUST have a
> > machine account in the domain
>
> For user authentication? I don't think so.
>
> > It's 4 packets for me too, but TCP segments on an already-open MSRPC
> > pipe to a domain controller.
>
> Uh, no. Try using smbclient to grab a list of shares from a domain
> controller. It's 4 packets to authenticate the user, start to finish.
> The rest of the traffic is the "get list of shares" stuff. And those
> packets happen after the authentication.
>
> > The SMB packets are SMB-signed/sealed, the contents are a Netlogon
> > SCHANNEL RPC which is itself further signed and sealed, and the variety
> > and number of versions of a call and versions of structures passed as
> > arguments are truly, truly bewildering.
>
> Yes. I've spent time looking at those RPC's, they're truly horrid.
>
> But... I can't argue with success. smbclient does NTLM
> authentication in 4 packets. Why can't we?
>
> I understand the whole complexity and RPC nonsense, but forgive me
> if I'm stuck on a working example.
>
> Try it. Start tcpdump listening on packets from your machine to a
> domain controller. Verify that there are no packets going to the DC.
> Run smbclient to get the list of shares. Look at how many packets go
> back and forth. Then, tell me it's a huge amount of work to replicate
> that traffic, because there are endless other RPC's that have to be
> done.
>
> I just don't believe it. And I don't understand why you think it's
> so complicated to reproduce that traffic. I *think* you're talking
> about reproducing an entirely different kind of traffic, with a lot
> more packets.
>
> I've spent time looking at the Windows AD RPC's. In order to do a
> full XP-style login, there are nearly billions of packets you have to
> send back and forth. There are CLDAP packets, RPC packets, and
> multiple kinds of crap inside of the RPC's. But smbclient doesn't do
> any of that. And it's very successful doing NTLM against a domain
> controller, where that domain controller refuses to allow rlm_smb to
> work.
>
> The point here is that smbclient is *not* doing a full XP-style
> login. That would be truly a large amount of work. Instead,
> smbclient is doing something much simpler.
>
> Again, try it. Then, explain why we need to do more to get the same
> result of authenticating the user.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
NTLM is sufficient to gain access to resources on a Windows domain, "machine account" or no, in ANY Windows domain flavor. To wit: I access shares and printers on work systems from home, via VPN, by mapping a drive and specifying a different username/password than my home system login in the process. To let our work DC (mixed-mode W2K3 AD) know who I am (from its perspective) I qualify my credentials with my work domain. Thus,

    user: WORKDOMAIN\username
    password: <domain_password>

My home PCs are not "work" domain members. In fact, I run my own "home" domain. So these home systems actually have different native security (machine account) credentials than my work PC.

A machine account is required (and only available to NT-branch OSes, i.e., not 95, 98, ME) to allow the domain controller to administer the security of the "workstation". Things like group policy, (workstation-level) registry and share management, etc. necessitate a machine account.

Laker
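The experiment Alan proposes in the quoted message (capture traffic to a domain controller while smbclient lists its shares, then count what went back and forth) can be scripted. The script below is an added example, not code from this thread, from FreeRADIUS or from Samba. The DC address 192.0.2.1, the interface and the user name are placeholders, and the tcpdump-style lines in SAMPLE_CAPTURE are constructed so the counting logic can be exercised offline; the `--live` path runs the real tcpdump and smbclient and needs root.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeRADIUS/Samba.
# Scripts the measurement Alan describes: capture traffic between this host
# and a domain controller while smbclient lists its shares, then count how
# many packets went each way. SAMPLE_CAPTURE is constructed for offline
# testing; the DC address, interface and user in measure_live are placeholders.

# Count packets involving the DC in tcpdump's line-mode text output.
# $1 = DC IPv4 address; stdin = "tcpdump -l -n" output, one packet per line.
# Prints three numbers: total, packets sent to the DC, packets from the DC.
dc_packet_counts() {
    awk -v dc="$1" '
        # Line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
        $2 == "IP" {
            src = $3; dst = $5
            sub(/:$/, "", dst)          # trailing colon after the dst port
            sub(/\.[0-9]+$/, "", src)   # strip the port, leaving the address
            sub(/\.[0-9]+$/, "", dst)
            if (dst == dc) to++
            else if (src == dc) from++
        }
        END { printf "%d %d %d\n", to + from, to, from }'
}

# Constructed tcpdump-style lines: a TCP handshake to port 445 on the DC
# (192.0.2.1), two further segments, and one unrelated DNS query so the
# address filter in dc_packet_counts is exercised.
SAMPLE_CAPTURE='12:00:00.000100 IP 192.0.2.10.49152 > 192.0.2.1.445: Flags [S], seq 1, win 64240, length 0
12:00:00.000400 IP 192.0.2.1.445 > 192.0.2.10.49152: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:00.000500 IP 192.0.2.10.49152 > 192.0.2.1.445: Flags [.], ack 1, win 502, length 0
12:00:00.001000 IP 192.0.2.10.49152 > 192.0.2.1.445: Flags [P.], seq 1:195, ack 1, win 502, length 194
12:00:00.001800 IP 192.0.2.1.445 > 192.0.2.10.49152: Flags [P.], seq 1:130, ack 195, win 255, length 129
12:00:00.002000 IP 192.0.2.10.53001 > 192.0.2.53.53: 4242+ A? dc.example.test. (33)'

# Live measurement (needs root for tcpdump, and smbclient installed).
# $1 = DC address, $2 = capture interface, $3 = user, e.g. 'WORKDOMAIN\alice'
# to qualify the credential with the domain as Laker describes.
measure_live() {
    dc="$1"; iface="$2"; user="$3"
    cap=$(mktemp) || return 1
    # Only traffic to/from the DC is captured; confirm the DC is otherwise
    # quiet before relying on the numbers (Alan's "verify there are no
    # packets going to the DC").
    tcpdump -l -n -i "$iface" "host $dc" > "$cap" 2>/dev/null &
    tpid=$!
    sleep 1
    smbclient -L "//$dc" -U "$user" > /dev/null 2>&1
    sleep 1
    kill "$tpid" 2>/dev/null; wait "$tpid" 2>/dev/null
    dc_packet_counts "$dc" < "$cap"
    rm -f "$cap"
}

# Offline run on the constructed capture; pass "--live DC IFACE USER" to
# measure a real domain controller instead.
if [ "$1" = "--live" ]; then
    measure_live "$2" "$3" "$4"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | dc_packet_counts 192.0.2.1
fi
```

The total counted this way includes the TCP handshake and the share-enumeration traffic that follows the session setup, so it is an upper bound on the authentication exchange itself; to isolate the packets that carry the NTLM session setup, read the same capture file with a protocol decoder rather than counting lines.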

