Luke Kenneth Casson Leighton
1998-Feb-04 20:52 UTC
NTDOM: pass-through authentication in NT Domains.
a few days ago, i posted a NETLOGON message - a SAM Logon packet which uses "pass through" technology, but for NT / NT interaction, not non-NT / NT interaction. i asked if anyone knew anything about this, and whether the data was encrypted.

well, after examining some surrounding traffic (SMBnegprot and SMBsessionsetupX) it turns out that the SMBnegprot response (with the 8 byte challenge) and the SMBsessionsetupX request (with the LM and NT 24 byte responses) are not encrypted. so, coding this up was pretty trivial.

as a result, a Samba PDC can now verify a user from one NT workstation (or in fact _any_ smb client that uses NT / LM encrypted passwords) that attempts to access a second workstation's shares, where the second workstation is a member of the Samba PDC's domain.

client-side code is to follow. again, this will be pretty trivial.

as of yet, however, we can only speculate as to why the response packet "User Session Key" is filled in with a 16 byte value, and why the "Expansion Room" is filled in with an 8 byte value. these values are the same size as the 16 byte long-term password and the 8 byte credential chain's session key. maybe there's either some recursion possible, or you need these for a "Network" SAM Logoff. or password changing. all speculation.

luke

Luke Kenneth Casson Leighton <lkcl@samba.anu.edu.au>
Samba and Network Development: http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy: http://www.samba.co.uk