Matthew X. Economou
2001-Dec-30 18:35 UTC
Extracting the trust account password (for use with Win2k's ktpass)?
Hello, all: My Samba server is a member of a Windows 2000 AD domain. Authentication to the Samba server is, of course, by encrypted NTLM hashes. Authentication to the host itself, which runs Red Hat Linux 7.1, is by NIS (the AD domain controller is running Server for NIS). I want to remove NIS (or at least the passwords from NIS). To accomplish this, I wish to use pam_krb5 to authenticate users logging into the host itself. In order to configure pam_krb5, I need to create and export a service key for "host/host.domain@DOMAIN" using ktpass (on the domain controller). This key is installed into /etc/krb5.keytab on the Linux box and is used by the PAM module. pam_krb5 will not function without this service key. The ktpass utility prompts for the password of the machine account and sets the Kerberos DES key using it. I want to use the machine account's existing password, as set by 'smbpasswd -j', rather than make a new one up, so I don't screw up the trust relationship. To that end, I've been hacking around with the pdb_gethexpwd() function, trying to figure out how to extract the trust account password from the file /etc/samba/$DOMAIN.$HOST.mac file. Unfortunately, the output I get has non-ASCII characters in it. I really don't know what I'm doing. Can any one help me extract the trust account password for use with ktpass? Kind regards, #\Matthew -- Matthew X. Economou <xenophon@irtnog.org> - Unsafe at any clock speed! "We know for certain only when we know little. With knowlege, doubt increases." - Goethe
Andrew Bartlett
2001-Dec-30 19:40 UTC
Extracting the trust account password (for use with Win2k's ktpass)?
"Matthew X. Economou" wrote:> > Hello, all: > > My Samba server is a member of a Windows 2000 AD domain. > Authentication to the Samba server is, of course, by encrypted NTLM > hashes. Authentication to the host itself, which runs Red Hat Linux > 7.1, is by NIS (the AD domain controller is running Server for NIS). > I want to remove NIS (or at least the passwords from NIS). To > accomplish this, I wish to use pam_krb5 to authenticate users logging > into the host itself. > > In order to configure pam_krb5, I need to create and export a service > key for "host/host.domain@DOMAIN" using ktpass (on the domain > controller). This key is installed into /etc/krb5.keytab on the Linux > box and is used by the PAM module. pam_krb5 will not function without > this service key.pam_krb5 will function, just not with PDC spoof protection.> The ktpass utility prompts for the password of the machine account and > sets the Kerberos DES key using it. I want to use the machine > account's existing password, as set by 'smbpasswd -j', rather than > make a new one up, so I don't screw up the trust relationship. > > To that end, I've been hacking around with the pdb_gethexpwd() > function, trying to figure out how to extract the trust account > password from the file /etc/samba/$DOMAIN.$HOST.mac file. > Unfortunately, the output I get has non-ASCII characters in it. I > really don't know what I'm doing.Firstly, you must be using quite an old version of samba, becouse its all in secrets.tdb now. Secondly, the password is stored as an MD4 hash, not in plaintext, so its not much use to you anyway. Thirstly, the server wouldn't recognise it anyway, becouse of the way its set/changed. Finally, you couldn't type it, becouse it is entirly random.> Can any one help me extract the trust account password for use with > ktpass?Grab the current HEAD branch CVS (or one of the Samba 3.0 alpha releases) and muck about with that. If you were feeling particularly interested, you could add a function to (optionally) write out the krb5 keytab each time we change the password. (patches welcome :-) Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net
Reasonably Related Threads
- ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
- how to run ktpass with a Samba AD DC?
- kerberos/Samba integration questions
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Samba + pdb_mysql - password hashes disappearing?