samba - Dec 2001 - Extracting the trust account password (for use with Win2k's ktpass)?

Hello, all:

My Samba server is a member of a Windows 2000 AD domain.
Authentication to the Samba server is, of course, by encrypted NTLM
hashes.  Authentication to the host itself, which runs Red Hat Linux
7.1, is by NIS (the AD domain controller is running Server for NIS).
I want to remove NIS (or at least the passwords from NIS).  To
accomplish this, I wish to use pam_krb5 to authenticate users logging
into the host itself.

In order to configure pam_krb5, I need to create and export a service
key for "host/host.domain@DOMAIN" using ktpass (on the domain
controller).  This key is installed into /etc/krb5.keytab on the Linux
box and is used by the PAM module.  pam_krb5 will not function without
this service key.

The ktpass utility prompts for the password of the machine account and
sets the Kerberos DES key using it.  I want to use the machine
account's existing password, as set by 'smbpasswd -j', rather than
make a new one up, so I don't screw up the trust relationship.

To that end, I've been hacking around with the pdb_gethexpwd()
function, trying to figure out how to extract the trust account
password from the file /etc/samba/$DOMAIN.$HOST.mac file.
Unfortunately, the output I get has non-ASCII characters in it.  I
really don't know what I'm doing.

Can any one help me extract the trust account password for use with
ktpass?

Kind regards,
#\Matthew

-- 
Matthew X. Economou <xenophon@irtnog.org> - Unsafe at any clock speed!
"We know for certain only when we know little.  With knowlege, doubt
increases." - Goethe

"Matthew X. Economou" wrote:
> 
> Hello, all:
> 
> My Samba server is a member of a Windows 2000 AD domain.
> Authentication to the Samba server is, of course, by encrypted NTLM
> hashes.  Authentication to the host itself, which runs Red Hat Linux
> 7.1, is by NIS (the AD domain controller is running Server for NIS).
> I want to remove NIS (or at least the passwords from NIS).  To
> accomplish this, I wish to use pam_krb5 to authenticate users logging
> into the host itself.
> 
> In order to configure pam_krb5, I need to create and export a service
> key for "host/host.domain@DOMAIN" using ktpass (on the domain
> controller).  This key is installed into /etc/krb5.keytab on the Linux
> box and is used by the PAM module.  pam_krb5 will not function without
> this service key.
pam_krb5 will function, just not with PDC spoof protection.
> The ktpass utility prompts for the password of the machine account and
> sets the Kerberos DES key using it.  I want to use the machine
> account's existing password, as set by 'smbpasswd -j', rather
than
> make a new one up, so I don't screw up the trust relationship.
> 
> To that end, I've been hacking around with the pdb_gethexpwd()
> function, trying to figure out how to extract the trust account
> password from the file /etc/samba/$DOMAIN.$HOST.mac file.
> Unfortunately, the output I get has non-ASCII characters in it.  I
> really don't know what I'm doing.
Firstly, you must be using quite an old version of samba, becouse its
all in secrets.tdb now.

Secondly, the password is stored as an MD4 hash, not in plaintext, so
its not much use to you anyway.

Thirstly, the server wouldn't recognise it anyway, becouse of the way
its set/changed.

Finally, you couldn't type it, becouse it is entirly random. 
 
> Can any one help me extract the trust account password for use with
> ktpass?
Grab the current HEAD branch CVS (or one of the Samba 3.0 alpha
releases) and muck about with that.  If you were feeling particularly
interested, you could add a function to (optionally) write out the krb5
keytab each time we change the password. (patches welcome :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net