David Boynton
2002-Jul-11 12:27 UTC
[Samba] Format of LSA Secret for Interdomain Trust Password
Hello, all!

Let's say, hypothetically, that one was trying to migrate a NT4 domain to Samba without the knowledge of the NT admin of a domain you trusted. :) Basically, what I need is the password for my trust account, but it's in some obfuscated hash under the G$$xxxxx secret. Does anybody know how this is stored, or am I down to sniffing network traffic?

Thanks,
David Boynton
Andrew Bartlett
2002-Jul-12 10:32 UTC
[Samba] Format of LSA Secret for Interdomain Trust Password
David Boynton wrote:
> Hello, all!
>
> Let's say, hypothetically, that one was trying to migrate a NT4 domain to
> Samba without the knowledge of the NT admin of a domain you trusted. :)
> Basically, what I need is the password for my trust account, but it's in
> some obfuscated hash under the G$$xxxxx secret. Does anybody know how this
> is stored, or am I down to sniffing network traffic?

Are you sure it's an obfuscated hash? Are you sure it's not just the hash?

I would connect with some of the Samba-TNG tools and try and get back the hash. However, that's only half the story ;-). Samba doesn't support trusted domains anyway - and neither really does Samba-TNG - both at the very least require that you hand-create the accounts in /etc/passwd for the trusted domain.

Andrew Bartlett
--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
David Boynton
2002-Jul-15 10:17 UTC
[Samba] Format of LSA Secret for Interdomain Trust Password
Andrew Bartlett wrote:
> Are you sure it's an obfuscated hash? Are you sure it's not just the
> hash?

No, actually I'm not. All I can say with reasonable certainty is that it's not a LANMAN hash, as I ran John the Ripper on it for over 3 days (1 GHz machine). What leads me to believe that it's not just a straight NTLM hash is that various MS TechNet articles refer to the trust password secret having two fields (possibly three): Current Password, Old Password, and possibly last change time. Although it is suspicious that it's always exactly 16 bytes.

> I would connect with some of the Samba-TNG tools and try and get back
> the hash. However, that's only half the story ;-). Samba doesn't
> support trusted domains anyway - and neither really does Samba-TNG -
> both at the very least require that you hand-create the accounts in
> /etc/passwd for the trusted domain.

Actually I got this to work for a few tests under the latest CVS build and using WinBind to replicate the accounts from the trusted domain locally. The hardest part was figuring out the settings for "auth method" as they haven't been documented yet. Fortunately with open source software that's not a huge problem. :)

I guess I am going to have to take a harder look at TNG's source. Strangely enough, the last version I pulled off CVS wouldn't make.

Thanks,
Dave