
Re: [patch] miscellaneous mechglue stuff




Hi Mike,

>I don't know. But bear in mind that Andrew is thinking the MD5 checksum
>issue is specific to a limitation in Samba 3's smbclient. If that's true,
>then the problem would be limited to SMB servers using stock Heimdal
>gss_accept_sec_context which is to say it's not terribly important
>right now.

I think it's OK to assume the client requested mutual, because SAMBA
and Windows send an AP-REP for CIFS authentication. e.g. see

http://lists.samba.org/archive/samba-technical/2003-February/027385.html

>Do you happen to know how to export a cifs/name.foo.net@FOO.NET aka
>name$@foo.net service principal from a W2K3 DC such that it can be
>imported into a keytab for Ethereal to use? Ktpass.exe doesn't export
>those principals. Otherwise I don't have the setup to decrypt the
>Authenticator and know for certain that MS clients are really using 8003.

Probably the easiest way is to use pwdump2 to extract the NT OWF from
the SAM, then you just need to get it into a keytab somehow. You should
be able to do this with ktutil if it has an option to accept hex-encoded
passwords.

-- Luke
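
Added example, not part of the message above and not code from Samba, Heimdal or Ethereal: one way to carry out the "get it into a keytab" step for a key you already hold, by writing a version 0x0502 keytab file directly instead of going through ktutil. It relies on the fact that for enctype 23 (rc4-hmac) the 16-byte NT OWF is the key itself; the function names, the kvno and the placeholder key value are assumptions made for the illustration.

```python
import struct, time

ENCTYPE_RC4_HMAC = 23   # for this enctype the 16-byte NT OWF is the key itself
KRB5_NT_PRINCIPAL = 1
# Constructed sample: principal from the thread, placeholder key (not a real hash).
SAMPLE = ("cifs/name.foo.net@FOO.NET", "00112233445566778899aabbccddeeff", 2, 0)

def counted(data):      # 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(data)) + data

def keytab_entry(principal, key_hex, kvno=1, timestamp=None):
    key = bytes.fromhex(key_hex)
    if len(key) != 16:
        raise ValueError("NT OWF must be 16 bytes (32 hex digits)")
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError("expected service/host@REALM")
    comps = name.split("/")
    ts = int(time.time()) if timestamp is None else timestamp
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">H", ENCTYPE_RC4_HMAC) + counted(key)
    body += struct.pack(">I", kvno)          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)

def parse_keytab(blob):
    # Read the file back to confirm what a consumer of the keytab will see.
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        rec, p = blob[pos + 4:pos + 4 + abs(size)], 2
        pos += 4 + abs(size)
        if size <= 0:                        # negative size marks a deleted slot
            continue
        def take():
            nonlocal p
            (n,) = struct.unpack_from(">H", rec, p)
            p += 2 + n
            return rec[p - n:p]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = take().decode()
        name = "/".join(take().decode() for _ in range(ncomp))
        _, _, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, p)
        out.append((f"{name}@{realm}", etype, vno8, rec[p + 13:p + 13 + klen].hex()))
    return out
```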
