[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal / MS kpasswd differences?



On Sun, 3 Sep 2006 05:04:50 +0000
"ronnie sahlberg" <ronniesahlberg@gmail.com> wrote:

> Port 464 is rfc3244 which is what wireshark displayed as ms kpasswd
> 
> I am intrigued by the other trace however that was also port 464 but
> was not decoded at all.
> Can you share that trace with me so i can see if this is a bug in wireshark?

Sure. They're from my test env. Hopefully the list doesn't mind two
small pcaps but I thought I should get the list because I noticed a further
inconsistency. If I use:

  $ kpasswd --admin-principal=administrator@WIN.NET HTTP/www6.foo.net@WIN.NET

I see a 1300 byte undecoded UDP packet. If I use:

  $ kpasswd --admin-principal=user1@WIN.NET HTTP/www6.foo.net@WIN.NET

(user1 is in the Account Operators group and therefore can change
passwords) the packet is shown as 'Kerberos v4' message type 0xa4 and
is otherwise not decoded. So it looks like Heimdal might be doing
something funky here too.

I'm using Ethereal 0.10.14. See attachments.

> As far as windows clients themself are concerned,  it is very very
> rare that they use this protocol to set/change passwords, most of the
> time they use sealed dcerpc interfaces instead.

This is exactly what I want to know about. I can do DCERPC or kpasswd. I
want to do what is most portable.

Do you happen to know what DCERPC is most common?  I need to set the
initial password on a service account though so I don't know if I want
one of the SamrChangePasswordUser or a SamrSetInformationUser.  I've seen
SamrSetInformationUser2 with SamrUserInfo25 used during a join which is
sort of what I'm doing but I can easily create the account with LDAP too.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

kpasswd_ad_udp.pcap

kpasswd_ad_krb4.pcap