Bug 6912 - net join password hashes
Summary: net join password hashes
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Domain Control
Version: 3.3.9
Hardware: x64 Solaris
Importance: P3 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2009-11-20 10:29 UTC by Tom De Cooman
Modified: 2011-10-26 13:19 UTC

Description Tom De Cooman 2009-11-20 10:29:35 UTC
Hi,

Ran into some trouble joining a samba-3.3.9 into a domain. (PDC is samba with ldap backend)
Server is an x86 running solaris10u8.
When performing 'net join', it returns 'Joined domain FILES.'
So looks ok, but when we try a simple smbclient list on the member, it fails mentioning a trust problem in the client-log.
After some investigation it appears that the password hash for the machine is not correct in ldap.
(dumped the local tdb of the member and hashed the password)
When replacing the machine pass in the ldap it works.

samba-3.3.8 works, beginning with 3.3.9 the hash isn't ok anymore.
We noticed that the first part of the hash is ok, the last part isn't.
eg:
hash in ldap:
D5C6EC524F258B51424B5387A445107D

generated hash from passwd in secrets.tdb:
D5C6EC524F258B51DE43917CA0985BFC

Regards
Comment 1 Tom De Cooman 2009-11-20 11:25:32 UTC
bisect:



commit 41106eda6bce2dc7e70fea00f23071e0820d9a13
Author: Stefan Metzmacher <metze@samba.org>
Date:   Thu Aug 27 13:16:15 2009 +0200
                                
    s3:netlogon: replace cred_hash3 by des_crypt112_16
                                
    This makes sure we don't truncate the session key to 8 bytes
    Fixes bug #6664.            
                                
    metze                       
    (cherry picked from commit 570a8cf5bb6924905b3ad20353d1e7b0ca087748)
                                
diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
index 23618ef..f2a260c 100644   
--- a/source/rpc_client/cli_netlogon.c
+++ b/source/rpc_client/cli_netlogon.c
@@ -601,9 +601,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
                                
                struct samr_Password new_password;
                                
-               cred_hash3(new_password.hash,
-                          new_trust_passwd_hash,
-                          cli->dc->sess_key, 1);
+               des_crypt112_16(new_password.hash,
+                               new_trust_passwd_hash,
+                               cli->dc->sess_key, 1);
                                
                result = rpccli_netr_ServerPasswordSet(cli, mem_ctx,
                                                       cli->dc->remote_machine,
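Review bot: The switch to des_crypt112_16 in rpccli_netlogon_set_trust_password is unconditional, so the bytes placed in new_password.hash now depend on more of cli->dc->sess_key than before (the commit message says cred_hash3 truncated the key to 8 bytes). A server that still decodes with the old routine may accept the call and store a different hash without reporting an error, which matches the report above where only the second half of the stored hash differs. Consider gating the new routine on what was negotiated with the DC, or documenting which server versions are required. The bare `1` direction argument would also read better as a named constant.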
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index dd49096..0c76c8e 100644   
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -669,8 +669,7 @@ NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
                return NT_STATUS_ACCOUNT_DISABLED;
        }                       
                                
-       /* Woah - what does this to to the credential chain ? JRA */
-       cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0);
+       des_crypt112_16(pwd, r->in.new_password->hash, p->dc->sess_key, 0);
                                
        DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
        for(i = 0; i < sizeof(pwd); i++)
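Review bot: The comment removed along with the cred_hash3 call ("what does this to to the credential chain ?") raised an open question that the replacement drops without answering; either answer it in the commit message or keep a comment explaining why decrypting r->in.new_password->hash with p->dc->sess_key is correct here. Nothing in the hunk checks that the client used the same routine, so a client still on cred_hash3 would get a wrong pwd stored silently. Separately, the context lines suggest pwd is written to the log at DEBUG(100); since it is the decrypted trust password hash, confirm that dump is still wanted.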

(In reply to comment #0)
> Hi,
> 
> Ran into some trouble joining a samba-3.3.9 into a domain. (PDC is samba with
> ldap backend)
> Server is an x86 running solaris10u8.
> When performing 'net join', it returns 'Joined domain FILES.'
> So looks ok, but when we try a simple smbclient list on the member, it fails
> mentioning a trust problem in the client-log.
> After some investigation it appears that the password hash for the machine is
> not correct in ldap.
> (dumped the local tdb of the member and hashed the password)
> When replacing the machine pass in the ldap it works.
> 
> samba-3.3.8 works, beginning with 3.3.9 the hash isn't ok anymore.
> We noticed that the first part of the hash is ok, the last part isn't.
> eg:
> hash in ldap:
> D5C6EC524F258B51424B5387A445107D
> 
> generated hash from passwd in secrets.tdb:
> D5C6EC524F258B51DE43917CA0985BFC
> 
> Regards
> 

Comment 2 Tom De Cooman 2009-11-25 07:16:44 UTC
PDC is 3.0.26a-SerNet-Debian
Comment 3 Stefan Metzmacher 2009-12-08 07:12:40 UTC
the problem is that 3.0.26a is broken with 128Bit session keys.

This branch (based on v3-0-test) fixes most of the problems.
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v3-0-trust

Maybe also some patches from this branch (based on v3-0-24) are needed:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v3-0-24-trust

Günther, should we add a switch to disable 128Bit session keys,
that can be used against old samba versions?
Comment 4 Stefan Metzmacher 2011-10-26 13:19:17 UTC
This was a bug in 3.0.x