Hi,

Ran into some trouble joining a samba-3.3.9 into a domain. (PDC is samba with ldap backend)
Server is an x86 running solaris10u8.
When performing 'net join', it returns 'Joined domain FILES.'
So looks ok, but when we try a simple smbclient list on the member, it fails mentioning a trust problem in the client-log.
After some investigation it appears that the password hash for the machine is not correct in ldap.
(dumped the local tdb of the member and hashed the password)
When replacing the machine pass in the ldap it works.

samba-3.3.8 works, beginning with 3.3.9 the hash isn't ok anymore.
We noticed that the first part of the hash is ok, the last part isn't.
eg:
hash in ldap:
D5C6EC524F258B51424B5387A445107D

generated hash from passwd in secrets.tdb:
D5C6EC524F258B51DE43917CA0985BFC

Regards
bisect: commit 41106eda6bce2dc7e70fea00f23071e0820d9a13 Author: Stefan Metzmacher <metze@samba.org> Date: Thu Aug 27 13:16:15 2009 +0200 s3:netlogon: replace cred_hash3 by des_crypt112_16 This makes sure we don't truncate the session key to 8 bytes Fixes bug #6664. metze (cherry picked from commit 570a8cf5bb6924905b3ad20353d1e7b0ca087748) diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c index 23618ef..f2a260c 100644 --- a/source/rpc_client/cli_netlogon.c +++ b/source/rpc_client/cli_netlogon.c @@ -601,9 +601,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, struct samr_Password new_password; - cred_hash3(new_password.hash, - new_trust_passwd_hash, - cli->dc->sess_key, 1); + des_crypt112_16(new_password.hash, + new_trust_passwd_hash, + cli->dc->sess_key, 1); result = rpccli_netr_ServerPasswordSet(cli, mem_ctx, cli->dc->remote_machine, diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c index dd49096..0c76c8e 100644 --- a/source/rpc_server/srv_netlog_nt.c +++ b/source/rpc_server/srv_netlog_nt.c 
@@ -669,8 +669,7 @@ NTSTATUS _netr_ServerPasswordSet(pipes_struct *p, return NT_STATUS_ACCOUNT_DISABLED; } - /* Woah - what does this to to the credential chain ? JRA */ - cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0); + des_crypt112_16(pwd, r->in.new_password->hash, p->dc->sess_key, 0); DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n")); for(i = 0; i < sizeof(pwd); i++) (END)

(In reply to comment #0)
> Hi,
>
> Ran into some trouble joining a samba-3.3.9 into a domain. (PDC is samba with
> ldap backend)
> Server is an x86 running solaris10u8.
> When performing 'net join', it returns 'Joined domain FILES.'
> So looks ok, but when we try a simple smbclient list on the member, it fails
> mentioning a trust problem in the client-log.
> After some investigation it appears that the password hash for the machine is
> not correct in ldap.
> (dumped the local tdb of the member and hashed the password)
> When replacing the machine pass in the ldap it works.
>
> samba-3.3.8 works, beginning with 3.3.9 the hash isn't ok anymore.
> We noticed that the first part of the hash is ok, the last part isn't.
> eg:
> hash in ldap:
> D5C6EC524F258B51424B5387A445107D
>
> generated hash from passwd in secrets.tdb:
> D5C6EC524F258B51DE43917CA0985BFC
>
> Regards
>
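Review bot: In rpccli_netlogon_set_trust_password (source/rpc_client/cli_netlogon.c) the switch to des_crypt112_16 is unconditional, so the new trust password hash is always encrypted with the untruncated cli->dc->sess_key, including when the peer still decrypts with cred_hash3. The commit message only says the key is no longer truncated to 8 bytes; please add a comment at the call, or a line in the commit message, stating which peers this is expected to interoperate with.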
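Review bot: In _netr_ServerPasswordSet (source/rpc_server/srv_netlog_nt.c) the removed comment's question about the credential chain is deleted without being answered. A one-line comment above the des_crypt112_16 call saying that the hash is now decrypted with the untruncated p->dc->sess_key would keep that context. Separately, the DEBUG(100, ...) line and the loop over pwd that follow appear to log the decrypted value; worth confirming that is still wanted.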
PDC is 3.0.26a-SerNet-Debian
The problem is that 3.0.26a is broken with 128Bit session keys.

This branch (based on v3-0-test) fixes most of the problems.
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v3-0-trust

Maybe also some patches from this branch (based on v3-0-24) are needed:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v3-0-24-trust

Günther, should we add a switch to disable 128Bit session keys, that can be used against old samba versions?
This was a bug in 3.0.x
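The mismatch pattern from the report (first 8 bytes of the stored hash correct, last 8 wrong) modelled in C, as an added example that is not Samba code and not from this thread. It assumes cred_hash3 keys the second 8-byte block with session-key byte 7 only while des_crypt112_16 uses bytes 7..13, and it swaps DES for a toy Feistel cipher (`toy_crypt56`), so the byte values are not real ones; the `*_model` names, sample hash and keys are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 4-round Feistel cipher: an invertible STAND-IN for des_crypt56 (8-byte
 * block, 7-byte key). It is not DES; only the key slicing below matters. */
static uint32_t mix(uint32_t h, const uint8_t *k, int round) {
    uint32_t x = h + 0x9e3779b9u * (uint32_t)(round + 1);
    for (int i = 0; i < 7; i++) { x = (x ^ k[i]) * 16777619u; x ^= x >> 15; }
    return x;
}
static void toy_crypt56(uint8_t *out, const uint8_t *in, const uint8_t *k, int forw) {
    uint32_t l, r, t;
    memcpy(&l, in, 4); memcpy(&r, in + 4, 4);
    for (int i = 0; i < 4; i++) {
        if (forw) { t = r; r = l ^ mix(r, k, i); l = t; }
        else      { t = l; l = r ^ mix(l, k, 3 - i); r = t; }
    }
    memcpy(out, &l, 4); memcpy(out + 4, &r, 4);
}
/* Assumed shape of the pre-patch routine: block 2 keyed by sess_key[7] alone. */
static void cred_hash3_model(uint8_t *out, const uint8_t *in, const uint8_t *key, int forw) {
    uint8_t key2[7] = {0};
    key2[0] = key[7];
    toy_crypt56(out, in, key, forw);
    toy_crypt56(out + 8, in + 8, key2, forw);
}
/* Assumed shape of the post-patch routine: block 2 keyed by sess_key[7..13]. */
static void des_crypt112_16_model(uint8_t *out, const uint8_t *in, const uint8_t *key, int forw) {
    toy_crypt56(out, in, key, forw);
    toy_crypt56(out + 8, in + 8, key + 7, forw);
}
/* Constructed sample values, not taken from the report. */
static const uint8_t NT_HASH[16] = {0xA0,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7};
const uint8_t KEY_128[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
const uint8_t KEY_64_PADDED[16] = {1,2,3,4,5,6,7,8};
/* Member encrypts post-patch, DC decrypts pre-patch. Bit 0 of the result is
 * set if bytes 0..7 of the stored hash are wrong, bit 1 if bytes 8..15 are. */
int stored_hash_mismatch(const uint8_t *sess_key) {
    uint8_t wire[16], stored[16];
    des_crypt112_16_model(wire, NT_HASH, sess_key, 1);
    cred_hash3_model(stored, wire, sess_key, 0);
    return (memcmp(stored, NT_HASH, 8) != 0) | ((memcmp(stored + 8, NT_HASH + 8, 8) != 0) << 1);
}
int main(void) {
    printf("128-bit key: mask %d\n", stored_hash_mismatch(KEY_128));
    printf("64-bit key:  mask %d\n", stored_hash_mismatch(KEY_64_PADDED));
    return 0;
}
```

With a zero-padded 64-bit key the two routines use identical key material, which is why the mismatch only shows up once a 128-bit session key is in use.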