Peter Waechtler | 1 Jul 2004 09:36

Re: "Secure" channel demystifying?

On Wednesday, 30 June 2004 20:35, Dimitry V. Ketov wrote:
> Hi, samba hackers!
>
> Sorry if my post is an off-topic here, but there is no other best place
> to ask :)
>
> As I know, domain controllers and domain members use a so-called "secure"
> (but actually just machine-to-machine authenticated) channel in the netlogon
> protocol for communications. At (my) first sight it's rather
> strange, in comparison with the "usual" method to authenticate the
> _entity_ which accesses information (e.g. a user that logs on).
>
> All I can guess for this is authentication and authorization for DCs
> replications, inter-domain requests and so on, that is possible without
> any user intervention (and therefore without any user's account, just by
> using machine's accounts). But what reasons to use that "secure" channel
> for the real user logon purposes?
>
> Having spent some time looking for an answer (why that additional "security" is
> needed) in web sources (including Microsoft's), and found nothing
> illustrative to prove my guesses, I've decided to ask this list for an
> explanation. :)
>
> - Are my guesses right or wrong?
> - In which cases is that "secure" (just authenticated) channel used?
> - Give me some good points to information/documentation...
>

The global problem is mutual authentication. You gain 2 profits with that:


Dimitry V. Ketov | 1 Jul 2004 12:58

RE: "Secure" channel demystifying?

> -----Original Message-----
> From: Peter Waechtler [mailto:peter <at> helios.de]
> 
> The global problem is mutual authentication. You gain 2
> profits with that:
> 
> 1) the server can authenticate the machine, since it was
> entered into the  domain by an admin. A malicious cracker 
> can't plug his laptop into  a port and try to impersonate. 
Sorry, I still can't see what that (just authenticated, not
signed and not ciphered) channel adds to the challenge-handshake (NTLM)
security...

> This alone does not prevent the use  of keyboard sniffers 
> (local security of client machine) etc.]

> 2) the client can be "more" sure about passing the 
> challenge/response  token to the "right" server. Without that 
> a cracker could spoof his  laptop as DC. If the passwords 
> would be passed with a reversible algorithm  he would get 
> them. With NTLM he can build a dictionary of challenge->hash. 
>  It's not only theoretical: the server possibly downgrades 
> the client to send the password in clear...  The client 
> machine wouldn't do that if SChannel is mandatory and the 
Is that true by default for NT workstations?

> server  can't prove his identity. It's like SSL certificates 
Why will a spoofed "server" not be able to prove its identity?

> and fingerprints. If the  certificate is invalid the user 

Mårtensson Roger | 1 Jul 2004 15:12

Fwd: [Samba] Querying users(w2k) from Samba PDC

Hello!

This is a forward of a question I asked on the Samba mailing list.

Seeing that I'm not the only one with this problem, I ask here whether this is a bug or a misconfiguration
(I followed the howto documents).

From: Ely Zavin <ely <at> txc.com>
Subject: RE: [Samba] Querying users(w2k) from Samba PDC
Date: 2004-07-01 12:52:27 GMT
Hi,
I posted almost the same question a couple of days ago.
I think this problem is related to the net user command.
That command does not show any users.
When I run that command with the debug option it gives the following error:
error: rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
If I use a password file as the password backend
everything is OK. It only does not work with LDAP.
Net group is working fine, which is why you can see
groups in W2k.
Does somebody know the answer?
Regards,
Ely Zavin.


Henrik Nordstrom | 1 Jul 2004 18:57

RE: "Secure" channel demystifying?

On Thu, 1 Jul 2004, Dimitry V. Ketov wrote:

> > 1) the server can authenticate the machine, since it was
> > entered into the  domain by an admin. A malicious cracker 
> > can't plug his laptop into  a port and try to impersonate. 
>
> Sorry, I still can't see what that (just authenticated, not
> signed and not ciphered) channel adds to the challenge-handshake (NTLM)
> security...

Nothing really for the NTLM handshake as such, but there are a few fields
that are always exchanged encrypted, unless my memory serves me wrong. This
includes the "session key" and possibly other sensitive information.

> Is that true by default for NT workstations?

From what I remember of NT this depends on the service pack level and 
then on registry settings to allow downgrade in later versions.

> > server  can't prove his identity. It's like SSL certificates
>
> Why will a spoofed "server" not be able to prove its identity?

He does not know the computer account password used in the mutual 
authentication sequence.

Regards
Henrik


Dimitry V. Ketov | 1 Jul 2004 20:11

RE: "Secure" channel demystifying?

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno <at> squid-cache.org]

> > Sorry, I still can't see what that (just
> authenticated, not
> > signed and not ciphered) channel adds to the challenge-handshake
> > (NTLM) security...
>
> Nothing really for the NTLM handshake as such, but there is a
> few fields exchanged always encrypted unless my memory serves
> me wrong.. This includes the "session key" and possibly other
> sensitive information.
Yes, but why can't the NTLM scheme be used instead for user logon? Why is
mutual authentication used between domain member and domain controller,
while a simple challenge-response protocol is used between client and
domain member?

Dimitry.

Henrik Nordstrom | 1 Jul 2004 21:32

RE: "Secure" channel demystifying?

On Thu, 1 Jul 2004, Dimitry V. Ketov wrote:

> Yes, but why can't the NTLM scheme be used instead for user logon? Why is
> mutual authentication used between domain member and domain controller,
> while a simple challenge-response protocol is used between client and
> domain member?

Even in a domain membership NTLM is used for user logon, but in a somewhat
modified and more secure manner than normal NTLM, and also made more efficient
and less demanding on the domain controller thanks to the already
established trust between the member server and domain controller. The
computer account password encrypts important fields to protect from
man-in-the-middle, and the NTLM challenge is generated by the station, not
the server, further protecting from man-in-the-middle redirection attacks,
as the information exchanged cannot be redirected to allow the attacker
to authenticate to any station with the user's credentials.

Normal NTLM without these guards can be hijacked without you noticing, 
allowing the attacker to use your authentication to authenticate to 
another server by simply sending you the challenge of this other server 
and then using your NTLM response to authenticate to that server.

And as already noted, the domain member form of authentication also
includes exchanges of additional restricted sensitive information required
by, for example, MS-CHAP (the user session key). This information is
sensitive information of the user beyond what is contained in the (public)
NTLM exchange and must be protected, which it is, by encryption based on the
computer account.

Regards
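As an added illustration (not code from this thread or from Samba), a toy model in Python of the two guarantees Henrik describes: mutual authentication rooted in the computer account password set when an admin joined the machine, and encryption of the sensitive fields (such as the user session key) under the resulting channel key. The HMAC-based credential and sealing construction and the password value are assumptions for illustration only, not the real MS-NRPC algorithm.

```python
"""Toy model of the Netlogon-style "secure channel" discussed in this thread.
Illustration only: HMAC-SHA256 over constructed values, NOT the real MS-NRPC
credential or sealing algorithm; the machine account password is constructed."""
import hashlib
import hmac
import os

MACHINE_PASSWORD = b"constructed-machine-account-secret"  # set when the admin joined the machine

def session_key(shared_secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    # Each side derives the key from the machine account password plus both nonces.
    return hmac.new(shared_secret, client_chal + server_chal, hashlib.sha256).digest()

def credential(key: bytes, chal: bytes) -> bytes:
    # Proof of knowledge of the session key (and so of the account password).
    return hmac.new(key, chal, hashlib.sha256).digest()

def establish_channel(member_secret: bytes, dc_secret: bytes):
    """Mutual authentication; returns (True, session key) or (False, None)."""
    client_chal, server_chal = os.urandom(8), os.urandom(8)   # exchanged in clear
    k_member = session_key(member_secret, client_chal, server_chal)
    k_dc = session_key(dc_secret, client_chal, server_chal)
    # Point 1: the DC checks the member's credential; a laptop never joined by an
    # admin has no account password and so cannot produce it.
    if not hmac.compare_digest(credential(k_member, client_chal), credential(k_dc, client_chal)):
        return False, None
    # Point 2: the member checks the DC's credential; a spoofed "DC" fails here
    # because, as Henrik says, it does not know the computer account password.
    if not hmac.compare_digest(credential(k_dc, server_chal), credential(k_member, server_chal)):
        return False, None
    return True, k_member

def seal(key: bytes, data: bytes) -> bytes:
    # XOR with an HMAC-derived keystream: stands in for the encryption of the
    # sensitive fields (e.g. the user session key) under the channel key.
    # Applying seal() again with the same key unseals (XOR is symmetric).
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))
```

A passive observer of the user logon sees the sealed user session key only as ciphertext, while a party holding the wrong machine password never obtains a channel key at all.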

Dimitry V. Ketov | 2 Jul 2004 13:43

RE: "Secure" channel demystifying?


> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno <at> squid-cache.org] 

> And as already noted the domain member form of authentication 
> also includes exchanges of additional restricted sensitive 
> information required by for example MS-CHAP (the user session 
> key). This information is sensitive information of the user 
> beyond what is contained in the (public) NTLM exchange and 
> must be protected and is by encryption based on the computer account.

OK. Thanks for clarifying that.

Dimitry.

kevinmsmith22 | 3 Jul 2004 01:27

Unable to change password from win2k with a samba pdc

Hello,
	I would hope by now you fixed this problem listed in the message titled
"Unable to change password from win2k with a samba pdc".
If so, can you point me towards the answer? I'm getting the same error you did.

Kev