Ok, I've filled out a little more of this exchange:

Arriving in the first session setup:

  0000  "NTLMSSP" (in ascii, null-terminated)
  0008  int32 command 1 (negotiate) (1=neg 2=chal 3=auth)
  000c  int32 Negotiate flags
  0010  header info for ascii netbios domain name (int16 len, int16 len, int32 offset)
  0018  header info for ascii netbios client machine name (int16 len, int16 len, int32 offset)
  end of header, followed by:
        ascii machine and domain names (no null termination)

The ascii machine and domain names can be empty (leaving 16 bytes of zeroes in the header, and no data following).

And the response is:

  0000  "NTLMSSP"
  0008  int32 command 2 (challenge)
  000c  header info for Unicode netbios domain name (int16 len, int16 len, int32 offset)
  0014  int32 negotiate flags
  0018  8 byte crypt key
  0020  8 bytes of zero
  0028  header info for ntlmssp domain/server info (int16 len, int16 len, int32 offset)
  end of header
  0030  unicode netbios domain name (header info at 000c above)
        ntlmssp domain/server info array, containing items of the format:
          int16 type (1=netbios server name, 2=netbios domain name, 3=dns server name (including domain), 4=dns domain name)
          int16 len
          unicode string (no null termination)
        This array is terminated by a uint32 of zeroes (probably type 0, length 0).

.....can someone with a netbiosless setup send me a capture of this packet?...

Next, from the client, comes:

  0000  "NTLMSSP"
  0008  int32 command 3 (auth)
  000c  header info for 24-byte lm hash (int16 len, int16 len, int32 offset)
  0014  header info for 24-byte nt hash (int16 len, int16 len, int32 offset)
  001c  header info for unicode domain name (int16 len, int16 len, int32 offset)
  0024  header info for unicode user name (int16 len, int16 len, int32 offset)
  002c  header info for unicode client machine name (int16 len, int16 len, int32 offset)
  0034  header info for session key (int16 len, int16 len, int32 offset)
  003c  int32 negotiate flags
  followed by the info pointed to in the header items

The response is not in NTLMSSP, but the asn.1 syntax is:

  context[1](sequence[0](context[0](enumerated(0))))

Or a107 3005, a003, 0a0100

Without this last response, it won't work...

Now, after responding with this, the AD join from a 2k client works (no kerberos, no ldap). I don't yet have the parsing of the ascii machine and domain names on the first packet, so after the join (before which these are empty), we can't logon (I'll work on this next).

But the join works, and the client thinks we are an AD DC!

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Phone: (207) 885-5565
IBM tie-line: 776-9984