Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 17:42, Beast wrote: * Andrew Bartlett [EMAIL PROTECTED] menulis: 'net rpc samdump' should do what you need Wew, it can dump all sam without asking for admin password ;-) Only because it already has a BDC account. However, it always gives segmentation fault error after retrieveing groups. Nevermind, it already get all acounts anyway... I'll try it on client and let you know. Also, net rpc vampire has few advantage over pwdump, it can retrieve groups where pwdump can not. pwdump was a quick hack, from what I understand... I wish i knew this tool before ;-(. However i can confirm that pwdump was able to get 100% of correct account if client is joined recently. Tested on hundreds clients on different domain. Quick hacks can work very well, but my vauge understanding is that it was written to demonstrate that it could be done. We wrote 'net rpc vampire' to do it properly, because we can do it all over the network, just like an NT4 BDC can. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different. 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD. 3. No valid hash in PWD (only ), but has valid NTHASH in VMP. 4. Valid PWD, valid VMP and both are same. On rpc-vampire, from total of 638 machine, 448 are only having NTpassword hash entry. Is it ok for machine account to have only one hash? (i can not try it right now because the site is on another city). Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled). 1. In which tools we trust the output? pwdump or rpc vampire? why the output is different? 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash? Note: this 'feature' is mark as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html 3. Thanks. Andrew Bartlett --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 13:12, Beast wrote: * Andrew Bartlett [EMAIL PROTECTED] menulis: 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different. 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD. 3. No valid hash in PWD (only ), but has valid NTHASH in VMP. 4. Valid PWD, valid VMP and both are same. On rpc-vampire, from total of 638 machine, 448 are only having NTpassword hash entry. Is it ok for machine account to have only one hash? (i can not try it right now because the site is on another city). Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled). 1. In which tools we trust the output? pwdump or rpc vampire? why the output is different? Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output. I have not looked at the pwdump source, nor had any experience using it, so I don't know why it's output would differ. 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash? This is correct. Note: this 'feature' is mark as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html It is safe to have NT hash only in production, on versions of Samba the support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) 14) the NT hash is the only valid hash. The practise (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: 1. In which tools we trust the output? pwdump or rpc vampire? why the output is different? Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the'correct' output. Just a wishes, is it possible to get pwdump.exe version of net rpc vampire? so we can get hashses output without installing full blown of samba and *script? It then up to administrator what to do with the output, this is the cleanest soulution if you already have existing account in ldap. Also, net rpc vampire has few advantage over pwdump, it can retrieve groups where pwdump can not. I have not looked at the pwdump source, nor had any experience using it, so I don't know why it's output would differ. 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash? This is correct. Sorry for asking again here, can I use samba 3.0.3pre1? sincei can't use older version of samba. Just to make sure... Note: this 'feature' is mark as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html It is safe to have NT hash only in production, on versions of Samba the support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) 14) the NT hash is the only valid hash. The practise (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed. Thanks, you really save my life ;-) --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 15:55, Beast wrote: * Andrew Bartlett [EMAIL PROTECTED] menulis: 1. In which tools we trust the output? pwdump or rpc vampire? why the output is different? Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the'correct' output. Just a wishes, is it possible to get pwdump.exe version of net rpc vampire? so we can get hashses output without installing full blown of samba and *script? It then up to administrator what to do with the output, this is the cleanest soulution if you already have existing account in ldap. 'net rpc samdump' should do what you need Also, net rpc vampire has few advantage over pwdump, it can retrieve groups where pwdump can not. pwdump was a quick hack, from what I understand... I have not looked at the pwdump source, nor had any experience using it, so I don't know why it's output would differ. 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash? This is correct. Sorry for asking again here, can I use samba 3.0.3pre1? sincei can't use older version of samba. Just to make sure... You can. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: 'net rpc samdump' should do what you need Wew, it can dump all sam without asking for admin password ;-) However, it always gives segmentation fault error after retrieveing groups. Nevermind, it already get all acounts anyway... I'll try it on client and let you know. Also, net rpc vampire has few advantage over pwdump, it can retrieve groups where pwdump can not. pwdump was a quick hack, from what I understand... I wish i knew this tool before ;-(. However i can confirm that pwdump was able to get 100% of correct account if client is joined recently. Tested on hundreds clients on different domain. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba