Re: Passthrough security fix.

Andrew Tridgell (tridge@samba.anu.edu.au)
Tue, 21 Apr 1998 11:20:21 +1000

From:	Andrew Tridgell <tridge@samba.anu.edu.au>
To:	jallison@whistle.com
Subject: Re: Passthrough security fix.
Message-Id: <19980421012031Z12583667-459+11459@samba.anu.edu.au>
Date:	Tue, 21 Apr 1998 11:20:21 +1000

> They send the sessionsetup request *twice* - once
> with the correct password, and once with a password
> of random garbage. If both are accepted then the
> user was guest, if the first was accepted and
> the second rejected then the user was non-guest.

excellent!

> Simple, elegant and works with all broken versions
> of NT. Can anyone see any disadvantages?

there is a minor one. The logs on the NT server will get filled with
messages about a bad password being entered. Hmmm, does NT log those
by default?

Also, you'll need to send the random garbage first, not 2nd.

Cheers, Andrew