samba-users August 2010 archive

[Samba] Join domain through direct registry manipulation?

From: David Mathog <mathog_at_nospam>
Date: Tue Aug 24 2010 - 18:17:58 GMT
To: samba@lists.samba.org

Might it be possible to join a Windows machine to a Samba domain
by direct registry manipulation?

As an experiment, on a test machine:

  (not in a domain)

  reg export HKLM >before_join.txt

  (join domain)

  reg export HKLM >pre_reboot.txt

  (reboot)

  reg export HKLM >post_reboot.txt

The files created are unicode, with every other byte a null, and diff
didn't like these on my linux boxes. Probably locale was set
incorrectly. In any case, I used my extract program (from here:

  http://drmtools.sourceforge.net/

[nothing to do with digital rights management - those are my initials]
) to make them into plain text:

  extract -nr 1 -sc 3 -all -in post_reboot.txt -hnd >post_reboot.txt2
  extract -nr 1 -sc 3 -all -in before_join.txt -hnd >before_join.txt2
  extract -nr 1 -sc 3 -all -in pre_reboot.txt -hnd >pre_reboot.txt2

then

  xxdiff before_join.txt2 post_reboot.txt2
  xxdiff before_join.txt2 pre_reboot.txt2

From these I see a few random bits changing (which might be important
but I cannot interpret them), plus these three which definitely seem to
be relevant.

in post_reboot.txt2:

HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Sidcache
  "MachineSid"=hex:<data - not shown>
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOGON\0000\Control
  "ActiveService"="NetLogon"
HKLM\SYSTEM\ControlSet001\Services\NetLogon "start"=dword:2

in pre_reboot.txt2:

HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Sidcache
  no "MachineSid" value
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOGON\0000\Control
  "ActiveService"="Netlogon"
HKLM\SYSTEM\ControlSet001\Services\NetLogon "start"=dword:2

in before_join.txt2

HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Sidcache
  no "MachineSid" value
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOGON\0000\Control
  no "ActiveService" value
HKLM\SYSTEM\ControlSet001\Services\NetLogon "start"=dword:3

It looks like the initial step in the netlogon is to change the 3rd and
2nd values. Not clear where the logon credentials are stored.
Then at reboot the MachineSid is returned by the Samba server to the
client, presumably very early in the boot process. The MachineSid
on two client machines differed, although only in a few digits.

That suggests that one should be able to join an XP machine by
doing something on the Samba server (maybe just: smbpasswd -a -m
MACHINE$ ?) and then on the client do three

  reg add

commands to set it to the appropriate state, and reboot. That would be
really convenient since the cloning process running under linux could
easily write a runonce file with these commands into the Windows
partition. However, I do not see a place on the server side to
retrieve the MachineSid for a particular workstation. If it is in
smbpasswd, it is encrypted.

Regards,

David Mathog
mathog@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech

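As an added example (not part of the post, and not Samba's or the author's code), here is a Python script that does the snapshot comparison the post performs with `extract` and `xxdiff`: it decodes the UTF-16LE output of `reg export`, parses it into keys and values, and reports only the values that differ between two snapshots, so the "few random bits changing" are listed next to the deliberate ones. The two sample exports are constructed around the keys the post names, with `HKEY_LOCAL_MACHINE` spelled out the way `reg export` writes it; the `MachineSid` bytes are a made-up placeholder, since the post does not show the real data.

```python
"""Snapshot-diff two `reg export` files to list exactly which registry values
a change (here, a domain join) touched.  Added example; not from the post."""
import codecs
import re
from typing import Any, Dict, Optional, Tuple


def decode_reg_export(raw: bytes) -> str:
    """reg.exe writes UTF-16LE with a BOM (the 'every other byte a null' in the post)."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    return raw.decode("cp1252")           # older REGEDIT4-style exports are 8-bit text


def decode_value(data: str) -> Any:
    """Turn .reg textual data into a Python value so diffs compare content, not formatting."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])   # un-escape \" and \\
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):            # hex:, hex(2):, hex(7): ... all carry comma-separated bytes
        payload = data.partition(":")[2]
        return bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return data                           # anything else is kept verbatim


_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key_path: {value_name: value}}.  '@' names the key's default value."""
    keys: Dict[str, Dict[str, Any]] = {}
    current: Optional[str] = None
    pending = ""                          # hex data wraps with a trailing backslash
    for line in text.splitlines():
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_value(m.group(3))
    return keys


def diff_snapshots(before: Dict[str, Dict[str, Any]],
                   after: Dict[str, Dict[str, Any]]) -> Dict[Tuple[str, str], Tuple[Any, Any]]:
    """Map (key, value_name) -> (old, new); None on one side means the value was absent."""
    changes: Dict[Tuple[str, str], Tuple[Any, Any]] = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes[(key, name)] = (b.get(name), a.get(name))
    return changes


def report(before_raw: bytes, after_raw: bytes) -> Dict[Tuple[str, str], Tuple[Any, Any]]:
    """Convenience wrapper: two raw export files in, the changed values out."""
    return diff_snapshots(parse_reg_export(decode_reg_export(before_raw)),
                          parse_reg_export(decode_reg_export(after_raw)))


# Constructed sample exports modelled on the keys the post names.  The MachineSid
# bytes are a made-up placeholder (24 bytes shaped like a SID), not a real value.
_BEFORE_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Sidcache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOGON\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon]
"Type"=dword:00000020
"Start"=dword:00000003
"""

_AFTER_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Sidcache]
"MachineSid"=hex:01,04,00,00,00,00,00,05,15,00,00,00,11,22,33,44,55,66,77,88,\
  99,aa,bb,cc

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOGON\0000\Control]
"ActiveService"="NetLogon"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon]
"Type"=dword:00000020
"Start"=dword:00000002
"""


def _as_reg_export(text: str) -> bytes:
    """Mimic reg.exe output: UTF-16LE with BOM and CRLF line endings."""
    return codecs.BOM_UTF16_LE + text.replace("\n", "\r\n").encode("utf-16-le")


BEFORE_JOIN = _as_reg_export(_BEFORE_TEXT)
POST_REBOOT = _as_reg_export(_AFTER_TEXT)

if __name__ == "__main__":
    for (key, name), (old, new) in report(BEFORE_JOIN, POST_REBOOT).items():
        print(f"{key}\n  {name!r}: {old!r} -> {new!r}")
```

Replacing the constructed byte strings with `open("before_join.txt", "rb").read()` and the like gives the same report for real exports. Comparing typed values rather than raw lines sidesteps the encoding mismatch the post ran into, and the same `report` call works for any before/after pair, which is also a useful check that a scripted configuration change touched nothing beyond the values it was meant to.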