Hi everyone. I have been trying to find an issue with a piece of software talking with our DCs in NTLM (I know.. sigh..) and I have pinned the problem down to an ldap_modify call. However, neither in Windows logs nor anywhere else can I see what it's trying to do.
I have taken several traces of the problem occurring but no matter how I turn and twist it, I can't get Wireshark to decrypt the LDAP traffic, although I understand that it should have been there since version 1.0, basically.
The traffic is going via port 389 and is using NTLMSSP. I see NTLMSSP_NEGOTIATE, NTLMSSP_CHALLENGE, and NTLMSSP_AUTH just fine - I see that it uses signing and extended security.
I'm on 3.0.3 in my admin environment and I have tried the following:
- Adding a keytab file for the user authenticating against the DC for the bind with HMAC4 and one with all ciphers in
- Setting the "decode as" to LDAP
- Setting the "decode as" to ntlmssp
- Adding an NTLM password into the protocol options
I've been asking Dr Google till his (or her?) ears bled and I have no idea what I'm doing wrong. Can anybody give me a nudge in the right direction?
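For anyone landing here with the same problem, it helps to see what a dissector has to compute before it can unseal NTLM-protected LDAP. The keys never travel on the wire: they are derived from the NT hash of the password, the server challenge in the CHALLENGE message and the client's NTLMv2 response in the AUTHENTICATE message, then unwrapped with RC4 when NTLMSSP_NEGOTIATE_KEY_EXCH is set, and finally split into signing and sealing keys when extended session security is negotiated (MS-NLMP sections 3.3.2, 3.4.5.2 and 3.4.5.3). So a capture must contain all three NTLMSSP messages, the password has to belong to exactly the user and domain in the AUTHENTICATE message (the user name is upper-cased before hashing, the domain is not), and a Kerberos keytab does not help because no Kerberos key is involved. The following script is an added example written for this thread, not code from Wireshark or from the original poster; the password, user, domain, challenges and target info are constructed values that mirror the worked example in MS-NLMP section 4.2, and the MD4 implementation is included because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
_R2_ORDER = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

# NEGOTIATE flags (MS-NLMP 2.2.2.5) that influence key derivation.
NTLMSSP_NEGOTIATE_56 = 0x80000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash of a password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, order, shifts, const in (
            (f, range(16), (3, 7, 11, 19), 0),
            (g, _R2_ORDER, (3, 5, 9, 13), 0x5A827999),
            (h, _R3_ORDER, (3, 9, 11, 15), 0x6ED9EBA1),
        ):
            for i, k in enumerate(order):
                j = (-i) % 4  # word being updated cycles a, d, c, b
                s[j] = rotl((s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                             + x[k] + const) & _MASK, shifts[i % 4])
        state = [(u + v) & _MASK for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as used by NTLM to wrap the exported session key (and to seal)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(MD4(UTF-16LE(password)), UTF-16LE(UPPER(user) + domain))."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' blob that follows NTProofStr inside the NTLMv2 response."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def session_base_key(response_key_nt: bytes, server_challenge: bytes, temp: bytes):
    """Returns (NTProofStr, SessionBaseKey); for NTLMv2 the KXKEY is the SessionBaseKey."""
    nt_proof_str = hmac.new(response_key_nt, server_challenge + temp, "md5").digest()
    return nt_proof_str, hmac.new(response_key_nt, nt_proof_str, "md5").digest()


def exported_session_key(flags: int, key_exchange_key: bytes, encrypted_random_session_key: bytes) -> bytes:
    """With KEY_EXCH the client's random key is RC4-wrapped under KXKEY, else KXKEY is used directly."""
    if flags & NTLMSSP_NEGOTIATE_KEY_EXCH:
        return rc4(key_exchange_key, encrypted_random_session_key)
    return key_exchange_key


def derive_sign_seal_keys(exported_key: bytes, flags: int) -> dict:
    """SIGNKEY/SEALKEY for extended session security (MS-NLMP 3.4.5.2 / 3.4.5.3)."""
    if not flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        raise ValueError("example covers extended session security only")
    if flags & NTLMSSP_NEGOTIATE_128:
        seal_base = exported_key
    elif flags & NTLMSSP_NEGOTIATE_56:
        seal_base = exported_key[:7]
    else:
        seal_base = exported_key[:5]
    keys = {}
    for direction in ("client-to-server", "server-to-client"):
        magic = "session key to %s %s key magic constant\x00"
        keys["sign_" + direction] = hashlib.md5(exported_key + (magic % (direction, "signing")).encode()).digest()
        keys["seal_" + direction] = hashlib.md5(seal_base + (magic % (direction, "sealing")).encode()).digest()
    return keys


def reconstruct_keys(password, user, domain, flags, server_challenge, client_challenge,
                     timestamp, target_info, encrypted_random_session_key=None) -> dict:
    """Everything a passive dissector must rebuild from the password plus the three NTLMSSP messages."""
    nt_proof_str, sbk = session_base_key(ntowf_v2(password, user, domain), server_challenge,
                                         ntlmv2_temp(timestamp, client_challenge, target_info))
    esk = exported_session_key(flags, sbk, encrypted_random_session_key)
    return {"nt_proof_str": nt_proof_str, "session_base_key": sbk,
            "exported_session_key": esk, **derive_sign_seal_keys(esk, flags)}


def av_pair(av_id: int, value: str) -> bytes:
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


# Constructed inputs (mirroring the MS-NLMP 4.2 example values), not from a real capture.
DEMO_FLAGS = (NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_128
              | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
DEMO_TARGET_INFO = av_pair(0x0002, "Domain") + av_pair(0x0001, "Server") + struct.pack("<HH", 0, 0)
DEMO_WRAPPED_KEY = rc4(session_base_key(ntowf_v2("Password", "User", "Domain"), bytes.fromhex("0123456789abcdef"),
                       ntlmv2_temp(0, b"\xaa" * 8, DEMO_TARGET_INFO))[1], b"\x55" * 16)


def demo(password="Password", user="User", domain="Domain") -> dict:
    return reconstruct_keys(password, user, domain, DEMO_FLAGS, bytes.fromhex("0123456789abcdef"),
                            b"\xaa" * 8, 0, DEMO_TARGET_INFO, DEMO_WRAPPED_KEY)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value.hex()}")
```

Running it prints the session base key, the unwrapped exported session key (0x55 repeated, since that is the constructed random key) and the four signing/sealing keys. Calling `demo("Password", "user", "DOMAIN")` yields a different session base key even though only the case of the domain changed, which is the practical check: the password entered in the dissector preference must match the exact account and domain string carried in the AUTHENTICATE message, and if the capture started after the handshake there is nothing to derive from.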