Bug 13884 - Joining Active Directory should not use SAMR to set the password
Joining Active Directory should not use SAMR to set the password
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.9.1
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-04 13:21 UTC by Andreas Schneider
Modified: 2019-10-17 07:25 UTC (History)
3 users (show)

See Also:


Attachments
RC4 encryption with the transport session key (4.93 KB, application/octet-stream)
2019-04-10 13:02 UTC, Andreas Schneider
no flags Details
RC4 encryption with the fixed "SystemLibraryDTC" session key (4.96 KB, application/octet-stream)
2019-04-10 13:03 UTC, Andreas Schneider
no flags Details
Network traces of Windows joining AD (131.51 KB, application/x-xz)
2019-08-09 05:51 UTC, Andreas Schneider
no flags Details
Network traces of Samba joining AD (74.57 KB, application/x-xz)
2019-08-14 11:46 UTC, Andreas Schneider
no flags Details
patch for 4.11 (40.26 KB, patch)
2019-10-09 08:33 UTC, Andreas Schneider
ab: review+
Details
patch for 4.10 (40.25 KB, patch)
2019-10-09 15:27 UTC, Andreas Schneider
ab: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2019-04-04 13:21:23 UTC
We are not able to join a domain using an authenticated DCERPC bind (KRB5, SPNEGE, NTLMSSP) with sealing (PRIVACY).

You simply reproduce this in our environment using:

make testevn SELFTEST_TESTENV="ad_dc:client"
bin/rpcclient $SERVER -U$USERNAME%$PASSWORD -c "seal; setuserinfo2 bob 26 P@ssword0" -d10

Patches will follow.
Comment 1 Stefan Metzmacher 2019-04-08 11:27:19 UTC
Can you describe how the real world problem looks like
and how this is avoided in a pure Windows setup?
Comment 2 Andreas Schneider 2019-04-08 15:06:41 UTC
Setup a DC with restricted access to LSA and SAMR. See

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

When you try to call samr_Connect2() over an anonymous DCEPRC coonection you will get:

        fault: struct dcerpc_fault
            alloc_hint               : 0x00000020 (32)
            context_id               : 0x0000 (0) 
            cancel_count             : 0x00 (0) 
            flags                    : 0x00 (0)
                   0: DCERPC_FAULT_FLAG_EXTENDED_ERROR_INFORMATION
            status                   : DCERPC_FAULT_ACCESS_DENIED (5)
            reserved                 : 0x00000000 (0)
            error_and_verifier       : DATA_BLOB length=0

This means in order to join a domain and set the password for the machine account we need an authenticated sealed DCEPRC connection.
Comment 3 Stefan Metzmacher 2019-04-09 05:39:25 UTC
(In reply to Andreas Schneider from comment #2)

Where are we doing the non authenticated dcerpc bind over an anonymous smb connection? Is this only for a password change for an existing user?
It should not happen during a net * join.

How does the same work from a Windows client (2008R2 and 20016)?

Can you provide captures with keytabs?
Comment 4 Andreas Schneider 2019-04-09 05:48:06 UTC
We have authenticated SMB connection but open and anonymous DCERPC named pipe. As a result SAMR sees an anonymous DCERPC connection and denies the access.
Comment 5 Stefan Metzmacher 2019-04-09 14:16:04 UTC
(In reply to Andreas Schneider from comment #4)

Do you means we do an DCERPC bind with anonymous authentication,
or you mean the bind without authentication?

So the privilege inheritance doesn't work anymore?

We need to know how Windows clients manage to do the same...
Comment 6 Andreas Schneider 2019-04-09 15:44:23 UTC
cli_rpc_pipe_open_noauth()
Comment 7 Andreas Schneider 2019-04-09 15:46:43 UTC
cli_rpc_pipe_open_noauth: opened pipe samr to machine EXAMPLE.LOCAL and bound anonymously.
     samr_Connect2: struct samr_Connect2
        in: struct samr_Connect2
            system_name              : *
                system_name              : 'EXAMPLE.LOCAL'
            access_mask              : 0x00000030 (48)
                   0: SAMR_ACCESS_CONNECT_TO_SERVER
                   0: SAMR_ACCESS_SHUTDOWN_SERVER
                   0: SAMR_ACCESS_INITIALIZE_SERVER
                   0: SAMR_ACCESS_CREATE_DOMAIN
                   1: SAMR_ACCESS_ENUM_DOMAINS 
                   1: SAMR_ACCESS_LOOKUP_DOMAIN


We get access denied here.
Comment 8 Andreas Schneider 2019-04-10 13:02:36 UTC
Created attachment 15055 [details]
RC4 encryption with the transport session key
Comment 9 Andreas Schneider 2019-04-10 13:03:14 UTC
Created attachment 15056 [details]
RC4 encryption with the fixed "SystemLibraryDTC" session key
Comment 10 Andreas Schneider 2019-08-09 05:51:04 UTC
Created attachment 15385 [details]
Network traces of Windows joining AD

Windows doesn't set the password using RPC. It just sets it via LDAP and the unicodePwd field. The attached network traces.

Working patchset:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-libads
Comment 11 Stefan Metzmacher 2019-08-09 10:09:23 UTC
(In reply to Andreas Schneider from comment #10)

Thanks! Can you also upload similar captures from the patches samba
for non-existing and existing?
Comment 12 Andreas Schneider 2019-08-14 11:46:07 UTC
Created attachment 15391 [details]
Network traces of Samba joining AD

Here are traces of the new code I wrote joining Windows AD.

However wit the new code, it looks like the samba4.blackbox.net_ads(ad_dc:client) doesn't work anymore, 'net ads leave' fails.
Comment 13 Andreas Schneider 2019-08-14 12:14:00 UTC
Fixed, there is only one bug left if we use --keep-account.
Comment 14 Guenther Deschner 2019-09-04 10:16:51 UTC
An isolated patch for fixing the account ou join regression is provided in this new bug #14114
Comment 15 Andreas Schneider 2019-10-09 08:33:32 UTC
Created attachment 15521 [details]
patch for 4.11
Comment 16 Alexander Bokovoy 2019-10-09 09:37:16 UTC
Comment on attachment 15521 [details]
patch for 4.11

LGTM
Comment 17 Andreas Schneider 2019-10-09 15:27:45 UTC
Created attachment 15522 [details]
patch for 4.10
Comment 18 Alexander Bokovoy 2019-10-10 06:21:14 UTC
Comment on attachment 15522 [details]
patch for 4.10

LGTM
Comment 19 Andreas Schneider 2019-10-10 06:27:11 UTC
Karolin, please apply the patchset to the relevant branches, thanks!
Comment 20 Karolin Seeger 2019-10-16 11:04:45 UTC
(In reply to Andreas Schneider from comment #19)
Pushed to autobuild-v4-{11,10}-test.
Comment 21 Karolin Seeger 2019-10-17 07:25:39 UTC
(In reply to Karolin Seeger from comment #20)
Pushed to both branches.
Closing out bug report.

Thanks!