The Samba-Bugzilla – Bug 13884
Joining Active Directory should not use SAMR to set the password
Last modified: 2019-08-14 12:14:00 UTC
We are not able to join a domain using an authenticated DCERPC bind (KRB5, SPNEGO, NTLMSSP) with sealing (PRIVACY).
You can simply reproduce this in our environment using:
make testenv SELFTEST_TESTENV="ad_dc:client"
bin/rpcclient $SERVER -U$USERNAME%$PASSWORD -c "seal; setuserinfo2 bob 26 P@ssword0" -d10
Patches will follow.
Can you describe what the real-world problem looks like
and how this is avoided in a pure Windows setup?
Setup a DC with restricted access to LSA and SAMR. See
When you try to call samr_Connect2() over an anonymous DCERPC connection you will get:
fault: struct dcerpc_fault
alloc_hint : 0x00000020 (32)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
flags : 0x00 (0)
status : DCERPC_FAULT_ACCESS_DENIED (5)
reserved : 0x00000000 (0)
error_and_verifier : DATA_BLOB length=0
This means in order to join a domain and set the password for the machine account we need an authenticated sealed DCERPC connection.
(In reply to Andreas Schneider from comment #2)
Where are we doing the non authenticated dcerpc bind over an anonymous smb connection? Is this only for a password change for an existing user?
It should not happen during a net * join.
How does the same work from a Windows client (2008R2 and 2016)?
Can you provide captures with keytabs?
We have authenticated SMB connection but open and anonymous DCERPC named pipe. As a result SAMR sees an anonymous DCERPC connection and denies the access.
(In reply to Andreas Schneider from comment #4)
Do you mean we do a DCERPC bind with anonymous authentication,
or do you mean the bind without authentication?
So the privilege inheritance doesn't work anymore?
We need to know how Windows clients manage to do the same...
cli_rpc_pipe_open_noauth: opened pipe samr to machine EXAMPLE.LOCAL and bound anonymously.
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : *
system_name : 'EXAMPLE.LOCAL'
access_mask : 0x00000030 (48)
We get access denied here.
Created attachment 15055 [details]
RC4 encryption with the transport session key
Created attachment 15056 [details]
RC4 encryption with the fixed "SystemLibraryDTC" session key
Created attachment 15385 [details]
Network traces of Windows joining AD
Windows doesn't set the password using RPC. It just sets it via LDAP and the unicodePwd field. See the attached network traces.
(In reply to Andreas Schneider from comment #10)
Thanks! Can you also upload similar captures from the patched Samba
for non-existing and existing?
Created attachment 15391 [details]
Network traces of Samba joining AD
Here are traces of the new code I wrote joining Windows AD.
However, with the new code, it looks like the samba4.blackbox.net_ads(ad_dc:client) test doesn't work anymore; 'net ads leave' fails.
Fixed, there is only one bug left if we use --keep-account.