Bug 13884 - Joining a domain using an authenticated DCERPC bind doesn't work
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.9.1
Hardware: All
OS: All
Priority: P5
Severity: normal
Target Milestone: ---
Assigned To: Andreas Schneider
QA Contact: Samba QA Contact
Reported: 2019-04-04 13:21 UTC by Andreas Schneider
Modified: 2019-04-10 13:03 UTC

Attachments
RC4 encryption with the transport session key (4.93 KB, application/octet-stream)
2019-04-10 13:02 UTC, Andreas Schneider
RC4 encryption with the fixed "SystemLibraryDTC" session key (4.96 KB, application/octet-stream)
2019-04-10 13:03 UTC, Andreas Schneider

Description Andreas Schneider 2019-04-04 13:21:23 UTC
We are not able to join a domain using an authenticated DCERPC bind (KRB5, SPNEGO, NTLMSSP) with sealing (PRIVACY).

You can simply reproduce this in our environment using:

make testenv SELFTEST_TESTENV="ad_dc:client"
bin/rpcclient $SERVER -U$USERNAME%$PASSWORD -c "seal; setuserinfo2 bob 26 P@ssword0" -d10

Patches will follow.
Comment 1 Stefan Metzmacher 2019-04-08 11:27:19 UTC
Can you describe what the real-world problem looks like
and how this is avoided in a pure Windows setup?
Comment 2 Andreas Schneider 2019-04-08 15:06:41 UTC
Set up a DC with restricted access to LSA and SAMR. See

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

When you try to call samr_Connect2() over an anonymous DCERPC connection you will get:

        fault: struct dcerpc_fault
            alloc_hint               : 0x00000020 (32)
            context_id               : 0x0000 (0) 
            cancel_count             : 0x00 (0) 
            flags                    : 0x00 (0)
                   0: DCERPC_FAULT_FLAG_EXTENDED_ERROR_INFORMATION
            status                   : DCERPC_FAULT_ACCESS_DENIED (5)
            reserved                 : 0x00000000 (0)
            error_and_verifier       : DATA_BLOB length=0

This means that in order to join a domain and set the password for the machine account we need an authenticated, sealed DCERPC connection.
Comment 3 Stefan Metzmacher 2019-04-09 05:39:25 UTC
(In reply to Andreas Schneider from comment #2)

Where are we doing the non authenticated dcerpc bind over an anonymous smb connection? Is this only for a password change for an existing user?
It should not happen during a net * join.

How does the same work from a Windows client (2008R2 and 2016)?

Can you provide captures with keytabs?
Comment 4 Andreas Schneider 2019-04-09 05:48:06 UTC
We have an authenticated SMB connection but open an anonymous DCERPC named pipe. As a result SAMR sees an anonymous DCERPC connection and denies the access.
Comment 5 Stefan Metzmacher 2019-04-09 14:16:04 UTC
(In reply to Andreas Schneider from comment #4)

Do you mean we do a DCERPC bind with anonymous authentication,
or do you mean the bind without authentication?

So the privilege inheritance doesn't work anymore?

We need to know how Windows clients manage to do the same...
Comment 6 Andreas Schneider 2019-04-09 15:44:23 UTC
cli_rpc_pipe_open_noauth()
Comment 7 Andreas Schneider 2019-04-09 15:46:43 UTC
cli_rpc_pipe_open_noauth: opened pipe samr to machine EXAMPLE.LOCAL and bound anonymously.
     samr_Connect2: struct samr_Connect2
        in: struct samr_Connect2
            system_name              : *
                system_name              : 'EXAMPLE.LOCAL'
            access_mask              : 0x00000030 (48)
                   0: SAMR_ACCESS_CONNECT_TO_SERVER
                   0: SAMR_ACCESS_SHUTDOWN_SERVER
                   0: SAMR_ACCESS_INITIALIZE_SERVER
                   0: SAMR_ACCESS_CREATE_DOMAIN
                   1: SAMR_ACCESS_ENUM_DOMAINS 
                   1: SAMR_ACCESS_LOOKUP_DOMAIN


We get access denied here.
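As an added example (not code from this bug report or from the Samba project), here is a small Python parser for the rpcclient `-d10` NDR debug dumps quoted in comments 2 and 7. It extracts the pipe-binding line, the requested `access_mask` bits and the `dcerpc_fault` status, and names the "bound anonymously + DCERPC_FAULT_ACCESS_DENIED" combination this bug is about, which is the pattern to look for in client logs when a DC restricts remote SAM access. The sample input is constructed by pasting the two dumps above together; the function names and verdict strings are my own.

```python
import re

# Constructed sample input: the samr_Connect2 call dump from comment 7 followed by
# the dcerpc_fault dump from comment 2, as one rpcclient -d10 log.
SAMPLE_DUMP = """\
cli_rpc_pipe_open_noauth: opened pipe samr to machine EXAMPLE.LOCAL and bound anonymously.
     samr_Connect2: struct samr_Connect2
        in: struct samr_Connect2
            system_name              : *
                system_name              : 'EXAMPLE.LOCAL'
            access_mask              : 0x00000030 (48)
                   0: SAMR_ACCESS_CONNECT_TO_SERVER
                   0: SAMR_ACCESS_SHUTDOWN_SERVER
                   0: SAMR_ACCESS_INITIALIZE_SERVER
                   0: SAMR_ACCESS_CREATE_DOMAIN
                   1: SAMR_ACCESS_ENUM_DOMAINS 
                   1: SAMR_ACCESS_LOOKUP_DOMAIN
        fault: struct dcerpc_fault
            alloc_hint               : 0x00000020 (32)
            context_id               : 0x0000 (0) 
            cancel_count             : 0x00 (0) 
            flags                    : 0x00 (0)
                   0: DCERPC_FAULT_FLAG_EXTENDED_ERROR_INFORMATION
            status                   : DCERPC_FAULT_ACCESS_DENIED (5)
            reserved                 : 0x00000000 (0)
            error_and_verifier       : DATA_BLOB length=0
"""

PIPE_RE = re.compile(r"opened pipe (\w+) to machine (\S+) and bound (\w+)\.")
BIT_RE = re.compile(r"^\s*([01]):\s*(\w+)\s*$")          # "1: SAMR_ACCESS_ENUM_DOMAINS"
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")      # "name : value"
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s*\((\d+)\)$")      # "0x00000030 (48)"
ENUM_RE = re.compile(r"^([A-Z][A-Z0-9_]+)\s*\((\d+)\)$")  # "DCERPC_FAULT_ACCESS_DENIED (5)"
STR_RE = re.compile(r"^'(.*)'$")                          # "'EXAMPLE.LOCAL'"


def _decode_value(raw):
    """Turn the textual right-hand side of an NDR field into a Python value."""
    if raw == "*":
        return None                      # pointer marker; the pointee follows one level deeper
    if raw.startswith("struct "):
        return ("struct", raw.split(None, 1)[1])
    m = HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    m = ENUM_RE.match(raw)
    if m:
        return (m.group(1), int(m.group(2)))
    m = STR_RE.match(raw)
    if m:
        return m.group(1)
    return raw                           # e.g. "DATA_BLOB length=0"


def parse_ndr_dump(text):
    """Flatten an NDR debug dump into bind info, scalar fields and the set bitmap flags."""
    result = {"pipe": None, "machine": None, "bind": None,
              "structs": [], "fields": {}, "flags": {}}
    current = None                       # field whose bitmap lines are being read
    for line in text.splitlines():
        m = PIPE_RE.search(line)
        if m:
            result["pipe"], result["machine"], result["bind"] = m.groups()
            continue
        m = BIT_RE.match(line)           # try before FIELD_RE: "0: NAME" also looks like a field
        if m and current is not None:
            enabled = result["flags"].setdefault(current, set())
            if m.group(1) == "1":
                enabled.add(m.group(2))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        value = _decode_value(raw)
        current = name
        if value is None:
            continue                     # skip the pointer line; the dereferenced value comes next
        if isinstance(value, tuple) and value[0] == "struct":
            result["structs"].append(value[1])
        result["fields"][name] = value
    return result


def classify(parsed):
    """Name the failure pattern seen in the dump."""
    status = parsed["fields"].get("status")
    denied = isinstance(status, tuple) and status[0] == "DCERPC_FAULT_ACCESS_DENIED"
    if denied and parsed["bind"] == "anonymously":
        return "anonymous-bind-denied"   # this bug: SMB session is authenticated, the pipe bind is not
    if denied:
        return "authenticated-bind-denied"
    if "dcerpc_fault" in parsed["structs"]:
        return "other-fault"
    return "no-fault"


if __name__ == "__main__":
    p = parse_ndr_dump(SAMPLE_DUMP)
    print("pipe", p["pipe"], "on", p["machine"], "bound", p["bind"])
    print("requested", sorted(p["flags"]["access_mask"]), "=", hex(p["fields"]["access_mask"]))
    print("status", p["fields"]["status"], "->", classify(p))
```

The verdict `anonymous-bind-denied` is exactly the situation described in comment 4: the SMB session carries credentials, but the named-pipe bind made by cli_rpc_pipe_open_noauth() carries none, so a server that refuses anonymous SAM access returns DCERPC_FAULT_ACCESS_DENIED even though the requested mask is only SAMR_ACCESS_ENUM_DOMAINS | SAMR_ACCESS_LOOKUP_DOMAIN.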
Comment 8 Andreas Schneider 2019-04-10 13:02:36 UTC
Created attachment 15055
RC4 encryption with the transport session key
Comment 9 Andreas Schneider 2019-04-10 13:03:14 UTC
Created attachment 15056
RC4 encryption with the fixed "SystemLibraryDTC" session key