We are not able to join a domain using an authenticated DCERPC bind (KRB5, SPNEGO, NTLMSSP) with sealing (PRIVACY). You can simply reproduce this in our environment using:

make testenv SELFTEST_TESTENV="ad_dc:client"
bin/rpcclient $SERVER -U$USERNAME%$PASSWORD -c "seal; setuserinfo2 bob 26 P@ssword0" -d10

Patches will follow.
Can you describe what the real world problem looks like and how this is avoided in a pure Windows setup?
Set up a DC with restricted access to LSA and SAMR. See
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
When you try to call samr_Connect2() over an anonymous DCERPC connection you will get:

fault: struct dcerpc_fault
    alloc_hint : 0x00000020 (32)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    flags : 0x00 (0)
        0: DCERPC_FAULT_FLAG_EXTENDED_ERROR_INFORMATION
    status : DCERPC_FAULT_ACCESS_DENIED (5)
    reserved : 0x00000000 (0)
    error_and_verifier : DATA_BLOB length=0

This means in order to join a domain and set the password for the machine account we need an authenticated sealed DCERPC connection.
(In reply to Andreas Schneider from comment #2)
Where are we doing the non-authenticated DCERPC bind over an anonymous SMB connection? Is this only for a password change for an existing user? It should not happen during a net * join. How does the same work from a Windows client (2008R2 and 2016)? Can you provide captures with keytabs?
We have an authenticated SMB connection but open an anonymous DCERPC named pipe. As a result SAMR sees an anonymous DCERPC connection and denies the access.
(In reply to Andreas Schneider from comment #4)
Do you mean we do a DCERPC bind with anonymous authentication, or do you mean the bind without authentication? So the privilege inheritance doesn't work anymore? We need to know how Windows clients manage to do the same...
cli_rpc_pipe_open_noauth()
cli_rpc_pipe_open_noauth: opened pipe samr to machine EXAMPLE.LOCAL and bound anonymously.
samr_Connect2: struct samr_Connect2
    in: struct samr_Connect2
        system_name : *
            system_name : 'EXAMPLE.LOCAL'
        access_mask : 0x00000030 (48)
            0: SAMR_ACCESS_CONNECT_TO_SERVER
            0: SAMR_ACCESS_SHUTDOWN_SERVER
            0: SAMR_ACCESS_INITIALIZE_SERVER
            0: SAMR_ACCESS_CREATE_DOMAIN
            1: SAMR_ACCESS_ENUM_DOMAINS
            1: SAMR_ACCESS_LOOKUP_DOMAIN

We get access denied here.
Created attachment 15055 [details] RC4 encryption with the transport session key
Created attachment 15056 [details] RC4 encryption with the fixed "SystemLibraryDTC" session key
Created attachment 15385 [details] Network traces of Windows joining AD Windows doesn't set the password using RPC. It just sets it via LDAP and the unicodePwd field. The attached network traces. Working patchset: https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-libads
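The LDAP path the traces show (setting the machine account password through the unicodePwd attribute instead of SAMR), as an added example that is not part of this bug report and not Samba's own code. It builds the value the way AD expects it (the cleartext wrapped in double quotes, UTF-16-LE encoded) and wraps it in an LDIF modify record. The DN and password are constructed for illustration; a DC only accepts this replace over an encrypted connection (LDAPS, or a SASL/GSSAPI bind with confidentiality), which is why the join has to come in sealed whichever protocol it uses.

```python
import base64


def unicode_pwd_value(password: str) -> bytes:
    """Encode a cleartext password for the AD unicodePwd attribute.

    AD expects the password wrapped in double quotes and encoded as
    UTF-16-LE without a BOM; anything else is rejected.
    """
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Reverse of unicode_pwd_value, with the checks a DC applies."""
    if len(value) % 2:
        raise ValueError("unicodePwd value is not UTF-16-LE (odd length)")
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def unicode_pwd_ldif(dn: str, password: str) -> str:
    """Build an LDIF change record that replaces unicodePwd on `dn`.

    LDIF requires the '::' base64 form for values that are not safe
    ASCII, and a UTF-16-LE string never is (every other byte is NUL).
    """
    b64 = base64.b64encode(unicode_pwd_value(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


def password_from_ldif(ldif: str) -> str:
    """Extract and decode the unicodePwd value from a record built above."""
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            return decode_unicode_pwd(base64.b64decode(line[len("unicodePwd:: "):]))
    raise ValueError("no base64 unicodePwd attribute in LDIF record")


if __name__ == "__main__":
    # Constructed DN and password for illustration only.
    machine_dn = "CN=CLIENT,CN=Computers,DC=example,DC=local"
    record = unicode_pwd_ldif(machine_dn, "P@ssword0")
    print(record)
    print("round trip:", password_from_ldif(record))
```

The record can be fed to `ldapmodify` over LDAPS or a GSSAPI-sealed connection; over plain LDAP the DC answers unwillingToPerform rather than accepting the password.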
(In reply to Andreas Schneider from comment #10)
Thanks! Can you also upload similar captures from the patched samba for non-existing and existing?
Created attachment 15391 [details] Network traces of Samba joining AD
Here are traces of the new code I wrote joining Windows AD. However with the new code, it looks like the samba4.blackbox.net_ads(ad_dc:client) doesn't work anymore, 'net ads leave' fails.
Fixed, there is only one bug left if we use --keep-account.
An isolated patch for fixing the account OU join regression is provided in this new bug #14114
Created attachment 15521 [details] patch for 4.11
Comment on attachment 15521 [details] patch for 4.11 LGTM
Created attachment 15522 [details] patch for 4.10
Comment on attachment 15522 [details] patch for 4.10 LGTM
Karolin, please apply the patchset to the relevant branches, thanks!
(In reply to Andreas Schneider from comment #19) Pushed to autobuild-v4-{11,10}-test.
(In reply to Karolin Seeger from comment #20) Pushed to both branches. Closing out bug report. Thanks!