Bug 7036 - net rpc getsid fails in hardened windows environments
Summary: net rpc getsid fails in hardened windows environments
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Client tools (show other bugs)
Version: 3.3.9
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-12 20:46 UTC by David Daugherty
Modified: 2010-01-15 05:04 UTC (History)
0 users

See Also:

Attachments
Patch for master and 3.5.0. (1.29 KB, patch)
2010-01-14 16:45 UTC, Jeremy Allison 		no flags Details
git-am fix for 3.5.0. (1.22 KB, patch)
2010-01-14 17:41 UTC, Jeremy Allison 		no flags Details
git-am fix for 3.4.5. (1.21 KB, patch)
2010-01-14 17:43 UTC, Jeremy Allison 		no flags Details
git-am fix for 3.3.11. (1.14 KB, patch)
2010-01-14 17:51 UTC, Jeremy Allison 		no flags Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Daugherty 2010-01-12 20:46:10 UTC 
some windows environments do not allow anonymous connections to LSARPC pipe.  

In 3.0.33 net rpc getsid used to allow a user name and password to be entered, but this does not appear to be the case for 3.3.9
Comment 1 David Daugherty 2010-01-13 19:08:24 UTC 
This bug can be reproduced by doing the following on a Windows 2003 domain controller

GP, default domain policy,

computer configuration, windows settings, security settings, local policies, security options.

look for
Network access: Named Pipes that can be accessed anonymously 

open it up, check
define this policy settings in the template

remove lsarpc and sam

apply.

run gpupdate.
Then net rpc getsid will return  "Could not initialise lsa pipe"
Comment 2 David Daugherty 2010-01-13 19:16:35 UTC 
The suggested fix is to not pass in the NET_FLAGS_ANONYMOUS in the run_rpc_command if a user name was supplied on the command line

net_rpc.c:

int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
{
    int conn_flags = NET_FLAGS_PDC;

    if (!c->opt_user_specified)
        conn_flags |= NET_FLAGS_ANONYMOUS;

    ...

    return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id,
                                           conn_flags,
                                           rpc_getsid_internals,
                                           argc, argv);

}
Comment 3 Jeremy Allison 2010-01-14 16:45:52 UTC 
Created attachment 5187 [details]
Patch for master and 3.5.0.

David, can you confirm the patch (should be pretty simple) then I'll push to master and all the active release branches.

Thanks,

Jeremy.
Comment 4 David Daugherty 2010-01-14 16:54:24 UTC 
I am not sure what the selftest.sh part of the patch is about, but I have been testing the net_rpc_getsid portion against a Windows 2003 with hardened security as explained in comment #1 and it works well in my 3.3.9 environment.
Comment 5 Jeremy Allison 2010-01-14 17:20:02 UTC 
Oh, that's my mistake in doing a git diff -a instead of git diff util/net_rpc.c :-). Just ignore the selftest.sh change :-).

Great ! Thanks for reviewing, I'll create git-am style patches for 3.5.0, 3.4.x and 3.3.x and assign to Karolin for inclusion.

Cheers,

Jeremy.
Comment 6 Jeremy Allison 2010-01-14 17:41:55 UTC 
Created attachment 5188 [details]
git-am fix for 3.5.0.
Comment 7 Jeremy Allison 2010-01-14 17:43:15 UTC 
Created attachment 5189 [details]
git-am fix for 3.4.5.
Comment 8 Jeremy Allison 2010-01-14 17:51:35 UTC 
Created attachment 5190 [details]
git-am fix for 3.3.11.
Comment 9 Jeremy Allison 2010-01-14 17:52:05 UTC 
Re-assigning to Karolin for inclusion in 3.5.0, 3.4.5, and 3.3.11.

Jeremy.
Comment 10 Karolin Seeger 2010-01-15 05:04:40 UTC 
Pushed to all branches.
Closing out bug report.

Thanks!