The Samba-Bugzilla – Bug 7036
net rpc getsid fails in hardened windows environments
Last modified: 2010-01-15 05:04:40 UTC
some windows environments do not allow anonymous connections to LSARPC pipe.
In 3.0.33 net rpc getsid used to allow a user name and password to be entered, but this does not appear to be the case for 3.3.9
This bug can be reproduced by doing the following on a Windows 2003 domain controller
GP, default domain policy,
computer configuration, windows settings, security settings, local policies, security options.
Network access: Named Pipes that can be accessed anonymously
open it up, check
define this policy settings in the template
remove lsarpc and sam
Then net rpc getsid will return "Could not initialise lsa pipe"
The suggested fix is to not pass in the NET_FLAGS_ANONYMOUS in the run_rpc_command if a user name was supplied on the command line
int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
int conn_flags = NET_FLAGS_PDC;
conn_flags |= NET_FLAGS_ANONYMOUS;
return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id,
Created attachment 5187 [details]
Patch for master and 3.5.0.
David, can you confirm the patch (should be pretty simple) then I'll push to master and all the active release branches.
I am not sure what the selftest.sh part of the patch is about, but I have been testing the net_rpc_getsid portion against a Windows 2003 with hardened security as explained in comment #1 and it works well in my 3.3.9 environment.
Oh, that's my mistake in doing a git diff -a instead of git diff util/net_rpc.c :-). Just ignore the selftest.sh change :-).
Great ! Thanks for reviewing, I'll create git-am style patches for 3.5.0, 3.4.x and 3.3.x and assign to Karolin for inclusion.
Created attachment 5188 [details]
git-am fix for 3.5.0.
Created attachment 5189 [details]
git-am fix for 3.4.5.
Created attachment 5190 [details]
git-am fix for 3.3.11.
Re-assigning to Karolin for inclusion in 3.5.0, 3.4.5, and 3.3.11.
Pushed to all branches.
Closing out bug report.