[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]
Andreas Schneider
asn at samba.org
Wed May 8 06:48:35 UTC 2019
On Monday, May 6, 2019 8:41:34 PM CEST Obaid Farooqi wrote:
> Hi Andreas:
Hi Obaid,
> Couple of questions for you:
> 1. is there a way in your rpcclient to use RPC_C_AUTHN_LEVEL_NONE? I know
> [Seal] will cause RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Is there a similar option
> for RPC_C_AUTHN_LEVEL_NONE?
rpcclient ncacn_np:<server> -U <user>
should use RPC_C_AUTHN_LEVEL_NONE by default.
rpcclient ncacn_np:<server>[seal] -U <user>
will use RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
I've just recently updated the rpcclient manpage to describe the binding
string. Here is what I added:
When connecting to a dcerpc service you need to specify a binding
string.
The format is:
TRANSPORT:host[options]
where TRANSPORT is either ncacn_np (named pipes) for SMB or
ncacn_ip_tcp for DCERPC over TCP/IP.
"host" is an IP or hostname or netbios name. If the binding string
identifies the server side of an endpoint, "host" may be an empty
string. See below for more details.
"options" can include a SMB pipe name if using the ncacn_np
transport or a TCP port number if using the ncacn_ip_tcp transport,
otherwise they will be auto-determined.
Examples:
• ncacn_ip_tcp:samba.example.com[1024]
• ncacn_ip_tcp:samba.example.com[sign,seal,krb5]
• ncacn_ip_tcp:samba.example.com[sign,spnego]
• ncacn_np:samba.example.com
• ncacn_np:samba.example.com[samr]
• ncacn_np:samba.example.com[samr,sign,print]
• ncalrpc:/path/to/unix/socket
• //SAMBA
The supported transports are:
• ncacn_np - Connect using named pipes
• ncacn_ip_tcp - Connect over TCP/IP
• ncalrpc - Connect over local RPC (unix sockets)
The supported options are:
• sign - Use RPC integrity authentication level
• seal - Enable RPC privacy (encryption) authentication level
• connect - Use RPC connect level authentication (auth, but no sign or seal)
• packet - Use RPC packet authentication level
• spnego - Use SPNEGO instead of NTLMSSP authentication
• ntlm - Use plain NTLM instead of SPNEGO or NTLMSSP
• krb5 - Use Kerberos instead of NTLMSSP authentication
• schannel - Create a schannel connection
• smb1 - Use SMB1 for named pipes
• smb2 - Use SMB2/3 for named pipes
I hope that helps :-)
> 2. You mentioned WS2008R2 behave differently.
> Does that mean WS2008R2 changes the password successfully when
> RPC_C_AUTHN_LEVEL_PKT_PRIVACY is used with SMB Session key?
On WS2008R2 using "SystemLibraryDTC" as the session key to encrypt the
password buffer over a RPC_C_AUTHN_LEVEL_PKT_PRIVACY connection doesn't work.
The password change is being rejected.
Best regards,
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
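
The binding-string format and options quoted in the message above, as an added example (not part of the original message and not Samba's code): a small parser that reports the authentication level a binding string selects and lists the strings that stay below RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Assumptions: the strongest level option wins, only the first option may be the pipe name or port, and, following the message, no level option means RPC_C_AUTHN_LEVEL_NONE; the sample strings are taken from the manpage examples.

```python
import re

# Auth levels from weakest to strongest (MS-RPCE constant names).
LEVELS = ["RPC_C_AUTHN_LEVEL_NONE", "RPC_C_AUTHN_LEVEL_CONNECT",
          "RPC_C_AUTHN_LEVEL_PKT", "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
          "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"]
# Options from the manpage excerpt that select a level (index into LEVELS).
LEVEL_OPTS = {"connect": 1, "packet": 2, "sign": 3, "seal": 4}
# Options that pick the auth mechanism or SMB dialect, not the level.
OTHER_OPTS = {"spnego", "ntlm", "krb5", "schannel", "smb1", "smb2"}
TRANSPORTS = {"ncacn_np", "ncacn_ip_tcp", "ncalrpc"}
BINDING_RE = re.compile(r"^([a-z_]+):([^\[\]]*)(?:\[([^\[\]]*)\])?$")


def parse_binding(binding):
    """Split TRANSPORT:host[options] and work out the selected auth level."""
    m = BINDING_RE.match(binding)
    if not m or m.group(1) not in TRANSPORTS:
        raise ValueError(f"not a TRANSPORT:host[options] string: {binding!r}")
    info = {"transport": m.group(1), "host": m.group(2), "endpoint": None,
            "flags": [], "unknown": [], "level": LEVELS[0]}
    rank = 0  # assumption (from the message): no level option means NONE
    for i, opt in enumerate(o.strip() for o in (m.group(3) or "").split(",")):
        if not opt:
            continue
        if opt in LEVEL_OPTS:
            rank = max(rank, LEVEL_OPTS[opt])  # assumption: strongest wins
        elif opt in OTHER_OPTS:
            info["flags"].append(opt)
        elif i == 0:
            info["endpoint"] = opt  # assumption: pipe name or port comes first
        else:
            info["unknown"].append(opt)  # options not in the quoted list
    info["level"] = LEVELS[rank]
    return info


def below_privacy(bindings):
    """Return (binding, level) pairs that would not encrypt the RPC payload."""
    parsed = [(b, parse_binding(b)["level"]) for b in bindings]
    return [(b, lvl) for b, lvl in parsed if lvl != LEVELS[-1]]


# Constructed sample list, using binding strings from the manpage examples.
SAMPLES = ["ncacn_ip_tcp:samba.example.com[1024]",
           "ncacn_ip_tcp:samba.example.com[sign,seal,krb5]",
           "ncacn_np:samba.example.com",
           "ncacn_np:samba.example.com[samr,sign,print]"]

if __name__ == "__main__":
    for binding, level in below_privacy(SAMPLES):
        print(f"{level:32} {binding}")
```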