From ab8ed1ec1d295d1515a2ac6c9a831f3627950757 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Wed, 18 Apr 2018 15:31:12 +1200
Subject: [PATCH 1/9] traffic_replay: set gensec features to encrypt credentials
While running traffic_replay script against windows dc, it will fail with a `LDAP_UNWILLING_TO_PERFORM` error for adding user. Windows requires the credentials to be encrypted before sending. `set_gensec_features` will fix it.
Signed-off-by: Joe Guo
---
script/traffic_replay | 3 +++
1 file changed, 3 insertions(+)
diff --git a/script/traffic_replay b/script/traffic_replay
index 0e97d0a64af..df86115a48f 100755
--- a/script/traffic_replay
+++ b/script/traffic_replay
@@ -25,6 +25,7 @@ import shutil
sys.path.insert(0, "bin/python")
+from samba import gensec
from samba.emulate import traffic
import samba.getopt as options
@@ -134,6 +135,7 @@ def main():
print_err("Removing user and machine accounts")
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
+ creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
ldb = traffic.openLdb(host, creds, lp)
traffic.clean_up_accounts(ldb, opts.instance_id)
exit(0)
@@ -155,6 +157,7 @@ def main():
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
+ creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
domain = opts.workgroup
if domain:
From 9bd42e38ab6813c16be6a71dd100d860dc9300ff Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Wed, 18 Apr 2018 15:36:02 +1200
Subject: [PATCH 2/9] traffic: add paged_results control for ldb search
While there are more then 1000 records in the search result, a `LDAP_SIZE_LIMIT_EXCEEDED` error will be returned. Add paged_results control to fix.
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py
index 9d95e3a14d5..a99cf9163a5 100644
--- a/python/samba/emulate/traffic.py
+++ b/python/samba/emulate/traffic.py
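Review bot: The `creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)` line is pasted into both the clean-up path and the replay path of main() with no comment saying why, and the reason is security-relevant: per the commit message Windows answers the user add over an unsealed bind with LDAP_UNWILLING_TO_PERFORM, i.e. the account passwords this script creates must not travel in the clear. Move it into one helper, e.g. `def _sealed_credentials(credopts, lp):` returning the credentials with `gensec.FEATURE_SEAL` OR-ed in and called from both places, with the comment `# ask gensec for sealing (encryption): Windows refuses unsealed user adds with LDAP_UNWILLING_TO_PERFORM`. FEATURE_SEAL only records what the client wants; whether a bind the server does not seal is refused is decided in the gensec/ldb layers, not here, so it is worth confirming that an unsealed connection fails rather than silently replaying passwords in the clear. main() starts and ends outside these hunks.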
@@ -343,6 +343,7 @@ def generate_ldap_search_tables(self):
res = db.search(db.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
+ controls=["paged_results:1:1000"],
attrs=['dn'])
# find a list of dns for each pattern
From 5bb5a7a8791785db26d4a4eba536e0799596de97 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Wed, 18 Apr 2018 15:40:18 +1200
Subject: [PATCH 3/9] traffic_replay: fix typo in message string
Signed-off-by: Joe Guo
---
script/traffic_replay | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/traffic_replay b/script/traffic_replay
index df86115a48f..a56ea25d5c9 100755
--- a/script/traffic_replay
+++ b/script/traffic_replay
@@ -37,7 +37,7 @@ def print_err(*args, **kwargs):
def main():
desc = ("Generates network traffic 'conversations' based on "
- " (which should the output file produced by either traffic_learner"
+ " (which should be the output file produced by either traffic_learner"
" or traffic_summary.pl). This traffic is sent to ,"
" which is the full DNS hostname of the DC being tested.")
From 71de2305d9bd483560d9f43ba7623ec2d4c2d355 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Wed, 18 Apr 2018 15:45:10 +1200
Subject: [PATCH 4/9] traffic_packets: support NT_STATUS_NO_SUCH_DOMAIN in packet_lsarpc_39
For packet_lsarpc_39, samba will return NT_STATUS_OBJECT_NAME_NOT_FOUND, however, windows will return NT_STATUS_NO_SUCH_DOMAIN. Allow both status for now to keep compatiable with both samba and windows DC.
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic_packets.py | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py
index 688c935cdc0..89f97b41f8b 100644
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
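Review bot: `controls=["paged_results:1:1000"]` turns a loud LDAP_SIZE_LIMIT_EXCEEDED into a possible silent truncation: the control asks the server for 1000-entry pages, and unless the ldb connection behind `db` runs a client-side module that follows the paging cookie (presumably Samba's `paged_searches` module does this for remote `ldap://` connections, but the hunk does not show how `db` is opened), `res` holds only the first page and the search tables are built from a subset of the domain. Worth a check that the full result set comes back, e.g. an assertion comparing `len(res)` with a count obtained another way, or at least the comment `# paged_results: relies on the client-side paged_searches module walking the cookie; without it only the first 1000 entries come back` above the call. generate_ldap_search_tables starts before the hunk and continues after it.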
@@ -31,7 +31,10 @@ DONT_USE_KERBEROS )
from samba import NTSTATUSError
-from samba.ntstatus import NT_STATUS_OBJECT_NAME_NOT_FOUND
+from samba.ntstatus import (
+ NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ NT_STATUS_NO_SUCH_DOMAIN
+)
from samba.dcerpc.misc import SEC_CHAN_WKSTA
import samba
samba.ensure_third_party_module("dns", "dnspython")
@@ -429,9 +432,11 @@ def packet_lsarpc_39(packet, conversation, context):
try:
c.QueryTrustedDomainInfoBySid(pol_handle, domsid, level)
except NTSTATUSError as error:
- # Object Not found is the expected result, anything else is a
- # failure.
- if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND):
+ # Object Not found is the expected result from samba,
+ # while No Such Domain is the expected result from windows,
+ # anything else is a failure.
+ if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND) \
+ and not check_runtime_error(error, NT_STATUS_NO_SUCH_DOMAIN):
raise
return True
From 706576e58f77f5f4b85b0b32f412ad4aac46e273 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Thu, 19 Apr 2018 17:05:21 +1200
Subject: [PATCH 5/9] Fix a few typo for response
reponse --> response
Signed-off-by: Joe Guo
---
auth/credentials/pycredentials.c | 2 +-
auth/ntlmssp/ntlmssp_client.c | 2 +-
examples/pcap2nbench/readandxresponse.hpp | 2 +-
source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 638ae8de2ed..68bb3060a99 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -130,7 +130,7 @@ static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyOb
ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}", "flags", flags,
- "lm_reponse",
+ "lm_response",
(const char *)lm_response.data, lm_response.length, "nt_response", (const char *)nt_response.data, nt_response.length,
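Review bot: The new condition in `packet_lsarpc_39` chains two `not check_runtime_error(...)` calls with a backslash continuation, which is fragile and does not scale to the next DC-specific status; a tuple of accepted statuses reads better, `expected = (NT_STATUS_OBJECT_NAME_NOT_FOUND, NT_STATUS_NO_SUCH_DOMAIN)` followed by `if not any(check_runtime_error(error, s) for s in expected): raise`. The comment should also say why accepting both is safe for the test: presumably both mean the queried trusted-domain SID does not exist, and only the status code differs between Samba and Windows. The opening lines of packet_lsarpc_39 are outside the hunk.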
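Review bot: `"lm_reponse"` in `py_creds_get_ntlm_response` is a key of the dictionary returned to Python callers, so this hunk renames a public key rather than fixing a comment, and any caller or test that indexes `["lm_reponse"]` now raises KeyError; the series title "Fix a few typo" hides that. Grep the Python tree and tests for the old key before merging, and if out-of-tree users are plausible emit both keys for a release, `"lm_reponse"` next to `"lm_response"` with a comment marking the misspelled one deprecated, and mention the rename in the commit message. The Py_BuildValue call is complete within the hunk but the function continues outside it.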
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index db2003f0d6b..c511290d36b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -777,7 +777,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
- ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
+ ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_response", true);
ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
diff --git a/examples/pcap2nbench/readandxresponse.hpp b/examples/pcap2nbench/readandxresponse.hpp
index 0a302cb6575..8ecb3a35c0c 100644
--- a/examples/pcap2nbench/readandxresponse.hpp
+++ b/examples/pcap2nbench/readandxresponse.hpp
@@ -22,7 +22,7 @@
#define _READ_AND_X_RESPONSE_HPP
class ReadAndXResponse {
- ReadAndXReponse(const uint8_t *data, size_t size);
+ ReadAndXResponse(const uint8_t *data, size_t size);
uint8_t word_count;
uint8_t and_x_command;
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 7f806e73e66..5b782a23fc4 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
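Review bot: `"send_nt_reponse"` is the name of a configuration setting read through `gensec_setting_bool` (the parametric smb.conf option `ntlmssp_client:send_nt_reponse`), not a comment, so renaming it silently stops honouring any existing configuration that set the old name: a test or deployment that turned the NT response off to exercise LM-only behaviour will now send the NT response again with no warning. Keep the old spelling as a fallback for a release, e.g. `gensec_setting_bool(settings, "ntlmssp_client", "send_nt_response", gensec_setting_bool(settings, "ntlmssp_client", "send_nt_reponse", true))` with a comment that the misspelled name is deprecated, or at least call the rename out in the commit message rather than filing it under typos. gensec_ntlmssp_client_start continues outside the hunk.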
@@ -515,7 +515,7 @@ static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5
torture_assert_str_equal(test_context->tctx, test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
- "Mismatch in name between reponse and expected response, expected krbtgt");
+ "Mismatch in name between response and expected response, expected krbtgt");
torture_assert_str_equal(test_context->tctx, test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->real_realm, "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");
From 414a3c4814a6d3bb181fbb12a9c61351cf9a9ee4 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Thu, 26 Apr 2018 12:15:10 +1200
Subject: [PATCH 6/9] traffic: add credentials to samr
lp and creds are missing in SamrContext and samr connection. While run traffic_replay against windows, this will cause `Access Denied` error.
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py
index a99cf9163a5..8fa3dab3edb 100644
--- a/python/samba/emulate/traffic.py
+++ b/python/samba/emulate/traffic.py
@@ -670,7 +670,8 @@ def sasl_bind(creds):
def get_samr_context(self, new=False):
if not self.samr_contexts or new:
- self.samr_contexts.append(SamrContext(self.server))
+ self.samr_contexts.append(
+ SamrContext(self.server, lp=self.lp, creds=self.creds))
return self.samr_contexts[-1]
def get_netlogon_connection(self):
@@ -707,7 +708,7 @@ def get_authenticator(self):
class SamrContext(object):
"""State/Context associated with a samr connection. """
- def __init__(self, server):
+ def __init__(self, server, lp=None, creds=None):
self.connection = None
self.handle = None
self.domain_handle = None
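Review bot: The `lp=None, creds=None` defaults on the new `SamrContext.__init__` signature invite exactly the failure this commit fixes: a caller that still writes `SamrContext(server)` gets a context whose SAMR connection is later opened with no credentials and no loadparm, and the only constructor call visible, in `get_samr_context` earlier in this patch, always supplies both. Either make them required, `def __init__(self, server, lp, creds):`, or keep the defaults and add `# lp/creds must be set before get_connection(); Windows answers an unauthenticated SAMR bind with Access Denied` next to the assignments. The class body continues past the hunk.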
@@ -716,10 +717,16 @@ def __init__(self, server):
self.user_handle = None
self.rids = None
self.server = server
+ self.lp = lp
+ self.creds = creds
def get_connection(self):
if not self.connection:
- self.connection = samr.samr("ncacn_ip_tcp:%s" % (self.server))
+ self.connection = samr.samr(
+ "ncacn_ip_tcp:%s[seal]" % (self.server),
+ lp_ctx=self.lp,
+ credentials=self.creds)
+
return self.connection
def get_handle(self):
From fad0ad298ea923dba63e7d5abd1d430aa28e8429 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Fri, 27 Apr 2018 11:27:59 +1200
Subject: [PATCH 7/9] traffic_packets: replace level 102 to 101 for packet_srvsvc_21
Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
> If the level is 102 or 502, the Windows implementation checks whether
> the caller is a member of one of the groups previously mentioned or
> is a member of the Power Users local group.
It passed against Samba since this check is not implemented by Samba yet.
refer to:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic_packets.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py
index 89f97b41f8b..9b81e07edbd 100644
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
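Review bot: `"ncacn_ip_tcp:%s[seal]"` in `get_connection` deserves a why-comment, since `[seal]` is the binding-string option that requests DCE/RPC privacy (encryption) on the connection and a reader will otherwise wonder whether it or the new `credentials=` argument is what cures the Access Denied from the commit message; suggest `# [seal]: request DCERPC privacy so the SAMR traffic is encrypted on the wire, not just authenticated`. With `self.creds` left at its default of None the call still goes out without credentials, so a guard such as `if self.creds is None: raise ValueError("SamrContext needs credentials")` before `samr.samr(...)` would turn a remote Access Denied into a local error that names the cause. get_handle starts at the end of the hunk and continues outside it.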
@@ -932,9 +932,25 @@ def packet_srvsvc_16(packet, conversation, context):
def packet_srvsvc_21(packet, conversation, context):
- # NetSrvGetInfo
+ """NetSrvGetInfo
+
+ FIXME: Level changed from 102 to 101 here, to bypass Windows error.
+
+ Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
+
+ > If the level is 102 or 502, the Windows implementation checks whether
+ > the caller is a member of one of the groups previously mentioned or
+ > is a member of the Power Users local group.
+
+ It passed against Samba since this check is not implemented by Samba yet.
+
+ refer to:
+
+ https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
+
+ """
srvsvc = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
- level = 102
+ level = 101
srvsvc.NetSrvGetInfo(server_unc, level)
return True
From 71cc542e2e4114571c9eba9f2695f00d2d6483e6 Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Fri, 27 Apr 2018 12:07:16 +1200
Subject: [PATCH 8/9] traffic_packets: replace share_name from netlogon to IPC$ for packet_srvsvc_16
Sharename list for Windows:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
For Samba:
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service
While test packet_srvsvc_16 with share_name `netlogon`, it passed Samba, and got a WERR_NERR_NETNAMENOTFOUND error for Windows. Change share name to `IPC$` so Samba and Windows have it in common.
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic_packets.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py
index 9b81e07edbd..5785586f835 100644
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
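Review bot: Changing `level = 102` to `level = 101` makes the replayed NetSrvGetInfo a different request from the one in the captured traffic, so the emulation no longer reproduces the server-side access check that the FIXME itself describes; the fidelity-preserving alternative is to keep 102 and accept WERR_ACCESS_DENIED from Windows the way `packet_lsarpc_39` accepts a second status, with a comment citing the MS-SRVS NetrServerGetInfo behaviour note. If 101 stays, say so in one sentence instead of pasting the commit message into the docstring (the `FIXME:`/`refer to:` layout and the bare msdn URL, which will rot, do not belong in a function docstring), e.g. `# Level 101 rather than the captured 102: Windows checks group membership for 102/502 (MS-SRVS, NetrServerGetInfo) and answers WERR_ACCESS_DENIED; Samba does not implement that check.` The hunk covers the whole function.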
@@ -925,7 +925,7 @@ def packet_srvsvc_16(packet, conversation, context):
# NetShareGetInfo
s = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
- share_name = "netlogon"
+ share_name = "IPC$"
level = 1
s.NetShareGetInfo(server_unc, share_name, level)
return True
From 4a7a4e7703429940861a2339fef0c0a0ada7a9ac Mon Sep 17 00:00:00 2001
From: Joe Guo
Date: Fri, 27 Apr 2018 14:51:11 +1200
Subject: [PATCH 9/9] traffic_packets: add windows instructions for ldap 0 simple bind
To run packet_ldap_0 simple bind test against Windows, we need to install CA on Windows with following PowerShell commands:
Install-windowsfeature ADCS-Cert-Authority
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Restart-Computer
Otherwise we will get `NT_STATUS_CONNECTION_RESET` error.
Didn't change any code, just add above instructions in comment.
Signed-off-by: Joe Guo
---
python/samba/emulate/traffic.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py
index 8fa3dab3edb..8275218114d 100644
--- a/python/samba/emulate/traffic.py
+++ b/python/samba/emulate/traffic.py
@@ -644,6 +644,15 @@ def get_ldap_connection(self, new=False, simple=False):
return self.ldap_connections[-1]
def simple_bind(creds):
+ """
+ To run simple bind against Windows, we need to run
+ following commands in PowerShell:
+
+ Install-windowsfeature ADCS-Cert-Authority
+ Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
+ Restart-Computer
+
+ """
return SamDB('ldaps://%s' % self.server, credentials=creds, lp=self.lp)
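Review bot: `share_name = "IPC$"` fixes the Windows failure but leaves the choice undocumented and hard-coded in `packet_srvsvc_16`; a one-line why-comment saves the next reader a trip to the commit message, `# IPC$ exists on both Samba and Windows DCs; "netlogon" is only published by Samba (Windows answers WERR_NERR_NETNAMENOTFOUND)`. Since the share name is now the one thing pinning this packet to a server flavour, consider lifting it to a module-level constant so it can be overridden in one place. The hunk covers the whole function.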
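Review bot: The docstring added to `simple_bind` lists PowerShell steps but not the reason, which is the part a reader needs: the function binds over `ldaps://`, so the DC must present a server certificate, and installing an Enterprise Root CA is presumably just the way a Windows DC auto-enrols one; without it the TLS handshake fails, which matches the `NT_STATUS_CONNECTION_RESET` the commit message mentions. State that in one sentence before the commands and fix the cmdlet casing to `Install-WindowsFeature`. A simple bind sends the password in clear inside the TLS channel, so nothing here protects against a spoofed DC unless the `lp` handed to SamDB enables peer certificate verification; worth a `# NOTE: whether the server certificate is verified depends on the tls settings in lp` on the `return SamDB(` line. get_ldap_connection starts before the hunk and the `return SamDB(` call may continue past it.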