[Samba] winexe double-hop credential delegation
Aleksy Wozniak
wozniakaleksy22 at gmail.com
Tue Mar 19 20:35:14 UTC 2024
Hi all,
I’m attempting to use winexe to launch a script located on a file
share, and it appears that I’m running into issues with credential
delegation.
For instance: “winexe -U jsmith at corp.example.com //desktop-foobar
\\\\dc-01\\data\\script.bat” does not work. I can however run local
commands such as: “winexe -U jsmith at corp.example.com //desktop-foobar
ipconfig” without issue.
The domain controller “dc-01” is running Windows Server 2022 and the
client “desktop-foobar” is running Windows 10 21H2. The client
desktop is joined to the AD domain “corp.example.com”.
I’ve tested winexe version 4.18 on Alma Linux 9 and winexe 4.19.5
built from source on Debian 12. In smb.conf I have “client use
kerberos = required” set.
On the domain controller, when looking at the Security logs in Event
Viewer, I see an event ID 4624 with a Security ID and Account Name as
“ANONYMOUS LOGON” with an Account Domain of “NT AUTHORITY”. It
appears that winexe is not passing the domain credentials during the
“second hop”.
Other commands run via winexe that attempt to access the file share
also fail, such as “net view \\dc-01”, with an error “System error 5
has occurred. Access is denied.”
Other tools, such as PSExec from Sysinternals and PAExec from Power
Admin do allow the execution of a script located on a file share.
For example: “paexec.exe \\desktop-foobar -u EXAMPLE\jsmith
\\dc-01\data\script.bat” runs the script without issue on the client
desktop. The Event Viewer on the DC also shows the correct
credentials being passed.
Any help or guidance is appreciated.
Regards,
Aleksy
More information about the samba
mailing list