[cifs-protocol] 602322 RE: How are disabled accounts handled in SNTP
rguthrie at microsoft.com
Tue Jun 17 19:14:19 GMT 2008
The text I referenced is in the MCPP [MS-SNTP] document at the following URL http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SNTP%5D.pdf. You are correct it is not in the WSPP version though. I will work to see if this should be added to the WSPP version.
I pointed this section out because while an alternate implementation may not need to call the method NetrLogonComputeServerDigest, the documentation covers the behavior of the protocol when an invalid RID is provided in the Key Identifier field. There are two issues though, that need to be addressed. The first is that the section number in the document is incorrect, it states 220.127.116.11.2 when it should read 18.104.22.168.2. The second issue is that as you correctly point out, it does not mention an expired account. I will work to get this issue addressed as well. I will follow up with results of these two changes with you once we have a final outcome.
Let me know if you have any additional questions on these topics. I have pasted the original questions we were addressing below:
1. What is the correct response from a server responding to SNTP request when the request contains a RID that is disabled?
2. What if the account does not have rights to the server it is making an NTP request to? In particular, what is the behaviour when an account is expired etc.
3. When responding to an SNTP request from a client with a disabled account, should the service respond with an MD5 checksum that includes a checksum with the password?
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com<mailto:rguthrie at microsoft.com>
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, June 10, 2008 8:12 PM
To: Richard Guthrie
Cc: cifs-protocol at samba.org; pfif at tridgell.net
Subject: RE: How are disabled accounts handled in SNTP
On Tue, 2008-06-10 at 11:52 -0700, Richard Guthrie wrote:
> In response to question 1, 2 & 3 involving the MS-SNTP document, section 3.2.5 specifies the following:
> If the server fails to retrieve the cryptographic keys or to compute the crypto-checksum, the server SHOULD<16> fail the authentication and ignore the request without responding.
> Note 16 further clarifies the behavior of a couple of flavors of the server operating system as:
> <16> Section 3.2.5: Windows NTP servers in Windows 2000, Windows XP, and Windows Server 2003 do not honor the above "SHOULD". Instead, they respond to the request. In Windows 2000, the server responds with a Server NTP Response message without an Authenticator field if authentication fails. In Windows XP and Windows Server 2003, the server responds with a Server NTP Response message that includes an Authenticator field in which the Crypto-Checksum subfield is set to zero.
> In Windows Server 2008, in the case of the read-only domain controller (RODC) as the server, if the RODC does not store the cryptographic key locally, the server validates the RID. If the RID identifies a valid object, the server forwards the original Client NTP Request message to its own time source, which must be a writable domain controller. The writable domain controller that has the cryptographic key authenticates the client's request instead. On receiving the response from the writable domain controller, the RODC forwards the response to the client. This process is known as "chaining". If the RID is not identified as a valid object, the server fails the authentication and ignores the request without responding.
> In addition you can reference section 22.214.171.124.2 of the MS-NRPC
> documentation which discusses invalid accounts or accounts that could
> not be found. This covers what the response should look like when
> authentication fails which I think answers question 3 and the behavior
> when the account is disabled.
As alternate implementations do not need to call NetrLogonComputeServerDigest (nor is this referenced in the spec) can you please move or reference the discussion of how accounts are described as 'invalid' to the SNTP doc?
> Let me know if closes these issues.
As it appears the only control is on accounts marked disabled, the security section needs to detail the attacks that should be considered against accounts that are expired or otherwise unavailable, but not marked 'disabled'. (Unless of course machine accounts are not subject to such restrictions, in which case it should be clarified).
Regardless (but perhaps you are dealing with this separately) the issue of offline password attacks needs to be considered in the security section.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the cifs-protocol