[cifs-protocol] [REG:111101553031054] RE: SystemLibraryDTC
hongweis at microsoft.com
Mon Nov 14 20:56:03 MST 2011
After reviewing code, we confirmed that this fixed session key is used by some SAMR/LSAD RPC functions. We are working on updating all the related documents. When they are available, I will let you know.
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, October 21, 2011 6:07 PM
To: Hongwei Sun
Cc: cifs-protocol at cifs.org; MSSolve Case Email
Subject: RE: [REG:111101553031054] RE: [cifs-protocol] SystemLibraryDTC
On Fri, 2011-10-21 at 22:58 +0000, Hongwei Sun wrote:
> I am working with multiple product teams and we want to understand the scenario better. I searched and found some logs from the Samba site regarding this issue as below:
> 06/01/06 12:37:21 <vl> abartlet_: Can you tell me the story about SystemLibraryDTC?
> 06/01/06 12:37:32 <vl> What is that exactly, when is that used?
> 06/01/06 12:38:20 <abartlet_> so, you know how administrative password sets are encrypted from the client to the SAMR server?
> 06/01/06 12:38:40 <vl> Yes. This is what Samba3 with an ntlmssp
> authenticated bind stumbles over right now :-)
> 06/01/06 12:38:48 <abartlet_> well, because windows doesn't always use
> the bulk encryption, the values are individually encrypted
> 06/01/06 12:39:39 <abartlet_> anyway, when we are bulk encrypted, or
> when we are on TCP/IP, the key is SystemLibraryDTC
> 06/01/06 12:39:59 <vl> Otherwise it's taken from the session setup?
> 06/01/06 12:40:02 <abartlet_> yep
> 06/01/06 12:40:08 <vl> I'm trying to design a torture test that joins samba3 and then does an schannel bind / samlogon and is runnable in the build farm...
> 06/01/06 12:40:22 <abartlet_> ahh, fun :-)
> 06/01/06 12:40:37 <vl> So I chose a null smb connection and did a ntlmssp bind as root. This is not able to set the user password.
> 06/01/06 12:41:02 <vl> So when the bind negotiates seal we can set the sessionkey to SystemLibraryDTC?
> 06/01/06 12:41:05 <abartlet_> yep
> Is this the correct description of the scenario? Which SAMR functions are involved here? The conversation above implies SamrChangePasswordUser/SamrOemChangePasswordUser2/SamrUnicodeChangePasswordUser2. Is this right?
Yes, those functions are known to use this. Also the secrets calls on LSA (that's where we did the DES brute force, as it was a weaker encryption).
See the rpc.secrets smbtorture test, when used with either ncacn_ip_tcp, ncacn_ip_np:server[sign] or ncacn_ip_np:server[seal].
For security, I would really like to work with Microsoft to see this fixed key removed, or made unavailable over any unencrypted transport some day.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
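
Added example, not part of the thread and not Samba or Microsoft code: a small audit helper that reads binding strings of the kind named above and reports which ones would rely on the fixed key without a sealed (encrypted) bind, following the rule as described in the conversation. The function names, the sample host `dc1.example.test`, and the choice to treat only the `seal` option as transport encryption are assumptions made for this illustration.

```python
import re

FIXED_KEY = b"SystemLibraryDTC"  # fixed 16-byte key named in the thread
TCP_TRANSPORTS = {"ncacn_ip_tcp"}
# "ncacn_ip_np" is the form written in the message above; "ncacn_np" is the
# named-pipe transport name Samba binding strings use.
PIPE_TRANSPORTS = {"ncacn_np", "ncacn_ip_np"}

_BINDING = re.compile(
    r"^(?P<transport>[a-z_]+):(?P<host>[^\[\]]+)(?:\[(?P<opts>[^\]]*)\])?$"
)


def classify(binding):
    """Return key source and exposure for one 'transport:host[options]' string."""
    m = _BINDING.match(binding.strip())
    if m is None:
        raise ValueError(f"not a binding string: {binding!r}")
    transport = m.group("transport")
    if transport not in TCP_TRANSPORTS | PIPE_TRANSPORTS:
        raise ValueError(f"unhandled transport: {transport!r}")
    opts = {o.strip().lower() for o in (m.group("opts") or "").split(",") if o.strip()}
    sealed = "seal" in opts
    # Per the thread: TCP/IP, or a bind that negotiates sign/seal, uses the
    # fixed key; a plain named-pipe bind takes the key from the session setup.
    fixed = transport in TCP_TRANSPORTS or sealed or "sign" in opts
    return {
        "binding": binding,
        "key_source": "fixed" if fixed else "smb_session",
        "sealed": sealed,
        # Assumption: only DCE/RPC seal counts as transport encryption here.
        "fixed_key_unencrypted": fixed and not sealed,
    }


def audit(bindings):
    """List the bindings where the fixed key is the only protection."""
    return [r["binding"] for r in map(classify, bindings) if r["fixed_key_unencrypted"]]


# Constructed sample input; dc1.example.test is a placeholder host.
SAMPLE = [
    "ncacn_ip_tcp:dc1.example.test",
    "ncacn_ip_np:dc1.example.test[sign]",
    "ncacn_ip_np:dc1.example.test[seal]",
    "ncacn_np:dc1.example.test",
]

if __name__ == "__main__":
    for b in audit(SAMPLE):
        print("fixed key over unencrypted transport:", b)
```
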