[cifs-protocol] [REG:111101553031054] RE: SystemLibraryDTC

Hongwei Sun hongweis at microsoft.com
Mon Nov 14 20:56:03 MST 2011


After reviewing the code, we confirmed that this fixed session key is used by some SAMR/LSAD RPC functions.  We are working on updating all the related documents.  When they are available, I will let you know.



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Friday, October 21, 2011 6:07 PM
To: Hongwei Sun
Cc: cifs-protocol at cifs.org; MSSolve Case Email
Subject: RE: [REG:111101553031054] RE: [cifs-protocol] SystemLibraryDTC

On Fri, 2011-10-21 at 22:58 +0000, Hongwei Sun wrote:
> Andrew,
>   I am working with multiple product teams and we want to understand the scenario better.   I searched and found some logs from the Samba site regarding this issue, as below:
> 06/01/06 12:37:21 <vl> abartlet_: Can you tell me the story about SystemLibraryDTC?
> 06/01/06 12:37:32 <vl> What is that exactly, when is that used?
> 06/01/06 12:38:20 <abartlet_> so, you know how administrative password sets are encrypted from the client to the SAMR server?
> 06/01/06 12:38:40 <vl> Yes. This is what Samba3 with an ntlmssp authenticated bind stumbles over right now :-)
> 06/01/06 12:38:48 <abartlet_> well, because windows doesn't always use the bulk encryption, the values are individually encrypted
> 06/01/06 12:39:39 <abartlet_> anyway, when we are bulk encrypted, or when we are on TCP/IP, the key is SystemLibraryDTC
> 06/01/06 12:39:59 <vl> Otherwise it's taken from the session setup?
> 06/01/06 12:40:02 <abartlet_> yep
> 06/01/06 12:40:08 <vl> I'm trying to design a torture test that joins samba3 and then does an schannel bind / samlogon and is runnable in the build farm...
> 06/01/06 12:40:22 <abartlet_> ahh, fun :-)
> 06/01/06 12:40:37 <vl> So I chose a null smb connection and did a ntlmssp bind as root. This is not able to set the user password.
> 06/01/06 12:41:02 <vl> So when the bind negotiates seal we can set the sessionkey to SystemLibraryDTC?
> 06/01/06 12:41:05 <abartlet_> yep
>        Is this the correct description of the scenario?    Which SAMR functions are involved here?    The conversation above implies SamrChangePasswordUser/SamrOemChangePasswordUser2/SamrUnicodeChangePasswordUser2.  Is this right?

Yes, those functions are known to use this.  Also the secrets calls on LSA (that's where we did the DES brute force, as it was a weaker encryption).

See the rpc.secrets smbtorture test, when used with either ncacn_ip_tcp, ncacn_ip_np:server[sign] or ncacn_ip_np:server[seal].

For security, I would really like to work with Microsoft to see this fixed key removed, or made unavailable over any unencrypted transport some day.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
