[cifs-protocol] [REG:111101553031054] RE: SystemLibraryDTC

Hongwei Sun hongweis at microsoft.com
Fri Oct 21 16:58:00 MDT 2011


Andrew,

  I am working with multiple product teams and we want to understand the scenario better. I searched and found some logs from the Samba site regarding this issue, as below:

06/01/06 12:37:21 <vl> abartlet_: Can you tell me the story about SystemLibraryDTC?
06/01/06 12:37:32 <vl> What is that exactly, when is that used?
06/01/06 12:38:20 <abartlet_> so, you know how administrative password sets are encrypted from the client to the SAMR server?
06/01/06 12:38:40 <vl> Yes. This is what Samba3 with an ntlmssp authenticated bind stumbles over right now :-)
06/01/06 12:38:48 <abartlet_> well, because windows doesn't always use the bulk encryption, the values are individually encrypted
06/01/06 12:39:39 <abartlet_> anyway, when we are bulk encrypted, or when we are on TCP/IP, the key is SystemLibraryDTC
06/01/06 12:39:59 <vl> Otherwise it's taken from the session setup?
06/01/06 12:40:02 <abartlet_> yep
06/01/06 12:40:08 <vl> I'm trying to design a torture test that joins samba3 and then does an schannel bind / samlogon and is runnable in the build farm...
06/01/06 12:40:22 <abartlet_> ahh, fun :-)
06/01/06 12:40:37 <vl> So I chose a null smb connection and did a ntlmssp bind as root. This is not able to set the user password.
06/01/06 12:41:02 <vl> So when the bind negotiates seal we can set the sessionkey to SystemLibraryDTC?
06/01/06 12:41:05 <abartlet_> yep

  Is this the correct description of the scenario? Which SAMR functions are involved here? The conversation above implies SamrChangePasswordUser/SamrOemChangePasswordUser2/SamrUnicodeChangePasswordUser2. Is this right?

Hongwei

-----Original Message-----
From: Hongwei Sun 
Sent: Thursday, October 20, 2011 4:25 PM
To: 'Andrew Bartlett'
Cc: cifs-protocol at cifs.org; MSSolve Case Email
Subject: RE: [REG:111101553031054] RE: [cifs-protocol] SystemLibraryDTC

Andrew,

  We also saw another case of usage of this fixed session key other than loopback behavior in NTLM. Based on your testing before, could you tell me the repro steps, or scenario, so I can have a repro to debug it?

Thanks!

Hongwei

  

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, October 18, 2011 4:03 PM
To: Hongwei Sun
Cc: cifs-protocol at cifs.org; MSSolve Case Email
Subject: Re: [REG:111101553031054] RE: [cifs-protocol] SystemLibraryDTC

On Tue, 2011-10-18 at 19:57 +0000, Hongwei Sun wrote:
> Andrew,
> 
>   I confirmed that the fixed session key "SystemLibraryDTC" is only
> used by NTLM when the client and server are both on the same machine.
> This type of loopback behavior doesn't affect interoperability and
> thus is not covered by the protocol documentation. Please let me
> know if you have more questions.

This is not the case, or else we would not know about it, and would not need to deal with it for interoperability.  

Sadly you will need to dig deeper, as we discovered it the hard way (i.e., needing to discover the magic fixed key by DES brute force). I can assure you it is used outside the server.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



