[cifs-protocol] [REG:111101553031054] RE: SystemLibraryDTC

Andrew Bartlett abartlet at samba.org
Fri Oct 21 17:07:21 MDT 2011

On Fri, 2011-10-21 at 22:58 +0000, Hongwei Sun wrote:
> Andrew,
>   I am working with multiple product teams and we want to understand the scenario better.   I searched and found some logs from Samba site regarding this issue as below:
> 06/01/06 12:37:21 <vl> abartlet_: Can you tell me the story about SystemLibraryDTC?
> 06/01/06 12:37:32 <vl> What is that exactly, when is that used?
> 06/01/06 12:38:20 <abartlet_> so, you know how administrative password sets are encrypted from the client to the SAMR server?
> 06/01/06 12:38:40 <vl> Yes. This is what Samba3 with an ntlmssp authenticated bind stumbles over right now :-)
> 06/01/06 12:38:48 <abartlet_> well, because windows doesn't always use the bulk encryption, the values are indivdually encrypted
> 06/01/06 12:39:39 <abartlet_> anyway, when we are bulk encrypted, or when we are on TCP/IP, the key is SystemLibraryDTC
> 06/01/06 12:39:59 <vl> Otherwise it's taken from the session setup?
> 06/01/06 12:40:02 <abartlet_> yep
> 06/01/06 12:40:08 <vl> I'm trying to design a torture test that joins samba3 and then does an schannel bind / samlogon and is runnable in the build farm...
> 06/01/06 12:40:22 <abartlet_> ahh, fun :-)
> 06/01/06 12:40:37 <vl> So I chose a null smb connection and did a ntlmssp bind as root. This is not able to set the user password.
> 06/01/06 12:41:02 <vl> So when the bind negotiates seal we can set the sessionkey to SystemLibraryDTC?
> 06/01/06 12:41:05 <abartlet_> yep
>        Is this the correct description of the scenario ?    Which SAMR functions are involved here ?    The conversation above implies  SamrChangePasswordUser/SamrOemChangePasswordUser2/SamrUnicodeChangePasswordUser2.  Is this right ?

Yes, those functions are known to use this.  Also the secrets calls on
LSA (that's where we did the DES brute force, as it was a weaker

See the rpc.secrets smbtorture test, when used with either ncacn_ip_tcp,
ncacn_ip_np:server[sign] or ncacn_ip_np:server[seal].  

For security, I would really like to work with Microsoft to see this
fixed key removed, or made unavailable over any unencrypted transport
some day. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the cifs-protocol mailing list