[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

Andreas Schneider asn at samba.org
Mon Apr 8 09:38:14 UTC 2019


Hello Dochelp Team!

I would like to ask for clarification for SamrSetInformationUser2 with 
UserInformationClass set to UserInternal5Information.

This is used to change a user's password over a SAMR DCERPC connection.

The SAMPR_USER_INTERNAL4_INFORMATION structure holds the UserPassword we want 
to set in this case.

The current documentation states:

> 2.2.7.21 SAMPR_ENCRYPTED_USER_PASSWORD
> 
> The SAMPR_ENCRYPTED_USER_PASSWORD structure carries an encrypted string.
> typedef struct _SAMPR_ENCRYPTED_USER_PASSWORD {
>     unsigned char Buffer[(256 * 2) + 4];
> } SAMPR_ENCRYPTED_USER_PASSWORD,
> *PSAMPR_ENCRYPTED_USER_PASSWORD;
> 
> Buffer: An array to carry encrypted cleartext password data. The encryption 
> key is method-specific, while the algorithm specified in section 3.2.2.1 is
> common for all methods that use this structure.

Section 3.2.2.1 states:

> The encrypted portion of the SAMPR_ENCRYPTED_USER_PASSWORD_NEW.Buffer
> structure MUST be protected in the same way, but the 16-byte key is 
> specified in section 3.2.2.2.

Section 3.2.2.2 states:

> Where:
> [..]
> user-session-key is the 16-byte SMB session key obtained as specified in
> section 3.2.2.3.

Section 3.2.2.3 states:

> The client MUST retrieve the SMB session key as specified in [MS-CIFS]
> section 3.4.4.6.

According to my tests this is correct if you create an SMB connection and then 
open an anonymous DCERPC connection using NCACN_NP (named pipe) with none as the 
authentication type and authentication level.

Using rpcclient from Samba 4.10:

$ rpcclient ncacn_np:windows-server -U Administrator%Secret -c "setuserinfo2 alice1 26 P@ssword0"

-> SUCCESS (uses anonymous DCERPC connection)


$ rpcclient ncacn_np:windows-server[seal] -k -U Administrator%Secret -c "setuserinfo2 alice1 26 P@ssword0"

-> FAIL: Access denied (using the SMB session key)


$ rpcclient ncacn_ip_tcp:windows-server[seal] -k -U Administrator%Secret -c "setuserinfo2 alice1 26 P@ssword0"

-> FAIL: Access denied (using the krb5 session key)

Tested against Windows Server 2016.


I got the two scenarios, an authenticated DCERPC connection over SMB (named pipe) 
and over TCP/IP, working with the krb5, spnego or ntlmssp authentication type and an 
authentication level set to PRIVACY (seal) if I use the fixed string 
"SystemLibraryDTC" as the session key!

Could you please update the documentation? It would also be great to know if 
this is the case for all Windows versions.

The code changes to get this working correctly with rpcclient (using 
"SystemLibraryDTC" as the session key for sealed and authenticated DCERPC 
connections) can be found here:

    https://gitlab.com/samba-team/samba/merge_requests/361


Thank you very much for your assistance.


Best regards,



	Andreas Schneider


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
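Added example (written for this archive page; it is neither Samba's code nor text from MS-SAMR): it builds the 516-byte SAMPR_ENCRYPTED_USER_PASSWORD buffer and applies the RC4 step that section 3.2.2.1 refers to, once with an SMB session key and once with the fixed "SystemLibraryDTC" key the post reports for authenticated connections. The buffer layout (UTF-16LE password right-aligned in a 512-byte field, followed by a 4-byte little-endian byte length, remaining bytes filled with random padding) and the use of RC4 are my reading of MS-SAMR; the function names and the key-selection rule in choose_session_key are assumptions that encode only what the post observed against Windows Server 2016.

```python
import os
import struct
from typing import Optional

# 16-byte fixed key the post found to work for authenticated (sealed) DCERPC
# connections.  The session key in section 3.2.2.2 is also 16 bytes.
FIXED_KEY_AUTHENTICATED = b"SystemLibraryDTC"
PASSWORD_FIELD_LEN = 512  # SAMPR_USER_PASSWORD.Buffer is 256 wide chars
ENCRYPTED_BLOB_LEN = PASSWORD_FIELD_LEN + 4  # (256 * 2) + 4, as in 2.2.7.21


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_user_password(password: str, padding: Optional[bytes] = None) -> bytes:
    """Cleartext SAMPR_USER_PASSWORD: password right-aligned in 512 bytes + LE32 length.

    `padding` is only a hook for deterministic tests; real clients use random bytes.
    """
    pw = password.encode("utf-16-le")
    if len(pw) > PASSWORD_FIELD_LEN:
        raise ValueError("password longer than 256 UTF-16 code units")
    fill = os.urandom(PASSWORD_FIELD_LEN - len(pw)) if padding is None else padding
    if len(fill) != PASSWORD_FIELD_LEN - len(pw):
        raise ValueError("padding has the wrong length")
    return fill + pw + struct.pack("<I", len(pw))


def encrypt_user_password(password: str, session_key: bytes,
                          padding: Optional[bytes] = None) -> bytes:
    """Produce SAMPR_ENCRYPTED_USER_PASSWORD.Buffer (516 bytes) under `session_key`."""
    if len(session_key) != 16:
        raise ValueError("MS-SAMR 3.2.2.1 expects a 16-byte key")
    return rc4(session_key, build_user_password(password, padding))


def decrypt_user_password(blob: bytes, session_key: bytes) -> str:
    """Server side: undo RC4, read the trailing length, extract the password."""
    if len(blob) != ENCRYPTED_BLOB_LEN:
        raise ValueError("blob must be exactly 516 bytes")
    plain = rc4(session_key, blob)
    (length,) = struct.unpack("<I", plain[PASSWORD_FIELD_LEN:])
    if length > PASSWORD_FIELD_LEN or length % 2:
        raise ValueError("corrupt length field: wrong key or tampered blob")
    return plain[PASSWORD_FIELD_LEN - length:PASSWORD_FIELD_LEN].decode("utf-16-le")


def choose_session_key(auth_type: str, smb_session_key: Optional[bytes]) -> bytes:
    """Key-selection rule as observed in the post (assumption: Windows Server 2016).

    auth_type "none": anonymous DCERPC over ncacn_np -> the SMB session key
    (MS-SAMR 3.2.2.3).  Any authenticated binding (krb5/spnego/ntlmssp, sealed)
    -> the fixed string "SystemLibraryDTC".
    """
    if auth_type == "none":
        if smb_session_key is None:
            raise ValueError("anonymous ncacn_np binding needs the SMB session key")
        return smb_session_key
    return FIXED_KEY_AUTHENTICATED


if __name__ == "__main__":
    # Constructed sample values; the SMB session key is not a real one.
    smb_key = bytes(range(16))
    for auth, key in (("none", choose_session_key("none", smb_key)),
                      ("krb5", choose_session_key("krb5", None))):
        blob = encrypt_user_password("P@ssword0", key)
        print(auth, len(blob), decrypt_user_password(blob, key))
```

Because "SystemLibraryDTC" is a public constant, the RC4 layer contributes no confidentiality on an authenticated binding; the cleartext password is protected only by the DCERPC PRIVACY (seal) level, which is why the working invocations above all carry [seal]. A client implementing this path should refuse to send the structure on an authenticated connection that is not sealed, and a wrong key shows up on the server side as a garbage length field rather than a clean error, so length validation (as in decrypt_user_password) is the check that turns a bad key into a rejected request.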