[cifs-protocol] 119040819792364 [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

Sreekanth Nadendla srenaden at microsoft.com
Mon Apr 8 13:51:36 UTC 2019

Casemail in Cc
Dochelp in Bcc

Hello Andreas,
Thank you for your inquiry. We have created incident # 119040819792364 to investigate this issue. One of the Open specifications team member will contact you shortly.

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Monday, April 8, 2019 5:38 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>
Subject: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

Hello Dochelp Team!

I would like to ask for clarification for SamrSetInformationUser2 with UserInformationClass set to UserInternal5Information.

This is used to change a users password over a SAMR DCERPC connection.

The SAMPR_USER_INTERNAL4_INFORMATION structure holds the UserPassword we want to set in this case.

The current documentation states:

> The SAMPR_ENCRYPTED_USER_PASSWORD structure carries an encrypted string.
>     unsigned char Buffer[(256 * 2) + 4]; } 
> Buffer: An array to carry encrypted cleartext password data. The 
> encryption key is method-specific, while the algorithm specified in 
> section is common for all methods that use this structure.

Section stats:

> The encrypted portion of the SAMPR_ENCRYPTED_USER_PASSWORD_NEW.Buffer
> structure MUST be protected in the same way, but the 16-byte key is 
> specified in section

Section states:

> Where:
> [..]
> user-session-key is the 16-byte SMB session key obtained as specified 
> in section

Section states:

> The client MUST retrieve the SMB session key as specified in [MS-CIFS] 
> section

According to my tests this is correct if you create a SMB connection and then open a DCEPRC anonymous connection using NCACN_NP (named pipe) and non as the authentication type and authentication level.

Using rpcclient from Samba 4.10:

$ rpcclient ncacn_np:windows-server -U Administrator%Secret -c "setuserinfo2
alice1 26 P at ssword0"

-> SUCCESS (uses anonymous DCERPC connection)

$ rpcclient ncacn_np:windows-server[seal] -k -U Administrator%Secret -c
"setuserinfo2 alice1 26 P at ssword0"

-> FAIL: Access denied (using the smb session key)

$ rpcclient ncacn_ip_tcp:windows-server[seal] -k -U Administrator%Secret -c
"setuserinfo2 alice1 26 P at ssword0"

-> FAIL: Access denied (using the krb5 session key)

Tested against Windows Server 2016.

I got the two scenarios authenticated DCERPC connection over SMB (named pipe) and TCP/IP working with krb5, speneg or ntlmssp authentication type and an authentication level set to PRIVACY (seal) if I use the fixed string "SystemLibraryDTC" as the session key!

Could you please update the documentation, it would also be great to know if this is the case for all Windows versions.

The code changes to get this correctly working with rpcclient (using "SystemLibraryDTC" as the session key for sealed and authenticated DCEPRC connections can be found here:


Thanks you very much for your assistance.

Best regards,

	Andreas Schneider

Andreas Schneider                      asn at samba.org
Samba Team                             https://nam06.safelinks.protection.outlook.com/?url=www.samba.org&data=02%7C01%7Csrenaden%40microsoft.com%7C2a31c4f46f6d4b1f475b08d6bc05f1ac%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636903131055097274&sdata=ymNvRh0oJQ%2FP2h%2BYp6kz3vzwU95jFyTqjKiKdAgiMpc%3D&reserved=0
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list