[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Obaid Farooqi obaidf at microsoft.com
Tue Apr 9 22:35:35 UTC 2019

Hi Andreas:
I have copied a zip file (PartnerTTDRecorder_x86_x64.zip) in a workspace at the following link:
File Transfer - Case 119040819792364 (https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiY2RlZmY3MzgtODc5Yy00NDAxLWE3ZjEtYzk4NjJlYzI3MDY2Iiwic3IiOiIxMTkwNDA4MTk3OTIzNjQiLCJhcHBpZCI6ImU2ZWU0M2ViLTBmYmMtNDU0Ni1iYzUyLTRjMTYxZmNkZjRjNCIsInN2IjoidjEiLCJycyI6IkV4dGVybmFsIiwid3RpZCI6IjUzMTgzMTUxLWE2YjktNGIyMi1iNDNiLTVmMmMwNTVmMzg5OCIsImlzcyI6Imh0dHBzOi8vYXBpLmR0bW5lYnVsYS5taWNyb3NvZnQuY29tIiwiYXVkIjoiaHR0cDovL3NtYyIsImV4cCI6MTU2MjYxMjAyOSwibmJmIjoxNTU0ODM2MDI5fQ.OWThceZQF29cJW39Ky0dN1z-IYVgNU7YouImZh9cZ3GsPEe7ZdRsvzjSKnMVK4quDn08Mj4NHXmr0PWkj0rEAvHuenqzl_N16JJ5LLQXOzSBUI4_EKj7CAk3yrqrhn6reCfSvZMJpLczLKyRebrXDwpOkfePrUrP38Hd0-gHxtfjrlcaetH6mdyzxNqFg1s8cVS6GYcZHxjVGSKVUkCaox4am9AhOqRR8VaLo8DQtvGpzIw-biTZHomrdspqc3GT5AuHGiXoxhRtDWddvdfVqxF2NwE7IB9xrmkDR0A32CSGxNEBbCQmpWFOzf-HlShdANW5ugiAk31EovzD2xcQSg&wid=cdeff738-879c-4401-a7f1-c9862ec27066 )

Username: 119040819792364_noemail at dtmxfer.onmicrosoft.com 
Password: 75b?_1W9

When you click on the link and on the landing page if you are logged in automatically, please logout and use the credentials provided above to login.

Please download the file to your WS2016 server and extract the contents of amd64\TTD directory in a folder called c:\ttd. 
Please perform the following steps to collect traces and send them to me.

1. open an elevated cmd window and cd to c:\ttd
2. find the PID of the lsass.exe process by executing the following command
	Tasklist | findstr /i "lsass"
The output would look something like this:
	lsass.exe                      852 Services                   0     37,360 K

The second field from the left (852) is the PID. Your number could be different.
3. execute the following command to start tracing 
	C:\ttd>tttracer.exe -attach PID
Where PID is the number you obtained in step 2
4. wait for a little window to pop up with the title lsass01.run
5. start a network capture 
6. Reproduce the scenario that you mentioned below from your samba client
7. after your scenario is successfully reproduced, please uncheck the box next to "Tracing.." in the window titled "lsass01.run". Note: please do not click on Exit; if you do, your computer will be rebooted.
8. In the cmd window, you will see a message about the creation of a file named lsass01.run. 
9. stop the network trace and save it
10. Zip the network trace and lsass01.run file and upload them to the workspace and let me know.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Monday, April 8, 2019 4:38 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>
Subject: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

Hello Dochelp Team!

I would like to ask for clarification for SamrSetInformationUser2 with UserInformationClass set to UserInternal5Information.

This is used to change a user's password over a SAMR DCERPC connection.

The SAMPR_USER_INTERNAL4_INFORMATION structure holds the UserPassword we want to set in this case.

The current documentation states:

> The SAMPR_ENCRYPTED_USER_PASSWORD structure carries an encrypted string.
>     unsigned char Buffer[(256 * 2) + 4]; } 
> Buffer: An array to carry encrypted cleartext password data. The 
> encryption key is method-specific, while the algorithm specified in 
> section is common for all methods that use this structure.

Section states:

> The encrypted portion of the SAMPR_ENCRYPTED_USER_PASSWORD_NEW.Buffer
> structure MUST be protected in the same way, but the 16-byte key is 
> specified in section

Section states:

> Where:
> [..]
> user-session-key is the 16-byte SMB session key obtained as specified 
> in section

Section states:

> The client MUST retrieve the SMB session key as specified in [MS-CIFS] 
> section

According to my tests this is correct if you create an SMB connection and then open an anonymous DCERPC connection using NCACN_NP (named pipe) with none as the authentication type and authentication level.

Using rpcclient from Samba 4.10:

$ rpcclient ncacn_np:windows-server -U Administrator%Secret -c "setuserinfo2 alice1 26 P at ssword0"

-> SUCCESS (uses anonymous DCERPC connection)

$ rpcclient ncacn_np:windows-server[seal] -k -U Administrator%Secret -c "setuserinfo2 alice1 26 P at ssword0"

-> FAIL: Access denied (using the smb session key)

$ rpcclient ncacn_ip_tcp:windows-server[seal] -k -U Administrator%Secret -c "setuserinfo2 alice1 26 P at ssword0"

-> FAIL: Access denied (using the krb5 session key)

Tested against Windows Server 2016.

I got the two scenarios, authenticated DCERPC connection over SMB (named pipe) and over TCP/IP, working with krb5, spnego or ntlmssp as the authentication type and an authentication level set to PRIVACY (seal) if I use the fixed string "SystemLibraryDTC" as the session key!

Could you please update the documentation? It would also be great to know if this is the case for all Windows versions.

The code changes to get this working correctly with rpcclient (using "SystemLibraryDTC" as the session key for sealed and authenticated DCERPC connections) can be found here:


Thank you very much for your assistance.

Best regards,

	Andreas Schneider

Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
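As an added example (not part of either message, and not Samba's or Microsoft's code), the following Python builds the SAMPR_USER_PASSWORD cleartext structure, encrypts it under a session key in the way MS-SAMR describes (RC4 for SAMPR_ENCRYPTED_USER_PASSWORD; RC4 under MD5(salt || session key) with a 16-byte cleartext salt appended for the _NEW variant), and selects the key the way the post above reports working: the transport (SMB/krb5) session key for an anonymous named-pipe connection, the fixed string "SystemLibraryDTC" for an authenticated, sealed connection. The transport session key and the password are constructed sample values, the helper names are mine, and the buffer layout and key derivation are my reading of MS-SAMR rather than text quoted on this page. The decrypt helper exists only so the example can check itself; a server that decrypts with the wrong key sees a garbage length field, which is the observable symptom behind the "Access denied" results in the thread.

```python
import hashlib
import os
import struct
from typing import Optional

# Constructed 16-byte stand-in for an SMB or Kerberos session key.
EXAMPLE_TRANSPORT_SESSION_KEY = bytes(range(16))

# Fixed key the post above reports Windows expects on sealed, authenticated DCERPC.
FIXED_SEALED_SESSION_KEY = b"SystemLibraryDTC"


def samr_session_key(transport_session_key: bytes, authenticated_and_sealed: bool) -> bytes:
    """Key selection as described in the post: fixed string when the DCERPC
    connection is authenticated with PRIVACY (seal), transport key otherwise."""
    return FIXED_SEALED_SESSION_KEY if authenticated_and_sealed else transport_session_key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def sampr_user_password(password: str, confounder: Optional[bytes] = None) -> bytes:
    """516-byte cleartext: 512 bytes with the UTF-16LE password right-aligned
    behind random confounder bytes, then the password byte length (LE uint32)."""
    pw = password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password longer than 256 UTF-16 code units")
    pad = os.urandom(512 - len(pw)) if confounder is None else confounder
    if len(pad) != 512 - len(pw):
        raise ValueError("confounder must fill the unused part of the buffer")
    return pad + pw + struct.pack("<I", len(pw))


def encrypt_user_password(password: str, session_key: bytes,
                          confounder: Optional[bytes] = None) -> bytes:
    """SAMPR_ENCRYPTED_USER_PASSWORD: RC4 of the 516-byte structure under the session key."""
    return rc4(session_key, sampr_user_password(password, confounder))


def encrypt_user_password_new(password: str, session_key: bytes,
                              salt: Optional[bytes] = None,
                              confounder: Optional[bytes] = None) -> bytes:
    """SAMPR_ENCRYPTED_USER_PASSWORD_NEW: 16-byte key = MD5(salt || session key),
    RC4 over the 516 bytes, cleartext salt appended (532 bytes total)."""
    salt = os.urandom(16) if salt is None else salt
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    key = hashlib.md5(salt + session_key).digest()
    return rc4(key, sampr_user_password(password, confounder)) + salt


def decrypt_user_password(buf: bytes, session_key: bytes) -> str:
    """Server-side view, for self-checking only: recover the password from either
    buffer size. A wrong key yields an implausible length, which we reject."""
    if len(buf) == 532:
        salt, body = buf[516:], buf[:516]
        key = hashlib.md5(salt + session_key).digest()
    elif len(buf) == 516:
        key, body = session_key, buf
    else:
        raise ValueError("buffer must be 516 or 532 bytes")
    plain = rc4(key, body)
    (length,) = struct.unpack("<I", plain[512:])
    if length > 512 or length % 2:
        raise ValueError("implausible length field: wrong session key?")
    return plain[512 - length:512].decode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample password; "SystemLibraryDTC" is what the post reports works
    # for the sealed, authenticated case that otherwise returned Access denied.
    key = samr_session_key(EXAMPLE_TRANSPORT_SESSION_KEY, authenticated_and_sealed=True)
    blob = encrypt_user_password_new("Passw0rd-example", key)
    print(len(blob), decrypt_user_password(blob, key))
```

The design point worth noticing is that the session key never leaves either side: the transport (or the fixed string) supplies it, and only the RC4 output and, for the _NEW form, the salt travel in the SAMR request. That is also why the failure mode is a bare "Access denied" rather than a decoding error on the wire: the server decrypts with the key it believes applies, gets a nonsensical length, and rejects the call.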
