[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Obaid Farooqi obaidf at microsoft.com
Thu Apr 25 17:40:57 UTC 2019


Hi Andreas:
I have filed a bug to document this behavior. 
The reason the SMB session key does not work in the case of an authenticated SAMR bind is that the query to get the SMB session key fails, since the SMB session key is queried using the id for the login session. Since you log in again for samr, the id for the login session is different from the SMB logon session. Due to this failure, the RPC is assumed to be local and SystemLibraryDTC is used. Jay Simmons describes this well in the thread that was mentioned by Metze. I am copying that link from his email and reproducing it here:
https://lists.samba.org/archive/cifs-protocol/2012-June/002343.html


Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Friday, April 12, 2019 4:15 PM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>; support at mail.support.microsoft.com
Subject: Re: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

On Friday, 12 April 2019 22:10:00 CEST Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> I need to dig deeper into this to find out what is happening.
> Can you please send me instructions on how to setup a Linux client to 
> run the test you ran?
> 
> My plan is to use Windows Subsystem for Linux (WSL) running Ubuntu to 
> accomplish this but that is not a requirement, just a convenience as 
> I'll not have to install Linux on a new VM.

If you're interested in the case where the password change fails, you just need to install samba-client on WSL running Ubuntu.

First create a user e.g. bob1 on an AD DC.

Then go to a console on WSL Ubuntu and run:

$ sudo apt-get install samba-client

Once you have that installed you can execute:

$ rpcclient ncacn_np:<windows ad server>[seal] -U Administrator%<admin password> -c "setuserinfo2 bob1 26 P@ssword0"

Where <windows ad server> is the dns domain name of your windows ad dc.

This will fail with an error NT_STATUS_WRONG_PASSWORD as it uses the wrong session key.

If you want to use TCP/IP:

$ rpcclient ncacn_ip_tcp:<windows ad server>[seal] -U Administrator%<admin password> -c "setuserinfo2 bob1 26 P@ssword0"

This will fail with an error NT_STATUS_WRONG_PASSWORD as it uses the wrong session key.

I can send you the instructions on how to build samba with my changes to use "SystemLibraryDTC" as the session key. Then the above commands will succeed. 
But as you need to clone the git repo and compile it, I need to look up the packages you need to install for Ubuntu first. I can do that on Monday.

Have a nice weekend,


	Andreas
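
Added example, not part of the thread and not Samba or Microsoft code: a sketch of why the session-key mismatch discussed above surfaces as NT_STATUS_WRONG_PASSWORD for level 26. It assumes the salted password encryption of MS-SAMR (516-byte buffer, RC4 keyed with MD5(salt + session key), 16-byte salt appended); the SMB key bytes and the function names are constructed for illustration.

```python
import hashlib
import os
import struct

LOCAL_RPC_KEY = b"SystemLibraryDTC"   # key the thread says the server falls back to
SMB_SESSION_KEY = bytes(range(16))    # constructed stand-in for an SMB session key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt_password(password: str, session_key: bytes) -> bytes:
    """Client side: build the 532-byte blob (assumed MS-SAMR salted layout)."""
    pw = password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password too long for the 512-byte buffer")
    # Random fill, password right-aligned, then a 4-byte little-endian length.
    plain = os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    salt = os.urandom(16)
    return rc4(hashlib.md5(salt + session_key).digest(), plain) + salt

def decrypt_password(blob: bytes, session_key: bytes):
    """Server side: return the password, or None if the buffer is not sane."""
    if len(blob) != 532:
        raise ValueError("expected 516 encrypted bytes plus a 16-byte salt")
    enc, salt = blob[:516], blob[516:]
    plain = rc4(hashlib.md5(salt + session_key).digest(), enc)
    (length,) = struct.unpack("<I", plain[512:])
    if length > 512 or length % 2:
        return None  # garbage length: the mismatch seen as NT_STATUS_WRONG_PASSWORD
    return plain[512 - length:512].decode("utf-16-le", errors="replace")

if __name__ == "__main__":
    blob = encrypt_password("P@ssword0", SMB_SESSION_KEY)
    print("server using SMB key:  ", decrypt_password(blob, SMB_SESSION_KEY))
    print("server using local key:", decrypt_password(blob, LOCAL_RPC_KEY))
```

A client that encrypts with the SMB session key while the server derives its key from SystemLibraryDTC produces a buffer the server cannot parse; encrypting with the same key the server uses round-trips cleanly.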




