[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]
Andreas Schneider
asn at samba.org
Fri Apr 26 08:21:25 UTC 2019
On Thursday, April 25, 2019 7:40:57 PM CEST Obaid Farooqi wrote:
> Hi Andreas:
Hi Obaid,
> I have filed a bug to document this behavior.
> The reason SMB session key does not work in case of authenticated SAMR bind
> is that the query to get the SMB session key fails since SMB session key is
> queried using id for the login session. Since you login again for samr, the
> id for login session is different from the SMB logon session. Due to this
> failure, the RPC is assumed to be local and SystemLibraryDTC is used.
the reauth using DCERPC is required if an Admin restricted anonymous SAMR
access.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:
Value Name: RestrictAnonymous
Value Name: RestrictAnonymousSAM
in that case samr_Connect2() doesn't allow anonymous and will fail with
ACCESS_DENIED. This means you need to use an authenticated DCERPC connection
to connect to samr.
So proabably the code could be improved to check if the SMB connection is
already authenticated and then allow anonymous access to samr :-)
> Jay
> Simmons describes this well in the thread that was mentioned by Metze. I am
> copy that link from his email and reproducing here:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sam
> ba.org%2Farchive%2Fcifs-protocol%2F2012-June%2F002343.html&data=02%7C01%
> 7Cobaidf%40microsoft.com%7C2aaa70f3b41c45bce0e708d6bc28c627%7C72f988bf86f141
> af91ab2d7cd011db47%7C1%7C0%7C636903280648023447&sdata=YXYLWz%2BtKHBqEeVf
> KdflzGcJMejNTEd9TCr6OzcVGjc%3D&reserved=0
>
>
> Please let me know if this does not answer your question.
Ok, this is what we discovered too. However using "SystemLibraryDTC" works on
Windows Server 2012 and newer. It doesn't work on Windows Server 2008R2,
what's the difference with there?
Thanks for your help!
Best regards,
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the cifs-protocol
mailing list