[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Andreas Schneider asn at samba.org
Fri Apr 26 08:21:25 UTC 2019 

On Thursday, April 25, 2019 7:40:57 PM CEST Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> I have filed a bug to document this behavior.
> The reason SMB session key does not work in case of authenticated SAMR bind
> is that the query to get the SMB session key fails since SMB session key is
> queried using id for the login session. Since you login again for samr, the
> id for login session is different from the SMB logon session. Due to this
> failure, the RPC is assumed to be local and SystemLibraryDTC is used.

the reauth using DCERPC is required if an Admin restricted anonymous SAMR 
access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

with the following values:
      Value Name: RestrictAnonymous
      Value Name: RestrictAnonymousSAM

in that case samr_Connect2() doesn't allow anonymous and will fail with 
ACCESS_DENIED. This means you need to use an authenticated DCERPC connection 
to connect to samr.

So proabably the code could be improved to check if the SMB connection is 
already authenticated and then allow anonymous access to samr :-)

> Jay
> Simmons describes this well in the thread that was mentioned by Metze. I am
> copy that link from his email and reproducing here:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sam
> ba.org%2Farchive%2Fcifs-protocol%2F2012-June%2F002343.html&data=02%7C01%
> 7Cobaidf%40microsoft.com%7C2aaa70f3b41c45bce0e708d6bc28c627%7C72f988bf86f141
> af91ab2d7cd011db47%7C1%7C0%7C636903280648023447&sdata=YXYLWz%2BtKHBqEeVf
> KdflzGcJMejNTEd9TCr6OzcVGjc%3D&reserved=0
> 
> 
> Please let me know if this does not answer your question.

Ok, this is what we discovered too. However using "SystemLibraryDTC" works on 
Windows Server 2012 and newer. It doesn't work on Windows Server 2008R2, 
what's the difference with there?


Thanks for your help!

Best regards,


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list