[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Wed May 8 06:48:35 UTC 2019

On Monday, May 6, 2019 8:41:34 PM CEST Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> Couple of questions for you:
> 1. is there a way in your rpcclient to use RPC_C_AUTHN_LEVEL_NONE? I know
> [Seal] will cause RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Is there a similar option
> for RPC_C_AUTHN_LEVEL_NONE?

rpcclient ncacn_np:<server> -U <user>

should use RPC_C_AUTHN_LEVEL_NONE by default.

rpcclient ncacn_np:<server>[seal] -U <user>

will use RPC_C_AUTHN_LEVEL_PKT_PRIVACY.

I've just recently updated the rpcclient manpage to describe the binding 
string. Here is what I added:

           When connecting to a dcerpc service you need to specify a binding
           string.

           The format is:

           TRANSPORT:host[options]

           where TRANSPORT is either ncacn_np (named pipes) for SMB or
           ncacn_ip_tcp for DCERPC over TCP/IP.

           "host" is an IP or hostname or netbios name. If the binding string
           identifies the server side of an endpoint, "host" may be an empty
           string. See below for more details.

           "options" can include a SMB pipe name if using the ncacn_np
           transport or a TCP port number if using the ncacn_ip_tcp transport,
           otherwise they will be auto-determined.

           Examples:

                  •   ncacn_ip_tcp:samba.example.com[1024]
                  •   ncacn_ip_tcp:samba.example.com[sign,seal,krb5]
                  •   ncacn_ip_tcp:samba.example.com[sign,spnego]
                  •   ncacn_np:samba.example.com
                  •   ncacn_np:samba.example.com[samr]
                  •   ncacn_np:samba.example.com[samr,sign,print]
                  •   ncalrpc:/path/to/unix/socket
                  •   //SAMBA

           The supported transports are:

                  •   ncacn_np - Connect using named pipes
                  •   ncacn_ip_tcp - Connect over TCP/IP
                  •   ncalrpc - Connect over local RPC (unix sockets)

           The supported options are:

                  •   sign - Use RPC integrety autentication level
                  •   seal - Enable RPC privacy (encryption) autentication
                      level
                  •   connect - Use RPC connect level authentication (auth,
                      but no sign or seal)
                  •   packet - Use RPC packet authentication level
                  •   spnego - Use SPNEGO instead of NTLMSSP authentication
                  •   ntlm - Use plain NTLM instead of SPNEGO or NTLMSSP
                  •   krb5 - Use Kerberos instead of NTLMSSP authentication
                  •   schannel - Create a schannel connection
                  •   smb1 - Use SMB1 for named pipes
                  •   smb2 - Use SMB2/3 for named pipes

I hope that helps :-)

> 2. You mentioned WS2008R2 behave differently.
> Does that mean WS2008R2 changes the password successfully when
> RPC_C_AUTHN_LEVEL_PKT_PRIVACY is used with SMB Session key?

On WS2008R2 using "SystemLibraryDTC" as the session key to encrypt the 
password buffer over a RPC_C_AUTHN_LEVEL_PKT_PRIVACY connection doesn't work. 
The password change is being rejected.

Best regards,

	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D