[PATCH] fix Samba3 LSA CreateTrustedDomainsEx2

Alexander Bokovoy ab at samba.org
Thu Mar 8 14:04:52 MST 2012


On Fri, Mar 2, 2012 at 23:30, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2012-03-02 at 21:53 +0200, Alexander Bokovoy wrote:
>> Hi,
>> I found out when using samba4 python bindings that the same code to
>> establish trusts works against Windows 2008 R2 DC but doesn't work
>> against Samba3. On deeper inspection it appeared that LSA
>> CreateTrustedDomainsEx2 implementation in Samba 3 ignores the fact
>> that only up to 16 bytes of session key are used for encryption of
>> authentication blob. Samba 4 code does automatically limit session key
>> to 16 bytes when attempting to encrypt/decrypt the authentication
>> blob, thus is working well.
>> Attached patch fixes the issue and makes sure we re-use common code to
>> extract the parts of the authentication blob. With it I'm now able to
>> successfully establish cross-forest trust between Windows 2008 R2 and
>> Samba 3 with FreeIPA 3 backend (in development).
>> I'll make sure there is torture test to cover the situation, however,
>> it would require parallel use of two DCs, how should this be done with
>> autobuild in mind?
> Yes, the selftest environment can run quite complex things.  You can
> join s3dc or a new env to one of the Samba4 domains if you want.  We
> already join a s3 AD domain member to 'dc' as s3member, and that might
> be a good guide.  I'm very happy to either review, guide or assist in
> any reasonable way as you navigate our selftest system.
> On the patch, I suspect the layer at which the session key is being
> truncated is incorrect - we should be truncating it when it is imported
> into the dce/rpc stack, otherwise this will just fail on another call,
> like SAMR password setting.
Andreas and I have looked into various specifications (MS-SMB,
MS-LSAD, MS-NRPC, MS-SAMR, etc) and it seems that this fact that
session key could be trimmed to 16 bytes is an SMB pipe property.
There could be pipes which require full session key but at least LSA
and SAMR require 16 bytes ones. We decided to follow the Samba4 suite
and introduce a helper to extract session key. The only difference is
to allow the caller to specify intent to use of the session key, thus
forcing us to remember this knowledge at the place where it is used.

MS-LSAD's 5.1 section also states that
The session key for sections 5.1.1 and 5.1.2 is obtained from the SMB
transport, as specified in section 2.1. The session key is obtained
from the SMB transport every time a message that needs encryption is
to be sent or a message that needs decryption is to be received.

Thus, we cannot truncate it once and forever.

Attached patch implements the change for LSA and SAMR.
/ Alexander Bokovoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Refactor-CreateTrustedDomainEx2-to-use-common-code-a.patch
Type: text/x-patch
Size: 14825 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120308/6b16440e/attachment.bin>

More information about the samba-technical mailing list