[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Stefan (metze) Metzmacher metze at samba.org
Tue Dec 10 06:47:35 MST 2013

Hi Andrew,

>>>>> + sudo bin/net rpc join -S -Uroot%password12#
>>>>> No realm has been specified! Do you really want to join an Active
>>>>> Directory server?
>>>>> netlogon_creds_cli_ServerPasswordSet failed:
>>>>> No realm has been specified! Do you really want to join an Active
>>>>> Directory server?
>>>>> netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
>>>>> libnet_join_ok: failed to open schannel session on netlogon pipe to
>>>>> server for domain S3. Error was
>>>>> Failed to join domain: failed to verify domain membership after joining:
>>>>> Not implemented
>> So the above was not the 'bin/net rpc join -S
>> -Uroot%password12#' output?
> We couldn't find it in that output, and couldn't find it in the previous
> output.  Can you remind us where your original question came from, so we
> can re-investigate?

Just the above lines.

> I take it that's the bit for schannel?  I guess that's reasonable, but
> what situations would we not negotiate that?
>> The reason I added this was to prevent downgrade attacks where we would call
>> netlogon_creds_cli_ServerPasswordSet() without
>> netlogon_creds_cli_check() before
>> and use dcerpc_netr_ServerPasswordSet() with just des encryption.
> Hmm.  We really should do whatever we can to avoid using DES for this.  
> As Samba 3.5 and above implement ServerPasswordSet2, why are we calling
> ServerPasswordSet at all?
>> We also have this in netlogon_creds_cli_ServerPasswordSet_locked:
>>         if (state->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
>>                 uint32_t tmp = state->creds->negotiate_flags;
>>                 if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
>>                         /*
>>                          * if DCERPC_AUTH_TYPE_SCHANNEL is supported
>>                          * it should be used, which means
>>                          * we had a chance to verify no downgrade
>>                          * happened.
>>                          *
>>                          * This relies on netlogon_creds_cli_check*
>>                          * being called before, as first request after
>>                          * the DCERPC bind.
>>                          */
>>                         tevent_req_nterror(req,
>>                         return;
>>                 }
>>         }
>> Maybe we should combine both tests. And also
>> add NETLOGON_NEG_PASSWORD_SET2 with if (require_strong_key)
>> added with Windows 2000.
> That sounds reasonable.  I don't want to break old Samba 3.x domains,
> but at the same time, I really think we must start asserting a
> requirement for modern crypto, particularly when we talk to an AD DC.
> Samba 3.5 seems a reasonable minimum, earlier versions are long out of
> our security support anyway. 

These changes add the "require strong key" option and we set the default
to "yes", which means we have this:

        if (require_strong_key) {
                required_flags |= NETLOGON_NEG_ARCFOUR;
                required_flags |= NETLOGON_NEG_STRONG_KEYS;
                required_flags |= NETLOGON_NEG_PASSWORD_SET2;
                required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
        }

which should avoid des as much as possible.

I've updated my

I now require NETLOGON_NEG_PASSWORD_SET2 with require_strong_key,
and we also require NETLOGON_NEG_ARCFOUR unless we don't propose

I've also added "allow nt4 crypto" (default: no) and "reject md5 clients"
(default: no) as options for the AD netlogon server.
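The negotiate-flag handling discussed in this thread, written out as a small model so the two guards can be exercised against a few simulated servers. This is an added example for this page, not Samba's code. The NETLOGON_NEG_* bit values are the ones from MS-NRPC 3.1.4.2 and Samba's netlogon.idl, and DCERPC_AUTH_TYPE_SCHANNEL is the MS-RPCE value; the function names, the empty base set of required flags, the set of proposed flags and the three server replies are assumptions made for the example.

```python
"""Model of the netlogon negotiate-flag and ServerPasswordSet guards from
the thread above.  Added example, not Samba code: the NETLOGON_NEG_* and
DCERPC_AUTH_TYPE_* constants are from MS-NRPC / MS-RPCE; everything else
(function names, proposed flags, simulated server replies) is assumed."""

# netr_NegotiateFlags bits (MS-NRPC 3.1.4.2)
NETLOGON_NEG_ARCFOUR           = 0x00000004  # RC4 instead of DES for the session key
NETLOGON_NEG_STRONG_KEYS       = 0x00004000  # 128-bit session key
NETLOGON_NEG_PASSWORD_SET2     = 0x00020000  # peer supports netr_ServerPasswordSet2
NETLOGON_NEG_SUPPORTS_AES      = 0x01000000  # AES session-key crypto
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000  # secure RPC (schannel) supported

# DCERPC auth types (MS-RPCE 2.2.1.1.7)
DCERPC_AUTH_TYPE_NONE     = 0
DCERPC_AUTH_TYPE_SCHANNEL = 68

NT_STATUS_DOWNGRADE_DETECTED = "NT_STATUS_DOWNGRADE_DETECTED"

# What this client proposes in ServerAuthenticate3 (assumed set).
PROPOSED_FLAGS = (NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_STRONG_KEYS
                  | NETLOGON_NEG_PASSWORD_SET2 | NETLOGON_NEG_AUTHENTICATED_RPC
                  | NETLOGON_NEG_SUPPORTS_AES)

# Constructed server replies, i.e. the flags the server echoes back.
MODERN_DC_REPLY = PROPOSED_FLAGS                                    # keeps everything
NT4_STYLE_REPLY = 0                                                  # DES-only peer
STRIPPED_SCHANNEL_REPLY = PROPOSED_FLAGS & ~NETLOGON_NEG_AUTHENTICATED_RPC  # secure-RPC bit cleared


class DowngradeDetected(Exception):
    """Raised where Samba would return NT_STATUS_DOWNGRADE_DETECTED."""


def required_negotiate_flags(require_strong_key: bool, base: int = 0) -> int:
    """Mirror of the snippet quoted above: with "require strong key = yes"
    the four flags become mandatory.  'base' stands in for whatever else the
    caller already requires (assumed empty here)."""
    required = base
    if require_strong_key:
        required |= NETLOGON_NEG_ARCFOUR
        required |= NETLOGON_NEG_STRONG_KEYS
        required |= NETLOGON_NEG_PASSWORD_SET2
        required |= NETLOGON_NEG_AUTHENTICATED_RPC
    return required


def validate_negotiated_flags(proposed: int, required: int, negotiated: int) -> int:
    """Check the flags the server echoed back.  A server may only clear bits
    the client proposed, and may not clear any bit the client requires;
    anything else is treated as a downgrade."""
    unexpected = negotiated & ~proposed
    if unexpected:
        raise DowngradeDetected(f"server set bits we never proposed: {unexpected:#010x}")
    missing = required & ~negotiated
    if missing:
        raise DowngradeDetected(f"server cleared required flags: {missing:#010x}")
    return negotiated


def choose_password_set_call(auth_type: int, negotiated: int) -> str:
    """The two guards quoted in the thread combined into one decision:
    refuse a pipe that is not schannel-protected when schannel was negotiated,
    and only fall back to the DES-protected netr_ServerPasswordSet when the
    peer did not negotiate netr_ServerPasswordSet2."""
    if auth_type != DCERPC_AUTH_TYPE_SCHANNEL and negotiated & NETLOGON_NEG_AUTHENTICATED_RPC:
        raise DowngradeDetected("schannel negotiated but this pipe is not schannel-protected")
    if negotiated & NETLOGON_NEG_PASSWORD_SET2:
        return "netr_ServerPasswordSet2"
    return "netr_ServerPasswordSet"


def join_outcome(require_strong_key: bool, server_reply: int, auth_type: int) -> str:
    """Run the client-side sequence against one simulated server: compute the
    required flags, validate what the server echoed back, then pick the
    password-set call.  Returns the call name or the status we would fail with."""
    required = required_negotiate_flags(require_strong_key)
    try:
        negotiated = validate_negotiated_flags(PROPOSED_FLAGS, required, server_reply)
        return choose_password_set_call(auth_type, negotiated)
    except DowngradeDetected:
        return NT_STATUS_DOWNGRADE_DETECTED


if __name__ == "__main__":
    for strong in (True, False):
        for name, reply in (("modern DC", MODERN_DC_REPLY),
                            ("NT4-style", NT4_STYLE_REPLY),
                            ("stripped schannel bit", STRIPPED_SCHANNEL_REPLY)):
            for auth in (DCERPC_AUTH_TYPE_SCHANNEL, DCERPC_AUTH_TYPE_NONE):
                print(f"strong={strong!s:5} server={name:22} auth={auth:2} -> "
                      f"{join_outcome(strong, reply, auth)}")
```

With "require strong key = no", an NT4-style reply still ends in the DES-protected netr_ServerPasswordSet, which is the path the thread wants closed by default; with the default "yes", the same reply fails with NT_STATUS_DOWNGRADE_DETECTED before any password is sent. The second guard is what catches a modern DC reached over an unprotected pipe: the server negotiated secure RPC, so a non-schannel bind is itself a downgrade.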
