[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
Stefan (metze) Metzmacher
metze at samba.org
Tue Dec 10 06:47:35 MST 2013
Hi Andrew,
>>>>> + sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12#
>>>>> No realm has been specified! Do you really want to join an Active
>>>>> Directory server?
>>>>> netlogon_creds_cli_ServerPasswordSet failed:
>>>>> NT_STATUS_INVALID_PARAMETER_MIX
>>>>> No realm has been specified! Do you really want to join an Active
>>>>> Directory server?
>>>>> netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
>>>>> libnet_join_ok: failed to open schannel session on netlogon pipe to
>>>>> server 192.168.122.249 for domain S3. Error was
>>>>> NT_STATUS_NOT_IMPLEMENTED
>>>>> Failed to join domain: failed to verify domain membership after joining:
>>>>> Not implemented
>>
>> So the above was not the 'bin/net rpc join -S 192.168.122.249
>> -Uroot%password12#' output?
>
> We couldn't find it in that output, and couldn't find it in the previous
> output. Can you remind us where your original question came from, so we
> can re-investigate?
Just the above lines.
>
> I take it that's the bit for schannel? I guess that's reasonable, but
> what situations would we not negotiate that?
>
>> The reason I added this was to prevent downgrade attacks where we would call
>> netlogon_creds_cli_ServerPasswordSet() without
>> netlogon_creds_cli_check() before
>> and use dcerpc_netr_ServerPasswordSet() with just des encryption.
>
> Hmm. We really should do whatever we can to avoid using DES for this.
>
> As Samba 3.5 and above implement ServerPasswordSet2, why are we calling
> ServerPasswordSet at all?
>
>> We also have this in netlogon_creds_cli_ServerPasswordSet_locked:
>>
>>     if (state->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
>>         uint32_t tmp = state->creds->negotiate_flags;
>>
>>         if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
>>             /*
>>              * if DCERPC_AUTH_TYPE_SCHANNEL is supported
>>              * it should be used, which means
>>              * we had a chance to verify no downgrade
>>              * happened.
>>              *
>>              * This relies on netlogon_creds_cli_check*
>>              * being called before, as first request after
>>              * the DCERPC bind.
>>              */
>>             tevent_req_nterror(req,
>>                                NT_STATUS_INVALID_PARAMETER_MIX);
>>             return;
>>         }
>>     }
>>
>> Maybe we should combine both tests. And also
>> add NETLOGON_NEG_PASSWORD_SET2 with if (require_strong_key)
>> as NETLOGON_NEG_STRONG_KEYS and NETLOGON_NEG_PASSWORD_SET2 were both
>> added with Windows 2000.
>
> That sounds reasonable. I don't want to break old Samba 3.x domains,
> but at the same time, I really think we must start asserting a
> requirement for modern crypto, particularly when we talk to an AD DC.
>
> Samba 3.5 seems a reasonable minimum, earlier versions are long out of
> our security support anyway.
This change adds the "require strong key" option and we set the default
to "yes", which means we have this:

    if (require_strong_key) {
        required_flags |= NETLOGON_NEG_ARCFOUR;
        required_flags |= NETLOGON_NEG_STRONG_KEYS;
        required_flags |= NETLOGON_NEG_PASSWORD_SET2;
        required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
    }

which should avoid DES as much as possible.
I've updated my
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
I now require NETLOGON_NEG_PASSWORD_SET2 with require_strong_key,
and we also require NETLOGON_NEG_ARCFOUR unless we don't propose
NETLOGON_NEG_AUTHENTICATED_RPC.
I've also added "allow nt4 crypto" (default: no) and "reject md5
clients" (default: no)
as options for the AD netlogon server.
metze
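To make the downgrade policy discussed in this thread concrete, here is an added Python model (not Samba's own code) of the client-side checks: the required_flags set derived from "require strong key", the comparison against what the server actually negotiated, and the pre-ServerPasswordSet guard from netlogon_creds_cli_ServerPasswordSet_locked. The flag bit values are assumed from Samba's netlogon.idl (only their distinctness matters here); the auth-type tags and the sample negotiated values are constructed.

```python
# Negotiate-flag bits, assumed from Samba's librpc/idl/netlogon.idl.
NETLOGON_NEG_ARCFOUR           = 0x00000004
NETLOGON_NEG_STRONG_KEYS       = 0x00004000
NETLOGON_NEG_PASSWORD_SET2     = 0x00020000
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000
FLAG_NAMES = {
    "NETLOGON_NEG_ARCFOUR": NETLOGON_NEG_ARCFOUR,
    "NETLOGON_NEG_STRONG_KEYS": NETLOGON_NEG_STRONG_KEYS,
    "NETLOGON_NEG_PASSWORD_SET2": NETLOGON_NEG_PASSWORD_SET2,
    "NETLOGON_NEG_AUTHENTICATED_RPC": NETLOGON_NEG_AUTHENTICATED_RPC,
}
# Local placeholder tags, not the real DCERPC_AUTH_TYPE_* numeric values.
AUTH_TYPE_NONE = "none"
AUTH_TYPE_SCHANNEL = "schannel"

def required_flags(require_strong_key, propose_authenticated_rpc=True):
    """Flags the client insists the server echoes back in the negotiation."""
    flags = 0
    if propose_authenticated_rpc:
        # ARCFOUR is required unless AUTHENTICATED_RPC is not proposed at all.
        flags |= NETLOGON_NEG_AUTHENTICATED_RPC | NETLOGON_NEG_ARCFOUR
    if require_strong_key:
        # The "require strong key = yes" block from the mail.
        flags |= (NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_STRONG_KEYS |
                  NETLOGON_NEG_PASSWORD_SET2 | NETLOGON_NEG_AUTHENTICATED_RPC)
    return flags

def missing_flags(negotiated, required):
    """Names of required flags the server dropped; non-empty means a downgrade."""
    lost = required & ~negotiated
    return [name for name, bit in FLAG_NAMES.items() if lost & bit]

def password_set_guard(auth_type, negotiated):
    """Guard before ServerPasswordSet: NT status name to fail with, or None."""
    if auth_type != AUTH_TYPE_SCHANNEL and negotiated & NETLOGON_NEG_AUTHENTICATED_RPC:
        # schannel was negotiated but is not in use, so the downgrade check
        # (netlogon_creds_cli_check) never ran on this connection.
        return "NT_STATUS_INVALID_PARAMETER_MIX"
    return None

def password_set_call(negotiated):
    """Which call is used; SET2 avoids the DES-only ServerPasswordSet."""
    return ("ServerPasswordSet2" if negotiated & NETLOGON_NEG_PASSWORD_SET2
            else "ServerPasswordSet")

if __name__ == "__main__":
    modern_dc = 0x40024004                     # constructed: echoes all four bits
    stripped = modern_dc & ~NETLOGON_NEG_STRONG_KEYS   # constructed: STRONG_KEYS dropped
    print(missing_flags(modern_dc, required_flags(True)))   # []
    print(missing_flags(stripped, required_flags(True)))    # ['NETLOGON_NEG_STRONG_KEYS']
    print(password_set_guard(AUTH_TYPE_NONE, modern_dc))    # NT_STATUS_INVALID_PARAMETER_MIX
```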