access denied for network sam logon

moore chestnut moore.43132 at gmail.com
Tue Feb 25 14:26:51 UTC 2020


Hello samba folks,

I'm very interested in network-based logon (netlogon over RPC over TCP).
I have been doing a lot of reading from the hack samba page and code browsing
per the recommendations on https://www.samba.org/samba/devel/
Also reading
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f


So to simplify things for my own understanding, I have created a client
with the sole purpose of netlogon over RPC over TCP, with a view to doing NTLM
pass-through.

Here is a summary of the flow.

NTLM-enabled browser client and a bespoke HTTP server.
The HTTP server is a machine for which I have added a computer account to an MS
Active Directory domain - essentially like torture_join_domain.
The account flags are set to ACB_WSTRUST only.
cli_credentials_set_secure_channel_type() with SEC_CHAN_WKSTA.

With creds for the HTTP server machine, I have been able to use
dcerpc_pipe_connect_b() to establish a schannel.

All looks reasonably good in Wireshark per my reading of the code and spec.
I can see the EPM and server request challenge req/resp and server
authenticate2 request/response.

I can then do an NTLM handshake with the client.
I save the random nonce from the generated type 2 and get the LM response and
NTLM response from the type 3 message.

These are then used to build up the netr_NetworkInfo and
netr_LogonSamLogonEx and call dcerpc_netr_LogonSamLogonEx_r().

But the response from AD is access denied.

From the MS NRPC spec, it says:
3.5.4.5.1 NetrLogonSamLogonEx (Opnum 39)
"If the server cannot service the request due to an implementation-specific
condition, the server returns STATUS_ACCESS_DENIED."

And in section:
3.4.5.3.2 Calling NetrLogonSamLogonEx
it says:
"On receiving STATUS_ACCESS_DENIED, the client SHOULD<104> re-establish the
secure channel with the DC."

The random password for the machine computer account has not changed. Would
there be value in actually re-establishing the schannel? Is there any known
subtlety on the AD side?

Any suggestions on approach, methods used and the access denied?

Thank you.
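The step described above (keeping the challenge from the type 2 message and lifting the LM/NT responses and identity out of the type 3 message, which is what goes into netr_NetworkInfo) as an added, self-contained example; this is not code from the post or from Samba, and the sample messages, the build_type3() helper and the field names in the returned dict are constructed here for illustration.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE (MS-NLMP 2.2.2.5)


def _field(buf, pos):
    """Resolve one NTLM field descriptor (Len, MaxLen, Offset) into the payload bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, pos)
    if offset + length > len(buf):  # a client-controlled descriptor must not read past the message
        raise ValueError("NTLM field descriptor points outside the message")
    return buf[offset:offset + length]


def challenge_from_type2(msg):
    """Return the 8-byte ServerChallenge of a CHALLENGE_MESSAGE (fixed at offset 24)."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return msg[24:32]


def network_logon_inputs(type2, type3):
    """Extract from the AUTHENTICATE_MESSAGE what a netr_NetworkInfo carries:
    identity (domain, account, workstation), the server challenge, and the LM/NT responses."""
    if len(type3) < 64 or type3[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", type3, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"  # OEM strings otherwise
    # Descriptors sit at fixed header offsets: LM 12, NT 20, Domain 28, User 36, Workstation 44.
    return {
        "domain_name": _field(type3, 28).decode(codec),
        "account_name": _field(type3, 36).decode(codec),
        "workstation": _field(type3, 44).decode(codec),
        "challenge": challenge_from_type2(type2),
        "lm_response": _field(type3, 12),
        "nt_response": _field(type3, 20),
    }


def build_type3(lm, nt, domain, user, workstation):
    """Construct a minimal AUTHENTICATE_MESSAGE (sample input only, not a real browser capture)."""
    parts = [lm, nt] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload = NTLMSSP_SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:  # 64-byte header (no Version/MIC), so the payload starts at offset 64
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return header + struct.pack("<I", NEGOTIATE_UNICODE | 0x00000200) + payload


# Constructed sample exchange: a type 2 carrying the challenge, a type 3 carrying the responses.
SAMPLE_TYPE2 = (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
                + struct.pack("<I", 0x00000201) + bytes.fromhex("0123456789abcdef") + bytes(8)
                + struct.pack("<HHI", 0, 0, 56) + bytes(8))
SAMPLE_TYPE3 = build_type3(b"\x11" * 24, b"\x22" * 40, "EXAMPLE", "alice", "WS01")
```

Because the parser follows the message's own offsets, it also handles a type 3 that carries the optional Version and MIC fields, and a descriptor that reaches past the end of the message is rejected rather than read.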