[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

Jeremy Brousseau jeremy.brousseau at outlook.com
Wed Jul 22 15:08:19 UTC 2020


To put an emphasis on my word on the samba github : https://github.com/samba-team/samba/blob/08867de2efde05e4730b41a335d13f775e44e397/source3/libsmb/passchange.c

Starting from line 145:

if (!pass_must_change) {
    result = cli_rpc_pipe_open_with_creds(cli,
                                          &ndr_table_samr,
                                          NCACN_NP,
                                          DCERPC_AUTH_TYPE_NTLMSSP,
                                          DCERPC_AUTH_LEVEL_PRIVACY,
                                          remote_machine,
                                          creds,
                                          &pipe_hnd);
} else {
    /*
     * If the user password must be changed the ntlmssp bind will
     * fail the same way as the session setup above did. The
     * difference ist that with a pipe bind we don't get a good
     * error message, the result will be that the rpc call below
     * will just fail. So we do it anonymously, there's no other
     * way.
     */
    result = cli_rpc_pipe_open_noauth(
        cli, &ndr_table_samr, &pipe_hnd);
}

Best regards,

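The difference the thread describes (smbpasswd going straight to the password change over an anonymous, unauthenticated SAMR bind, while rpcclient first issues Connect5/4/2, which the DC refuses to an anonymous session) is visible on the wire. The following Python script is an added example, not Samba code and not the screenshots mentioned in the thread: it runs over constructed packet-summary lines in the style of a one-line-per-PDU text export (frame, source, destination, protocol, summary), groups them per client, records the SAMR call sequence with its status, and flags sessions that reach SAMR with an anonymous session setup and a noauth bind. The host addresses, frame numbers and summary wording are constructed.

```python
import re
from collections import defaultdict

# Constructed sample capture, one line per PDU: "frame src -> dst proto summary".
# This imitates a text export of the two captures described in the thread and
# is NOT taken from them: host 10.10.10.50 behaves like smbpasswd (anonymous
# session, noauth SAMR bind, straight to ChangePasswordUser2) and host
# 10.10.10.60 like rpcclient (same session, but Connect5/4/2 first, each denied).
SAMPLE_LINES = """\
1 10.10.10.50 -> 10.10.10.193 SMB2 Session Setup Request, NTLMSSP_AUTH, User: anonymous
2 10.10.10.193 -> 10.10.10.50 SMB2 Session Setup Response, STATUS_SUCCESS
3 10.10.10.50 -> 10.10.10.193 SMB2 Tree Connect Request, Tree: IPC$
4 10.10.10.50 -> 10.10.10.193 DCERPC Bind, samr V1.0, auth: none
5 10.10.10.50 -> 10.10.10.193 SAMR ChangePasswordUser2 request
6 10.10.10.193 -> 10.10.10.50 SAMR ChangePasswordUser2 response, STATUS_SUCCESS
7 10.10.10.60 -> 10.10.10.193 SMB2 Session Setup Request, NTLMSSP_AUTH, User: anonymous
8 10.10.10.193 -> 10.10.10.60 SMB2 Session Setup Response, STATUS_SUCCESS
9 10.10.10.60 -> 10.10.10.193 SMB2 Tree Connect Request, Tree: IPC$
10 10.10.10.60 -> 10.10.10.193 DCERPC Bind, samr V1.0, auth: none
11 10.10.10.60 -> 10.10.10.193 SAMR Connect5 request
12 10.10.10.193 -> 10.10.10.60 SAMR Connect5 response, STATUS_ACCESS_DENIED
13 10.10.10.60 -> 10.10.10.193 SAMR Connect4 request
14 10.10.10.193 -> 10.10.10.60 SAMR Connect4 response, STATUS_ACCESS_DENIED
15 10.10.10.60 -> 10.10.10.193 SAMR Connect2 request
16 10.10.10.193 -> 10.10.10.60 SAMR Connect2 response, STATUS_ACCESS_DENIED
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<summary>.*)$"
)
STATUS_RE = re.compile(r"(STATUS_[A-Z_]+)")


def parse_lines(text):
    """Turn the summary text into a list of PDU dicts; malformed lines are skipped."""
    pdus = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pdus.append(m.groupdict())
    return pdus


def new_session():
    return {"anonymous": False, "ipc_tree": False, "samr_bind_auth": None, "samr_ops": []}


def classify(ops):
    """Name the SAMR call pattern from an ordered list of (operation, status) pairs."""
    names = [n for n, _ in ops]
    if "ChangePasswordUser2" in names:
        before = names[: names.index("ChangePasswordUser2")]
        if any(n.startswith("Connect") for n in before):
            return "connect-then-change"
        return "change-without-connect"
    if any(n.startswith("Connect") for n in names):
        return "connect-only"
    return "no-samr"


def analyse(text):
    """Group PDUs per client (session initiator) and record the SAMR call sequence."""
    sessions = defaultdict(new_session)
    for p in parse_lines(text):
        summary = p["summary"]
        if p["proto"] == "SMB2" and summary.startswith("Session Setup Request"):
            sessions[p["src"]]["anonymous"] = "User: anonymous" in summary
        elif p["proto"] == "SMB2" and summary.startswith("Tree Connect Request"):
            sessions[p["src"]]["ipc_tree"] = "IPC$" in summary
        elif p["proto"] == "DCERPC" and summary.startswith("Bind") and "samr" in summary:
            m = re.search(r"auth:\s*(\S+)", summary)
            sessions[p["src"]]["samr_bind_auth"] = m.group(1) if m else "unknown"
        elif p["proto"] == "SAMR" and summary.endswith("request"):
            sessions[p["src"]]["samr_ops"].append([summary.split()[0], None])
        elif p["proto"] == "SAMR" and "response" in summary:
            # A response travels DC -> client; attach its status to the last open op.
            ops = sessions[p["dst"]]["samr_ops"]
            m = STATUS_RE.search(summary)
            if ops and ops[-1][1] is None and m:
                ops[-1][1] = m.group(1)
    result = {}
    for client, s in sessions.items():
        s["samr_ops"] = [tuple(x) for x in s["samr_ops"]]
        s["pattern"] = classify(s["samr_ops"])
        # Worth a closer look on a DC: SAMR reached over an anonymous session with no RPC auth.
        s["unauth_samr"] = s["anonymous"] and s["samr_bind_auth"] == "none" and bool(s["samr_ops"])
        result[client] = s
    return result


if __name__ == "__main__":
    for client, s in analyse(SAMPLE_LINES).items():
        tag = "anonymous-SAMR" if s["unauth_samr"] else ""
        print(client, s["pattern"], tag, s["samr_ops"])
```

Run as-is it prints one line per client; pointed at a real text export with the same column layout, the per-client sequence shows which SAMR opnums were attempted before the password change and which the DC refused.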
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Jeremy Brousseau via samba <samba at lists.samba.org>
Sent: Wednesday, July 22, 2020 4:56 PM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny <rpenny at samba.org>
Subject: Re: [Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

First thanks for your quick reply,

I may have explained myself improperly. By default - from my understanding - on any Windows domain you're allowed to anonymously connect to:

    - the rootDSE of the LDAP with an anonymous bind;
    - the IPC$ with a NULL session, if allowed in the registry.

But indeed you're not allowed to perform any method on the IPC$, nor to list the shares etc. on the DC with this session (if not allowed), but you're allowed to change your password.

Nevertheless my problem does not lie here, since the first connection to the IPC$ is established, but rather in the inner workings of rpcclient vs smbpasswd. My question is why rpcclient performs a 'Connect5/4/2' before the 'ChangeUserPassword' is performed, contrary to smbpasswd.

In the end this is perfectly working with smbpasswd, but the behavior of rpcclient over this method piqued my curiosity.

Best regards,
Jerem
________________________________
From: Jeremy Brousseau <jeremy.brousseau at outlook.com>
Sent: Wednesday, July 22, 2020 4:39 PM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny <rpenny at samba.org>
Subject: Re: [Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

First thanks for your quick reply,

I may have explained myself improperly. By default - from my understanding - on any Windows domain you're allowed to anonymously connect to:

    - the rootDSE of the LDAP;
    - the IPC$ as anonymous, if not directly forbidden in the registry.

But indeed you're not allowed to perform any method on the IPC$ (only a few, like getting the password policy), nor to list the shares etc., but you're allowed to change your password (if the anonymous logon is not forbidden).

Nevertheless my problem does not lie here, but rather in the inner workings of rpcclient vs smbpasswd. My question is why rpcclient performs a 'Connect5/4/2' before the 'ChangeUserPassword' is performed, contrary to smbpassw>

As a picture is worth a thousand words, please find attached 2 screenshots:
- smbpasswd traffic
- rpcclient traffic

Best regards,

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Wednesday, July 22, 2020 3:39 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

On 22/07/2020 14:31, Jeremy Brousseau via samba wrote:
> Hello,
>
> First of all I would like to apologize if my mail is not clear, this is my first time doing this kind of thing!
>
> I'm currently working within a small AD environment within a single forest-domain which is the following :
>     - DC Windows 2016
>     - Archlinux with samba version 4.12.3
>
> I currently have a standard domain user named 'test' which has the attribute PASSWORD_MUST_CHANGE set and my goal is to change this password. During my test I used the following clients:
>    - rpcclient 4.12.3
>    - smbpasswd
>
> When trying to change the password of the user 'test' with smbpasswd I have no issue and this is behaving like expected (smbpasswd -r 10.10.10.2 -U "CORP.LOCAL\TEST")
> Commands:
>    smbpasswd -r 10.10.10.193 -U "CORP.LOCAL\test"
>    Old SMB password:
>    New SMB password:
>    Retype new SMB password:
>    Password changed for user test
>
> My main problem is that when trying to do the same with rpcclient using the 'chgpasswd2' with an anonymous logon I simply got an ACCESS_DENIED.

I stopped reading here, you cannot do an anonymous logon to AD, it isn't
allowed.

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba