On Fri, 2011-10-21 at 22:58 +0000, Hongwei Sun wrote:
> Andrew,
>
> I am working with multiple product teams and we want to understand the
> scenario better. I searched and found some logs from the Samba site
> regarding this issue as below:
>
> 06/01/06 12:37:21 <vl> abartlet_: Can you tell me the story about SystemLibraryDTC?
> 06/01/06 12:37:32 <vl> What is that exactly, when is that used?
> 06/01/06 12:38:20 <abartlet_> so, you know how administrative password sets are encrypted from the client to the SAMR server?
> 06/01/06 12:38:40 <vl> Yes. This is what Samba3 with an ntlmssp authenticated bind stumbles over right now :-)
> 06/01/06 12:38:48 <abartlet_> well, because windows doesn't always use the bulk encryption, the values are individually encrypted
> 06/01/06 12:39:39 <abartlet_> anyway, when we are bulk encrypted, or when we are on TCP/IP, the key is SystemLibraryDTC
> 06/01/06 12:39:59 <vl> Otherwise it's taken from the session setup?
> 06/01/06 12:40:02 <abartlet_> yep
> 06/01/06 12:40:08 <vl> I'm trying to design a torture test that joins samba3 and then does an schannel bind / samlogon and is runnable in the build farm...
> 06/01/06 12:40:22 <abartlet_> ahh, fun :-)
> 06/01/06 12:40:37 <vl> So I chose a null smb connection and did a ntlmssp bind as root. This is not able to set the user password.
> 06/01/06 12:41:02 <vl> So when the bind negotiates seal we can set the sessionkey to SystemLibraryDTC?
> 06/01/06 12:41:05 <abartlet_> yep
>
> Is this the correct description of the scenario? Which SAMR
> functions are involved here? The conversation above implies
> SamrChangePasswordUser/SamrOemChangePasswordUser2/SamrUnicodeChangePasswordUser2.
> Is this right?

Yes, those functions are known to use this. Also the secrets calls on LSA (that's where we did the DES brute force, as it was a weaker encryption). See the rpc.secrets smbtorture test, when used with either ncacn_ip_tcp, ncacn_ip_np:server[sign] or ncacn_ip_np:server[seal].

For security, I would really like to work with Microsoft to see this fixed key removed, or made unavailable over any unencrypted transport some day.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org