[prev in list] [next in list] [prev in thread] [next in thread]
List: cifs-protocol
Subject: Re: [cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [11904
From: Andreas Schneider via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2019-05-08 6:48:35
Message-ID: 1997365.m7AEx3NtLi () magrathea ! fritz ! box
[Download RAW message or body]
On Monday, May 6, 2019 8:41:34 PM CEST Obaid Farooqi wrote:
> Hi Andreas:
Hi Obaid,
> Couple of questions for you:
> 1. is there a way in your rpcclient to use RPC_C_AUTHN_LEVEL_NONE? I know
> [Seal] will cause RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Is there a similar option
> for RPC_C_AUTHN_LEVEL_NONE?
rpcclient ncacn_np:<server> -U <user>
should use RPC_C_AUTHN_LEVEL_NONE by default.
rpcclient ncacn_np:<server>[seal] -U <user>
will use RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
I've just recently updated the rpcclient manpage to describe the binding
string. Here is what I added:
When connecting to a dcerpc service you need to specify a binding
string.
The format is:
TRANSPORT:host[options]
where TRANSPORT is either ncacn_np (named pipes) for SMB or
ncacn_ip_tcp for DCERPC over TCP/IP.
"host" is an IP or hostname or netbios name. If the binding string
identifies the server side of an endpoint, "host" may be an empty
string. See below for more details.
"options" can include a SMB pipe name if using the ncacn_np
transport or a TCP port number if using the ncacn_ip_tcp transport,
otherwise they will be auto-determined.
Examples:
• ncacn_ip_tcp:samba.example.com[1024]
• ncacn_ip_tcp:samba.example.com[sign,seal,krb5]
• ncacn_ip_tcp:samba.example.com[sign,spnego]
• ncacn_np:samba.example.com
• ncacn_np:samba.example.com[samr]
• ncacn_np:samba.example.com[samr,sign,print]
• ncalrpc:/path/to/unix/socket
• //SAMBA
The supported transports are:
• ncacn_np - Connect using named pipes
• ncacn_ip_tcp - Connect over TCP/IP
• ncalrpc - Connect over local RPC (unix sockets)
The supported options are:
• sign - Use RPC integrety autentication level
• seal - Enable RPC privacy (encryption) autentication
level
• connect - Use RPC connect level authentication (auth,
but no sign or seal)
• packet - Use RPC packet authentication level
• spnego - Use SPNEGO instead of NTLMSSP authentication
• ntlm - Use plain NTLM instead of SPNEGO or NTLMSSP
• krb5 - Use Kerberos instead of NTLMSSP authentication
• schannel - Create a schannel connection
• smb1 - Use SMB1 for named pipes
• smb2 - Use SMB2/3 for named pipes
I hope that helps :-)
> 2. You mentioned WS2008R2 behave differently.
> Does that mean WS2008R2 changes the password successfully when
> RPC_C_AUTHN_LEVEL_PKT_PRIVACY is used with SMB Session key?
On WS2008R2 using "SystemLibraryDTC" as the session key to encrypt the
password buffer over a RPC_C_AUTHN_LEVEL_PKT_PRIVACY connection doesn't work.
The password change is being rejected.
Best regards,
Andreas
--
Andreas Schneider asn@samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic