On 02/17/2012 10:57 PM, Andrew Bartlett wrote:
> On Sat, 2012-02-11 at 15:40 -0800, Matthieu Patou wrote:
>> Hello Dochelp,
>>
>> A bug report concerning the user's session key was reported in Samba when
>> using level 3 validation for NetrLogonSamLogonEx.
>>
>> I did a bit of investigation and witnessed the corruption if we use
>> level 3 validation for NetrLogonSamLogonEx and if Samba opens more than
>> 1 schannel connection with one DC and is not using the session key of
>> the latest connection for decrypting the user's session key (and other
>> encrypted fields) in the Validation 3 response.
>>
>> I checked that Samba is using the same key for encrypting and decrypting
>> schannel and sensitive fields in the validation 3 response of the
>> NetrLogonSamLogonEx call.
>>
>> MS-NRPC seems to indicate that the session key should be the same and I
>> didn't find a trace in the documentation saying that only the latest
>> session key exchanged during a NetrAuthenticateX and what seems even
>> more puzzling is that using the "old" session key for schannel
>> encryption and decryption works.
>>
>> Can you explain the problem to us?
>
> Matthieu,
>
> The issue is in part that RC4 encryption is not checksummed, and so the
> stream cipher has no way to tell if the encryption was in fact valid.
> Therefore, you can decrypt a returned session key with the wrong key and
> have no errors.

Right.

> The reason for my original patch in
> https://bugzilla.samba.org/show_bug.cgi?id=8599 is that only by
> validating the netlogon authentication chain can we have any confidence
> that we share the same session key as the remote server at this exact
> moment.

In theory, if we are able to decrypt a schannel-encrypted RPC we should
also be able to decrypt RC4-encrypted secrets in the NetLogon RPC; it seems
not to be the case, hence my question to Microsoft to get some clarification.

After this explanation, it might be useful to use your patch and step
away from the LogonEx call if we don't have a schannel connection to a DC.
Of course, when we can choose a level without netlogon authentication
and without an encrypted session key, this is even better.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
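An added illustration of the point Andrew makes in the thread, that RC4 carries no integrity check, so a user session key unsealed with a stale schannel key comes back as silent garbage rather than an error. This is example code written for this page, not Samba's code and not the MS-NRPC wire format; the three keys are constructed sample values, and the HMAC-tagged wrapper is a hypothetical contrast showing what a detectable mismatch looks like, not something Netlogon does (Netlogon's actual defence, as the thread says, is validating the authenticator chain).

```python
import hashlib
import hmac
# Constructed sample keys: two schannel keys from two NetrServerAuthenticate
# exchanges with the same DC, plus the user session key the DC will return.
OLD_SCHANNEL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NEW_SCHANNEL_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
USER_SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same XOR.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def seal_with_tag(key: bytes, plaintext: bytes) -> bytes:
    # Hypothetical encrypt-then-MAC wrapper (not the MS-NRPC wire format).
    ct = rc4(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal_with_tag(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("session key mismatch or tampered blob")
    return rc4(key, ct)

def wrong_key_goes_unnoticed() -> bool:
    # The thread's failure mode: the DC sealed with its newest schannel key,
    # the client unseals with the older one, and bare RC4 cannot tell.
    blob = rc4(NEW_SCHANNEL_KEY, USER_SESSION_KEY)
    recovered = rc4(OLD_SCHANNEL_KEY, blob)
    return recovered != USER_SESSION_KEY  # garbage comes back, no error

def wrong_key_is_detected() -> bool:
    blob = seal_with_tag(NEW_SCHANNEL_KEY, USER_SESSION_KEY)
    try:
        unseal_with_tag(OLD_SCHANNEL_KEY, blob)
    except ValueError:
        return True
    return False
```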