Jeremy Brousseau
2020-Jul-22 13:31 UTC
[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE
Hello,

First of all I would like to apologize if my mail is not clear, this is my first time doing this kind of thing!

I'm currently working within a small AD environment within a single forest/domain, which is the following:
- DC Windows 2016
- Archlinux with samba version 4.12.3

I currently have a standard domain user named 'test' which has the attribute PASSWORD_MUST_CHANGE set, and my goal is to change this password. During my tests I used the following clients:
- rpcclient 4.12.3
- smbpasswd

When trying to change the password of the user 'test' with smbpasswd I have no issue and it behaves as expected (smbpasswd -r 10.10.10.2 -U "CORP.LOCAL\TEST").

Commands:
smbpasswd -r 10.10.10.193 -U "CORP.LOCAL\test"
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user test

My main problem is that when trying to do the same with rpcclient using 'chgpasswd2' with an anonymous logon I simply get an ACCESS_DENIED. I decided to run Wireshark to see what happens under the hood for both clients. The main diff>

Commands:
rpcclient -U "" 10.10.10.2
Enter WORKGROUP\'s password:
rpcclient $> chgpasswd2 test Password01! Password02!
result was NT_STATUS_ACCESS_DENIED

Also, when using rpcclient with another account which is a domain user (i.e. Test2) and calling 'chgpasswd2' on the user 'Test', this works fine! (Indeed the Connect5 worked and thus 'ChangePasswordUser2' gets called.)

Commands:
rpcclient -U "CORP.LOCAL\TEST2" 10.10.10.2
Enter CORP.LOCAL\TEST2's password:
rpcclient $> chgpasswd2 test Password01! Password02!
rpcclient $>

I tried to dig into the code on GitHub in cli_samr.c / passchange.c / smbpasswd.c, and in the end they are all using the same function (rpccli_samr_chgpasswd_user2), and I could not spot the difference between the call made by rpcclie>

So here are my two main questions:
- Why is rpcclient issuing a 'Connect5/4/2' before calling the 'ChangePasswordUser2' method whereas 'smbpasswd' does not?
- Is this normal behavior? Why does rpcclient not simply use 'SamrUnicodeChangePasswordUser2' with the already established anonymous logon, as stated in the Microsoft documentation? https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/41d7ca60-909f-4d0d-b85a-c9a35b5f2aaa

Thank you very much in advance for taking the time to read this e-mail, and sorry if this question has already been answered somewhere else, but I just could not find any answer with my google fu!

Best Regards,
Jerem
Rowland penny
2020-Jul-22 13:39 UTC
[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE
On 22/07/2020 14:31, Jeremy Brousseau via samba wrote:
> Hello,
>
> First of all I would like to apologize if my mail is not clear, this is my first time doing this kind of thing!
>
> I'm currently working within a small AD environment within a single forest/domain, which is the following:
> - DC Windows 2016
> - Archlinux with samba version 4.12.3
>
> I currently have a standard domain user named 'test' which has the attribute PASSWORD_MUST_CHANGE set, and my goal is to change this password. During my tests I used the following clients:
> - rpcclient 4.12.3
> - smbpasswd
>
> When trying to change the password of the user 'test' with smbpasswd I have no issue and it behaves as expected (smbpasswd -r 10.10.10.2 -U "CORP.LOCAL\TEST").
> Commands:
> smbpasswd -r 10.10.10.193 -U "CORP.LOCAL\test"
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Password changed for user test
>
> My main problem is that when trying to do the same with rpcclient using 'chgpasswd2' with an anonymous logon I simply get an ACCESS_DENIED.

I stopped reading here, you cannot do an anonymous logon to AD, it isn't allowed.

Rowland
Jeremy Brousseau
2020-Jul-22 14:56 UTC
[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE
First, thanks for your quick reply. I may have explained myself improperly.

By default, from my understanding, on any Windows domain you're allowed to anonymously connect to:
- the rootDSE of the LDAP with an anonymous bind;
- the IPC$ share with a NULL session, if allowed in the registry.

But indeed you're not allowed to perform any method on the IPC$, nor to list the shares etc. on the DC with this session (if not allowed), but you're allowed to change your password. Nevertheless my problem does not lie here, since the first connection to the IPC$ is established, but rather in the inner workings of rpcclient vs smbpasswd. My question is why does rpcclient perform a 'Connect5/4/2' before the 'ChangeUserPassword' is performed, contrary to smbpasswd. In the end this works perfectly with smbpasswd, but the behavior of rpcclient over this method piqued my curiosity.

Best regards,
Jerem

________________________________
From: Jeremy Brousseau <jeremy.brousseau at outlook.com>
Sent: Wednesday, July 22, 2020 4:39 PM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny <rpenny at samba.org>
Subject: Re: [Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

First, thanks for your quick reply. I may have explained myself improperly.

By default, from my understanding, on any Windows domain you're allowed to anonymously connect to:
- the rootDSE of the LDAP;
- the IPC$ as anonymous, if not directly forbidden in the registry.

But indeed you're not allowed to perform any method on the IPC$ (only a few, like getting the password policy) nor to list the shares etc., but you're allowed to change your password (if the anonymous logon is not forbidden). Nevertheless my problem does not lie here but rather in the inner workings of rpcclient vs smbpasswd.

My question is why does rpcclient perform a 'Connect5/4/2' before the 'ChangeUserPassword' is performed, contrary to smbpassw>

As a picture is worth a thousand words, please find attached 2 screenshots:
- smbpasswd traffic
- rpcclient traffic

Best regards,
Jeremy Brousseau
2020-Jul-22 15:08 UTC
[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE
To put an emphasis on my words, on the samba GitHub: https://github.com/samba-team/samba/blob/08867de2efde05e4730b41a335d13f775e44e397/source3/libsmb/passchange.c

Starting from line 145:

    if (!pass_must_change) {
        result = cli_rpc_pipe_open_with_creds(cli,
                                              &ndr_table_samr,
                                              NCACN_NP,
                                              DCERPC_AUTH_TYPE_NTLMSSP,
                                              DCERPC_AUTH_LEVEL_PRIVACY,
                                              remote_machine,
                                              creds,
                                              &pipe_hnd);
    } else {
        /*
         * If the user password must be changed the ntlmssp bind will
         * fail the same way as the session setup above did. The
         * difference ist that with a pipe bind we don't get a good
         * error message, the result will be that the rpc call below
         * will just fail. So we do it anonymously, there's no other
         * way.
         */
        result = cli_rpc_pipe_open_noauth(
            cli, &ndr_table_samr, &pipe_hnd);
    }

Best regards,
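The passchange.c excerpt above is the answer to the thread's question in code: when the password must change, smbpasswd binds the samr pipe with no authentication and relies on SamrUnicodeChangePasswordUser2 itself to prove knowledge of the old password. The following is an added example, not code from this thread or from Samba, showing how that proof works. The new password is placed in a 516-byte SAMPR_ENCRYPTED_USER_PASSWORD buffer (512 bytes of random padding followed by the UTF-16LE password, then a 4-byte little-endian length) and the whole buffer is RC4-encrypted with the old NT hash; a server that decrypts it with the hash on file and finds a well-formed buffer knows the caller held the old password, so no authenticated session is needed. MD4 and RC4 are implemented inline so it runs offline; the passwords Password01!/Password02! are the ones from the thread; the DES-encrypted old-hash verifier that the real call also carries is omitted; and the function names (nt_hash, build_change_request, server_check_change) are this example's own, not Samba's.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because hashlib's md4
    is frequently unavailable under OpenSSL 3 (legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                       # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = _lrot((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoding of the password (no salt)."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_change_request(old_password: str, new_password: str, pad=os.urandom) -> bytes:
    """Client side (hypothetical helper name): build the 516-byte
    SAMPR_ENCRYPTED_USER_PASSWORD. The new password sits at the END of the
    512-byte buffer behind random padding, then a 4-byte LE byte length, and
    everything is RC4-encrypted under the OLD NT hash. Nothing here needs an
    authenticated session: the old password is the key."""
    pw = new_password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password longer than the 512-byte buffer")
    plain = pad(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    return rc4(nt_hash(old_password), plain)


def server_check_change(encrypted: bytes, stored_nt_hash: bytes):
    """Server side (hypothetical helper name): decrypt with the hash on file.
    A well-formed length field proves the caller knew the old password;
    anything else is rejected. Returns the new password or None."""
    if len(encrypted) != 516:
        return None
    plain = rc4(stored_nt_hash, encrypted)
    (length,) = struct.unpack("<I", plain[512:])
    if length == 0 or length > 512 or length % 2:
        return None
    try:
        return plain[512 - length:512].decode("utf-16-le")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    # Constructed demo using the thread's passwords, not captured traffic.
    req = build_change_request("Password01!", "Password02!")
    print("accepted with correct old hash:", server_check_change(req, nt_hash("Password01!")))
    print("accepted with wrong old hash:  ", server_check_change(req, nt_hash("Password03!")))
```

Because the only secret involved is the old NT hash, this is also why Rowland's point and Jeremy's observation are both right: a NULL session gets no authenticated identity on the DC, yet the change call can still succeed, since the DC verifies the buffer against the stored hash rather than the session. The same property is what makes the call a password-guessing surface when anonymous access to samr is left enabled.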