No example of creating user using SAMR protocol

[gredwhite]

I have local Samba server. I start it using docker-compose file.

services:
  samba:
    image: instantlinux/samba-dc:latest
    container_name: samba-dc
    cap_add:
      - CAP_SYS_ADMIN
    hostname: my.company
    environment:
      DOMAIN_ACTION: provision
      REALM: my.company
    volumes:
      - etc:/etc/samba
      - lib:/var/lib/samba
    ports:
      - "53:53"
      - "53:53/udp"
      - "88:88"
      - "88:88/udp"
      - "389:389"
      - "139:139"
      - "446:445"
    secrets:
      - samba-admin-password

I want to implement a java program to create a new user in Sambe. SAMR protocol is suitable for this https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/d0360910-33dd-4e3c-b5a2-26daf95f5ffa

In that library (jcifs-ng) there are some classes/files which contain samr as a part of the name. All of them are located in that package: https://github.com/AgNO3/jcifs-ng/tree/master/src/main/java/jcifs/dcerpc/msrpc

But I can't find any example of usage such classes.

Also I asked chatGpt to help me and it returned me the following code:

import jcifs.smb.*;

public class SambaUserCreationExample {
    public static void main(String[] args) {
        String username = "admin";
        String password = "admin_password";
        String domainController = "smb://domain_controller_ip_address";
        String userToCreate = "new_user";
        String userPassword = "new_user_password";
        String groupName = "users";

        try {
            NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("", username, password);
            String remotePath = domainController + "/samr";

            SmbFile smbFile = new SmbFile(remotePath, auth);
            SamrDomain domain = new SamrDomain(smbFile, auth);

            // Create the new user
            SamrUser newUser = domain.createUser(userToCreate, SamrUser.USER_NORMAL_ACCOUNT);
            newUser.setPassword(userPassword);
            newUser.commit();

            // Add the new user to a group
            SamrGroup group = domain.getGroup(groupName);
            group.addUser(newUser);
            group.commit();

            System.out.println("New user created successfully!");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

But I can't find SamrUser, SamrDomain classes in any jcif library

Could you please provide working example of program creating the user ?

[mbechler]

jcifs-ng only provides the basics for the MSRPC protocol and SMB transport - as well as some select calls from the SAMR spec to implement specific functions.

GPT clearly is hallucinating.... (or reproducing someone else's code) welcome to the future....

So you would have to implement the necessary RPCs yourself. I'd strongly suggest using LDAP to create users instead, much less painful.

[gredwhite]

jcifs-ng only provides the basics for the MSRPC protocol and SMB transport - as well as some select calls from the SAMR spec to implement specific functions.

GPT clearly is hallucinating.... (or reproducing someone else's code) welcome to the future....

So you would have to implement the necessary RPCs yourself. I'd strongly suggest using LDAP to create users instead, much less painful.

First of all I would like to say thank you for your answer!

Highly likely that we will use LDAP instead but we would like to have an estimate for implementation of SAMR protocol for user creation. I don't have expirience in any protocol implementation so could you please provide some high level pieces of advice to start from just to give me high-level understanding of the effort.

Why does library has a partial support of SAMR ? Could it be used somehow by the libraries clients?

Because you take a part in development of jcif-ng library you might know some knowledge about similar libraries. Are there any other java libraries which can support it (user creation using SAMR protocol) ?

[mbechler]

You'd have to put together the DCERPC/MSPRC encoding/decoding of the necessary messages like in https://github.com/AgNO3/jcifs-ng/blob/master/src/main/java/jcifs/dcerpc/msrpc/samr.java, then you could just send them as in the existing uses. There is some legacy jcifs IDL to java compiler somewhere, but that never worked for me. Putting these things together by hand, from my experience, is no fun at all.

There are some functions provided to resolve group memberships that use SAMR RPCs, even though I'm not sure anybody even uses them.

I don't believe there is an alternerative Java implementation for MSRPC (at least via SMB, but probably also otherwise) out there. There is SMBJ, but I don't see any RPC support in there.

[gredwhite]

Well... looks like it is painful to use SAMR from java nowadays. And looks like almost noone does it. It is because there are no advantages in SAMR in comparison with quite popular LDAP. Correct ?

You'd have to put together the DCERPC/MSPRC encoding/decoding of the necessary messages like in https://github.com/AgNO3/jcifs-ng/blob/master/src/main/java/jcifs/dcerpc/msrpc/samr.java, then you could just send them as in the existing uses. There is some legacy jcifs IDL to java compiler somewhere, but that never worked for me. Putting these things together by hand, from my experience, is no fun at all.

As I can see there are 2 files: samr.java and samr.iml.

@Generated ( "midlc" )
@SuppressWarnings ( "all" )
public class samr {

Looks like samr.java is generated based on samr.iml but even contributor didn't have successful experience with that staff. Another option is manual implementaion of samr.java taking existing methods as an example.

then you could just send them as in the existing uses

Where can I find existing uses ?

[mbechler]

I don't believe there are advantages using SAMR, that may even be a relict of the pre-AD days.

https://github.com/AgNO3/jcifs-ng/blob/4d45352b1fca9430b9799fbd59f2c667cec2d945/src/main/java/jcifs/smb/SIDCacheImpl.java#L228

shows the currently existing usage of SAMR services.