/[smeserver]/rpms/samba/sme10/samba-4.10-redhat.patch
ViewVC logotype

Annotation of /rpms/samba/sme10/samba-4.10-redhat.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Wed Aug 9 04:48:46 2023 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: samba-4_10_16-24_el7_9, samba-4_10_16-24_1_el7_sme, HEAD 
Initial import
1 jpp 1.1 From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
2     From: Alexander Bokovoy <ab@samba.org>
3     Date: Tue, 7 Jan 2020 19:25:53 +0200
4     Subject: [PATCH 001/142] s3-rpcserver: fix security level check for
5     DsRGetForestTrustInformation
6     MIME-Version: 1.0
7     Content-Type: text/plain; charset=UTF-8
8     Content-Transfer-Encoding: 8bit
9    
10     Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
11     didn't change since DCE RPC channel refactoring.
12    
13     With the current code we return RPC faul as can be seen in the logs:
14    
15     2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
16     netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
17     in: struct netr_DsRGetForestTrustInformation
18     server_name : *
19     server_name : '\\some-dc.example.com'
20     trusted_domain_name : NULL
21     flags : 0x00000000 (0)
22     [2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
23     api_rpcTNP: fault(5) return.
24    
25     This is due to this check in processing a request:
26     if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
27     && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
28     p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
29     return WERR_ACCESS_DENIED;
30     }
31    
32     and since we get AuthZ response,
33    
34     Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
35     Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
36     [2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
37     JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
38     "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
39     "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
40     "serviceDescription": "netlogon", "authType": "ncacn_np",
41     "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
42     "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
43     "transportProtection": "SMB", "accountFlags": "0x00000010"}}
44    
45     this means we are actually getting anonymous DCE/RPC access to netlogon
46     on top of authenticated SMB connection. In such case we have exactly
47     auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
48     DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
49    
50     Update the code to follow the same security level check as in s4 variant
51     of the call.
52    
53     Signed-off-by: Alexander Bokovoy <ab@samba.org>
54     Reviewed-by: Guenther Deschner <gd@samba.org>
55    
56     Autobuild-User(master): Günther Deschner <gd@samba.org>
57     Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
58    
59     (cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
60     ---
61     source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
62     1 file changed, 3 insertions(+), 3 deletions(-)
63    
64     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
65     index d799ba4feef..87613b99fde 100644
66     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
67     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
68     @@ -2425,10 +2425,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
69     {
70     NTSTATUS status;
71     struct lsa_ForestTrustInformation *info, **info_ptr;
72     + enum security_user_level security_level;
73    
74     - if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
75     - && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
76     - p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
77     + security_level = security_session_user_level(p->session_info, NULL);
78     + if (security_level < SECURITY_USER) {
79     return WERR_ACCESS_DENIED;
80     }
81    
82     --
83     2.39.0
84    
85    
86     From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
87     From: Isaac Boukris <iboukris@gmail.com>
88     Date: Wed, 27 May 2020 16:50:45 +0200
89     Subject: [PATCH 002/142] Add a test to check dNSHostName with netbios aliases
90    
91     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
92    
93     Signed-off-by: Isaac Boukris <iboukris@samba.org>
94     Reviewed-by: Andreas Schneider <asn@samba.org>
95     ---
96     selftest/knownfail.d/nb_alias_dnshostname | 2 ++
97     testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++
98     2 files changed, 16 insertions(+)
99     create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
100    
101     diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
102     new file mode 100644
103     index 00000000000..3c14e9931b9
104     --- /dev/null
105     +++ b/selftest/knownfail.d/nb_alias_dnshostname
106     @@ -0,0 +1,2 @@
107     +^samba4.blackbox.net_ads.nb_alias check dNSHostName
108     +^samba4.blackbox.net_ads.nb_alias check main SPN
109     diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
110     index 95c0cf76f90..6073ea972f9 100755
111     --- a/testprogs/blackbox/test_net_ads.sh
112     +++ b/testprogs/blackbox/test_net_ads.sh
113     @@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
114     ##Goodbye...
115     testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
116    
117     +# netbios aliases tests
118     +testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
119     +
120     +testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
121     +
122     +testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
123     +testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
124     +
125     +testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
126     +testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
127     +
128     +##Goodbye...
129     +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
130     +
131     #
132     # Test createcomputer option of 'net ads join'
133     #
134     --
135     2.39.0
136    
137    
138     From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
139     From: Isaac Boukris <iboukris@gmail.com>
140     Date: Wed, 27 May 2020 15:52:46 +0200
141     Subject: [PATCH 003/142] Fix accidental overwrite of dnsHostName by the last
142     netbios alias
143    
144     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
145    
146     Signed-off-by: Isaac Boukris <iboukris@samba.org>
147     Reviewed-by: Andreas Schneider <asn@samba.org>
148     ---
149     selftest/knownfail.d/nb_alias_dnshostname | 2 --
150     source3/libnet/libnet_join.c | 5 +++--
151     2 files changed, 3 insertions(+), 4 deletions(-)
152     delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
153    
154     diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
155     deleted file mode 100644
156     index 3c14e9931b9..00000000000
157     --- a/selftest/knownfail.d/nb_alias_dnshostname
158     +++ /dev/null
159     @@ -1,2 +0,0 @@
160     -^samba4.blackbox.net_ads.nb_alias check dNSHostName
161     -^samba4.blackbox.net_ads.nb_alias check main SPN
162     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
163     index 9d4f656ffec..a31011b0ff8 100644
164     --- a/source3/libnet/libnet_join.c
165     +++ b/source3/libnet/libnet_join.c
166     @@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
167     ADS_STATUS status;
168     ADS_MODLIST mods;
169     fstring my_fqdn;
170     + fstring my_alias;
171     const char **spn_array = NULL;
172     size_t num_spns = 0;
173     char *spn = NULL;
174     @@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
175     /*
176     * Add HOST/netbiosname.domainname
177     */
178     - fstr_sprintf(my_fqdn, "%s.%s",
179     + fstr_sprintf(my_alias, "%s.%s",
180     *netbios_aliases,
181     lp_dnsdomain());
182    
183     - spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
184     + spn = talloc_asprintf(frame, "HOST/%s", my_alias);
185     if (spn == NULL) {
186     status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
187     goto done;
188     --
189     2.39.0
190    
191    
192     From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
193     From: Isaac Boukris <iboukris@gmail.com>
194     Date: Thu, 24 Oct 2019 19:04:51 +0300
195     Subject: [PATCH 004/142] Refactor ads_keytab_add_entry() to make it iterable
196    
197     so we can more easily add msDS-AdditionalDnsHostName entries.
198    
199     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
200    
201     Signed-off-by: Isaac Boukris <iboukris@samba.org>
202     Reviewed-by: Andreas Schneider <asn@samba.org>
203     ---
204     source3/libads/kerberos_keytab.c | 197 +++++++++++++++++--------------
205     1 file changed, 107 insertions(+), 90 deletions(-)
206    
207     diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
208     index 97d5535041c..0f450a09df5 100644
209     --- a/source3/libads/kerberos_keytab.c
210     +++ b/source3/libads/kerberos_keytab.c
211     @@ -228,18 +228,16 @@ out:
212     return ok;
213     }
214    
215     -/**********************************************************************
216     - Adds a single service principal, i.e. 'host' to the system keytab
217     -***********************************************************************/
218     -
219     -int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
220     +static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
221     + ADS_STRUCT *ads, const char *salt_princ_s,
222     + krb5_keytab keytab, krb5_kvno kvno,
223     + const char *srvPrinc, const char *my_fqdn,
224     + krb5_data *password, bool update_ads)
225     {
226     krb5_error_code ret = 0;
227     - krb5_context context = NULL;
228     - krb5_keytab keytab = NULL;
229     - krb5_data password;
230     - krb5_kvno kvno;
231     - krb5_enctype enctypes[6] = {
232     + char *princ_s = NULL;
233     + char *short_princ_s = NULL;
234     + krb5_enctype enctypes[6] = {
235     ENCTYPE_DES_CBC_CRC,
236     ENCTYPE_DES_CBC_MD5,
237     #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
238     @@ -251,65 +249,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
239     ENCTYPE_ARCFOUR_HMAC,
240     0
241     };
242     - char *princ_s = NULL;
243     - char *short_princ_s = NULL;
244     - char *salt_princ_s = NULL;
245     - char *password_s = NULL;
246     - char *my_fqdn;
247     - TALLOC_CTX *tmpctx = NULL;
248     - int i;
249     -
250     - ret = smb_krb5_init_context_common(&context);
251     - if (ret) {
252     - DBG_ERR("kerberos init context failed (%s)\n",
253     - error_message(ret));
254     - return -1;
255     - }
256     -
257     - ret = ads_keytab_open(context, &keytab);
258     - if (ret != 0) {
259     - goto out;
260     - }
261     -
262     - /* retrieve the password */
263     - if (!secrets_init()) {
264     - DEBUG(1, (__location__ ": secrets_init failed\n"));
265     - ret = -1;
266     - goto out;
267     - }
268     - password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
269     - if (!password_s) {
270     - DEBUG(1, (__location__ ": failed to fetch machine password\n"));
271     - ret = -1;
272     - goto out;
273     - }
274     - ZERO_STRUCT(password);
275     - password.data = password_s;
276     - password.length = strlen(password_s);
277     -
278     - /* we need the dNSHostName value here */
279     - tmpctx = talloc_init(__location__);
280     - if (!tmpctx) {
281     - DEBUG(0, (__location__ ": talloc_init() failed!\n"));
282     - ret = -1;
283     - goto out;
284     - }
285     -
286     - my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
287     - if (!my_fqdn) {
288     - DEBUG(0, (__location__ ": unable to determine machine "
289     - "account's dns name in AD!\n"));
290     - ret = -1;
291     - goto out;
292     - }
293     -
294     - /* make sure we have a single instance of a the computer account */
295     - if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
296     - DEBUG(0, (__location__ ": unable to determine machine "
297     - "account's short name in AD!\n"));
298     - ret = -1;
299     - goto out;
300     - }
301     + size_t i;
302    
303     /* Construct our principal */
304     if (strchr_m(srvPrinc, '@')) {
305     @@ -358,22 +298,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
306     }
307     }
308    
309     - kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
310     - if (kvno == -1) {
311     - /* -1 indicates failure, everything else is OK */
312     - DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
313     - "determine the system's kvno.\n"));
314     - ret = -1;
315     - goto out;
316     - }
317     -
318     - salt_princ_s = kerberos_secrets_fetch_salt_princ();
319     - if (salt_princ_s == NULL) {
320     - DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
321     - ret = -1;
322     - goto out;
323     - }
324     -
325     for (i = 0; enctypes[i]; i++) {
326    
327     /* add the fqdn principal to the keytab */
328     @@ -383,11 +307,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
329     princ_s,
330     salt_princ_s,
331     enctypes[i],
332     - &password,
333     + password,
334     false,
335     false);
336     if (ret) {
337     - DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
338     + DBG_WARNING("Failed to add entry to keytab\n");
339     goto out;
340     }
341    
342     @@ -399,16 +323,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
343     short_princ_s,
344     salt_princ_s,
345     enctypes[i],
346     - &password,
347     + password,
348     false,
349     false);
350     if (ret) {
351     - DEBUG(1, (__location__
352     - ": Failed to add short entry to keytab\n"));
353     + DBG_WARNING("Failed to add short entry to keytab\n");
354     goto out;
355     }
356     }
357     }
358     +out:
359     + return ret;
360     +}
361     +
362     +/**********************************************************************
363     + Adds a single service principal, i.e. 'host' to the system keytab
364     +***********************************************************************/
365     +
366     +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
367     +{
368     + krb5_error_code ret = 0;
369     + krb5_context context = NULL;
370     + krb5_keytab keytab = NULL;
371     + krb5_data password;
372     + krb5_kvno kvno;
373     + char *salt_princ_s = NULL;
374     + char *password_s = NULL;
375     + char *my_fqdn;
376     + TALLOC_CTX *tmpctx = NULL;
377     +
378     + ret = smb_krb5_init_context_common(&context);
379     + if (ret) {
380     + DBG_ERR("kerberos init context failed (%s)\n",
381     + error_message(ret));
382     + return -1;
383     + }
384     +
385     + ret = ads_keytab_open(context, &keytab);
386     + if (ret != 0) {
387     + goto out;
388     + }
389     +
390     + /* retrieve the password */
391     + if (!secrets_init()) {
392     + DBG_WARNING("secrets_init failed\n");
393     + ret = -1;
394     + goto out;
395     + }
396     + password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
397     + if (!password_s) {
398     + DBG_WARNING("failed to fetch machine password\n");
399     + ret = -1;
400     + goto out;
401     + }
402     + ZERO_STRUCT(password);
403     + password.data = password_s;
404     + password.length = strlen(password_s);
405     +
406     + /* we need the dNSHostName value here */
407     + tmpctx = talloc_init(__location__);
408     + if (!tmpctx) {
409     + DBG_ERR("talloc_init() failed!\n");
410     + ret = -1;
411     + goto out;
412     + }
413     +
414     + my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
415     + if (!my_fqdn) {
416     + DBG_ERR("unable to determine machine account's dns name in "
417     + "AD!\n");
418     + ret = -1;
419     + goto out;
420     + }
421     +
422     + /* make sure we have a single instance of a the computer account */
423     + if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
424     + DBG_ERR("unable to determine machine account's short name in "
425     + "AD!\n");
426     + ret = -1;
427     + goto out;
428     + }
429     +
430     + kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
431     + if (kvno == -1) {
432     + /* -1 indicates failure, everything else is OK */
433     + DBG_WARNING("ads_get_machine_kvno failed to determine the "
434     + "system's kvno.\n");
435     + ret = -1;
436     + goto out;
437     + }
438     +
439     + salt_princ_s = kerberos_secrets_fetch_salt_princ();
440     + if (salt_princ_s == NULL) {
441     + DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
442     + ret = -1;
443     + goto out;
444     + }
445     +
446     + ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
447     + kvno, srvPrinc, my_fqdn, &password,
448     + update_ads);
449     + if (ret != 0) {
450     + goto out;
451     + }
452    
453     out:
454     SAFE_FREE(salt_princ_s);
455     --
456     2.39.0
457    
458    
459     From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
460     From: Isaac Boukris <iboukris@gmail.com>
461     Date: Wed, 27 May 2020 17:55:12 +0200
462     Subject: [PATCH 005/142] Add a test for msDS-AdditionalDnsHostName entries in
463     keytab
464    
465     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
466    
467     Signed-off-by: Isaac Boukris <iboukris@samba.org>
468     Reviewed-by: Andreas Schneider <asn@samba.org>
469     ---
470     selftest/knownfail.d/dns_alias_keytab | 2 ++
471     testprogs/blackbox/test_net_ads.sh | 9 +++++++++
472     2 files changed, 11 insertions(+)
473     create mode 100644 selftest/knownfail.d/dns_alias_keytab
474    
475     diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
476     new file mode 100644
477     index 00000000000..216592e1210
478     --- /dev/null
479     +++ b/selftest/knownfail.d/dns_alias_keytab
480     @@ -0,0 +1,2 @@
481     +^samba4.blackbox.net_ads.dns alias1 check keytab
482     +^samba4.blackbox.net_ads.dns alias2 check keytab
483     diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
484     index 6073ea972f9..a40b477a173 100755
485     --- a/testprogs/blackbox/test_net_ads.sh
486     +++ b/testprogs/blackbox/test_net_ads.sh
487     @@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
488     testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
489     testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
490    
491     +dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
492     +
493     +testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
494     +
495     +testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
496     +testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
497     +
498     +rm -f $dedicated_keytab_file
499     +
500     ##Goodbye...
501     testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
502    
503     --
504     2.39.0
505    
506    
507     From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
508     From: Isaac Boukris <iboukris@gmail.com>
509     Date: Wed, 27 May 2020 15:36:28 +0200
510     Subject: [PATCH 006/142] Add msDS-AdditionalDnsHostName entries to the keytab
511    
512     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
513    
514     Signed-off-by: Isaac Boukris <iboukris@samba.org>
515     Reviewed-by: Andreas Schneider <asn@samba.org>
516     ---
517     selftest/knownfail.d/dns_alias_keytab | 2 --
518     source3/libads/ads_proto.h | 5 +++
519     source3/libads/kerberos_keytab.c | 21 +++++++++++++
520     source3/libads/ldap.c | 45 +++++++++++++++++++++++++++
521     4 files changed, 71 insertions(+), 2 deletions(-)
522     delete mode 100644 selftest/knownfail.d/dns_alias_keytab
523    
524     diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
525     deleted file mode 100644
526     index 216592e1210..00000000000
527     --- a/selftest/knownfail.d/dns_alias_keytab
528     +++ /dev/null
529     @@ -1,2 +0,0 @@
530     -^samba4.blackbox.net_ads.dns alias1 check keytab
531     -^samba4.blackbox.net_ads.dns alias2 check keytab
532     diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
533     index 495ef5d3325..cd9c1082681 100644
534     --- a/source3/libads/ads_proto.h
535     +++ b/source3/libads/ads_proto.h
536     @@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
537     enum ads_extended_dn_flags flags,
538     struct dom_sid *sid);
539     char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
540     +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
541     + ADS_STRUCT *ads,
542     + const char *machine_name,
543     + char ***hostnames_array,
544     + size_t *num_hostnames);
545     char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
546     bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
547     ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
548     diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
549     index 0f450a09df5..818ec884a03 100644
550     --- a/source3/libads/kerberos_keytab.c
551     +++ b/source3/libads/kerberos_keytab.c
552     @@ -351,6 +351,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
553     char *password_s = NULL;
554     char *my_fqdn;
555     TALLOC_CTX *tmpctx = NULL;
556     + char **hostnames_array = NULL;
557     + size_t num_hostnames = 0;
558    
559     ret = smb_krb5_init_context_common(&context);
560     if (ret) {
561     @@ -427,6 +429,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
562     goto out;
563     }
564    
565     + if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
566     + lp_netbios_name(),
567     + &hostnames_array,
568     + &num_hostnames))) {
569     + size_t i;
570     +
571     + for (i = 0; i < num_hostnames; i++) {
572     +
573     + ret = add_kt_entry_etypes(context, tmpctx, ads,
574     + salt_princ_s, keytab,
575     + kvno, srvPrinc,
576     + hostnames_array[i],
577     + &password, update_ads);
578     + if (ret != 0) {
579     + goto out;
580     + }
581     + }
582     + }
583     +
584     out:
585     SAFE_FREE(salt_princ_s);
586     TALLOC_FREE(tmpctx);
587     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
588     index db2b72ab1b5..02a628ee0e6 100644
589     --- a/source3/libads/ldap.c
590     +++ b/source3/libads/ldap.c
591     @@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
592     "unicodePwd",
593    
594     /* Additional attributes Samba checks */
595     + "msDS-AdditionalDnsHostName",
596     "msDS-SupportedEncryptionTypes",
597     "nTSecurityDescriptor",
598    
599     @@ -3663,6 +3664,50 @@ out:
600     /********************************************************************
601     ********************************************************************/
602    
603     +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
604     + ADS_STRUCT *ads,
605     + const char *machine_name,
606     + char ***hostnames_array,
607     + size_t *num_hostnames)
608     +{
609     + ADS_STATUS status;
610     + LDAPMessage *res = NULL;
611     + int count;
612     +
613     + status = ads_find_machine_acct(ads,
614     + &res,
615     + machine_name);
616     + if (!ADS_ERR_OK(status)) {
617     + DEBUG(1,("Host Account for %s not found... skipping operation.\n",
618     + machine_name));
619     + return status;
620     + }
621     +
622     + count = ads_count_replies(ads, res);
623     + if (count != 1) {
624     + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
625     + goto done;
626     + }
627     +
628     + *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
629     + "msDS-AdditionalDnsHostName",
630     + num_hostnames);
631     + if (*hostnames_array == NULL) {
632     + DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
633     + machine_name));
634     + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
635     + goto done;
636     + }
637     +
638     +done:
639     + ads_msgfree(ads, res);
640     +
641     + return status;
642     +}
643     +
644     +/********************************************************************
645     +********************************************************************/
646     +
647     char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
648     {
649     LDAPMessage *res = NULL;
650     --
651     2.39.0
652    
653    
654     From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
655     From: Isaac Boukris <iboukris@gmail.com>
656     Date: Wed, 27 May 2020 15:54:12 +0200
657     Subject: [PATCH 007/142] Add net-ads-join dnshostname=fqdn option
658    
659     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
660    
661     Signed-off-by: Isaac Boukris <iboukris@samba.org>
662     Reviewed-by: Andreas Schneider <asn@samba.org>
663    
664     Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
665     Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
666     ---
667     docs-xml/manpages/net.8.xml | 7 ++++++-
668     source3/libnet/libnet_join.c | 7 ++++++-
669     source3/librpc/idl/libnet_join.idl | 1 +
670     source3/utils/net_ads.c | 9 ++++++++-
671     testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++
672     5 files changed, 36 insertions(+), 3 deletions(-)
673    
674     diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
675     index 37dfa2af694..69e18df8b6c 100644
676     --- a/docs-xml/manpages/net.8.xml
677     +++ b/docs-xml/manpages/net.8.xml
678     @@ -454,7 +454,7 @@ The remote server must be specified with the -S option.
679    
680     <refsect2>
681     <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
682     -[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
683     +[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
684     [osName=string osVer=string] [options]</title>
685    
686     <para>
687     @@ -469,6 +469,11 @@ be created.</para>
688     joining the domain.
689     </para>
690    
691     +<para>
692     +[FQDN] (ADS only) set the dnsHosName attribute during the join.
693     +The default format is netbiosname.dnsdomain.
694     +</para>
695     +
696     <para>
697     [UPN] (ADS only) set the principalname attribute during the join. The default
698     format is host/netbiosname@REALM.
699     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
700     index a31011b0ff8..de558be4f91 100644
701     --- a/source3/libnet/libnet_join.c
702     +++ b/source3/libnet/libnet_join.c
703     @@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
704     goto done;
705     }
706    
707     - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
708     + if (r->in.dnshostname != NULL) {
709     + fstr_sprintf(my_fqdn, "%s", r->in.dnshostname);
710     + } else {
711     + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
712     + lp_dnsdomain());
713     + }
714    
715     if (!strlower_m(my_fqdn)) {
716     status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
717     diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
718     index e45034d40da..03d919863b5 100644
719     --- a/source3/librpc/idl/libnet_join.idl
720     +++ b/source3/librpc/idl/libnet_join.idl
721     @@ -37,6 +37,7 @@ interface libnetjoin
722     [in] string os_servicepack,
723     [in] boolean8 create_upn,
724     [in] string upn,
725     + [in] string dnshostname,
726     [in] boolean8 modify_config,
727     [in,unique] ads_struct *ads,
728     [in] boolean8 debug,
729     diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
730     index 07a22098fb1..3cf8fbbf7c8 100644
731     --- a/source3/utils/net_ads.c
732     +++ b/source3/utils/net_ads.c
733     @@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
734     {
735     d_printf(_("net ads join [--no-dns-updates] [options]\n"
736     "Valid options:\n"));
737     + d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
738     + " The default is in the form netbiosname.dnsdomain\n"));
739     d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
740     " The default UPN is in the form host/netbiosname@REALM.\n"));
741     d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
742     @@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
743     const char *domain = lp_realm();
744     WERROR werr = WERR_NERR_SETUPNOTJOINED;
745     bool createupn = false;
746     + const char *dnshostname = NULL;
747     const char *machineupn = NULL;
748     const char *machine_password = NULL;
749     const char *create_in_ou = NULL;
750     @@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
751     /* process additional command line args */
752    
753     for ( i=0; i<argc; i++ ) {
754     - if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
755     + if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
756     + dnshostname = get_string_param(argv[i]);
757     + }
758     + else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
759     createupn = true;
760     machineupn = get_string_param(argv[i]);
761     }
762     @@ -1938,6 +1944,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
763     r->in.domain_name_type = domain_name_type;
764     r->in.create_upn = createupn;
765     r->in.upn = machineupn;
766     + r->in.dnshostname = dnshostname;
767     r->in.account_ou = create_in_ou;
768     r->in.os_name = os_name;
769     r->in.os_version = os_version;
770     diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
771     index a40b477a173..85257f445d8 100755
772     --- a/testprogs/blackbox/test_net_ads.sh
773     +++ b/testprogs/blackbox/test_net_ads.sh
774     @@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file
775    
776     testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
777    
778     +#
779     +# Test dnshostname option of 'net ads join'
780     +#
781     +testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
782     +
783     +testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
784     +
785     +testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
786     +
787     +testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
788     +
789     +rm -f $dedicated_keytab_file
790     +
791     +testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
792     +
793     rm -rf $BASEDIR/$WORKDIR
794    
795     exit $failed
796     --
797     2.39.0
798    
799    
800     From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
801     From: Stefan Metzmacher <metze@samba.org>
802     Date: Wed, 16 Sep 2020 16:04:57 +0200
803     Subject: [PATCH 008/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
804     netlogon_creds_random_challenge()
805    
806     It's good to have just a single isolated function that will generate
807     random challenges, in future we can add some logic in order to
808     avoid weak values, which are likely to be rejected by a server.
809    
810     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
811    
812     Signed-off-by: Stefan Metzmacher <metze@samba.org>
813     ---
814     libcli/auth/credentials.c | 8 ++++++++
815     libcli/auth/proto.h | 2 ++
816     2 files changed, 10 insertions(+)
817    
818     diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
819     index b6c8ba281ba..dbbef9e7a3c 100644
820     --- a/libcli/auth/credentials.c
821     +++ b/libcli/auth/credentials.c
822     @@ -26,9 +26,17 @@
823     #include "libcli/auth/libcli_auth.h"
824     #include "../libcli/security/dom_sid.h"
825    
826     +
827     +void netlogon_creds_random_challenge(struct netr_Credential *challenge)
828     +{
829     + ZERO_STRUCTP(challenge);
830     + generate_random_buffer(challenge->data, sizeof(challenge->data));
831     +}
832     +
833     static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
834     const struct netr_Credential *in,
835     struct netr_Credential *out)
836     +
837     {
838     if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
839     AES_KEY key;
840     diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
841     index 82febe74440..82797d453ed 100644
842     --- a/libcli/auth/proto.h
843     +++ b/libcli/auth/proto.h
844     @@ -11,6 +11,8 @@
845    
846     /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
847    
848     +void netlogon_creds_random_challenge(struct netr_Credential *challenge);
849     +
850     void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
851     void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
852     void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
853     --
854     2.39.0
855    
856    
857     From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
858     From: Stefan Metzmacher <metze@samba.org>
859     Date: Wed, 16 Sep 2020 16:07:30 +0200
860     Subject: [PATCH 009/142] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
861     netlogon_creds_random_challenge()
862    
863     This will avoid getting flakey tests once our server starts to
864     reject weak challenges.
865    
866     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
867    
868     Signed-off-by: Stefan Metzmacher <metze@samba.org>
869     ---
870     source4/torture/rpc/lsa.c | 2 +-
871     source4/torture/rpc/netlogon.c | 34 ++++++++++++----------------------
872     2 files changed, 13 insertions(+), 23 deletions(-)
873    
874     diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
875     index 21cc16afbaf..7bdc0cf679a 100644
876     --- a/source4/torture/rpc/lsa.c
877     +++ b/source4/torture/rpc/lsa.c
878     @@ -2847,7 +2847,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
879     r.in.credentials = &credentials1;
880     r.out.return_credentials = &credentials2;
881    
882     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
883     + netlogon_creds_random_challenge(&credentials1);
884    
885     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
886     "ServerReqChallenge failed");
887     diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
888     index 026d86d50e4..e11014922f8 100644
889     --- a/source4/torture/rpc/netlogon.c
890     +++ b/source4/torture/rpc/netlogon.c
891     @@ -160,7 +160,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
892     r.in.credentials = &credentials1;
893     r.out.return_credentials = &credentials2;
894    
895     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
896     + netlogon_creds_random_challenge(&credentials1);
897    
898     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
899     "ServerReqChallenge failed");
900     @@ -229,7 +229,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct
901     r.in.credentials = &credentials1;
902     r.out.return_credentials = &credentials2;
903    
904     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
905     + netlogon_creds_random_challenge(&credentials1);
906    
907     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
908     "ServerReqChallenge failed");
909     @@ -318,7 +318,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
910     r.in.credentials = &credentials1;
911     r.out.return_credentials = &credentials2;
912    
913     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
914     + netlogon_creds_random_challenge(&credentials1);
915    
916     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
917     "ServerReqChallenge failed");
918     @@ -390,7 +390,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
919     r.in.credentials = &credentials1;
920     r.out.return_credentials = &credentials2;
921    
922     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
923     + netlogon_creds_random_challenge(&credentials1);
924    
925     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
926     "ServerReqChallenge failed");
927     @@ -1278,7 +1278,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx,
928     r.in.credentials = &credentials1;
929     r.out.return_credentials = &credentials2;
930    
931     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
932     + netlogon_creds_random_challenge(&credentials1);
933    
934     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
935     "ServerReqChallenge failed on b1");
936     @@ -1367,7 +1367,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx,
937     r.in.credentials = &credentials1;
938     r.out.return_credentials = &credentials2;
939    
940     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
941     + netlogon_creds_random_challenge(&credentials1);
942    
943     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
944     "ServerReqChallenge failed on b1");
945     @@ -1456,7 +1456,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx,
946     r.in.credentials = &credentials1;
947     r.out.return_credentials = &credentials2;
948    
949     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
950     + netlogon_creds_random_challenge(&credentials1);
951    
952     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
953     "ServerReqChallenge failed on b1");
954     @@ -1546,7 +1546,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx,
955     r.in.credentials = &credentials1;
956     r.out.return_credentials = &credentials2;
957    
958     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
959     + netlogon_creds_random_challenge(&credentials1);
960    
961     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
962     "ServerReqChallenge failed on b1");
963     @@ -1638,8 +1638,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
964     r.in.credentials = &credentials1_random;
965     r.out.return_credentials = &credentials_discard;
966    
967     - generate_random_buffer(credentials1_random.data,
968     - sizeof(credentials1_random.data));
969     + netlogon_creds_random_challenge(&credentials1_random);
970    
971     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
972     "ServerReqChallenge failed on b1");
973     @@ -1651,7 +1650,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
974     r.in.credentials = &credentials1;
975     r.out.return_credentials = &credentials2;
976    
977     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
978     + netlogon_creds_random_challenge(&credentials1);
979    
980     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
981     "ServerReqChallenge failed on b1");
982     @@ -1662,16 +1661,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
983     r.in.credentials = &credentials1_random;
984     r.out.return_credentials = &credentials_discard;
985    
986     - generate_random_buffer(credentials1_random.data,
987     - sizeof(credentials1_random.data));
988     -
989     - r.in.server_name = NULL;
990     - r.in.computer_name = "CHALTEST3";
991     - r.in.credentials = &credentials1_random;
992     - r.out.return_credentials = &credentials_discard;
993     -
994     - generate_random_buffer(credentials1_random.data,
995     - sizeof(credentials1_random.data));
996     + netlogon_creds_random_challenge(&credentials1_random);
997    
998     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
999     "ServerReqChallenge failed on b1");
1000     @@ -1747,7 +1737,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx,
1001     r.in.credentials = &credentials1;
1002     r.out.return_credentials = &credentials2;
1003    
1004     - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
1005     + netlogon_creds_random_challenge(&credentials1);
1006    
1007     torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
1008     "ServerReqChallenge");
1009     --
1010     2.39.0
1011    
1012    
1013     From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
1014     From: Stefan Metzmacher <metze@samba.org>
1015     Date: Wed, 16 Sep 2020 16:08:38 +0200
1016     Subject: [PATCH 010/142] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
1017     netlogon_creds_random_challenge() in netlogon_creds_cli.c
1018    
1019     This will avoid getting rejected by the server if we generate
1020     a weak challenge.
1021    
1022     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1023    
1024     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1025     ---
1026     libcli/auth/netlogon_creds_cli.c | 3 +--
1027     1 file changed, 1 insertion(+), 2 deletions(-)
1028    
1029     diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
1030     index 817d2cd041a..0f6ca11ff96 100644
1031     --- a/libcli/auth/netlogon_creds_cli.c
1032     +++ b/libcli/auth/netlogon_creds_cli.c
1033     @@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
1034    
1035     TALLOC_FREE(state->creds);
1036    
1037     - generate_random_buffer(state->client_challenge.data,
1038     - sizeof(state->client_challenge.data));
1039     + netlogon_creds_random_challenge(&state->client_challenge);
1040    
1041     subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
1042     state->binding_handle,
1043     --
1044     2.39.0
1045    
1046    
1047     From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
1048     From: Stefan Metzmacher <metze@samba.org>
1049     Date: Wed, 16 Sep 2020 16:10:53 +0200
1050     Subject: [PATCH 011/142] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon:
1051     make use of netlogon_creds_random_challenge()
1052    
1053     This is not strictly needed, but makes things more clear.
1054    
1055     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1056    
1057     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1058     ---
1059     source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +--
1060     1 file changed, 1 insertion(+), 2 deletions(-)
1061    
1062     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1063     index 87613b99fde..86b2f343e82 100644
1064     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1065     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1066     @@ -840,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
1067    
1068     pipe_state->client_challenge = *r->in.credentials;
1069    
1070     - generate_random_buffer(pipe_state->server_challenge.data,
1071     - sizeof(pipe_state->server_challenge.data));
1072     + netlogon_creds_random_challenge(&pipe_state->server_challenge);
1073    
1074     *r->out.return_credentials = pipe_state->server_challenge;
1075    
1076     --
1077     2.39.0
1078    
1079    
1080     From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
1081     From: Stefan Metzmacher <metze@samba.org>
1082     Date: Wed, 16 Sep 2020 16:10:53 +0200
1083     Subject: [PATCH 012/142] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon:
1084     make use of netlogon_creds_random_challenge()
1085    
1086     This is not strictly needed, but makes things more clear.
1087    
1088     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1089    
1090     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1091     ---
1092     source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
1093     1 file changed, 1 insertion(+), 2 deletions(-)
1094    
1095     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1096     index 023adfd99e9..de260d8051d 100644
1097     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1098     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1099     @@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
1100    
1101     pipe_state->client_challenge = *r->in.credentials;
1102    
1103     - generate_random_buffer(pipe_state->server_challenge.data,
1104     - sizeof(pipe_state->server_challenge.data));
1105     + netlogon_creds_random_challenge(&pipe_state->server_challenge);
1106    
1107     *r->out.return_credentials = pipe_state->server_challenge;
1108    
1109     --
1110     2.39.0
1111    
1112    
1113     From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
1114     From: Stefan Metzmacher <metze@samba.org>
1115     Date: Wed, 16 Sep 2020 16:15:26 +0200
1116     Subject: [PATCH 013/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
1117     netlogon_creds_is_random_challenge() to avoid weak values
1118    
1119     This is the check Windows is using, so we won't generate challenges,
1120     which are rejected by Windows DCs (and future Samba DCs).
1121    
1122     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1123    
1124     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1125     ---
1126     libcli/auth/credentials.c | 23 ++++++++++++++++++++++-
1127     libcli/auth/proto.h | 1 +
1128     2 files changed, 23 insertions(+), 1 deletion(-)
1129    
1130     diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
1131     index dbbef9e7a3c..64b424c099f 100644
1132     --- a/libcli/auth/credentials.c
1133     +++ b/libcli/auth/credentials.c
1134     @@ -27,10 +27,31 @@
1135     #include "../libcli/security/dom_sid.h"
1136    
1137    
1138     +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
1139     +{
1140     + /*
1141     + * If none of the first 5 bytes of the client challenge is unique, the
1142     + * server MUST fail session-key negotiation without further processing
1143     + * of the following steps.
1144     + */
1145     +
1146     + if (challenge->data[1] == challenge->data[0] &&
1147     + challenge->data[2] == challenge->data[0] &&
1148     + challenge->data[3] == challenge->data[0] &&
1149     + challenge->data[4] == challenge->data[0])
1150     + {
1151     + return false;
1152     + }
1153     +
1154     + return true;
1155     +}
1156     +
1157     void netlogon_creds_random_challenge(struct netr_Credential *challenge)
1158     {
1159     ZERO_STRUCTP(challenge);
1160     - generate_random_buffer(challenge->data, sizeof(challenge->data));
1161     + while (!netlogon_creds_is_random_challenge(challenge)) {
1162     + generate_random_buffer(challenge->data, sizeof(challenge->data));
1163     + }
1164     }
1165    
1166     static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
1167     diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
1168     index 82797d453ed..ad768682b9f 100644
1169     --- a/libcli/auth/proto.h
1170     +++ b/libcli/auth/proto.h
1171     @@ -11,6 +11,7 @@
1172    
1173     /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
1174    
1175     +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
1176     void netlogon_creds_random_challenge(struct netr_Credential *challenge);
1177    
1178     void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
1179     --
1180     2.39.0
1181    
1182    
1183     From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
1184     From: Stefan Metzmacher <metze@samba.org>
1185     Date: Wed, 16 Sep 2020 16:17:29 +0200
1186     Subject: [PATCH 014/142] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
1187     client challenges in netlogon_creds_server_init()
1188    
1189     This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
1190    
1191     7. If none of the first 5 bytes of the client challenge is unique, the
1192     server MUST fail session-key negotiation without further processing of
1193     the following steps.
1194    
1195     It lets ./zerologon_tester.py from
1196     https://github.com/SecuraBV/CVE-2020-1472.git
1197     report: "Attack failed. Target is probably patched."
1198    
1199     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1200    
1201     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1202    
1203     [dbagnall@samba.org, abartlet@samba.org: wscript_build backport
1204     differs because 4.10 has no gnutls dependency]
1205     ---
1206     libcli/auth/credentials.c | 16 ++++++++++++++++
1207     libcli/auth/wscript_build | 2 +-
1208     2 files changed, 17 insertions(+), 1 deletion(-)
1209    
1210     diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
1211     index 64b424c099f..e2bc82809b7 100644
1212     --- a/libcli/auth/credentials.c
1213     +++ b/libcli/auth/credentials.c
1214     @@ -25,6 +25,7 @@
1215     #include "../lib/crypto/crypto.h"
1216     #include "libcli/auth/libcli_auth.h"
1217     #include "../libcli/security/dom_sid.h"
1218     +#include "lib/util/util_str_escape.h"
1219    
1220    
1221     bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
1222     @@ -451,6 +452,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
1223     {
1224    
1225     struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
1226     + bool ok;
1227    
1228     if (!creds) {
1229     return NULL;
1230     @@ -463,6 +465,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
1231     dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
1232     dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
1233    
1234     + ok = netlogon_creds_is_random_challenge(client_challenge);
1235     + if (!ok) {
1236     + DBG_WARNING("CVE-2020-1472(ZeroLogon): "
1237     + "non-random client challenge rejected for "
1238     + "client_account[%s] client_computer_name[%s]\n",
1239     + log_escape(mem_ctx, client_account),
1240     + log_escape(mem_ctx, client_computer_name));
1241     + dump_data(DBGLVL_WARNING,
1242     + client_challenge->data,
1243     + sizeof(client_challenge->data));
1244     + talloc_free(creds);
1245     + return NULL;
1246     + }
1247     +
1248     creds->computer_name = talloc_strdup(creds, client_computer_name);
1249     if (!creds->computer_name) {
1250     talloc_free(creds);
1251     diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
1252     index d319d9b879e..394505d166d 100644
1253     --- a/libcli/auth/wscript_build
1254     +++ b/libcli/auth/wscript_build
1255     @@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
1256    
1257     bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
1258     source='credentials.c session.c smbencrypt.c smbdes.c',
1259     - public_deps='MSRPC_PARSE',
1260     + public_deps='MSRPC_PARSE util_str_escape',
1261     public_headers='credentials.h:domain_credentials.h'
1262     )
1263    
1264     --
1265     2.39.0
1266    
1267    
1268     From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
1269     From: Stefan Metzmacher <metze@samba.org>
1270     Date: Wed, 16 Sep 2020 19:20:25 +0200
1271     Subject: [PATCH 015/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1272     protect netr_ServerPasswordSet2 against unencrypted passwords
1273    
1274     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1275    
1276     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1277     ---
1278     source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 ++++++++++++++++++-
1279     1 file changed, 59 insertions(+), 1 deletion(-)
1280    
1281     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1282     index de260d8051d..acbf077c6c7 100644
1283     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1284     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1285     @@ -722,7 +722,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
1286     struct NL_PASSWORD_VERSION version = {};
1287     const uint32_t *new_version = NULL;
1288     NTSTATUS nt_status;
1289     - DATA_BLOB new_password;
1290     + DATA_BLOB new_password = data_blob_null;
1291     + size_t confounder_len;
1292     + DATA_BLOB dec_blob = data_blob_null;
1293     + DATA_BLOB enc_blob = data_blob_null;
1294     int ret;
1295     struct samr_CryptPassword password_buf;
1296    
1297     @@ -780,6 +783,61 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
1298     return NT_STATUS_WRONG_PASSWORD;
1299     }
1300    
1301     + /*
1302     + * Make sure the length field was encrypted,
1303     + * otherwise we are under attack.
1304     + */
1305     + if (new_password.length == r->in.new_password->length) {
1306     + DBG_WARNING("Length[%zu] field not encrypted\n",
1307     + new_password.length);
1308     + return NT_STATUS_WRONG_PASSWORD;
1309     + }
1310     +
1311     + /*
1312     + * We don't allow empty passwords for machine accounts.
1313     + */
1314     + if (new_password.length < 2) {
1315     + DBG_WARNING("Empty password Length[%zu]\n",
1316     + new_password.length);
1317     + return NT_STATUS_WRONG_PASSWORD;
1318     + }
1319     +
1320     + /*
1321     + * Make sure the confounder part of CryptPassword
1322     + * buffer was encrypted, otherwise we are under attack.
1323     + */
1324     + confounder_len = 512 - new_password.length;
1325     + enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1326     + dec_blob = data_blob_const(password_buf.data, confounder_len);
1327     + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1328     + DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1329     + confounder_len);
1330     + return NT_STATUS_WRONG_PASSWORD;
1331     + }
1332     +
1333     + /*
1334     + * Check that the password part was actually encrypted,
1335     + * otherwise we are under attack.
1336     + */
1337     + enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1338     + new_password.length);
1339     + dec_blob = data_blob_const(password_buf.data + confounder_len,
1340     + new_password.length);
1341     + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1342     + DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1343     + new_password.length);
1344     + return NT_STATUS_WRONG_PASSWORD;
1345     + }
1346     +
1347     + /*
1348     + * don't allow zero buffers
1349     + */
1350     + if (all_zero(new_password.data, new_password.length)) {
1351     + DBG_WARNING("Password zero buffer Length[%zu]\n",
1352     + new_password.length);
1353     + return NT_STATUS_WRONG_PASSWORD;
1354     + }
1355     +
1356     /* fetch the old password hashes (at least one of both has to exist) */
1357    
1358     ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
1359     --
1360     2.39.0
1361    
1362    
1363     From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
1364     From: Jeremy Allison <jra@samba.org>
1365     Date: Wed, 16 Sep 2020 12:53:50 -0700
1366     Subject: [PATCH 016/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1367     protect netr_ServerPasswordSet2 against unencrypted passwords
1368    
1369     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1370    
1371     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1372    
1373     Signed-off-by: Jeremy Allison <jra@samba.org>
1374     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1375     ---
1376     source3/rpc_server/netlogon/srv_netlog_nt.c | 98 +++++++++++++++++++--
1377     1 file changed, 92 insertions(+), 6 deletions(-)
1378    
1379     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1380     index 86b2f343e82..fd9127b386f 100644
1381     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1382     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1383     @@ -1326,9 +1326,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1384     {
1385     NTSTATUS status;
1386     struct netlogon_creds_CredentialState *creds = NULL;
1387     - DATA_BLOB plaintext;
1388     + DATA_BLOB plaintext = data_blob_null;
1389     + DATA_BLOB new_password = data_blob_null;
1390     + size_t confounder_len;
1391     + DATA_BLOB dec_blob = data_blob_null;
1392     + DATA_BLOB enc_blob = data_blob_null;
1393     struct samr_CryptPassword password_buf;
1394     struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
1395     + bool ok;
1396    
1397     become_root();
1398     status = netr_creds_server_step_check(p, p->mem_ctx,
1399     @@ -1364,18 +1369,99 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1400     netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1401     }
1402    
1403     - if (!decode_pw_buffer(p->mem_ctx,
1404     - password_buf.data,
1405     - (char**) &plaintext.data,
1406     - &plaintext.length,
1407     - CH_UTF16)) {
1408     + if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
1409     DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
1410     "from a buffer. Rejecting auth request as a wrong password\n"));
1411     TALLOC_FREE(creds);
1412     return NT_STATUS_WRONG_PASSWORD;
1413     }
1414    
1415     + /*
1416     + * Make sure the length field was encrypted,
1417     + * otherwise we are under attack.
1418     + */
1419     + if (new_password.length == r->in.new_password->length) {
1420     + DBG_WARNING("Length[%zu] field not encrypted\n",
1421     + new_password.length);
1422     + TALLOC_FREE(creds);
1423     + return NT_STATUS_WRONG_PASSWORD;
1424     + }
1425     +
1426     + /*
1427     + * We don't allow empty passwords for machine accounts.
1428     + */
1429     + if (new_password.length < 2) {
1430     + DBG_WARNING("Empty password Length[%zu]\n",
1431     + new_password.length);
1432     + TALLOC_FREE(creds);
1433     + return NT_STATUS_WRONG_PASSWORD;
1434     + }
1435     +
1436     + /*
1437     + * Make sure the confounder part of CryptPassword
1438     + * buffer was encrypted, otherwise we are under attack.
1439     + */
1440     + confounder_len = 512 - new_password.length;
1441     + enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1442     + dec_blob = data_blob_const(password_buf.data, confounder_len);
1443     + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1444     + DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1445     + confounder_len);
1446     + TALLOC_FREE(creds);
1447     + return NT_STATUS_WRONG_PASSWORD;
1448     + }
1449     +
1450     + /*
1451     + * Check that the password part was actually encrypted,
1452     + * otherwise we are under attack.
1453     + */
1454     + enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1455     + new_password.length);
1456     + dec_blob = data_blob_const(password_buf.data + confounder_len,
1457     + new_password.length);
1458     + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1459     + DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1460     + new_password.length);
1461     + TALLOC_FREE(creds);
1462     + return NT_STATUS_WRONG_PASSWORD;
1463     + }
1464     +
1465     + /*
1466     + * don't allow zero buffers
1467     + */
1468     + if (all_zero(new_password.data, new_password.length)) {
1469     + DBG_WARNING("Password zero buffer Length[%zu]\n",
1470     + new_password.length);
1471     + TALLOC_FREE(creds);
1472     + return NT_STATUS_WRONG_PASSWORD;
1473     + }
1474     +
1475     + /* Convert from UTF16 -> plaintext. */
1476     + ok = convert_string_talloc(p->mem_ctx,
1477     + CH_UTF16,
1478     + CH_UNIX,
1479     + new_password.data,
1480     + new_password.length,
1481     + (void *)&plaintext.data,
1482     + &plaintext.length);
1483     + if (!ok) {
1484     + DBG_WARNING("unable to extract password from a buffer. "
1485     + "Rejecting auth request as a wrong password\n");
1486     + TALLOC_FREE(creds);
1487     + return NT_STATUS_WRONG_PASSWORD;
1488     + }
1489     +
1490     + /*
1491     + * We don't allow empty passwords for machine accounts.
1492     + */
1493     +
1494     cr.creds.password = (const char*) plaintext.data;
1495     + if (strlen(cr.creds.password) == 0) {
1496     + DBG_WARNING("Empty plaintext password\n");
1497     + TALLOC_FREE(creds);
1498     + return NT_STATUS_WRONG_PASSWORD;
1499     + }
1500     +
1501     status = netr_set_machine_account_password(p->mem_ctx,
1502     p->session_info,
1503     p->msg_ctx,
1504     --
1505     2.39.0
1506    
1507    
1508     From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
1509     From: Stefan Metzmacher <metze@samba.org>
1510     Date: Wed, 16 Sep 2020 10:18:45 +0200
1511     Subject: [PATCH 017/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1512     refactor dcesrv_netr_creds_server_step_check()
1513    
1514     We should debug more details about the failing request.
1515    
1516     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1517    
1518     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1519     ---
1520     source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++-----
1521     1 file changed, 33 insertions(+), 12 deletions(-)
1522    
1523     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1524     index acbf077c6c7..b4326a4ecaa 100644
1525     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1526     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1527     @@ -623,26 +623,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1528     NTSTATUS nt_status;
1529     int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1530     bool schannel_global_required = (schannel == true);
1531     + struct netlogon_creds_CredentialState *creds = NULL;
1532     + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1533     + uint16_t opnum = dce_call->pkt.u.request.opnum;
1534     + const char *opname = "<unknown>";
1535    
1536     - if (schannel_global_required) {
1537     - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1538     -
1539     - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
1540     -
1541     - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1542     - DBG_ERR("[%s] is not using schannel\n",
1543     - computer_name);
1544     - return NT_STATUS_ACCESS_DENIED;
1545     - }
1546     + if (opnum < ndr_table_netlogon.num_calls) {
1547     + opname = ndr_table_netlogon.calls[opnum].name;
1548     }
1549    
1550     + dcesrv_call_auth_info(dce_call, &auth_type, NULL);
1551     +
1552     nt_status = schannel_check_creds_state(mem_ctx,
1553     dce_call->conn->dce_ctx->lp_ctx,
1554     computer_name,
1555     received_authenticator,
1556     return_authenticator,
1557     - creds_out);
1558     - return nt_status;
1559     + &creds);
1560     + if (!NT_STATUS_IS_OK(nt_status)) {
1561     + ZERO_STRUCTP(return_authenticator);
1562     + return nt_status;
1563     + }
1564     +
1565     + if (schannel_global_required) {
1566     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1567     + *creds_out = creds;
1568     + return NT_STATUS_OK;
1569     + }
1570     +
1571     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1572     + "%s request (opnum[%u]) without schannel from "
1573     + "client_account[%s] client_computer_name[%s]\n",
1574     + opname, opnum,
1575     + log_escape(mem_ctx, creds->account_name),
1576     + log_escape(mem_ctx, creds->computer_name));
1577     + TALLOC_FREE(creds);
1578     + ZERO_STRUCTP(return_authenticator);
1579     + return NT_STATUS_ACCESS_DENIED;
1580     + }
1581     +
1582     + *creds_out = creds;
1583     + return NT_STATUS_OK;
1584     }
1585    
1586     /*
1587     --
1588     2.39.0
1589    
1590    
1591     From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
1592     From: Stefan Metzmacher <metze@samba.org>
1593     Date: Wed, 16 Sep 2020 10:56:53 +0200
1594     Subject: [PATCH 018/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1595     support "server require schannel:WORKSTATION$ = no"
1596    
1597     This allows to add expections for individual workstations, when using "server schannel = yes".
1598     "server schannel = auto" is very insecure and will be removed soon.
1599    
1600     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1601    
1602     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1603     ---
1604     source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++-
1605     1 file changed, 8 insertions(+), 1 deletion(-)
1606    
1607     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1608     index b4326a4ecaa..e7bafb31e83 100644
1609     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1610     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1611     @@ -623,6 +623,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1612     NTSTATUS nt_status;
1613     int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1614     bool schannel_global_required = (schannel == true);
1615     + bool schannel_required = schannel_global_required;
1616     struct netlogon_creds_CredentialState *creds = NULL;
1617     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1618     uint16_t opnum = dce_call->pkt.u.request.opnum;
1619     @@ -645,7 +646,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1620     return nt_status;
1621     }
1622    
1623     - if (schannel_global_required) {
1624     + schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
1625     + NULL,
1626     + "server require schannel",
1627     + creds->account_name,
1628     + schannel_global_required);
1629     +
1630     + if (schannel_required) {
1631     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1632     *creds_out = creds;
1633     return NT_STATUS_OK;
1634     --
1635     2.39.0
1636    
1637    
1638     From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
1639     From: Stefan Metzmacher <metze@samba.org>
1640     Date: Thu, 17 Sep 2020 13:37:26 +0200
1641     Subject: [PATCH 019/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
1642     warnings about unsecure configurations
1643     MIME-Version: 1.0
1644     Content-Type: text/plain; charset=UTF-8
1645     Content-Transfer-Encoding: 8bit
1646    
1647     This should give admins wawrnings until they have a secure
1648     configuration.
1649    
1650     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1651    
1652     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1653     Reviewed-by: Ralph Boehme <slow@samba.org>
1654     Reviewed-by: Günther Deschner <gd@samba.org>
1655     ---
1656     source4/rpc_server/netlogon/dcerpc_netlogon.c | 66 ++++++++++++++++++-
1657     1 file changed, 63 insertions(+), 3 deletions(-)
1658    
1659     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1660     index e7bafb31e83..7668a9eb923 100644
1661     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1662     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1663     @@ -624,10 +624,12 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1664     int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1665     bool schannel_global_required = (schannel == true);
1666     bool schannel_required = schannel_global_required;
1667     + const char *explicit_opt = NULL;
1668     struct netlogon_creds_CredentialState *creds = NULL;
1669     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1670     uint16_t opnum = dce_call->pkt.u.request.opnum;
1671     const char *opname = "<unknown>";
1672     + static bool warned_global_once = false;
1673    
1674     if (opnum < ndr_table_netlogon.num_calls) {
1675     opname = ndr_table_netlogon.calls[opnum].name;
1676     @@ -646,11 +648,18 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1677     return nt_status;
1678     }
1679    
1680     - schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
1681     + /*
1682     + * We don't use lpcfg_parm_bool(), as we
1683     + * need the explicit_opt pointer in order to
1684     + * adjust the debug messages.
1685     + */
1686     + explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
1687     NULL,
1688     "server require schannel",
1689     - creds->account_name,
1690     - schannel_global_required);
1691     + creds->account_name);
1692     + if (explicit_opt != NULL) {
1693     + schannel_required = lp_bool(explicit_opt);
1694     + }
1695    
1696     if (schannel_required) {
1697     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1698     @@ -664,11 +673,62 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1699     opname, opnum,
1700     log_escape(mem_ctx, creds->account_name),
1701     log_escape(mem_ctx, creds->computer_name));
1702     + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1703     + "'server require schannel:%s = no' is needed! \n",
1704     + log_escape(mem_ctx, creds->account_name));
1705     TALLOC_FREE(creds);
1706     ZERO_STRUCTP(return_authenticator);
1707     return NT_STATUS_ACCESS_DENIED;
1708     }
1709    
1710     + if (!schannel_global_required && !warned_global_once) {
1711     + /*
1712     + * We want admins to notice their misconfiguration!
1713     + */
1714     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1715     + "Please configure 'server schannel = yes', "
1716     + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
1717     + warned_global_once = true;
1718     + }
1719     +
1720     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1721     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1722     + "%s request (opnum[%u]) WITH schannel from "
1723     + "client_account[%s] client_computer_name[%s]\n",
1724     + opname, opnum,
1725     + log_escape(mem_ctx, creds->account_name),
1726     + log_escape(mem_ctx, creds->computer_name));
1727     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1728     + "Option 'server require schannel:%s = no' not needed!?\n",
1729     + log_escape(mem_ctx, creds->account_name));
1730     +
1731     + *creds_out = creds;
1732     + return NT_STATUS_OK;
1733     + }
1734     +
1735     +
1736     + if (explicit_opt != NULL) {
1737     + DBG_INFO("CVE-2020-1472(ZeroLogon): "
1738     + "%s request (opnum[%u]) without schannel from "
1739     + "client_account[%s] client_computer_name[%s]\n",
1740     + opname, opnum,
1741     + log_escape(mem_ctx, creds->account_name),
1742     + log_escape(mem_ctx, creds->computer_name));
1743     + DBG_INFO("CVE-2020-1472(ZeroLogon): "
1744     + "Option 'server require schannel:%s = no' still needed!\n",
1745     + log_escape(mem_ctx, creds->account_name));
1746     + } else {
1747     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1748     + "%s request (opnum[%u]) without schannel from "
1749     + "client_account[%s] client_computer_name[%s]\n",
1750     + opname, opnum,
1751     + log_escape(mem_ctx, creds->account_name),
1752     + log_escape(mem_ctx, creds->computer_name));
1753     + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1754     + "'server require schannel:%s = no' might be needed!\n",
1755     + log_escape(mem_ctx, creds->account_name));
1756     + }
1757     +
1758     *creds_out = creds;
1759     return NT_STATUS_OK;
1760     }
1761     --
1762     2.39.0
1763    
1764    
1765     From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
1766     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1767     Date: Thu, 17 Sep 2020 14:57:22 +0200
1768     Subject: [PATCH 020/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1769     refactor dcesrv_netr_creds_server_step_check()
1770     MIME-Version: 1.0
1771     Content-Type: text/plain; charset=UTF-8
1772     Content-Transfer-Encoding: 8bit
1773    
1774     We should debug more details about the failing request.
1775    
1776     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1777    
1778     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1779    
1780     Signed-off-by: Günther Deschner <gd@samba.org>
1781     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1782     ---
1783     source3/rpc_server/netlogon/srv_netlog_nt.c | 43 +++++++++++++++++----
1784     1 file changed, 35 insertions(+), 8 deletions(-)
1785    
1786     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1787     index fd9127b386f..8541571b459 100644
1788     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1789     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1790     @@ -48,6 +48,7 @@
1791     #include "../lib/tsocket/tsocket.h"
1792     #include "lib/param/param.h"
1793     #include "libsmb/dsgetdcname.h"
1794     +#include "lib/util/util_str_escape.h"
1795    
1796     extern userdom_struct current_user_info;
1797    
1798     @@ -1073,19 +1074,21 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1799     NTSTATUS status;
1800     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1801     struct loadparm_context *lp_ctx;
1802     + struct netlogon_creds_CredentialState *creds = NULL;
1803     + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1804     + uint16_t opnum = p->opnum;
1805     + const char *opname = "<unknown>";
1806    
1807     if (creds_out != NULL) {
1808     *creds_out = NULL;
1809     }
1810    
1811     - if (schannel_global_required) {
1812     - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1813     - DBG_ERR("[%s] is not using schannel\n",
1814     - computer_name);
1815     - return NT_STATUS_ACCESS_DENIED;
1816     - }
1817     + if (opnum < ndr_table_netlogon.num_calls) {
1818     + opname = ndr_table_netlogon.calls[opnum].name;
1819     }
1820    
1821     + auth_type = p->auth.auth_type;
1822     +
1823     lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
1824     if (lp_ctx == NULL) {
1825     DEBUG(0, ("loadparm_init_s3 failed\n"));
1826     @@ -1094,9 +1097,33 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1827    
1828     status = schannel_check_creds_state(mem_ctx, lp_ctx,
1829     computer_name, received_authenticator,
1830     - return_authenticator, creds_out);
1831     + return_authenticator, &creds);
1832     talloc_unlink(mem_ctx, lp_ctx);
1833     - return status;
1834     +
1835     + if (!NT_STATUS_IS_OK(status)) {
1836     + ZERO_STRUCTP(return_authenticator);
1837     + return status;
1838     + }
1839     +
1840     + if (schannel_global_required) {
1841     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1842     + *creds_out = creds;
1843     + return NT_STATUS_OK;
1844     + }
1845     +
1846     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1847     + "%s request (opnum[%u]) without schannel from "
1848     + "client_account[%s] client_computer_name[%s]\n",
1849     + opname, opnum,
1850     + log_escape(mem_ctx, creds->account_name),
1851     + log_escape(mem_ctx, creds->computer_name));
1852     + TALLOC_FREE(creds);
1853     + ZERO_STRUCTP(return_authenticator);
1854     + return NT_STATUS_ACCESS_DENIED;
1855     + }
1856     +
1857     + *creds_out = creds;
1858     + return NT_STATUS_OK;
1859     }
1860    
1861    
1862     --
1863     2.39.0
1864    
1865    
1866     From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
1867     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1868     Date: Thu, 17 Sep 2020 14:23:16 +0200
1869     Subject: [PATCH 021/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1870     support "server require schannel:WORKSTATION$ = no"
1871     MIME-Version: 1.0
1872     Content-Type: text/plain; charset=UTF-8
1873     Content-Transfer-Encoding: 8bit
1874    
1875     This allows to add expections for individual workstations, when using "server schannel = yes".
1876     "server schannel = auto" is very insecure and will be removed soon.
1877    
1878     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1879    
1880     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1881    
1882     Signed-off-by: Günther Deschner <gd@samba.org>
1883     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1884     ---
1885     source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
1886     1 file changed, 6 insertions(+), 1 deletion(-)
1887    
1888     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1889     index 8541571b459..f9b10103bd5 100644
1890     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1891     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1892     @@ -1073,6 +1073,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1893     {
1894     NTSTATUS status;
1895     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1896     + bool schannel_required = schannel_global_required;
1897     struct loadparm_context *lp_ctx;
1898     struct netlogon_creds_CredentialState *creds = NULL;
1899     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1900     @@ -1105,7 +1106,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1901     return status;
1902     }
1903    
1904     - if (schannel_global_required) {
1905     + schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
1906     + "server require schannel",
1907     + creds->account_name,
1908     + schannel_global_required);
1909     + if (schannel_required) {
1910     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1911     *creds_out = creds;
1912     return NT_STATUS_OK;
1913     --
1914     2.39.0
1915    
1916    
1917     From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
1918     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1919     Date: Thu, 17 Sep 2020 14:42:52 +0200
1920     Subject: [PATCH 022/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
1921     warnings about unsecure configurations
1922     MIME-Version: 1.0
1923     Content-Type: text/plain; charset=UTF-8
1924     Content-Transfer-Encoding: 8bit
1925    
1926     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1927    
1928     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1929    
1930     Signed-off-by: Günther Deschner <gd@samba.org>
1931     Signed-off-by: Stefan Metzmacher <metze@samba.org>
1932     ---
1933     source3/rpc_server/netlogon/srv_netlog_nt.c | 70 +++++++++++++++++++--
1934     1 file changed, 66 insertions(+), 4 deletions(-)
1935    
1936     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1937     index f9b10103bd5..7f6704adbda 100644
1938     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1939     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1940     @@ -1074,11 +1074,13 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1941     NTSTATUS status;
1942     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1943     bool schannel_required = schannel_global_required;
1944     + const char *explicit_opt = NULL;
1945     struct loadparm_context *lp_ctx;
1946     struct netlogon_creds_CredentialState *creds = NULL;
1947     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1948     uint16_t opnum = p->opnum;
1949     const char *opname = "<unknown>";
1950     + static bool warned_global_once = false;
1951    
1952     if (creds_out != NULL) {
1953     *creds_out = NULL;
1954     @@ -1106,10 +1108,20 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1955     return status;
1956     }
1957    
1958     - schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
1959     - "server require schannel",
1960     - creds->account_name,
1961     - schannel_global_required);
1962     + /*
1963     + * We don't use lp_parm_bool(), as we
1964     + * need the explicit_opt pointer in order to
1965     + * adjust the debug messages.
1966     + */
1967     +
1968     + explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
1969     + "server require schannel",
1970     + creds->account_name,
1971     + NULL);
1972     + if (explicit_opt != NULL) {
1973     + schannel_required = lp_bool(explicit_opt);
1974     + }
1975     +
1976     if (schannel_required) {
1977     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1978     *creds_out = creds;
1979     @@ -1122,11 +1134,61 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1980     opname, opnum,
1981     log_escape(mem_ctx, creds->account_name),
1982     log_escape(mem_ctx, creds->computer_name));
1983     + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1984     + "'server require schannel:%s = no' is needed! \n",
1985     + log_escape(mem_ctx, creds->account_name));
1986     TALLOC_FREE(creds);
1987     ZERO_STRUCTP(return_authenticator);
1988     return NT_STATUS_ACCESS_DENIED;
1989     }
1990    
1991     + if (!schannel_global_required && !warned_global_once) {
1992     + /*
1993     + * We want admins to notice their misconfiguration!
1994     + */
1995     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1996     + "Please configure 'server schannel = yes', "
1997     + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
1998     + warned_global_once = true;
1999     + }
2000     +
2001     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
2002     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2003     + "%s request (opnum[%u]) WITH schannel from "
2004     + "client_account[%s] client_computer_name[%s]\n",
2005     + opname, opnum,
2006     + log_escape(mem_ctx, creds->account_name),
2007     + log_escape(mem_ctx, creds->computer_name));
2008     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2009     + "Option 'server require schannel:%s = no' not needed!?\n",
2010     + log_escape(mem_ctx, creds->account_name));
2011     +
2012     + *creds_out = creds;
2013     + return NT_STATUS_OK;
2014     + }
2015     +
2016     + if (explicit_opt != NULL) {
2017     + DBG_INFO("CVE-2020-1472(ZeroLogon): "
2018     + "%s request (opnum[%u]) without schannel from "
2019     + "client_account[%s] client_computer_name[%s]\n",
2020     + opname, opnum,
2021     + log_escape(mem_ctx, creds->account_name),
2022     + log_escape(mem_ctx, creds->computer_name));
2023     + DBG_INFO("CVE-2020-1472(ZeroLogon): "
2024     + "Option 'server require schannel:%s = no' still needed!\n",
2025     + log_escape(mem_ctx, creds->account_name));
2026     + } else {
2027     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2028     + "%s request (opnum[%u]) without schannel from "
2029     + "client_account[%s] client_computer_name[%s]\n",
2030     + opname, opnum,
2031     + log_escape(mem_ctx, creds->account_name),
2032     + log_escape(mem_ctx, creds->computer_name));
2033     + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
2034     + "'server require schannel:%s = no' might be needed!\n",
2035     + log_escape(mem_ctx, creds->account_name));
2036     + }
2037     +
2038     *creds_out = creds;
2039     return NT_STATUS_OK;
2040     }
2041     --
2042     2.39.0
2043    
2044    
2045     From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
2046     From: Stefan Metzmacher <metze@samba.org>
2047     Date: Thu, 17 Sep 2020 17:27:54 +0200
2048     Subject: [PATCH 023/142] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
2049     require schannel:COMPUTERACCOUNT'
2050    
2051     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2052    
2053     Signed-off-by: Stefan Metzmacher <metze@samba.org>
2054     ---
2055     .../smbdotconf/security/serverschannel.xml | 69 +++++++++++++++----
2056     1 file changed, 54 insertions(+), 15 deletions(-)
2057    
2058     diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
2059     index 489492d79b1..b682d086f76 100644
2060     --- a/docs-xml/smbdotconf/security/serverschannel.xml
2061     +++ b/docs-xml/smbdotconf/security/serverschannel.xml
2062     @@ -7,26 +7,65 @@
2063     <description>
2064    
2065     <para>
2066     - This option is deprecated with Samba 4.8 and will be removed in future.
2067     - At the same time the default changed to yes, which will be the
2068     - hardcoded behavior in future. If you have the need for the behavior of "auto"
2069     - to be kept, please file a bug at https://bugzilla.samba.org.
2070     + This option is deprecated and will be removed in future,
2071     + as it is a security problem if not set to "yes" (which will be
2072     + the hardcoded behavior in future).
2073     </para>
2074    
2075     <para>
2076     - This controls whether the server offers or even demands the use of the netlogon schannel.
2077     - <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
2078     - name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
2079     - name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
2080     - This is only the case for Windows NT4 before SP4.
2081     - </para>
2082     -
2083     + Samba will complain in the log files at log level 0,
2084     + about the security problem if the option is not set to "yes".
2085     + </para>
2086     <para>
2087     - Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP
2088     - <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
2089     - </para>
2090     + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
2091     + </para>
2092     +
2093     + <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
2094     + </para>
2095     +
2096     + <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
2097     +
2098     </description>
2099    
2100     <value type="default">yes</value>
2101     -<value type="example">auto</value>
2102     +</samba:parameter>
2103     +
2104     +<samba:parameter name="server require schannel:COMPUTERACCOUNT"
2105     + context="G"
2106     + type="string"
2107     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
2108     +<description>
2109     +
2110     + <para>If you still have legacy domain members, which required "server schannel = auto" before,
2111     + it is possible to specify explicit expection per computer account
2112     + by using 'server require schannel:COMPUTERACCOUNT = no' as option.
2113     + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
2114     + the computer account (including the trailing '$' sign).
2115     + </para>
2116     +
2117     + <para>
2118     + Samba will complain in the log files at log level 0,
2119     + about the security problem if the option is not set to "no",
2120     + but the related computer is actually using the netlogon
2121     + secure channel (schannel) feature.
2122     + </para>
2123     +
2124     + <para>
2125     + Samba will warn in the log files at log level 5,
2126     + if a setting is still needed for the specified computer account.
2127     + </para>
2128     +
2129     + <para>
2130     + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
2131     + </para>
2132     +
2133     + <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
2134     +
2135     + <programlisting>
2136     + server require schannel:LEGACYCOMPUTER1$ = no
2137     + server require schannel:NASBOX$ = no
2138     + server require schannel:LEGACYCOMPUTER2$ = no
2139     + </programlisting>
2140     +</description>
2141     +
2142     </samba:parameter>
2143     --
2144     2.39.0
2145    
2146    
2147     From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
2148     From: Gary Lockyer <gary@catalyst.net.nz>
2149     Date: Fri, 18 Sep 2020 12:39:54 +1200
2150     Subject: [PATCH 024/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
2151     machine acct pwd
2152    
2153     Ensure that an empty machine account password can't be set by
2154     netr_ServerPasswordSet2
2155    
2156     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2157    
2158     Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2159     ---
2160     source4/torture/rpc/netlogon.c | 64 +++++++++++++++-------------------
2161     1 file changed, 29 insertions(+), 35 deletions(-)
2162    
2163     diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
2164     index e11014922f8..0ba45f0c1da 100644
2165     --- a/source4/torture/rpc/netlogon.c
2166     +++ b/source4/torture/rpc/netlogon.c
2167     @@ -719,45 +719,39 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
2168    
2169     cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
2170    
2171     - if (!torture_setting_bool(tctx, "dangerous", false)) {
2172     - torture_comment(tctx,
2173     - "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
2174     + /*
2175     + * As a consequence of CVE-2020-1472(ZeroLogon)
2176     + * Samba explicitly disallows the setting of an empty machine account
2177     + * password.
2178     + *
2179     + * Note that this may fail against Windows, and leave a machine account
2180     + * with an empty password.
2181     + */
2182     + password = "";
2183     + encode_pw_buffer(password_buf.data, password, STR_UNICODE);
2184     + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
2185     + netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
2186     } else {
2187     - /* by changing the machine password to ""
2188     - * we check if the server uses password restrictions
2189     - * for ServerPasswordSet2
2190     - * (win2k3 accepts "")
2191     - */
2192     - password = "";
2193     - encode_pw_buffer(password_buf.data, password, STR_UNICODE);
2194     - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
2195     - netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
2196     - } else {
2197     - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
2198     - }
2199     - memcpy(new_password.data, password_buf.data, 512);
2200     - new_password.length = IVAL(password_buf.data, 512);
2201     -
2202     - torture_comment(tctx,
2203     - "Testing ServerPasswordSet2 on machine account\n");
2204     - torture_comment(tctx,
2205     - "Changing machine account password to '%s'\n", password);
2206     -
2207     - netlogon_creds_client_authenticator(creds, &credential);
2208     -
2209     - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
2210     - "ServerPasswordSet2 failed");
2211     - torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
2212     + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
2213     + }
2214     + memcpy(new_password.data, password_buf.data, 512);
2215     + new_password.length = IVAL(password_buf.data, 512);
2216    
2217     - if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
2218     - torture_comment(tctx, "Credential chaining failed\n");
2219     - }
2220     + torture_comment(tctx,
2221     + "Testing ServerPasswordSet2 on machine account\n");
2222     + torture_comment(tctx,
2223     + "Changing machine account password to '%s'\n", password);
2224    
2225     - cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
2226     - }
2227     + netlogon_creds_client_authenticator(creds, &credential);
2228    
2229     - torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
2230     - "ServerPasswordSet failed to actually change the password");
2231     + torture_assert_ntstatus_ok(
2232     + tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
2233     + "ServerPasswordSet2 failed");
2234     + torture_assert_ntstatus_equal(
2235     + tctx,
2236     + r.out.result,
2237     + NT_STATUS_WRONG_PASSWORD,
2238     + "ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD");
2239    
2240     /* now try a random password */
2241     password = generate_random_password(tctx, 8, 255);
2242     --
2243     2.39.0
2244    
2245    
2246     From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
2247     From: Gary Lockyer <gary@catalyst.net.nz>
2248     Date: Fri, 18 Sep 2020 15:57:34 +1200
2249     Subject: [PATCH 025/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
2250     bytes in client challenge
2251    
2252     Ensure that client challenges with the first 5 bytes identical are
2253     rejected.
2254    
2255     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2256    
2257     Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2258    
2259     [abartlet@samba.org: backported from master as test order was flipped]
2260     ---
2261     source4/torture/rpc/netlogon.c | 335 +++++++++++++++++++++++++++++++++
2262     1 file changed, 335 insertions(+)
2263    
2264     diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
2265     index 0ba45f0c1da..97c16688bc9 100644
2266     --- a/source4/torture/rpc/netlogon.c
2267     +++ b/source4/torture/rpc/netlogon.c
2268     @@ -480,6 +480,325 @@ bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
2269     return true;
2270     }
2271    
2272     +static bool test_ServerReqChallenge(
2273     + struct torture_context *tctx,
2274     + struct dcerpc_pipe *p,
2275     + struct cli_credentials *credentials)
2276     +{
2277     + struct netr_ServerReqChallenge r;
2278     + struct netr_Credential credentials1, credentials2, credentials3;
2279     + const char *machine_name;
2280     + struct dcerpc_binding_handle *b = p->binding_handle;
2281     + struct netr_ServerAuthenticate2 a;
2282     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2283     + uint32_t out_negotiate_flags = 0;
2284     + const struct samr_Password *mach_password = NULL;
2285     + enum netr_SchannelType sec_chan_type = 0;
2286     + struct netlogon_creds_CredentialState *creds = NULL;
2287     + const char *account_name = NULL;
2288     +
2289     + machine_name = cli_credentials_get_workstation(credentials);
2290     + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2291     + account_name = cli_credentials_get_username(credentials);
2292     + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2293     +
2294     + torture_comment(tctx, "Testing ServerReqChallenge\n");
2295     +
2296     + r.in.server_name = NULL;
2297     + r.in.computer_name = machine_name;
2298     + r.in.credentials = &credentials1;
2299     + r.out.return_credentials = &credentials2;
2300     +
2301     + netlogon_creds_random_challenge(&credentials1);
2302     +
2303     + torture_assert_ntstatus_ok(
2304     + tctx,
2305     + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2306     + "ServerReqChallenge failed");
2307     + torture_assert_ntstatus_ok(
2308     + tctx,
2309     + r.out.result,
2310     + "ServerReqChallenge failed");
2311     + a.in.server_name = NULL;
2312     + a.in.account_name = account_name;
2313     + a.in.secure_channel_type = sec_chan_type;
2314     + a.in.computer_name = machine_name;
2315     + a.in.negotiate_flags = &in_negotiate_flags;
2316     + a.out.negotiate_flags = &out_negotiate_flags;
2317     + a.in.credentials = &credentials3;
2318     + a.out.return_credentials = &credentials3;
2319     +
2320     + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2321     + a.in.computer_name,
2322     + a.in.secure_channel_type,
2323     + &credentials1, &credentials2,
2324     + mach_password, &credentials3,
2325     + in_negotiate_flags);
2326     +
2327     + torture_assert(tctx, creds != NULL, "memory allocation");
2328     +
2329     + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2330     +
2331     + torture_assert_ntstatus_ok(
2332     + tctx,
2333     + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2334     + "ServerAuthenticate2 failed");
2335     + torture_assert_ntstatus_equal(
2336     + tctx,
2337     + a.out.result,
2338     + NT_STATUS_OK,
2339     + "ServerAuthenticate2 unexpected");
2340     +
2341     + return true;
2342     +}
2343     +
2344     +static bool test_ServerReqChallenge_zero_challenge(
2345     + struct torture_context *tctx,
2346     + struct dcerpc_pipe *p,
2347     + struct cli_credentials *credentials)
2348     +{
2349     + struct netr_ServerReqChallenge r;
2350     + struct netr_Credential credentials1, credentials2, credentials3;
2351     + const char *machine_name;
2352     + struct dcerpc_binding_handle *b = p->binding_handle;
2353     + struct netr_ServerAuthenticate2 a;
2354     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2355     + uint32_t out_negotiate_flags = 0;
2356     + const struct samr_Password *mach_password = NULL;
2357     + enum netr_SchannelType sec_chan_type = 0;
2358     + struct netlogon_creds_CredentialState *creds = NULL;
2359     + const char *account_name = NULL;
2360     +
2361     + machine_name = cli_credentials_get_workstation(credentials);
2362     + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2363     + account_name = cli_credentials_get_username(credentials);
2364     + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2365     +
2366     + torture_comment(tctx, "Testing ServerReqChallenge\n");
2367     +
2368     + r.in.server_name = NULL;
2369     + r.in.computer_name = machine_name;
2370     + r.in.credentials = &credentials1;
2371     + r.out.return_credentials = &credentials2;
2372     +
2373     + /*
2374     + * Set the client challenge to zero, this should fail
2375     + * CVE-2020-1472(ZeroLogon)
2376     + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2377     + */
2378     + ZERO_STRUCT(credentials1);
2379     +
2380     + torture_assert_ntstatus_ok(
2381     + tctx,
2382     + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2383     + "ServerReqChallenge failed");
2384     + torture_assert_ntstatus_ok(
2385     + tctx,
2386     + r.out.result,
2387     + "ServerReqChallenge failed");
2388     + a.in.server_name = NULL;
2389     + a.in.account_name = account_name;
2390     + a.in.secure_channel_type = sec_chan_type;
2391     + a.in.computer_name = machine_name;
2392     + a.in.negotiate_flags = &in_negotiate_flags;
2393     + a.out.negotiate_flags = &out_negotiate_flags;
2394     + a.in.credentials = &credentials3;
2395     + a.out.return_credentials = &credentials3;
2396     +
2397     + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2398     + a.in.computer_name,
2399     + a.in.secure_channel_type,
2400     + &credentials1, &credentials2,
2401     + mach_password, &credentials3,
2402     + in_negotiate_flags);
2403     +
2404     + torture_assert(tctx, creds != NULL, "memory allocation");
2405     +
2406     + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2407     +
2408     + torture_assert_ntstatus_ok(
2409     + tctx,
2410     + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2411     + "ServerAuthenticate2 failed");
2412     + torture_assert_ntstatus_equal(
2413     + tctx,
2414     + a.out.result,
2415     + NT_STATUS_ACCESS_DENIED,
2416     + "ServerAuthenticate2 unexpected");
2417     +
2418     + return true;
2419     +}
2420     +
2421     +static bool test_ServerReqChallenge_5_repeats(
2422     + struct torture_context *tctx,
2423     + struct dcerpc_pipe *p,
2424     + struct cli_credentials *credentials)
2425     +{
2426     + struct netr_ServerReqChallenge r;
2427     + struct netr_Credential credentials1, credentials2, credentials3;
2428     + const char *machine_name;
2429     + struct dcerpc_binding_handle *b = p->binding_handle;
2430     + struct netr_ServerAuthenticate2 a;
2431     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2432     + uint32_t out_negotiate_flags = 0;
2433     + const struct samr_Password *mach_password = NULL;
2434     + enum netr_SchannelType sec_chan_type = 0;
2435     + struct netlogon_creds_CredentialState *creds = NULL;
2436     + const char *account_name = NULL;
2437     +
2438     + machine_name = cli_credentials_get_workstation(credentials);
2439     + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2440     + account_name = cli_credentials_get_username(credentials);
2441     + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2442     +
2443     + torture_comment(tctx, "Testing ServerReqChallenge\n");
2444     +
2445     + r.in.server_name = NULL;
2446     + r.in.computer_name = machine_name;
2447     + r.in.credentials = &credentials1;
2448     + r.out.return_credentials = &credentials2;
2449     +
2450     + /*
2451     + * Set the first 5 bytes of the client challenge to the same value,
2452     + * this should fail CVE-2020-1472(ZeroLogon)
2453     + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2454     + */
2455     + credentials1.data[0] = 'A';
2456     + credentials1.data[1] = 'A';
2457     + credentials1.data[2] = 'A';
2458     + credentials1.data[3] = 'A';
2459     + credentials1.data[4] = 'A';
2460     + credentials1.data[5] = 'B';
2461     + credentials1.data[6] = 'C';
2462     + credentials1.data[7] = 'D';
2463     +
2464     + torture_assert_ntstatus_ok(
2465     + tctx,
2466     + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2467     + "ServerReqChallenge failed");
2468     + torture_assert_ntstatus_ok(
2469     + tctx,
2470     + r.out.result,
2471     + "ServerReqChallenge failed");
2472     + a.in.server_name = NULL;
2473     + a.in.account_name = account_name;
2474     + a.in.secure_channel_type = sec_chan_type;
2475     + a.in.computer_name = machine_name;
2476     + a.in.negotiate_flags = &in_negotiate_flags;
2477     + a.out.negotiate_flags = &out_negotiate_flags;
2478     + a.in.credentials = &credentials3;
2479     + a.out.return_credentials = &credentials3;
2480     +
2481     + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2482     + a.in.computer_name,
2483     + a.in.secure_channel_type,
2484     + &credentials1, &credentials2,
2485     + mach_password, &credentials3,
2486     + in_negotiate_flags);
2487     +
2488     + torture_assert(tctx, creds != NULL, "memory allocation");
2489     +
2490     + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2491     +
2492     + torture_assert_ntstatus_ok(
2493     + tctx,
2494     + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2495     + "ServerAuthenticate2 failed");
2496     + torture_assert_ntstatus_equal(
2497     + tctx,
2498     + a.out.result,
2499     + NT_STATUS_ACCESS_DENIED,
2500     + "ServerAuthenticate2 unexpected");
2501     +
2502     + return true;
2503     +}
2504     +
2505     +static bool test_ServerReqChallenge_4_repeats(
2506     + struct torture_context *tctx,
2507     + struct dcerpc_pipe *p,
2508     + struct cli_credentials *credentials)
2509     +{
2510     + struct netr_ServerReqChallenge r;
2511     + struct netr_Credential credentials1, credentials2, credentials3;
2512     + const char *machine_name;
2513     + struct dcerpc_binding_handle *b = p->binding_handle;
2514     + struct netr_ServerAuthenticate2 a;
2515     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2516     + uint32_t out_negotiate_flags = 0;
2517     + const struct samr_Password *mach_password = NULL;
2518     + enum netr_SchannelType sec_chan_type = 0;
2519     + struct netlogon_creds_CredentialState *creds = NULL;
2520     + const char *account_name = NULL;
2521     +
2522     + machine_name = cli_credentials_get_workstation(credentials);
2523     + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2524     + account_name = cli_credentials_get_username(credentials);
2525     + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2526     +
2527     + torture_comment(tctx, "Testing ServerReqChallenge\n");
2528     +
2529     + r.in.server_name = NULL;
2530     + r.in.computer_name = machine_name;
2531     + r.in.credentials = &credentials1;
2532     + r.out.return_credentials = &credentials2;
2533     +
2534     + /*
2535     + * Set the first 4 bytes of the client challenge to the same
2536     + * value, this should pass as 5 bytes identical are needed to
2537     + * fail for CVE-2020-1472(ZeroLogon)
2538     + *
2539     + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2540     + */
2541     + credentials1.data[0] = 'A';
2542     + credentials1.data[1] = 'A';
2543     + credentials1.data[2] = 'A';
2544     + credentials1.data[3] = 'A';
2545     + credentials1.data[4] = 'B';
2546     + credentials1.data[5] = 'C';
2547     + credentials1.data[6] = 'D';
2548     + credentials1.data[7] = 'E';
2549     +
2550     + torture_assert_ntstatus_ok(
2551     + tctx,
2552     + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2553     + "ServerReqChallenge failed");
2554     + torture_assert_ntstatus_ok(
2555     + tctx,
2556     + r.out.result,
2557     + "ServerReqChallenge failed");
2558     + a.in.server_name = NULL;
2559     + a.in.account_name = account_name;
2560     + a.in.secure_channel_type = sec_chan_type;
2561     + a.in.computer_name = machine_name;
2562     + a.in.negotiate_flags = &in_negotiate_flags;
2563     + a.out.negotiate_flags = &out_negotiate_flags;
2564     + a.in.credentials = &credentials3;
2565     + a.out.return_credentials = &credentials3;
2566     +
2567     + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2568     + a.in.computer_name,
2569     + a.in.secure_channel_type,
2570     + &credentials1, &credentials2,
2571     + mach_password, &credentials3,
2572     + in_negotiate_flags);
2573     +
2574     + torture_assert(tctx, creds != NULL, "memory allocation");
2575     +
2576     + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2577     +
2578     + torture_assert_ntstatus_ok(
2579     + tctx,
2580     + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2581     + "ServerAuthenticate2 failed");
2582     + torture_assert_ntstatus_equal(
2583     + tctx,
2584     + a.out.result,
2585     + NT_STATUS_OK,
2586     + "ServerAuthenticate2 unexpected");
2587     +
2588     + return true;
2589     +}
2590     +
2591     /*
2592     try a change password for our machine account
2593     */
2594     @@ -4949,6 +5268,22 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2595     torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon);
2596     torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade);
2597    
2598     + torture_rpc_tcase_add_test_creds(
2599     + tcase,
2600     + "ServerReqChallenge",
2601     + test_ServerReqChallenge);
2602     + torture_rpc_tcase_add_test_creds(
2603     + tcase,
2604     + "ServerReqChallenge_zero_challenge",
2605     + test_ServerReqChallenge_zero_challenge);
2606     + torture_rpc_tcase_add_test_creds(
2607     + tcase,
2608     + "ServerReqChallenge_5_repeats",
2609     + test_ServerReqChallenge_5_repeats);
2610     + torture_rpc_tcase_add_test_creds(
2611     + tcase,
2612     + "ServerReqChallenge_4_repeats",
2613     + test_ServerReqChallenge_4_repeats);
2614     return suite;
2615     }
2616    
2617     --
2618     2.39.0
2619    
2620    
2621     From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
2622     From: Jeremy Allison <jra@samba.org>
2623     Date: Fri, 10 Jul 2020 15:09:33 -0700
2624     Subject: [PATCH 026/142] s4: torture: Add smb2.notify.handle-permissions test.
2625    
2626     Add knownfail entry.
2627    
2628     CVE-2020-14318
2629    
2630     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
2631    
2632     Signed-off-by: Jeremy Allison <jra@samba.org>
2633     (cherry picked from commit f100bd2f2e4f047942002a992c99104227a17f81)
2634     ---
2635     .../smb2_notify_handle_permissions | 2 +
2636     source4/torture/smb2/notify.c | 80 +++++++++++++++++++
2637     2 files changed, 82 insertions(+)
2638     create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
2639    
2640     diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
2641     new file mode 100644
2642     index 00000000000..c0ec8fc8153
2643     --- /dev/null
2644     +++ b/selftest/knownfail.d/smb2_notify_handle_permissions
2645     @@ -0,0 +1,2 @@
2646     +^samba3.smb2.notify.handle-permissions
2647     +
2648     diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
2649     index ebb4f8a4f8e..b017491c8fb 100644
2650     --- a/source4/torture/smb2/notify.c
2651     +++ b/source4/torture/smb2/notify.c
2652     @@ -2569,6 +2569,83 @@ done:
2653     return ok;
2654     }
2655    
2656     +/*
2657     + Test asking for a change notify on a handle without permissions.
2658     +*/
2659     +
2660     +#define BASEDIR_HPERM BASEDIR "_HPERM"
2661     +
2662     +static bool torture_smb2_notify_handle_permissions(
2663     + struct torture_context *torture,
2664     + struct smb2_tree *tree)
2665     +{
2666     + bool ret = true;
2667     + NTSTATUS status;
2668     + union smb_notify notify;
2669     + union smb_open io;
2670     + struct smb2_handle h1 = {{0}};
2671     + struct smb2_request *req;
2672     +
2673     + smb2_deltree(tree, BASEDIR_HPERM);
2674     + smb2_util_rmdir(tree, BASEDIR_HPERM);
2675     +
2676     + torture_comment(torture,
2677     + "TESTING CHANGE NOTIFY "
2678     + "ON A HANDLE WITHOUT PERMISSIONS\n");
2679     +
2680     + /*
2681     + get a handle on the directory
2682     + */
2683     + ZERO_STRUCT(io.smb2);
2684     + io.generic.level = RAW_OPEN_SMB2;
2685     + io.smb2.in.create_flags = 0;
2686     + io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
2687     + io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
2688     + io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
2689     + io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
2690     + NTCREATEX_SHARE_ACCESS_WRITE;
2691     + io.smb2.in.alloc_size = 0;
2692     + io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
2693     + io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
2694     + io.smb2.in.security_flags = 0;
2695     + io.smb2.in.fname = BASEDIR_HPERM;
2696     +
2697     + status = smb2_create(tree, torture, &io.smb2);
2698     + CHECK_STATUS(status, NT_STATUS_OK);
2699     + h1 = io.smb2.out.file.handle;
2700     +
2701     + /* ask for a change notify,
2702     + on file or directory name changes */
2703     + ZERO_STRUCT(notify.smb2);
2704     + notify.smb2.level = RAW_NOTIFY_SMB2;
2705     + notify.smb2.in.buffer_size = 1000;
2706     + notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
2707     + notify.smb2.in.file.handle = h1;
2708     + notify.smb2.in.recursive = true;
2709     +
2710     + req = smb2_notify_send(tree, &notify.smb2);
2711     + torture_assert_goto(torture,
2712     + req != NULL,
2713     + ret,
2714     + done,
2715     + "smb2_notify_send failed\n");
2716     +
2717     + /*
2718     + * Cancel it, we don't really want to wait.
2719     + */
2720     + smb2_cancel(req);
2721     + status = smb2_notify_recv(req, torture, &notify.smb2);
2722     + /* Handle h1 doesn't have permissions for ChangeNotify. */
2723     + CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
2724     +
2725     +done:
2726     + if (!smb2_util_handle_empty(h1)) {
2727     + smb2_util_close(tree, h1);
2728     + }
2729     + smb2_deltree(tree, BASEDIR_HPERM);
2730     + return ret;
2731     +}
2732     +
2733     /*
2734     basic testing of SMB2 change notify
2735     */
2736     @@ -2602,6 +2679,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
2737     torture_smb2_notify_rmdir3);
2738     torture_suite_add_2smb2_test(suite, "rmdir4",
2739     torture_smb2_notify_rmdir4);
2740     + torture_suite_add_1smb2_test(suite,
2741     + "handle-permissions",
2742     + torture_smb2_notify_handle_permissions);
2743    
2744     suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
2745    
2746     --
2747     2.39.0
2748    
2749    
2750     From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
2751     From: Jeremy Allison <jra@samba.org>
2752     Date: Tue, 7 Jul 2020 18:25:23 -0700
2753     Subject: [PATCH 027/142] s3: smbd: Ensure change notifies can't get set unless
2754     the directory handle is open for SEC_DIR_LIST.
2755    
2756     Remove knownfail entry.
2757    
2758     CVE-2020-14318
2759    
2760     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
2761    
2762     Signed-off-by: Jeremy Allison <jra@samba.org>
2763     (cherry picked from commit f43ecce46a89c6380317fbb5f2ae38f48d3d42c8)
2764     ---
2765     selftest/knownfail.d/smb2_notify_handle_permissions | 2 --
2766     source3/smbd/notify.c | 8 ++++++++
2767     2 files changed, 8 insertions(+), 2 deletions(-)
2768     delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
2769    
2770     diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
2771     deleted file mode 100644
2772     index c0ec8fc8153..00000000000
2773     --- a/selftest/knownfail.d/smb2_notify_handle_permissions
2774     +++ /dev/null
2775     @@ -1,2 +0,0 @@
2776     -^samba3.smb2.notify.handle-permissions
2777     -
2778     diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
2779     index 44c0b09432e..d23c03bce41 100644
2780     --- a/source3/smbd/notify.c
2781     +++ b/source3/smbd/notify.c
2782     @@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
2783     char fullpath[len+1];
2784     NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
2785    
2786     + /*
2787     + * Setting a changenotify needs READ/LIST access
2788     + * on the directory handle.
2789     + */
2790     + if (!(fsp->access_mask & SEC_DIR_LIST)) {
2791     + return NT_STATUS_ACCESS_DENIED;
2792     + }
2793     +
2794     if (fsp->notify != NULL) {
2795     DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
2796     "fname = %s\n", fsp->fsp_name->base_name));
2797     --
2798     2.39.0
2799    
2800    
2801     From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
2802     From: Volker Lendecke <vl@samba.org>
2803     Date: Thu, 9 Jul 2020 21:49:25 +0200
2804     Subject: [PATCH 028/142] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
2805    
2806     A lookupsids request without extra_data will lead to "state->domain==NULL",
2807     which makes winbindd_lookupsids_recv trying to dereference it.
2808    
2809     Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
2810    
2811     Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
2812     Signed-off-by: Volker Lendecke <vl@samba.org>
2813     (cherry picked from commit f17967ad73e9c1d2bd6e0b7c181f08079d2a8214)
2814     ---
2815     source3/winbindd/winbindd_lookupsids.c | 2 +-
2816     1 file changed, 1 insertion(+), 1 deletion(-)
2817    
2818     diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
2819     index d28b5fa9f01..a289fd86f0f 100644
2820     --- a/source3/winbindd/winbindd_lookupsids.c
2821     +++ b/source3/winbindd/winbindd_lookupsids.c
2822     @@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
2823     DEBUG(3, ("lookupsids\n"));
2824    
2825     if (request->extra_len == 0) {
2826     - tevent_req_done(req);
2827     + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
2828     return tevent_req_post(req, ev);
2829     }
2830     if (request->extra_data.data[request->extra_len-1] != '\0') {
2831     --
2832     2.39.0
2833    
2834    
2835     From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
2836     From: Volker Lendecke <vl@samba.org>
2837     Date: Thu, 9 Jul 2020 21:48:57 +0200
2838     Subject: [PATCH 029/142] CVE-2020-14323 torture4: Add a simple test for
2839     invalid lookup_sids winbind call
2840    
2841     We can't add this test before the fix, add it to knownfail and have the fix
2842     remove the knownfail entry again. As this crashes winbind, many tests after
2843     this one will fail.
2844    
2845     Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
2846    
2847     Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
2848     Signed-off-by: Volker Lendecke <vl@samba.org>
2849     (cherry picked from commit d0ca2a63aaedf123205337aaa211426175ffcebf)
2850     ---
2851     source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++
2852     1 file changed, 27 insertions(+)
2853    
2854     diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
2855     index 9745b621ca9..71f248c0d61 100644
2856     --- a/source4/torture/winbind/struct_based.c
2857     +++ b/source4/torture/winbind/struct_based.c
2858     @@ -1110,6 +1110,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu
2859     return true;
2860     }
2861    
2862     +static bool torture_winbind_struct_lookup_sids_invalid(
2863     + struct torture_context *torture)
2864     +{
2865     + struct winbindd_request req = {0};
2866     + struct winbindd_response rep = {0};
2867     + bool strict = torture_setting_bool(torture, "strict mode", false);
2868     + bool ok;
2869     +
2870     + torture_comment(torture,
2871     + "Running WINBINDD_LOOKUP_SIDS (struct based)\n");
2872     +
2873     + ok = true;
2874     + DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep,
2875     + NSS_STATUS_NOTFOUND,
2876     + strict,
2877     + ok=false,
2878     + talloc_asprintf(
2879     + torture,
2880     + "invalid lookupsids succeeded"));
2881     +
2882     + return ok;
2883     +}
2884     +
2885     struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
2886     {
2887     struct torture_suite *suite = torture_suite_create(ctx, "struct");
2888     @@ -1132,6 +1155,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
2889     torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent);
2890     torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent);
2891     torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid);
2892     + torture_suite_add_simple_test(
2893     + suite,
2894     + "lookup_sids_invalid",
2895     + torture_winbind_struct_lookup_sids_invalid);
2896    
2897     suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
2898    
2899     --
2900     2.39.0
2901    
2902    
2903     From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
2904     From: Laurent Menase <laurent.menase@hpe.com>
2905     Date: Wed, 20 May 2020 12:31:53 +0200
2906     Subject: [PATCH 030/142] winbind: Fix a memleak
2907    
2908     Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
2909     Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
2910     Reviewed-by: Volker Lendecke <vl@samba.org>
2911     Reviewed-by: Noel Power <noel.power@suse.com>
2912    
2913     Autobuild-User(master): Volker Lendecke <vl@samba.org>
2914     Autobuild-Date(master): Mon Sep 14 13:33:13 UTC 2020 on sn-devel-184
2915    
2916     (cherry picked from commit 8f868b0ea0b4795668f7bc0b028cd85686b249fb)
2917     ---
2918     source3/winbindd/winbindd_ads.c | 1 +
2919     1 file changed, 1 insertion(+)
2920    
2921     diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
2922     index 556b4523866..325ba1abd82 100644
2923     --- a/source3/winbindd/winbindd_ads.c
2924     +++ b/source3/winbindd/winbindd_ads.c
2925     @@ -405,6 +405,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
2926     DBG_NOTICE("ads query_user_list gave %d entries\n", count);
2927    
2928     done:
2929     + ads_msgfree(ads, res);
2930     return status;
2931     }
2932    
2933     --
2934     2.39.0
2935    
2936    
2937     From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
2938     From: Andreas Schneider <asn@samba.org>
2939     Date: Mon, 17 Aug 2020 13:39:58 +0200
2940     Subject: [PATCH 031/142] s3:tests: Add test for 'valid users = DOMAIN\%U'
2941    
2942     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
2943    
2944     Signed-off-by: Andreas Schneider <asn@samba.org>
2945     Reviewed-by: Ralph Boehme <slow@samba.org>
2946     (cherry picked from commit 53b6dd951249052772e1ffcf651b7efd0963b931)
2947     (cherry picked from commit 20d3cf455c631c6cea6d471333779cc15d0e8d8a)
2948     ---
2949     selftest/knownfail.d/samba3.substiutions | 1 +
2950     selftest/target/Samba3.pm | 4 ++++
2951     source3/script/tests/test_substitutions.sh | 5 +++++
2952     3 files changed, 10 insertions(+)
2953     create mode 100644 selftest/knownfail.d/samba3.substiutions
2954    
2955     diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
2956     new file mode 100644
2957     index 00000000000..f116d3b2fcf
2958     --- /dev/null
2959     +++ b/selftest/knownfail.d/samba3.substiutions
2960     @@ -0,0 +1 @@
2961     +^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
2962     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
2963     index 75960dbc790..9e4da0e6a08 100755
2964     --- a/selftest/target/Samba3.pm
2965     +++ b/selftest/target/Samba3.pm
2966     @@ -423,6 +423,10 @@ sub setup_ad_member
2967     path = $share_dir/D_%D/u_%u/g_%g
2968     writeable = yes
2969    
2970     +[sub_valid_users]
2971     + path = $share_dir
2972     + valid users = ADDOMAIN/%U
2973     +
2974     ";
2975    
2976     my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
2977     diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
2978     index 1a46f11c85d..c813a8f9def 100755
2979     --- a/source3/script/tests/test_substitutions.sh
2980     +++ b/source3/script/tests/test_substitutions.sh
2981     @@ -34,4 +34,9 @@ SMB_UNC="//$SERVER/sub_dug2"
2982     test_smbclient "Test login to share with substitution (Dug)" \
2983     "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
2984    
2985     +SMB_UNC="//$SERVER/sub_valid_users"
2986     +
2987     +test_smbclient "Test login to share with substitution for valid users" \
2988     + "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
2989     +
2990     exit $failed
2991     --
2992     2.39.0
2993    
2994    
2995     From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
2996     From: Andreas Schneider <asn@samba.org>
2997     Date: Mon, 17 Aug 2020 14:12:48 +0200
2998     Subject: [PATCH 032/142] s3:smbd: Fix %U substitutions if it contains a domain
2999     name
3000    
3001     'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
3002     version.
3003    
3004     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
3005    
3006     Signed-off-by: Andreas Schneider <asn@samba.org>
3007     Reviewed-by: Ralph Boehme <slow@samba.org>
3008     (cherry picked from commit 5de7c91e6d4e98f438157a7675c8582cabdd828d)
3009     (cherry picked from commit 60ddb7b20071b00f0cd7f1cb818022220eb0c279)
3010     ---
3011     selftest/knownfail.d/samba3.substiutions | 1 -
3012     source3/smbd/share_access.c | 18 +++++++++++++++++-
3013     2 files changed, 17 insertions(+), 2 deletions(-)
3014     delete mode 100644 selftest/knownfail.d/samba3.substiutions
3015    
3016     diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
3017     deleted file mode 100644
3018     index f116d3b2fcf..00000000000
3019     --- a/selftest/knownfail.d/samba3.substiutions
3020     +++ /dev/null
3021     @@ -1 +0,0 @@
3022     -^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
3023     diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
3024     index 3cbf7f318a2..0705e197975 100644
3025     --- a/source3/smbd/share_access.c
3026     +++ b/source3/smbd/share_access.c
3027     @@ -79,7 +79,23 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
3028     enum lsa_SidType type;
3029    
3030     if (username != NULL) {
3031     - name = talloc_sub_basic(mem_ctx, username, domain, name);
3032     + size_t domain_len = strlen(domain);
3033     +
3034     + /* Check if username starts with domain name */
3035     + if (domain_len > 0) {
3036     + const char *sep = lp_winbind_separator();
3037     + int cmp = strncasecmp_m(username, domain, domain_len);
3038     + if (cmp == 0 && sep[0] == username[domain_len]) {
3039     + /* Move after the winbind separator */
3040     + domain_len += 1;
3041     + } else {
3042     + domain_len = 0;
3043     + }
3044     + }
3045     + name = talloc_sub_basic(mem_ctx,
3046     + username + domain_len,
3047     + domain,
3048     + name);
3049     }
3050     if (sharename != NULL) {
3051     name = talloc_string_sub(mem_ctx, name, "%S", sharename);
3052     --
3053     2.39.0
3054    
3055    
3056     From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
3057     From: Andreas Schneider <asn@samba.org>
3058     Date: Thu, 9 Jul 2020 11:48:26 +0200
3059     Subject: [PATCH 033/142] docs: Fix documentation for require_membership_of of
3060     pam_winbind
3061    
3062     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
3063    
3064     Signed-off-by: Andreas Schneider <asn@samba.org>
3065     Reviewed-by: Alexander Bokovoy <ab@samba.org>
3066     (cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
3067     ---
3068     docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
3069     1 file changed, 5 insertions(+), 3 deletions(-)
3070    
3071     diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
3072     index a9a227f1647..a61fb2d58e5 100644
3073     --- a/docs-xml/manpages/pam_winbind.8.xml
3074     +++ b/docs-xml/manpages/pam_winbind.8.xml
3075     @@ -84,9 +84,11 @@
3076     If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
3077     can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
3078     SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
3079     - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
3080     - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
3081     - user is a member of with <command>wbinfo --user-sids=SID</command>.
3082     + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
3083     + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
3084     + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
3085     + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
3086     + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
3087     </para>
3088    
3089     <para>
3090     --
3091     2.39.0
3092    
3093    
3094     From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
3095     From: Andreas Schneider <asn@samba.org>
3096     Date: Fri, 17 Jul 2020 12:14:16 +0200
3097     Subject: [PATCH 034/142] docs: Fix documentation for require_membership_of of
3098     pam_winbind.conf
3099    
3100     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
3101    
3102     Signed-off-by: Andreas Schneider <asn@samba.org>
3103     Reviewed-by: Isaac Boukris <iboukris@samba.org>
3104     (cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)
3105     ---
3106     docs-xml/manpages/pam_winbind.conf.5.xml | 9 ++++++---
3107     1 file changed, 6 insertions(+), 3 deletions(-)
3108    
3109     diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
3110     index fcac1ee7036..d81a0bd6eba 100644
3111     --- a/docs-xml/manpages/pam_winbind.conf.5.xml
3112     +++ b/docs-xml/manpages/pam_winbind.conf.5.xml
3113     @@ -69,9 +69,12 @@
3114     If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
3115     can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
3116     SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
3117     - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
3118     - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
3119     - user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
3120     + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
3121     + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
3122     + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
3123     + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
3124     + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
3125     + This setting is empty by default.
3126     </para>
3127     <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
3128     </listitem>
3129     --
3130     2.39.0
3131    
3132    
3133     From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
3134     From: Isaac Boukris <iboukris@gmail.com>
3135     Date: Thu, 11 Jun 2020 21:05:07 +0300
3136     Subject: [PATCH 035/142] Fix a typo in recent net man page changes
3137    
3138     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3139    
3140     Signed-off-by: Isaac Boukris <iboukris@samba.org>
3141     Reviewed-by: Andreas Schneider <asn@samba.org>
3142     (cherry picked from commit 4e51e832176a99f2a841c7a0d78fb0424f02956e)
3143     ---
3144     docs-xml/manpages/net.8.xml | 2 +-
3145     1 file changed, 1 insertion(+), 1 deletion(-)
3146    
3147     diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
3148     index 69e18df8b6c..9b1d4458acc 100644
3149     --- a/docs-xml/manpages/net.8.xml
3150     +++ b/docs-xml/manpages/net.8.xml
3151     @@ -470,7 +470,7 @@ joining the domain.
3152     </para>
3153    
3154     <para>
3155     -[FQDN] (ADS only) set the dnsHosName attribute during the join.
3156     +[FQDN] (ADS only) set the dnsHostName attribute during the join.
3157     The default format is netbiosname.dnsdomain.
3158     </para>
3159    
3160     --
3161     2.39.0
3162    
3163    
3164     From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
3165     From: Isaac Boukris <iboukris@gmail.com>
3166     Date: Tue, 16 Jun 2020 22:01:49 +0300
3167     Subject: [PATCH 036/142] selftest: add tests for binary
3168     msDS-AdditionalDnsHostName
3169    
3170     Like the short names added implicitly by Windows DC.
3171    
3172     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3173    
3174     Signed-off-by: Isaac Boukris <iboukris@samba.org>
3175     Reviewed-by: Andreas Schneider <asn@samba.org>
3176     (cherry picked from commit 4605d7aec5caf494a23f2c9800d6689f710ffbce)
3177     ---
3178     selftest/knownfail.d/binary_addl_hostname | 3 +++
3179     testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++
3180     2 files changed, 25 insertions(+)
3181     create mode 100644 selftest/knownfail.d/binary_addl_hostname
3182    
3183     diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
3184     new file mode 100644
3185     index 00000000000..559db1df507
3186     --- /dev/null
3187     +++ b/selftest/knownfail.d/binary_addl_hostname
3188     @@ -0,0 +1,3 @@
3189     +^samba4.blackbox.net_ads.dns alias1 check keytab
3190     +^samba4.blackbox.net_ads.dns alias2 check keytab
3191     +^samba4.blackbox.net_ads.addl short check keytab
3192     diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
3193     index 85257f445d8..eef4a31a6a7 100755
3194     --- a/testprogs/blackbox/test_net_ads.sh
3195     +++ b/testprogs/blackbox/test_net_ads.sh
3196     @@ -41,6 +41,11 @@ if [ -x "$BINDIR/ldbdel" ]; then
3197     ldbdel="$BINDIR/ldbdel"
3198     fi
3199    
3200     +ldbmodify="ldbmodify"
3201     +if [ -x "$BINDIR/ldbmodify" ]; then
3202     + ldbmodify="$BINDIR/ldbmodify"
3203     +fi
3204     +
3205     # Load test functions
3206     . `dirname $0`/subunit.sh
3207    
3208     @@ -217,12 +222,29 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
3209     testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3210     testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3211    
3212     +# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
3213     +short_alias_file="$PREFIX_ABS/short_alias_file"
3214     +printf 'short_alias\0$' > $short_alias_file
3215     +cat > $PREFIX_ABS/tmpldbmodify <<EOF
3216     +dn: CN=$HOSTNAME,$computers_dn
3217     +changetype: modify
3218     +add: msDS-AdditionalDnsHostName
3219     +msDS-AdditionalDnsHostName:< file://$short_alias_file
3220     +EOF
3221     +
3222     +testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
3223     +
3224     +testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3225     +
3226     +rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
3227     +
3228     dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
3229    
3230     testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3231    
3232     testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3233     testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3234     +testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3235    
3236     rm -f $dedicated_keytab_file
3237    
3238     --
3239     2.39.0
3240    
3241    
3242     From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
3243     From: Isaac Boukris <iboukris@gmail.com>
3244     Date: Thu, 11 Jun 2020 16:51:27 +0300
3245     Subject: [PATCH 037/142] Properly handle msDS-AdditionalDnsHostName returned
3246     from Windows DC
3247    
3248     Windows DC adds short names for each specified msDS-AdditionalDnsHostName
3249     attribute, but these have a suffix of "\0$" and thus fail with
3250     ldap_get_values(), use ldap_get_values_len() instead.
3251    
3252     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3253    
3254     Signed-off-by: Isaac Boukris <iboukris@samba.org>
3255     Reviewed-by: Andreas Schneider <asn@samba.org>
3256    
3257     Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
3258     Autobuild-Date(master): Thu Jun 18 16:43:47 UTC 2020 on sn-devel-184
3259    
3260     (cherry picked from commit 9a447fb7e0701bf8b2fd922aed44d89f40420251)
3261     ---
3262     selftest/knownfail.d/binary_addl_hostname | 3 --
3263     source3/libads/ldap.c | 38 +++++++++++++++++++++--
3264     2 files changed, 35 insertions(+), 6 deletions(-)
3265     delete mode 100644 selftest/knownfail.d/binary_addl_hostname
3266    
3267     diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
3268     deleted file mode 100644
3269     index 559db1df507..00000000000
3270     --- a/selftest/knownfail.d/binary_addl_hostname
3271     +++ /dev/null
3272     @@ -1,3 +0,0 @@
3273     -^samba4.blackbox.net_ads.dns alias1 check keytab
3274     -^samba4.blackbox.net_ads.dns alias2 check keytab
3275     -^samba4.blackbox.net_ads.addl short check keytab
3276     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
3277     index 02a628ee0e6..2684bba63ec 100644
3278     --- a/source3/libads/ldap.c
3279     +++ b/source3/libads/ldap.c
3280     @@ -3664,6 +3664,40 @@ out:
3281     /********************************************************************
3282     ********************************************************************/
3283    
3284     +static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3285     + LDAPMessage *msg, size_t *num_values)
3286     +{
3287     + const char *field = "msDS-AdditionalDnsHostName";
3288     + struct berval **values = NULL;
3289     + char **ret = NULL;
3290     + size_t i, converted_size;
3291     +
3292     + values = ldap_get_values_len(ads->ldap.ld, msg, field);
3293     + if (values == NULL) {
3294     + return NULL;
3295     + }
3296     +
3297     + *num_values = ldap_count_values_len(values);
3298     +
3299     + ret = talloc_array(mem_ctx, char *, *num_values + 1);
3300     + if (ret == NULL) {
3301     + ldap_value_free_len(values);
3302     + return NULL;
3303     + }
3304     +
3305     + for (i = 0; i < *num_values; i++) {
3306     + if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
3307     + &converted_size)) {
3308     + ldap_value_free_len(values);
3309     + return NULL;
3310     + }
3311     + }
3312     + ret[i] = NULL;
3313     +
3314     + ldap_value_free_len(values);
3315     + return ret;
3316     +}
3317     +
3318     ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
3319     ADS_STRUCT *ads,
3320     const char *machine_name,
3321     @@ -3689,9 +3723,7 @@ ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
3322     goto done;
3323     }
3324    
3325     - *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
3326     - "msDS-AdditionalDnsHostName",
3327     - num_hostnames);
3328     + *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
3329     if (*hostnames_array == NULL) {
3330     DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
3331     machine_name));
3332     --
3333     2.39.0
3334    
3335    
3336     From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
3337     From: Isaac Boukris <iboukris@gmail.com>
3338     Date: Sat, 20 Jun 2020 17:17:33 +0200
3339     Subject: [PATCH 038/142] Fix usage of ldap_get_values_len for
3340     msDS-AdditionalDnsHostName
3341    
3342     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3343    
3344     Signed-off-by: Isaac Boukris <iboukris@samba.org>
3345     Reviewed-by: Andreas Schneider <asn@samba.org>
3346    
3347     Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
3348     Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
3349    
3350     (cherry picked from commit f9dd67355ba35539d7ae1774d5135fd05d747b3f)
3351     ---
3352     source3/libads/ldap.c | 8 ++++++--
3353     1 file changed, 6 insertions(+), 2 deletions(-)
3354    
3355     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
3356     index 2684bba63ec..d1ce9cee2f0 100644
3357     --- a/source3/libads/ldap.c
3358     +++ b/source3/libads/ldap.c
3359     @@ -3686,8 +3686,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3360     }
3361    
3362     for (i = 0; i < *num_values; i++) {
3363     - if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
3364     - &converted_size)) {
3365     + ret[i] = NULL;
3366     + if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
3367     + values[i]->bv_val,
3368     + strnlen(values[i]->bv_val,
3369     + values[i]->bv_len),
3370     + &ret[i], &converted_size)) {
3371     ldap_value_free_len(values);
3372     return NULL;
3373     }
3374     --
3375     2.39.0
3376    
3377    
3378     From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001
3379     From: Isaac Boukris <iboukris@gmail.com>
3380     Date: Tue, 15 Dec 2020 15:17:04 +0100
3381     Subject: [PATCH 039/142] HACK:s3:winbind: Rely on the domain child for online
3382     check
3383    
3384     ---
3385     source3/winbindd/winbindd_cm.c | 9 +++++++++
3386     source3/winbindd/winbindd_dual.c | 3 +++
3387     2 files changed, 12 insertions(+)
3388    
3389     diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
3390     index 4bd03ed8b7a..502331f7260 100644
3391     --- a/source3/winbindd/winbindd_cm.c
3392     +++ b/source3/winbindd/winbindd_cm.c
3393     @@ -89,6 +89,8 @@
3394     #undef DBGC_CLASS
3395     #define DBGC_CLASS DBGC_WINBIND
3396    
3397     +extern bool wb_idmap_child;
3398     +
3399     struct dc_name_ip {
3400     fstring name;
3401     struct sockaddr_storage ss;
3402     @@ -176,6 +178,13 @@ static void msg_try_to_go_online(struct messaging_context *msg,
3403     continue;
3404     }
3405    
3406     + if (wb_child_domain() == NULL && !wb_idmap_child) {
3407     + DEBUG(5,("msg_try_to_go_online: domain %s "
3408     + "NOT CONNECTING IN MAIN PROCESS.\n", domainname));
3409     + domain->online = true;
3410     + continue;
3411     + }
3412     +
3413     /* This call takes care of setting the online
3414     flag to true if we connected, or re-adding
3415     the offline handler if false. Bypasses online
3416     diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
3417     index 6e3277e5529..35b76a367aa 100644
3418     --- a/source3/winbindd/winbindd_dual.c
3419     +++ b/source3/winbindd/winbindd_dual.c
3420     @@ -1612,6 +1612,8 @@ static void child_handler(struct tevent_context *ev, struct tevent_fd *fde,
3421     }
3422     }
3423    
3424     +bool wb_idmap_child;
3425     +
3426     static bool fork_domain_child(struct winbindd_child *child)
3427     {
3428     int fdpair[2];
3429     @@ -1715,6 +1717,7 @@ static bool fork_domain_child(struct winbindd_child *child)
3430     setproctitle("domain child [%s]", child_domain->name);
3431     } else if (child == idmap_child()) {
3432     setproctitle("idmap child");
3433     + wb_idmap_child = true;
3434     }
3435    
3436     /* Handle online/offline messages. */
3437     --
3438     2.39.0
3439    
3440    
3441     From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001
3442     From: Andreas Schneider <asn@samba.org>
3443     Date: Wed, 9 Sep 2020 16:00:52 +0200
3444     Subject: [PATCH 040/142] s3:smbd: Use fsp al the talloc memory context
3445    
3446     Somehow the lck pointer gets freed before we call TALLOC_FREE().
3447    
3448     Signed-off-by: Andreas Schneider <asn@samba.org>
3449     Reviewed-by: Guenther Deschner <gd@samba.org>
3450     Reviewed-by: Alexander Bokovoy <ab@samba.org>
3451     ---
3452     source3/smbd/open.c | 2 +-
3453     1 file changed, 1 insertion(+), 1 deletion(-)
3454    
3455     diff --git a/source3/smbd/open.c b/source3/smbd/open.c
3456     index de557f53a20..9a24e331ab1 100644
3457     --- a/source3/smbd/open.c
3458     +++ b/source3/smbd/open.c
3459     @@ -4239,7 +4239,7 @@ static NTSTATUS open_directory(connection_struct *conn,
3460     return NT_STATUS_ACCESS_DENIED;
3461     }
3462    
3463     - lck = get_share_mode_lock(talloc_tos(), fsp->file_id,
3464     + lck = get_share_mode_lock(fsp, fsp->file_id,
3465     conn->connectpath, smb_dname,
3466     &mtimespec);
3467    
3468     --
3469     2.39.0
3470    
3471    
3472     From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001
3473     From: Andreas Schneider <asn@samba.org>
3474     Date: Wed, 3 Feb 2021 12:58:31 +0100
3475     Subject: [PATCH 041/142] Revert "s3:smbd: Use fsp al the talloc memory
3476     context"
3477    
3478     This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
3479     ---
3480     source3/smbd/open.c | 2 +-
3481     1 file changed, 1 insertion(+), 1 deletion(-)
3482    
3483     diff --git a/source3/smbd/open.c b/source3/smbd/open.c
3484     index 9a24e331ab1..de557f53a20 100644
3485     --- a/source3/smbd/open.c
3486     +++ b/source3/smbd/open.c
3487     @@ -4239,7 +4239,7 @@ static NTSTATUS open_directory(connection_struct *conn,
3488     return NT_STATUS_ACCESS_DENIED;
3489     }
3490    
3491     - lck = get_share_mode_lock(fsp, fsp->file_id,
3492     + lck = get_share_mode_lock(talloc_tos(), fsp->file_id,
3493     conn->connectpath, smb_dname,
3494     &mtimespec);
3495    
3496     --
3497     2.39.0
3498    
3499    
3500     From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001
3501     From: Khem Raj <raj.khem@gmail.com>
3502     Date: Wed, 22 Jul 2020 22:42:09 -0700
3503     Subject: [PATCH 042/142] nsswitch/nsstest.c: Avoid nss function conflicts with
3504     glibc nss.h
3505    
3506     glibc 2.32 will define these varibles [1] which results in conflicts
3507     with these static function names, therefore prefix these function names
3508     with samba_ to avoid it
3509    
3510     [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=499a92df8b9fc64a054cf3b7f728f8967fc1da7d
3511    
3512     Signed-off-by: Khem Raj <raj.khem@gmail.com>
3513     Reviewed-by: Volker Lendecke <vl@samba.org>
3514     Reviewed-by: Noel Power <npower@samba.org>
3515    
3516     Autobuild-User(master): Noel Power <npower@samba.org>
3517     Autobuild-Date(master): Tue Jul 28 10:52:00 UTC 2020 on sn-devel-184
3518    
3519     (cherry picked from commit 6e496aa3635557b59792e469f7c7f8eccd822322)
3520     ---
3521     nsswitch/nsstest.c | 16 ++++++++--------
3522     1 file changed, 8 insertions(+), 8 deletions(-)
3523    
3524     diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
3525     index 6d92806cffc..46f96795f39 100644
3526     --- a/nsswitch/nsstest.c
3527     +++ b/nsswitch/nsstest.c
3528     @@ -137,7 +137,7 @@ static struct passwd *nss_getpwuid(uid_t uid)
3529     return &pwd;
3530     }
3531    
3532     -static void nss_setpwent(void)
3533     +static void samba_nss_setpwent(void)
3534     {
3535     NSS_STATUS (*_nss_setpwent)(void) =
3536     (NSS_STATUS(*)(void))find_fn("setpwent");
3537     @@ -152,7 +152,7 @@ static void nss_setpwent(void)
3538     }
3539     }
3540    
3541     -static void nss_endpwent(void)
3542     +static void samba_nss_endpwent(void)
3543     {
3544     NSS_STATUS (*_nss_endpwent)(void) =
3545     (NSS_STATUS (*)(void))find_fn("endpwent");
3546     @@ -284,7 +284,7 @@ again:
3547     return &grp;
3548     }
3549    
3550     -static void nss_setgrent(void)
3551     +static void samba_nss_setgrent(void)
3552     {
3553     NSS_STATUS (*_nss_setgrent)(void) =
3554     (NSS_STATUS (*)(void))find_fn("setgrent");
3555     @@ -299,7 +299,7 @@ static void nss_setgrent(void)
3556     }
3557     }
3558    
3559     -static void nss_endgrent(void)
3560     +static void samba_nss_endgrent(void)
3561     {
3562     NSS_STATUS (*_nss_endgrent)(void) =
3563     (NSS_STATUS (*)(void))find_fn("endgrent");
3564     @@ -396,7 +396,7 @@ static void nss_test_users(void)
3565     {
3566     struct passwd *pwd;
3567    
3568     - nss_setpwent();
3569     + samba_nss_setpwent();
3570     /* loop over all users */
3571     while ((pwd = nss_getpwent())) {
3572     printf("Testing user %s\n", pwd->pw_name);
3573     @@ -418,14 +418,14 @@ static void nss_test_users(void)
3574     printf("initgroups: "); nss_test_initgroups(pwd->pw_name, pwd->pw_gid);
3575     printf("\n");
3576     }
3577     - nss_endpwent();
3578     + samba_nss_endpwent();
3579     }
3580    
3581     static void nss_test_groups(void)
3582     {
3583     struct group *grp;
3584    
3585     - nss_setgrent();
3586     + samba_nss_setgrent();
3587     /* loop over all groups */
3588     while ((grp = nss_getgrent())) {
3589     printf("Testing group %s\n", grp->gr_name);
3590     @@ -446,7 +446,7 @@ static void nss_test_groups(void)
3591     printf("getgrgid: "); print_group(grp);
3592     printf("\n");
3593     }
3594     - nss_endgrent();
3595     + samba_nss_endgrent();
3596     }
3597    
3598     static void nss_test_errors(void)
3599     --
3600     2.39.0
3601    
3602    
3603     From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001
3604     From: Andreas Schneider <asn@samba.org>
3605     Date: Wed, 3 Feb 2021 10:30:08 +0100
3606     Subject: [PATCH 043/142] lib:util: Add basic memcache unit test
3607    
3608     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3609    
3610     Signed-off-by: Andreas Schneider <asn@samba.org>
3611     Reviewed-by: Ralph Boehme <slow@samba.org>
3612     (cherry picked from commit bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)
3613     ---
3614     lib/util/tests/test_memcache.c | 122 +++++++++++++++++++++++++++++++++
3615     lib/util/wscript_build | 6 ++
3616     selftest/tests.py | 2 +
3617     3 files changed, 130 insertions(+)
3618     create mode 100644 lib/util/tests/test_memcache.c
3619    
3620     diff --git a/lib/util/tests/test_memcache.c b/lib/util/tests/test_memcache.c
3621     new file mode 100644
3622     index 00000000000..8ea5e5b042e
3623     --- /dev/null
3624     +++ b/lib/util/tests/test_memcache.c
3625     @@ -0,0 +1,122 @@
3626     +/*
3627     + * Unix SMB/CIFS implementation.
3628     + *
3629     + * Copyright (C) 2021 Andreas Schneider <asn@samba.org>
3630     + *
3631     + * This program is free software; you can redistribute it and/or modify
3632     + * it under the terms of the GNU General Public License as published by
3633     + * the Free Software Foundation; either version 3 of the License, or
3634     + * (at your option) any later version.
3635     + *
3636     + * This program is distributed in the hope that it will be useful,
3637     + * but WITHOUT ANY WARRANTY; without even the implied warranty of
3638     + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3639     + * GNU General Public License for more details.
3640     + *
3641     + * You should have received a copy of the GNU General Public License
3642     + * along with this program. If not, see <http://www.gnu.org/licenses/>.
3643     + */
3644     +
3645     +#include <stdarg.h>
3646     +#include <stddef.h>
3647     +#include <stdint.h>
3648     +#include <setjmp.h>
3649     +#include <cmocka.h>
3650     +
3651     +#include "lib/replace/replace.h"
3652     +#include "lib/util/talloc_stack.h"
3653     +#include "lib/util/memcache.h"
3654     +
3655     +static int setup_talloc_context(void **state)
3656     +{
3657     + TALLOC_CTX *frame = talloc_stackframe();
3658     +
3659     + *state = frame;
3660     + return 0;
3661     +}
3662     +
3663     +static int teardown_talloc_context(void **state)
3664     +{
3665     + TALLOC_CTX *frame = *state;
3666     + TALLOC_FREE(frame);
3667     + return 0;
3668     +}
3669     +
3670     +static void torture_memcache_init(void **state)
3671     +{
3672     + TALLOC_CTX *mem_ctx = *state;
3673     + struct memcache *cache = NULL;
3674     +
3675     + cache = memcache_init(mem_ctx, 0);
3676     + assert_non_null(cache);
3677     +
3678     + TALLOC_FREE(cache);
3679     +
3680     + cache = memcache_init(mem_ctx, 10);
3681     + assert_non_null(cache);
3682     +
3683     + TALLOC_FREE(cache);
3684     +}
3685     +
3686     +static void torture_memcache_add_lookup_delete(void **state)
3687     +{
3688     + TALLOC_CTX *mem_ctx = *state;
3689     + struct memcache *cache = NULL;
3690     + DATA_BLOB key1, key2;
3691     + char *path1 = NULL, *path2 = NULL;
3692     +
3693     + cache = memcache_init(mem_ctx, 0);
3694     + assert_non_null(cache);
3695     +
3696     + key1 = data_blob_const("key1", 4);
3697     + path1 = talloc_strdup(mem_ctx, "/tmp/one");
3698     + assert_non_null(path1);
3699     +
3700     + key2 = data_blob_const("key2", 4);
3701     + path2 = talloc_strdup(mem_ctx, "/tmp/two");
3702     + assert_non_null(path1);
3703     +
3704     + memcache_add_talloc(cache, GETWD_CACHE, key1, &path1);
3705     + assert_null(path1);
3706     +
3707     + memcache_add_talloc(cache, GETWD_CACHE, key2, &path2);
3708     + assert_null(path2);
3709     +
3710     + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3711     + assert_non_null(path1);
3712     + assert_string_equal(path1, "/tmp/one");
3713     +
3714     + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3715     + assert_non_null(path2);
3716     + assert_string_equal(path2, "/tmp/two");
3717     +
3718     + memcache_delete(cache, GETWD_CACHE, key1);
3719     + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3720     + assert_null(path1);
3721     +
3722     + memcache_flush(cache, GETWD_CACHE);
3723     + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3724     + assert_null(path2);
3725     +
3726     + TALLOC_FREE(cache);
3727     +}
3728     +
3729     +int main(int argc, char *argv[])
3730     +{
3731     + int rc;
3732     + const struct CMUnitTest tests[] = {
3733     + cmocka_unit_test(torture_memcache_init),
3734     + cmocka_unit_test(torture_memcache_add_lookup_delete),
3735     + };
3736     +
3737     + if (argc == 2) {
3738     + cmocka_set_test_filter(argv[1]);
3739     + }
3740     + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
3741     +
3742     + rc = cmocka_run_group_tests(tests,
3743     + setup_talloc_context,
3744     + teardown_talloc_context);
3745     +
3746     + return rc;
3747     +}
3748     diff --git a/lib/util/wscript_build b/lib/util/wscript_build
3749     index fd3027eff77..229dbd5ef6a 100644
3750     --- a/lib/util/wscript_build
3751     +++ b/lib/util/wscript_build
3752     @@ -256,3 +256,9 @@ else:
3753     deps='cmocka replace talloc samba-util',
3754     local_include=False,
3755     install=False)
3756     +
3757     + bld.SAMBA_BINARY('test_memcache',
3758     + source='tests/test_memcache.c',
3759     + deps='cmocka replace talloc samba-util',
3760     + local_include=False,
3761     + install=False)
3762     diff --git a/selftest/tests.py b/selftest/tests.py
3763     index e7639c4da27..e3f7d9acb4a 100644
3764     --- a/selftest/tests.py
3765     +++ b/selftest/tests.py
3766     @@ -254,6 +254,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none",
3767     [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
3768     plantestsuite("samba.unittests.util_paths", "none",
3769     [os.path.join(bindir(), "default/lib/util/test_util_paths")])
3770     +plantestsuite("samba.unittests.memcache", "none",
3771     + [os.path.join(bindir(), "default/lib/util/test_memcache")])
3772     plantestsuite("samba.unittests.ntlm_check", "none",
3773     [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
3774     plantestsuite("samba.unittests.test_registry_regfio", "none",
3775     --
3776     2.39.0
3777    
3778    
3779     From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001
3780     From: Andreas Schneider <asn@samba.org>
3781     Date: Wed, 3 Feb 2021 10:37:12 +0100
3782     Subject: [PATCH 044/142] lib:util: Add cache oversize test for memcache
3783    
3784     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3785    
3786     Signed-off-by: Andreas Schneider <asn@samba.org>
3787     Reviewed-by: Ralph Boehme <slow@samba.org>
3788     (cherry picked from commit 00543ab3b29e3fbfe8314e51919629803e14ede6)
3789     ---
3790     lib/util/tests/test_memcache.c | 39 ++++++++++++++++++++++++++++++++++
3791     selftest/knownfail.d/memcache | 1 +
3792     2 files changed, 40 insertions(+)
3793     create mode 100644 selftest/knownfail.d/memcache
3794    
3795     diff --git a/lib/util/tests/test_memcache.c b/lib/util/tests/test_memcache.c
3796     index 8ea5e5b042e..8a3997817c1 100644
3797     --- a/lib/util/tests/test_memcache.c
3798     +++ b/lib/util/tests/test_memcache.c
3799     @@ -98,6 +98,44 @@ static void torture_memcache_add_lookup_delete(void **state)
3800     path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3801     assert_null(path2);
3802    
3803     + TALLOC_FREE(path1);
3804     + TALLOC_FREE(path2);
3805     + TALLOC_FREE(cache);
3806     +}
3807     +
3808     +static void torture_memcache_add_oversize(void **state)
3809     +{
3810     + TALLOC_CTX *mem_ctx = *state;
3811     + struct memcache *cache = NULL;
3812     + DATA_BLOB key1, key2;
3813     + char *path1 = NULL, *path2 = NULL;
3814     +
3815     + cache = memcache_init(mem_ctx, 10);
3816     + assert_non_null(cache);
3817     +
3818     + key1 = data_blob_const("key1", 4);
3819     + path1 = talloc_strdup(mem_ctx, "/tmp/one");
3820     + assert_non_null(path1);
3821     +
3822     + key2 = data_blob_const("key2", 4);
3823     + path2 = talloc_strdup(mem_ctx, "/tmp/two");
3824     + assert_non_null(path1);
3825     +
3826     + memcache_add_talloc(cache, GETWD_CACHE, key1, &path1);
3827     + assert_null(path1);
3828     +
3829     + memcache_add_talloc(cache, GETWD_CACHE, key2, &path2);
3830     + assert_null(path2);
3831     +
3832     + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3833     + assert_null(path1);
3834     +
3835     + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3836     + assert_non_null(path2);
3837     + assert_string_equal(path2, "/tmp/two");
3838     +
3839     + TALLOC_FREE(path1);
3840     + TALLOC_FREE(path2);
3841     TALLOC_FREE(cache);
3842     }
3843    
3844     @@ -107,6 +145,7 @@ int main(int argc, char *argv[])
3845     const struct CMUnitTest tests[] = {
3846     cmocka_unit_test(torture_memcache_init),
3847     cmocka_unit_test(torture_memcache_add_lookup_delete),
3848     + cmocka_unit_test(torture_memcache_add_oversize),
3849     };
3850    
3851     if (argc == 2) {
3852     diff --git a/selftest/knownfail.d/memcache b/selftest/knownfail.d/memcache
3853     new file mode 100644
3854     index 00000000000..0a74ace3003
3855     --- /dev/null
3856     +++ b/selftest/knownfail.d/memcache
3857     @@ -0,0 +1 @@
3858     +^samba.unittests.memcache.torture_memcache_add_oversize
3859     --
3860     2.39.0
3861    
3862    
3863     From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001
3864     From: Andreas Schneider <asn@samba.org>
3865     Date: Tue, 2 Feb 2021 18:10:38 +0100
3866     Subject: [PATCH 045/142] lib:util: Avoid free'ing our own pointer
3867     MIME-Version: 1.0
3868     Content-Type: text/plain; charset=UTF-8
3869     Content-Transfer-Encoding: 8bit
3870    
3871     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3872    
3873     Signed-off-by: Andreas Schneider <asn@samba.org>
3874     Reviewed-by: Ralph Boehme <slow@samba.org>
3875    
3876     Autobuild-User(master): Ralph Böhme <slow@samba.org>
3877     Autobuild-Date(master): Wed Feb 3 10:57:01 UTC 2021 on sn-devel-184
3878    
3879     (cherry picked from commit 0bdbe50fac680be3fe21043246b8c75005611351)
3880     ---
3881     lib/util/memcache.c | 19 +++++++++++++++----
3882     selftest/knownfail.d/memcache | 1 -
3883     2 files changed, 15 insertions(+), 5 deletions(-)
3884     delete mode 100644 selftest/knownfail.d/memcache
3885    
3886     diff --git a/lib/util/memcache.c b/lib/util/memcache.c
3887     index 1e616bd0e9a..7b0b27eaddb 100644
3888     --- a/lib/util/memcache.c
3889     +++ b/lib/util/memcache.c
3890     @@ -223,14 +223,25 @@ static void memcache_delete_element(struct memcache *cache,
3891     TALLOC_FREE(e);
3892     }
3893    
3894     -static void memcache_trim(struct memcache *cache)
3895     +static void memcache_trim(struct memcache *cache, struct memcache_element *e)
3896     {
3897     + struct memcache_element *tail = NULL;
3898     +
3899     if (cache->max_size == 0) {
3900     return;
3901     }
3902    
3903     - while ((cache->size > cache->max_size) && DLIST_TAIL(cache->mru)) {
3904     - memcache_delete_element(cache, DLIST_TAIL(cache->mru));
3905     + for (tail = DLIST_TAIL(cache->mru);
3906     + (cache->size > cache->max_size) && (tail != NULL);
3907     + tail = DLIST_TAIL(cache->mru))
3908     + {
3909     + if (tail == e) {
3910     + tail = DLIST_PREV(tail);
3911     + if (tail == NULL) {
3912     + break;
3913     + }
3914     + }
3915     + memcache_delete_element(cache, tail);
3916     }
3917     }
3918    
3919     @@ -351,7 +362,7 @@ void memcache_add(struct memcache *cache, enum memcache_number n,
3920     memcpy(&mtv, cache_value.data, sizeof(mtv));
3921     cache->size += mtv.len;
3922     }
3923     - memcache_trim(cache);
3924     + memcache_trim(cache, e);
3925     }
3926    
3927     void memcache_add_talloc(struct memcache *cache, enum memcache_number n,
3928     diff --git a/selftest/knownfail.d/memcache b/selftest/knownfail.d/memcache
3929     deleted file mode 100644
3930     index 0a74ace3003..00000000000
3931     --- a/selftest/knownfail.d/memcache
3932     +++ /dev/null
3933     @@ -1 +0,0 @@
3934     -^samba.unittests.memcache.torture_memcache_add_oversize
3935     --
3936     2.39.0
3937    
3938    
3939     From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001
3940     From: Jeremy Allison <jra@samba.org>
3941     Date: Thu, 5 Nov 2020 15:48:08 -0800
3942     Subject: [PATCH 046/142] s3: spoolss: Make parameters in call to
3943     user_ok_token() match all other uses.
3944    
3945     We already have p->session_info->unix_info->unix_name, we don't
3946     need to go through a legacy call to uidtoname(p->session_info->unix_token->uid).
3947    
3948     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
3949    
3950     Signed-off-by: Jeremy Allison <jra@samba.org>
3951     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3952    
3953     Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
3954     Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
3955    
3956     (cherry picked from commit e5e1759057a767f517bf480a2172a36623df2799)
3957     ---
3958     source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 ++-
3959     1 file changed, 2 insertions(+), 1 deletion(-)
3960    
3961     diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
3962     index f32b465afb6..c0f1803c2fa 100644
3963     --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
3964     +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
3965     @@ -1869,7 +1869,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
3966     return WERR_ACCESS_DENIED;
3967     }
3968    
3969     - if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL,
3970     + if (!user_ok_token(p->session_info->unix_info->unix_name,
3971     + p->session_info->info->domain_name,
3972     p->session_info->security_token, snum) ||
3973     !W_ERROR_IS_OK(print_access_check(p->session_info,
3974     p->msg_ctx,
3975     --
3976     2.39.0
3977    
3978    
3979     From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001
3980     From: Andreas Schneider <asn@samba.org>
3981     Date: Wed, 11 Nov 2020 13:42:06 +0100
3982     Subject: [PATCH 047/142] s3:smbd: Fix possible null pointer dereference in
3983     token_contains_name()
3984    
3985     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
3986    
3987     Signed-off-by: Andreas Schneider <asn@samba.org>
3988     Reviewed-by: Alexander Bokovoy <ab@samba.org>
3989    
3990     Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
3991     Autobuild-Date(master): Thu Nov 12 15:13:47 UTC 2020 on sn-devel-184
3992    
3993     (cherry picked from commit 8036bf9717f83e83c3e4a9cf00fded42e9a5de15)
3994     ---
3995     source3/smbd/share_access.c | 2 +-
3996     1 file changed, 1 insertion(+), 1 deletion(-)
3997    
3998     diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
3999     index 0705e197975..64276c79fbe 100644
4000     --- a/source3/smbd/share_access.c
4001     +++ b/source3/smbd/share_access.c
4002     @@ -79,7 +79,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
4003     enum lsa_SidType type;
4004    
4005     if (username != NULL) {
4006     - size_t domain_len = strlen(domain);
4007     + size_t domain_len = domain != NULL ? strlen(domain) : 0;
4008    
4009     /* Check if username starts with domain name */
4010     if (domain_len > 0) {
4011     --
4012     2.39.0
4013    
4014    
4015     From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001
4016     From: Volker Lendecke <vl@samba.org>
4017     Date: Sat, 20 Feb 2021 15:50:12 +0100
4018     Subject: [PATCH 048/142] passdb: Simplify sids_to_unixids()
4019    
4020     Best reviewed with "git show -b", there's a "continue" statement that
4021     changes subsequent indentation.
4022    
4023     Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED
4024    
4025     Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571
4026    
4027     Signed-off-by: Volker Lendecke <vl@samba.org>
4028     Reviewed-by: Jeremy Allison <jra@samba.org>
4029     ---
4030     source3/passdb/lookup_sid.c | 123 +++++++++++++++++++++++++++++-------
4031     1 file changed, 101 insertions(+), 22 deletions(-)
4032    
4033     diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
4034     index 1bb15ccb8b4..186ba17fda6 100644
4035     --- a/source3/passdb/lookup_sid.c
4036     +++ b/source3/passdb/lookup_sid.c
4037     @@ -29,6 +29,7 @@
4038     #include "../libcli/security/security.h"
4039     #include "lib/winbind_util.h"
4040     #include "../librpc/gen_ndr/idmap.h"
4041     +#include "lib/util/bitmap.h"
4042    
4043     static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
4044     {
4045     @@ -1247,7 +1248,9 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4046     {
4047     struct wbcDomainSid *wbc_sids = NULL;
4048     struct wbcUnixId *wbc_ids = NULL;
4049     + struct bitmap *found = NULL;
4050     uint32_t i, num_not_cached;
4051     + uint32_t wbc_ids_size = 0;
4052     wbcErr err;
4053     bool ret = false;
4054    
4055     @@ -1255,6 +1258,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4056     if (wbc_sids == NULL) {
4057     return false;
4058     }
4059     + found = bitmap_talloc(wbc_sids, num_sids);
4060     + if (found == NULL) {
4061     + goto fail;
4062     + }
4063     +
4064     + /*
4065     + * We go through the requested SID array three times.
4066     + * First time to look for global_sid_Unix_Users
4067     + * and global_sid_Unix_Groups SIDS, and to look
4068     + * for mappings cached in the idmap_cache.
4069     + *
4070     + * Use bitmap_set() to mark an ids[] array entry as
4071     + * being mapped.
4072     + */
4073    
4074     num_not_cached = 0;
4075    
4076     @@ -1266,17 +1283,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4077     &sids[i], &rid)) {
4078     ids[i].type = ID_TYPE_UID;
4079     ids[i].id = rid;
4080     + bitmap_set(found, i);
4081     continue;
4082     }
4083     if (sid_peek_check_rid(&global_sid_Unix_Groups,
4084     &sids[i], &rid)) {
4085     ids[i].type = ID_TYPE_GID;
4086     ids[i].id = rid;
4087     + bitmap_set(found, i);
4088     continue;
4089     }
4090     if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired)
4091     && !expired)
4092     {
4093     + bitmap_set(found, i);
4094     continue;
4095     }
4096     ids[i].type = ID_TYPE_NOT_SPECIFIED;
4097     @@ -1287,62 +1307,121 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4098     if (num_not_cached == 0) {
4099     goto done;
4100     }
4101     - wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, num_not_cached);
4102     +
4103     + /*
4104     + * For the ones that we couldn't map in the loop above, query winbindd
4105     + * via wbcSidsToUnixIds().
4106     + */
4107     +
4108     + wbc_ids_size = num_not_cached;
4109     + wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, wbc_ids_size);
4110     if (wbc_ids == NULL) {
4111     goto fail;
4112     }
4113     - for (i=0; i<num_not_cached; i++) {
4114     + for (i=0; i<wbc_ids_size; i++) {
4115     wbc_ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
4116     + wbc_ids[i].id.gid = (uint32_t)-1;
4117     }
4118     - err = wbcSidsToUnixIds(wbc_sids, num_not_cached, wbc_ids);
4119     + err = wbcSidsToUnixIds(wbc_sids, wbc_ids_size, wbc_ids);
4120     if (!WBC_ERROR_IS_OK(err)) {
4121     DEBUG(10, ("wbcSidsToUnixIds returned %s\n",
4122     wbcErrorString(err)));
4123     }
4124    
4125     + /*
4126     + * Second time through the SID array, replace
4127     + * the ids[] entries that wbcSidsToUnixIds() was able to
4128     + * map.
4129     + *
4130     + * Use bitmap_set() to mark an ids[] array entry as
4131     + * being mapped.
4132     + */
4133     +
4134     num_not_cached = 0;
4135    
4136     for (i=0; i<num_sids; i++) {
4137     - if (ids[i].type == ID_TYPE_NOT_SPECIFIED) {
4138     - switch (wbc_ids[num_not_cached].type) {
4139     - case WBC_ID_TYPE_UID:
4140     - ids[i].type = ID_TYPE_UID;
4141     - ids[i].id = wbc_ids[num_not_cached].id.uid;
4142     - break;
4143     - case WBC_ID_TYPE_GID:
4144     - ids[i].type = ID_TYPE_GID;
4145     - ids[i].id = wbc_ids[num_not_cached].id.gid;
4146     - break;
4147     - default:
4148     - /* The types match, and wbcUnixId -> id is a union anyway */
4149     - ids[i].type = (enum id_type)wbc_ids[num_not_cached].type;
4150     - ids[i].id = wbc_ids[num_not_cached].id.gid;
4151     - break;
4152     - }
4153     - num_not_cached += 1;
4154     + if (bitmap_query(found, i)) {
4155     + continue;
4156     }
4157     +
4158     + SMB_ASSERT(num_not_cached < wbc_ids_size);
4159     +
4160     + switch (wbc_ids[num_not_cached].type) {
4161     + case WBC_ID_TYPE_UID:
4162     + ids[i].type = ID_TYPE_UID;
4163     + ids[i].id = wbc_ids[num_not_cached].id.uid;
4164     + bitmap_set(found, i);
4165     + break;
4166     + case WBC_ID_TYPE_GID:
4167     + ids[i].type = ID_TYPE_GID;
4168     + ids[i].id = wbc_ids[num_not_cached].id.gid;
4169     + bitmap_set(found, i);
4170     + break;
4171     + case WBC_ID_TYPE_BOTH:
4172     + ids[i].type = ID_TYPE_BOTH;
4173     + ids[i].id = wbc_ids[num_not_cached].id.uid;
4174     + bitmap_set(found, i);
4175     + break;
4176     + case WBC_ID_TYPE_NOT_SPECIFIED:
4177     + /*
4178     + * wbcSidsToUnixIds() wasn't able to map this
4179     + * so we still need to check legacy_sid_to_XXX()
4180     + * below. Don't mark the bitmap entry
4181     + * as being found so the final loop knows
4182     + * to try and map this entry.
4183     + */
4184     + ids[i].type = ID_TYPE_NOT_SPECIFIED;
4185     + ids[i].id = (uint32_t)-1;
4186     + break;
4187     + default:
4188     + /*
4189     + * A successful return from wbcSidsToUnixIds()
4190     + * cannot return anything other than the values
4191     + * checked for above. Ensure this is so.
4192     + */
4193     + smb_panic(__location__);
4194     + break;
4195     + }
4196     + num_not_cached += 1;
4197     }
4198    
4199     + /*
4200     + * Third and final time through the SID array,
4201     + * try legacy_sid_to_gid()/legacy_sid_to_uid()
4202     + * for entries we haven't already been able to
4203     + * map.
4204     + *
4205     + * Use bitmap_set() to mark an ids[] array entry as
4206     + * being mapped.
4207     + */
4208     +
4209     for (i=0; i<num_sids; i++) {
4210     - if (ids[i].type != ID_TYPE_NOT_SPECIFIED) {
4211     + if (bitmap_query(found, i)) {
4212     continue;
4213     }
4214     if (legacy_sid_to_gid(&sids[i], &ids[i].id)) {
4215     ids[i].type = ID_TYPE_GID;
4216     + bitmap_set(found, i);
4217     continue;
4218     }
4219     if (legacy_sid_to_uid(&sids[i], &ids[i].id)) {
4220     ids[i].type = ID_TYPE_UID;
4221     + bitmap_set(found, i);
4222     continue;
4223     }
4224     }
4225     done:
4226     + /*
4227     + * Pass through the return array for consistency.
4228     + * Any ids[].id mapped to (uint32_t)-1 must be returned
4229     + * as ID_TYPE_NOT_SPECIFIED.
4230     + */
4231     for (i=0; i<num_sids; i++) {
4232     switch(ids[i].type) {
4233     case WBC_ID_TYPE_GID:
4234     case WBC_ID_TYPE_UID:
4235     case WBC_ID_TYPE_BOTH:
4236     - if (ids[i].id == -1) {
4237     + if (ids[i].id == (uint32_t)-1) {
4238     ids[i].type = ID_TYPE_NOT_SPECIFIED;
4239     }
4240     break;
4241     --
4242     2.39.0
4243    
4244    
4245     From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001
4246     From: Stefan Metzmacher <metze@samba.org>
4247     Date: Thu, 24 Nov 2016 09:12:59 +0100
4248     Subject: [PATCH 049/142] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
4249     non spnego authentication if we require kerberos
4250    
4251     We should not send NTLM[v2] data on the wire if the user asked for kerberos
4252     only.
4253    
4254     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
4255    
4256     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4257     ---
4258     source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
4259     1 file changed, 14 insertions(+)
4260    
4261     diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
4262     index 6ee4929e8d7..a0a1f4baa56 100644
4263     --- a/source4/libcli/smb_composite/sesssetup.c
4264     +++ b/source4/libcli/smb_composite/sesssetup.c
4265     @@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4266     struct composite_context *c;
4267     struct sesssetup_state *state;
4268     NTSTATUS status;
4269     + enum credentials_use_kerberos krb5_state =
4270     + cli_credentials_get_kerberos_state(io->in.credentials);
4271    
4272     c = composite_create(session, session->transport->ev);
4273     if (c == NULL) return NULL;
4274     @@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4275    
4276     /* no session setup at all in earliest protocol varients */
4277     if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
4278     + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4279     + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4280     + return c;
4281     + }
4282     ZERO_STRUCT(io->out);
4283     composite_done(c);
4284     return c;
4285     @@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4286    
4287     /* see what session setup interface we will use */
4288     if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
4289     + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4290     + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4291     + return c;
4292     + }
4293     status = session_setup_old(c, session, io, &state->req);
4294     } else if (!session->transport->options.use_spnego ||
4295     !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
4296     + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4297     + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4298     + return c;
4299     + }
4300     status = session_setup_nt1(c, session, io, &state->req);
4301     } else {
4302     struct tevent_req *subreq = NULL;
4303     --
4304     2.39.0
4305    
4306    
4307     From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001
4308     From: Stefan Metzmacher <metze@samba.org>
4309     Date: Thu, 27 Oct 2016 10:40:28 +0200
4310     Subject: [PATCH 050/142] CVE-2016-2124: s3:libsmb: don't fallback to non
4311     spnego authentication if we require kerberos
4312    
4313     We should not send NTLM[v2] nor plaintext data on the wire if the user
4314     asked for kerberos only.
4315    
4316     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
4317    
4318     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4319     ---
4320     source3/libsmb/cliconnect.c | 7 +++++++
4321     1 file changed, 7 insertions(+)
4322    
4323     diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
4324     index 9bba2665663..9a69d4b7217 100644
4325     --- a/source3/libsmb/cliconnect.c
4326     +++ b/source3/libsmb/cliconnect.c
4327     @@ -1455,6 +1455,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
4328     return req;
4329     }
4330    
4331     + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4332     + DBG_WARNING("Kerberos authentication requested, but "
4333     + "the server does not support SPNEGO authentication\n");
4334     + tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4335     + return tevent_req_post(req, ev);
4336     + }
4337     +
4338     if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
4339     /*
4340     * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
4341     --
4342     2.39.0
4343    
4344    
4345     From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001
4346     From: Ralph Boehme <slow@samba.org>
4347     Date: Sat, 18 Jan 2020 08:06:45 +0100
4348     Subject: [PATCH 051/142] s3/auth: use set_current_user_info() in
4349     auth3_generate_session_info_pac()
4350    
4351     This delays reloading config slightly, but I don't see how could affect
4352     observable behaviour other then log messages coming from the functions in
4353     between the different locations for lp_load_with_shares() like
4354     make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
4355    
4356     Signed-off-by: Ralph Boehme <slow@samba.org>
4357     Reviewed-by: Andreas Schneider <asn@samba.org>
4358     (cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)
4359    
4360     [scabrero@samba.org Prerequisite for CVE-2020-25717 backport]
4361     ---
4362     source3/auth/auth_generic.c | 14 ++++++++------
4363     1 file changed, 8 insertions(+), 6 deletions(-)
4364    
4365     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
4366     index 167d4e00367..0e9c423efef 100644
4367     --- a/source3/auth/auth_generic.c
4368     +++ b/source3/auth/auth_generic.c
4369     @@ -159,12 +159,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
4370     }
4371     }
4372    
4373     - /* setup the string used by %U */
4374     - sub_set_smb_name(username);
4375     -
4376     - /* reload services so that the new %U is taken into account */
4377     - lp_load_with_shares(get_dyn_CONFIGFILE());
4378     -
4379     status = make_session_info_krb5(mem_ctx,
4380     ntuser, ntdomain, username, pw,
4381     info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
4382     @@ -176,6 +170,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
4383     goto done;
4384     }
4385    
4386     + /* setup the string used by %U */
4387     + set_current_user_info((*session_info)->unix_info->sanitized_username,
4388     + (*session_info)->unix_info->unix_name,
4389     + (*session_info)->info->domain_name);
4390     +
4391     + /* reload services so that the new %U is taken into account */
4392     + lp_load_with_shares(get_dyn_CONFIGFILE());
4393     +
4394     DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
4395     ntuser, ntdomain, rhost));
4396    
4397     --
4398     2.39.0
4399    
4400    
4401     From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001
4402     From: Samuel Cabrero <scabrero@suse.de>
4403     Date: Thu, 4 Nov 2021 11:51:08 +0100
4404     Subject: [PATCH 052/142] selftest: Fix ktest usermap file
4405    
4406     The user was not mapped:
4407    
4408     user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
4409     The user 'KTEST/administrator' has no mapping. Skip it next time.
4410    
4411     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
4412    
4413     [scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user
4414     has to be mapped]
4415     ---
4416     selftest/target/Samba3.pm | 2 +-
4417     1 file changed, 1 insertion(+), 1 deletion(-)
4418    
4419     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
4420     index 9e4da0e6a08..2eb5003112e 100755
4421     --- a/selftest/target/Samba3.pm
4422     +++ b/selftest/target/Samba3.pm
4423     @@ -1124,7 +1124,7 @@ sub setup_ktest
4424    
4425     open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
4426     print USERMAP "
4427     -$ret->{USERNAME} = KTEST\\Administrator
4428     +$ret->{USERNAME} = KTEST/Administrator
4429     ";
4430     close(USERMAP);
4431    
4432     --
4433     2.39.0
4434    
4435    
4436     From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001
4437     From: Stefan Metzmacher <metze@samba.org>
4438     Date: Tue, 5 Oct 2021 16:42:00 +0200
4439     Subject: [PATCH 053/142] selftest/Samba3: replace (winbindd => "yes",
4440     skip_wait => 1) with (winbindd => "offline")
4441    
4442     This is much more flexible and concentrates the logic in a single place.
4443    
4444     We'll use winbindd => "offline" in other places soon.
4445    
4446     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
4447     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
4448    
4449     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4450     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4451     (cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
4452     (cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d)
4453    
4454     [scabrero@samba.org Backported to 4.10]
4455     ---
4456     selftest/target/Samba3.pm | 10 +++++++---
4457     1 file changed, 7 insertions(+), 3 deletions(-)
4458    
4459     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
4460     index 2eb5003112e..bbbefea44b7 100755
4461     --- a/selftest/target/Samba3.pm
4462     +++ b/selftest/target/Samba3.pm
4463     @@ -1333,7 +1333,7 @@ sub check_or_start($$$$$) {
4464    
4465     $ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd";
4466    
4467     - if ($winbindd ne "yes") {
4468     + if ($winbindd ne "yes" and $winbindd ne "offline") {
4469     $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
4470     my $signame = shift;
4471     print("Skip winbindd received signal $signame");
4472     @@ -2564,13 +2564,17 @@ sub wait_for_start($$$$$)
4473     }
4474     }
4475    
4476     - if ($winbindd eq "yes") {
4477     + if ($winbindd eq "yes" or $winbindd eq "offline") {
4478     print "checking for winbindd\n";
4479     my $count = 0;
4480     $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
4481     $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
4482     $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
4483     - $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
4484     + if ($winbindd eq "yes") {
4485     + $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
4486     + } elsif ($winbindd eq "offline") {
4487     + $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping";
4488     + }
4489    
4490     do {
4491     if ($ret != 0) {
4492     --
4493     2.39.0
4494    
4495    
4496     From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001
4497     From: Stefan Metzmacher <metze@samba.org>
4498     Date: Fri, 22 Oct 2021 16:20:36 +0200
4499     Subject: [PATCH 054/142] CVE-2020-25719 CVE-2020-25717: selftest: remove
4500     "gensec:require_pac" settings
4501    
4502     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
4503     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4504    
4505     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4506     ---
4507     selftest/selftest.pl | 2 --
4508     selftest/target/Samba4.pm | 2 --
4509     2 files changed, 4 deletions(-)
4510    
4511     diff --git a/selftest/selftest.pl b/selftest/selftest.pl
4512     index f2968139cfd..8c273951ab3 100755
4513     --- a/selftest/selftest.pl
4514     +++ b/selftest/selftest.pl
4515     @@ -637,8 +637,6 @@ sub write_clientconf($$$)
4516     client lanman auth = Yes
4517     log level = 1
4518     torture:basedir = $clientdir
4519     -#We don't want to pass our self-tests if the PAC code is wrong
4520     - gensec:require_pac = true
4521     #We don't want to run 'speed' tests for very long
4522     torture:timelimit = 1
4523     winbind separator = /
4524     diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
4525     index a7a6c4c9587..0f644661176 100755
4526     --- a/selftest/target/Samba4.pm
4527     +++ b/selftest/target/Samba4.pm
4528     @@ -777,8 +777,6 @@ sub provision_raw_step1($$)
4529     notify:inotify = false
4530     ldb:nosync = true
4531     ldap server require strong auth = yes
4532     -#We don't want to pass our self-tests if the PAC code is wrong
4533     - gensec:require_pac = true
4534     log file = $ctx->{logdir}/log.\%m
4535     log level = $ctx->{server_loglevel}
4536     lanman auth = Yes
4537     --
4538     2.39.0
4539    
4540    
4541     From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001
4542     From: Stefan Metzmacher <metze@samba.org>
4543     Date: Mon, 4 Oct 2021 17:29:34 +0200
4544     Subject: [PATCH 055/142] CVE-2020-25717: s3:winbindd: make sure we default to
4545     r->out.authoritative = true
4546    
4547     We need to make sure that temporary failures don't trigger a fallback
4548     to the local SAM that silently ignores the domain name part for users.
4549    
4550     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4551    
4552     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4553    
4554     [scabrero@samba.org Backported for 4.10 due to no logon_id for
4555     log_authentication() neither is_allowed_domain()]
4556     ---
4557     source3/winbindd/winbindd_dual_srv.c | 7 +++++++
4558     source3/winbindd/winbindd_irpc.c | 7 +++++++
4559     source3/winbindd/winbindd_pam.c | 13 ++++++++++---
4560     source3/winbindd/winbindd_pam_auth_crap.c | 9 ++++++++-
4561     source3/winbindd/winbindd_util.c | 7 +++++++
4562     5 files changed, 39 insertions(+), 4 deletions(-)
4563    
4564     diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
4565     index ab14f5d51a0..0842241e02e 100644
4566     --- a/source3/winbindd/winbindd_dual_srv.c
4567     +++ b/source3/winbindd/winbindd_dual_srv.c
4568     @@ -928,6 +928,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
4569     union netr_Validation *validation = NULL;
4570     bool interactive = false;
4571    
4572     + /*
4573     + * Make sure we start with authoritative=true,
4574     + * it will only set to false if we don't know the
4575     + * domain.
4576     + */
4577     + r->out.authoritative = true;
4578     +
4579     domain = wb_child_domain();
4580     if (domain == NULL) {
4581     return NT_STATUS_REQUEST_NOT_ACCEPTED;
4582     diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
4583     index 8cbb0b93086..45615c2dc47 100644
4584     --- a/source3/winbindd/winbindd_irpc.c
4585     +++ b/source3/winbindd/winbindd_irpc.c
4586     @@ -143,6 +143,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
4587     const char *target_domain_name = NULL;
4588     const char *account_name = NULL;
4589    
4590     + /*
4591     + * Make sure we start with authoritative=true,
4592     + * it will only set to false if we don't know the
4593     + * domain.
4594     + */
4595     + req->out.authoritative = true;
4596     +
4597     switch (req->in.logon_level) {
4598     case NetlogonInteractiveInformation:
4599     case NetlogonServiceInformation:
4600     diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
4601     index 35018fbe284..deed81d0a79 100644
4602     --- a/source3/winbindd/winbindd_pam.c
4603     +++ b/source3/winbindd/winbindd_pam.c
4604     @@ -1703,7 +1703,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
4605     unsigned char local_nt_response[24];
4606     fstring name_namespace, name_domain, name_user;
4607     NTSTATUS result;
4608     - uint8_t authoritative = 0;
4609     + uint8_t authoritative = 1;
4610     uint32_t flags = 0;
4611     uint16_t validation_level;
4612     union netr_Validation *validation = NULL;
4613     @@ -2238,6 +2238,13 @@ done:
4614     result = NT_STATUS_NO_LOGON_SERVERS;
4615     }
4616    
4617     + /*
4618     + * Here we don't alter
4619     + * state->response->data.auth.authoritative based
4620     + * on the servers response
4621     + * as we don't want a fallback to the local sam
4622     + * for interactive PAM logons
4623     + */
4624     set_auth_errors(state->response, result);
4625    
4626     DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
4627     @@ -2420,7 +2427,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
4628     const char *name_user = NULL;
4629     const char *name_domain = NULL;
4630     const char *workstation;
4631     - uint8_t authoritative = 0;
4632     + uint8_t authoritative = 1;
4633     uint32_t flags = 0;
4634     uint16_t validation_level;
4635     union netr_Validation *validation = NULL;
4636     @@ -2482,7 +2489,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
4637     &validation_level,
4638     &validation);
4639     if (!NT_STATUS_IS_OK(result)) {
4640     - state->response->data.auth.authoritative = authoritative;
4641     goto done;
4642     }
4643    
4644     @@ -2526,6 +2532,7 @@ done:
4645     }
4646    
4647     set_auth_errors(state->response, result);
4648     + state->response->data.auth.authoritative = authoritative;
4649    
4650     return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
4651     }
4652     diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
4653     index b7912db43df..40cab81b5ea 100644
4654     --- a/source3/winbindd/winbindd_pam_auth_crap.c
4655     +++ b/source3/winbindd/winbindd_pam_auth_crap.c
4656     @@ -24,6 +24,7 @@
4657    
4658     struct winbindd_pam_auth_crap_state {
4659     struct winbindd_response *response;
4660     + bool authoritative;
4661     uint32_t flags;
4662     };
4663    
4664     @@ -45,7 +46,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
4665     if (req == NULL) {
4666     return NULL;
4667     }
4668     -
4669     + state->authoritative = true;
4670     state->flags = request->flags;
4671    
4672     if (state->flags & WBFLAG_PAM_AUTH_PAC) {
4673     @@ -124,6 +125,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
4674    
4675     domain = find_auth_domain(request->flags, auth_domain);
4676     if (domain == NULL) {
4677     + /*
4678     + * We don't know the domain so
4679     + * we're not authoritative
4680     + */
4681     + state->authoritative = false;
4682     tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
4683     return tevent_req_post(req, ev);
4684     }
4685     @@ -184,6 +190,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
4686    
4687     if (tevent_req_is_nterror(req, &status)) {
4688     set_auth_errors(response, status);
4689     + response->data.auth.authoritative = state->authoritative;
4690     return status;
4691     }
4692    
4693     diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
4694     index 3245c70bb8e..315eb366a52 100644
4695     --- a/source3/winbindd/winbindd_util.c
4696     +++ b/source3/winbindd/winbindd_util.c
4697     @@ -2062,6 +2062,13 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
4698    
4699     void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
4700     {
4701     + /*
4702     + * Make sure we start with authoritative=true,
4703     + * it will only set to false if we don't know the
4704     + * domain.
4705     + */
4706     + resp->data.auth.authoritative = true;
4707     +
4708     resp->data.auth.nt_status = NT_STATUS_V(result);
4709     fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
4710    
4711     --
4712     2.39.0
4713    
4714    
4715     From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001
4716     From: Stefan Metzmacher <metze@samba.org>
4717     Date: Mon, 4 Oct 2021 17:29:34 +0200
4718     Subject: [PATCH 056/142] CVE-2020-25717: s4:auth/ntlm: make sure
4719     auth_check_password() defaults to r->out.authoritative = true
4720    
4721     We need to make sure that temporary failures don't trigger a fallback
4722     to the local SAM that silently ignores the domain name part for users.
4723    
4724     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4725    
4726     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4727     ---
4728     source4/auth/ntlm/auth.c | 5 +++++
4729     1 file changed, 5 insertions(+)
4730    
4731     diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
4732     index 3a3fa7eaa59..f754bd5cd44 100644
4733     --- a/source4/auth/ntlm/auth.c
4734     +++ b/source4/auth/ntlm/auth.c
4735     @@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
4736     /*TODO: create a new event context here! */
4737     ev = auth_ctx->event_ctx;
4738    
4739     + /*
4740     + * We are authoritative by default
4741     + */
4742     + *pauthoritative = 1;
4743     +
4744     subreq = auth_check_password_send(mem_ctx,
4745     ev,
4746     auth_ctx,
4747     --
4748     2.39.0
4749    
4750    
4751     From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001
4752     From: Stefan Metzmacher <metze@samba.org>
4753     Date: Tue, 26 Oct 2021 17:42:41 +0200
4754     Subject: [PATCH 057/142] CVE-2020-25717: s4:torture: start with authoritative
4755     = 1
4756    
4757     This is not strictly needed, but makes it easier to audit
4758     that we don't miss important places.
4759    
4760     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4761    
4762     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4763     ---
4764     source4/torture/rpc/samlogon.c | 4 ++--
4765     source4/torture/rpc/schannel.c | 2 +-
4766     2 files changed, 3 insertions(+), 3 deletions(-)
4767    
4768     diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
4769     index e689dfd5e98..957cb410712 100644
4770     --- a/source4/torture/rpc/samlogon.c
4771     +++ b/source4/torture/rpc/samlogon.c
4772     @@ -1385,7 +1385,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
4773    
4774     union netr_LogonLevel logon;
4775     union netr_Validation validation;
4776     - uint8_t authoritative = 0;
4777     + uint8_t authoritative = 1;
4778     uint32_t flags = 0;
4779    
4780     ZERO_STRUCT(logon);
4781     @@ -1498,7 +1498,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
4782    
4783     union netr_LogonLevel logon;
4784     union netr_Validation validation;
4785     - uint8_t authoritative = 0;
4786     + uint8_t authoritative = 1;
4787     struct dcerpc_binding_handle *b = p->binding_handle;
4788    
4789     ZERO_STRUCT(a);
4790     diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
4791     index c237c82bbe7..72d0bf28fdd 100644
4792     --- a/source4/torture/rpc/schannel.c
4793     +++ b/source4/torture/rpc/schannel.c
4794     @@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
4795     struct netr_NetworkInfo ninfo;
4796     union netr_LogonLevel logon;
4797     union netr_Validation validation;
4798     - uint8_t authoritative = 0;
4799     + uint8_t authoritative = 1;
4800     uint32_t _flags = 0;
4801     DATA_BLOB names_blob, chal, lm_resp, nt_resp;
4802     int i;
4803     --
4804     2.39.0
4805    
4806    
4807     From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001
4808     From: Stefan Metzmacher <metze@samba.org>
4809     Date: Tue, 26 Oct 2021 17:42:41 +0200
4810     Subject: [PATCH 058/142] CVE-2020-25717: s4:smb_server: start with
4811     authoritative = 1
4812    
4813     This is not strictly needed, but makes it easier to audit
4814     that we don't miss important places.
4815    
4816     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4817    
4818     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4819     ---
4820     source4/smb_server/smb/sesssetup.c | 4 ++--
4821     1 file changed, 2 insertions(+), 2 deletions(-)
4822    
4823     diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
4824     index 13f13934412..5e817eecd4b 100644
4825     --- a/source4/smb_server/smb/sesssetup.c
4826     +++ b/source4/smb_server/smb/sesssetup.c
4827     @@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
4828     struct auth_session_info *session_info;
4829     struct smbsrv_session *smb_sess;
4830     NTSTATUS status;
4831     - uint8_t authoritative = 0;
4832     + uint8_t authoritative = 1;
4833     uint32_t flags;
4834    
4835     status = auth_check_password_recv(subreq, req, &user_info_dc,
4836     @@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
4837     struct auth_user_info_dc *user_info_dc = NULL;
4838     struct auth_session_info *session_info;
4839     struct smbsrv_session *smb_sess;
4840     - uint8_t authoritative = 0;
4841     + uint8_t authoritative = 1;
4842     uint32_t flags;
4843     NTSTATUS status;
4844    
4845     --
4846     2.39.0
4847    
4848    
4849     From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001
4850     From: Stefan Metzmacher <metze@samba.org>
4851     Date: Tue, 26 Oct 2021 17:42:41 +0200
4852     Subject: [PATCH 059/142] CVE-2020-25717: s4:auth_simple: start with
4853     authoritative = 1
4854    
4855     This is not strictly needed, but makes it easier to audit
4856     that we don't miss important places.
4857    
4858     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4859    
4860     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4861     ---
4862     source4/auth/ntlm/auth_simple.c | 2 +-
4863     1 file changed, 1 insertion(+), 1 deletion(-)
4864    
4865     diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
4866     index fcd9050979d..da8f094a838 100644
4867     --- a/source4/auth/ntlm/auth_simple.c
4868     +++ b/source4/auth/ntlm/auth_simple.c
4869     @@ -150,7 +150,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
4870     const struct tsocket_address *local_address = user_info->local_host;
4871     const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
4872     struct auth_user_info_dc *user_info_dc = NULL;
4873     - uint8_t authoritative = 0;
4874     + uint8_t authoritative = 1;
4875     uint32_t flags = 0;
4876     NTSTATUS nt_status;
4877    
4878     --
4879     2.39.0
4880    
4881    
4882     From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001
4883     From: Stefan Metzmacher <metze@samba.org>
4884     Date: Tue, 26 Oct 2021 17:42:41 +0200
4885     Subject: [PATCH 060/142] CVE-2020-25717: s3:ntlm_auth: start with
4886     authoritative = 1
4887    
4888     This is not strictly needed, but makes it easier to audit
4889     that we don't miss important places.
4890    
4891     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4892    
4893     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4894     ---
4895     source3/utils/ntlm_auth.c | 4 ++--
4896     source3/utils/ntlm_auth_diagnostics.c | 10 +++++-----
4897     2 files changed, 7 insertions(+), 7 deletions(-)
4898    
4899     diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
4900     index 36c32e4a3dc..3f70732a837 100644
4901     --- a/source3/utils/ntlm_auth.c
4902     +++ b/source3/utils/ntlm_auth.c
4903     @@ -1766,7 +1766,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
4904     TALLOC_FREE(mem_ctx);
4905    
4906     } else {
4907     - uint8_t authoritative = 0;
4908     + uint8_t authoritative = 1;
4909    
4910     if (!domain) {
4911     domain = smb_xstrdup(get_winbind_domain());
4912     @@ -2235,7 +2235,7 @@ static bool check_auth_crap(void)
4913     char *hex_lm_key;
4914     char *hex_user_session_key;
4915     char *error_string;
4916     - uint8_t authoritative = 0;
4917     + uint8_t authoritative = 1;
4918    
4919     setbuf(stdout, NULL);
4920    
4921     diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
4922     index 41591a8de33..fc0fc19bacb 100644
4923     --- a/source3/utils/ntlm_auth_diagnostics.c
4924     +++ b/source3/utils/ntlm_auth_diagnostics.c
4925     @@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
4926     DATA_BLOB lm_response = data_blob(NULL, 24);
4927     DATA_BLOB nt_response = data_blob(NULL, 24);
4928     DATA_BLOB session_key = data_blob(NULL, 16);
4929     - uint8_t authoritative = 0;
4930     + uint8_t authoritative = 1;
4931     uchar lm_key[8];
4932     uchar user_session_key[16];
4933     uchar lm_hash[16];
4934     @@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void)
4935     NTSTATUS nt_status;
4936     uint32_t flags = 0;
4937     DATA_BLOB nt_response = data_blob(NULL, 24);
4938     - uint8_t authoritative = 0;
4939     + uint8_t authoritative = 1;
4940     uchar lm_key[8];
4941     uchar lm_hash[16];
4942     uchar user_session_key[16];
4943     @@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void)
4944     uint32_t flags = 0;
4945     DATA_BLOB nt_response = data_blob(NULL, 24);
4946     DATA_BLOB session_key = data_blob(NULL, 16);
4947     - uint8_t authoritative = 0;
4948     + uint8_t authoritative = 1;
4949     uint8_t lm_key[8];
4950     uint8_t lm_hash[16];
4951     uint8_t user_session_key[16];
4952     @@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
4953     DATA_BLOB lmv2_response = data_blob_null;
4954     DATA_BLOB ntlmv2_session_key = data_blob_null;
4955     DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
4956     - uint8_t authoritative = 0;
4957     + uint8_t authoritative = 1;
4958     uchar user_session_key[16];
4959     DATA_BLOB chall = get_challenge();
4960     char *error_string;
4961     @@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which)
4962     char *password;
4963     smb_ucs2_t *nt_response_ucs2;
4964     size_t converted_size;
4965     - uint8_t authoritative = 0;
4966     + uint8_t authoritative = 1;
4967     uchar user_session_key[16];
4968     uchar lm_key[16];
4969     static const uchar zeros[8] = { 0, };
4970     --
4971     2.39.0
4972    
4973    
4974     From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001
4975     From: Stefan Metzmacher <metze@samba.org>
4976     Date: Tue, 26 Oct 2021 17:42:41 +0200
4977     Subject: [PATCH 061/142] CVE-2020-25717: s3:torture: start with authoritative
4978     = 1
4979    
4980     This is not strictly needed, but makes it easier to audit
4981     that we don't miss important places.
4982    
4983     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4984    
4985     Signed-off-by: Stefan Metzmacher <metze@samba.org>
4986    
4987     [scabrero@samba.org Backported to 4.10 due to missing commit
4988     a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
4989     of SMBOWFencrypt()]
4990     ---
4991     source3/torture/pdbtest.c | 2 +-
4992     1 file changed, 1 insertion(+), 1 deletion(-)
4993    
4994     diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
4995     index 64bc45e6a7c..48190e78bf8 100644
4996     --- a/source3/torture/pdbtest.c
4997     +++ b/source3/torture/pdbtest.c
4998     @@ -277,7 +277,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
4999     struct netr_SamInfo6 *info6_wbc = NULL;
5000     NTSTATUS status;
5001     bool ok;
5002     - uint8_t authoritative = 0;
5003     + uint8_t authoritative = 1;
5004    
5005     SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
5006     local_nt_response);
5007     --
5008     2.39.0
5009    
5010    
5011     From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001
5012     From: Stefan Metzmacher <metze@samba.org>
5013     Date: Tue, 26 Oct 2021 17:42:41 +0200
5014     Subject: [PATCH 062/142] CVE-2020-25717: s3:rpcclient: start with
5015     authoritative = 1
5016    
5017     This is not strictly needed, but makes it easier to audit
5018     that we don't miss important places.
5019    
5020     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5021    
5022     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5023     ---
5024     source3/rpcclient/cmd_netlogon.c | 2 +-
5025     1 file changed, 1 insertion(+), 1 deletion(-)
5026    
5027     diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
5028     index 631740562c6..30fa1ed7816 100644
5029     --- a/source3/rpcclient/cmd_netlogon.c
5030     +++ b/source3/rpcclient/cmd_netlogon.c
5031     @@ -496,7 +496,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
5032     uint32_t logon_param = 0;
5033     const char *workstation = NULL;
5034     struct netr_SamInfo3 *info3 = NULL;
5035     - uint8_t authoritative = 0;
5036     + uint8_t authoritative = 1;
5037     uint32_t flags = 0;
5038     uint16_t validation_level;
5039     union netr_Validation *validation = NULL;
5040     --
5041     2.39.0
5042    
5043    
5044     From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001
5045     From: Stefan Metzmacher <metze@samba.org>
5046     Date: Tue, 26 Oct 2021 17:42:41 +0200
5047     Subject: [PATCH 063/142] CVE-2020-25717: s3:auth: start with authoritative = 1
5048    
5049     This is not strictly needed, but makes it easier to audit
5050     that we don't miss important places.
5051    
5052     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5053    
5054     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5055    
5056     [scabrero@samba.org Backported to 4.10 due to missing commits
5057     7f75dec865256049e99f7fcf46317cd2d53e95d1 and
5058     434030ba711e677fdd167a255d05c1cd4db943b7]
5059     ---
5060     source3/auth/auth_generic.c | 2 +-
5061     source3/auth/auth_samba4.c | 2 +-
5062     2 files changed, 2 insertions(+), 2 deletions(-)
5063    
5064     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
5065     index 0e9c423efef..4ef2270cb34 100644
5066     --- a/source3/auth/auth_generic.c
5067     +++ b/source3/auth/auth_generic.c
5068     @@ -415,7 +415,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
5069     {
5070     NTSTATUS nt_status;
5071     void *server_info;
5072     - uint8_t authoritative = 0;
5073     + uint8_t authoritative = 1;
5074    
5075     if (auth_context->check_ntlm_password_send != NULL) {
5076     struct tevent_context *ev = NULL;
5077     diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
5078     index a71c75631d7..bf7ccb4348c 100644
5079     --- a/source3/auth/auth_samba4.c
5080     +++ b/source3/auth/auth_samba4.c
5081     @@ -118,7 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
5082     NTSTATUS nt_status;
5083     struct auth_user_info_dc *user_info_dc;
5084     struct auth4_context *auth4_context;
5085     - uint8_t authoritative = 0;
5086     + uint8_t authoritative = 1;
5087    
5088     nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
5089     if (!NT_STATUS_IS_OK(nt_status)) {
5090     --
5091     2.39.0
5092    
5093    
5094     From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001
5095     From: Stefan Metzmacher <metze@samba.org>
5096     Date: Tue, 26 Oct 2021 17:42:41 +0200
5097     Subject: [PATCH 064/142] CVE-2020-25717: auth/ntlmssp: start with
5098     authoritative = 1
5099    
5100     This is not strictly needed, but makes it easier to audit
5101     that we don't miss important places.
5102    
5103     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5104    
5105     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5106     ---
5107     auth/ntlmssp/ntlmssp_server.c | 2 +-
5108     1 file changed, 1 insertion(+), 1 deletion(-)
5109    
5110     diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
5111     index 140e89daeb1..eebada670be 100644
5112     --- a/auth/ntlmssp/ntlmssp_server.c
5113     +++ b/auth/ntlmssp/ntlmssp_server.c
5114     @@ -830,7 +830,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
5115     struct gensec_security *gensec_security = state->gensec_security;
5116     struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
5117     struct auth4_context *auth_context = gensec_security->auth_context;
5118     - uint8_t authoritative = 0;
5119     + uint8_t authoritative = 1;
5120     NTSTATUS status;
5121    
5122     status = auth_context->check_ntlm_password_recv(subreq,
5123     --
5124     2.39.0
5125    
5126    
5127     From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001
5128     From: Samuel Cabrero <scabrero@samba.org>
5129     Date: Tue, 28 Sep 2021 10:43:40 +0200
5130     Subject: [PATCH 065/142] CVE-2020-25717: loadparm: Add new parameter "min
5131     domain uid"
5132    
5133     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5134     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5135    
5136     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5137    
5138     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
5139     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5140    
5141     [abartlet@samba.org Backported from master/4.15 due to
5142     conflicts with other new parameters]
5143     ---
5144     docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++
5145     docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++
5146     lib/param/loadparm.c | 4 ++++
5147     source3/param/loadparm.c | 2 ++
5148     4 files changed, 27 insertions(+)
5149     create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
5150    
5151     diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
5152     new file mode 100644
5153     index 00000000000..46ae795d730
5154     --- /dev/null
5155     +++ b/docs-xml/smbdotconf/security/mindomainuid.xml
5156     @@ -0,0 +1,17 @@
5157     +<samba:parameter name="min domain uid"
5158     + type="integer"
5159     + context="G"
5160     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
5161     +<description>
5162     + <para>
5163     + The integer parameter specifies the minimum uid allowed when mapping a
5164     + local account to a domain account.
5165     + </para>
5166     +
5167     + <para>
5168     + Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
5169     + </para>
5170     +</description>
5171     +
5172     +<value type="default">1000</value>
5173     +</samba:parameter>
5174     diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
5175     index 1374040fb29..f70f11df757 100644
5176     --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
5177     +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
5178     @@ -80,6 +80,9 @@
5179     authoritative for a unix ID to SID mapping, so it must be set
5180     for each individually configured domain and for the default
5181     configuration. The configured ranges must be mutually disjoint.
5182     + </para>
5183     + <para>
5184     + Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
5185     </para></listitem>
5186     </varlistentry>
5187    
5188     @@ -115,4 +118,5 @@
5189     </programlisting>
5190    
5191     </description>
5192     +<related>min domain uid</related>
5193     </samba:parameter>
5194     diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
5195     index 4c3dfff24f3..4aa91f4d404 100644
5196     --- a/lib/param/loadparm.c
5197     +++ b/lib/param/loadparm.c
5198     @@ -3015,6 +3015,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
5199     lpcfg_do_global_parameter(
5200     lp_ctx, "ldap max search request size", "256000");
5201    
5202     + lpcfg_do_global_parameter(lp_ctx,
5203     + "min domain uid",
5204     + "1000");
5205     +
5206     for (i = 0; parm_table[i].label; i++) {
5207     if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
5208     lp_ctx->flags[i] |= FLAG_DEFAULT;
5209     diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
5210     index 0db44e92d19..57d1d909099 100644
5211     --- a/source3/param/loadparm.c
5212     +++ b/source3/param/loadparm.c
5213     @@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
5214     Globals.ldap_max_authenticated_request_size = 16777216;
5215     Globals.ldap_max_search_request_size = 256000;
5216    
5217     + Globals.min_domain_uid = 1000;
5218     +
5219     /* Now put back the settings that were set with lp_set_cmdline() */
5220     apply_lp_set_cmdline();
5221     }
5222     --
5223     2.39.0
5224    
5225    
5226     From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001
5227     From: Stefan Metzmacher <metze@samba.org>
5228     Date: Fri, 8 Oct 2021 19:57:18 +0200
5229     Subject: [PATCH 066/142] CVE-2020-25717: s3:auth: let
5230     auth3_generate_session_info_pac() forward the low level errors
5231    
5232     Mapping everything to ACCESS_DENIED makes it hard to debug problems,
5233     which may happen because of our more restrictive behaviour in future.
5234    
5235     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5236     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5237    
5238     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5239     ---
5240     source3/auth/auth_generic.c | 2 +-
5241     1 file changed, 1 insertion(+), 1 deletion(-)
5242    
5243     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
5244     index 4ef2270cb34..26a38f92b30 100644
5245     --- a/source3/auth/auth_generic.c
5246     +++ b/source3/auth/auth_generic.c
5247     @@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
5248     if (!NT_STATUS_IS_OK(status)) {
5249     DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
5250     nt_errstr(status)));
5251     - status = NT_STATUS_ACCESS_DENIED;
5252     + status = nt_status_squash(status);
5253     goto done;
5254     }
5255    
5256     --
5257     2.39.0
5258    
5259    
5260     From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001
5261     From: Samuel Cabrero <scabrero@samba.org>
5262     Date: Tue, 28 Sep 2021 10:45:11 +0200
5263     Subject: [PATCH 067/142] CVE-2020-25717: s3:auth: Check minimum domain uid
5264    
5265     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5266     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5267    
5268     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5269    
5270     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
5271     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5272     ---
5273     source3/auth/auth_util.c | 16 ++++++++++++++++
5274     1 file changed, 16 insertions(+)
5275    
5276     diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5277     index 8ff20c33759..8801d3f0f0b 100644
5278     --- a/source3/auth/auth_util.c
5279     +++ b/source3/auth/auth_util.c
5280     @@ -2078,6 +2078,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
5281     }
5282     }
5283     goto out;
5284     + } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
5285     + !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
5286     + /*
5287     + * !is_myname(domain) because when smbd starts tries to setup
5288     + * the guest user info, calling this function with nobody
5289     + * username. Nobody is usually uid 65535 but it can be changed
5290     + * to a regular user with 'guest account' parameter
5291     + */
5292     + nt_status = NT_STATUS_INVALID_TOKEN;
5293     + DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
5294     + "it does not meet 'min domain uid' "
5295     + "restriction (%u < %u): %s\n",
5296     + nt_domain, lp_winbind_separator(), nt_username,
5297     + pwd->pw_uid, lp_min_domain_uid(),
5298     + nt_errstr(nt_status));
5299     + goto out;
5300     }
5301    
5302     result = make_server_info(tmp_ctx);
5303     --
5304     2.39.0
5305    
5306    
5307     From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001
5308     From: Stefan Metzmacher <metze@samba.org>
5309     Date: Fri, 8 Oct 2021 17:40:30 +0200
5310     Subject: [PATCH 068/142] CVE-2020-25717: s3:auth: we should not try to
5311     autocreate the guest account
5312    
5313     We should avoid autocreation of users as much as possible.
5314    
5315     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5316     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5317    
5318     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5319     ---
5320     source3/auth/user_krb5.c | 2 +-
5321     1 file changed, 1 insertion(+), 1 deletion(-)
5322    
5323     diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
5324     index 8998f9c8f8a..074e8c7eb71 100644
5325     --- a/source3/auth/user_krb5.c
5326     +++ b/source3/auth/user_krb5.c
5327     @@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
5328     if (!fuser) {
5329     return NT_STATUS_NO_MEMORY;
5330     }
5331     - pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
5332     + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false);
5333     }
5334    
5335     /* extra sanity check that the guest account is valid */
5336     --
5337     2.39.0
5338    
5339    
5340     From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001
5341     From: Stefan Metzmacher <metze@samba.org>
5342     Date: Fri, 8 Oct 2021 18:08:20 +0200
5343     Subject: [PATCH 069/142] CVE-2020-25717: s3:auth: no longer let
5344     check_account() autocreate local users
5345    
5346     So far we autocreated local user accounts based on just the
5347     account_name (just ignoring any domain part).
5348    
5349     This only happens via a possible 'add user script',
5350     which is not typically defined on domain members
5351     and on NT4 DCs local users already exist in the
5352     local passdb anyway.
5353    
5354     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5355     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5356    
5357     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5358     ---
5359     source3/auth/auth_util.c | 2 +-
5360     1 file changed, 1 insertion(+), 1 deletion(-)
5361    
5362     diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5363     index 8801d3f0f0b..6ee500493e6 100644
5364     --- a/source3/auth/auth_util.c
5365     +++ b/source3/auth/auth_util.c
5366     @@ -1873,7 +1873,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
5367     return NT_STATUS_NO_MEMORY;
5368     }
5369    
5370     - passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
5371     + passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
5372     if (!passwd) {
5373     DEBUG(3, ("Failed to find authenticated user %s via "
5374     "getpwnam(), denying access.\n", dom_user));
5375     --
5376     2.39.0
5377    
5378    
5379     From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001
5380     From: Ralph Boehme <slow@samba.org>
5381     Date: Fri, 8 Oct 2021 12:33:16 +0200
5382     Subject: [PATCH 070/142] CVE-2020-25717: s3:auth: remove fallbacks in
5383     smb_getpwnam()
5384    
5385     So far we tried getpwnam("DOMAIN\account") first and
5386     always did a fallback to getpwnam("account") completely
5387     ignoring the domain part, this just causes problems
5388     as we mix "DOMAIN1\account", "DOMAIN2\account",
5389     and "account"!
5390    
5391     As we require a running winbindd for domain member setups
5392     we should no longer do a fallback to just "account" for
5393     users served by winbindd!
5394    
5395     For users of the local SAM don't use this code path,
5396     as check_sam_security() doesn't call check_account().
5397    
5398     The only case where smb_getpwnam("account") happens is
5399     when map_username() via ("username map [script]") mapped
5400     "DOMAIN\account" to something without '\', but that is
5401     explicitly desired by the admin.
5402    
5403     Note: use 'git show -w'
5404    
5405     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5406     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5407    
5408     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5409    
5410     Signed-off-by: Ralph Boehme <slow@samba.org>
5411     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5412     ---
5413     source3/auth/auth_util.c | 77 ++++++++++++++++++++++------------------
5414     1 file changed, 42 insertions(+), 35 deletions(-)
5415    
5416     diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5417     index 6ee500493e6..161e05c2106 100644
5418     --- a/source3/auth/auth_util.c
5419     +++ b/source3/auth/auth_util.c
5420     @@ -1908,7 +1908,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
5421     {
5422     struct passwd *pw = NULL;
5423     char *p = NULL;
5424     - char *username = NULL;
5425     + const char *username = NULL;
5426    
5427     /* we only save a copy of the username it has been mangled
5428     by winbindd use default domain */
5429     @@ -1927,48 +1927,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
5430     /* code for a DOMAIN\user string */
5431    
5432     if ( p ) {
5433     - pw = Get_Pwnam_alloc( mem_ctx, domuser );
5434     - if ( pw ) {
5435     - /* make sure we get the case of the username correct */
5436     - /* work around 'winbind use default domain = yes' */
5437     -
5438     - if ( lp_winbind_use_default_domain() &&
5439     - !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
5440     - char *domain;
5441     -
5442     - /* split the domain and username into 2 strings */
5443     - *p = '\0';
5444     - domain = username;
5445     -
5446     - *p_save_username = talloc_asprintf(mem_ctx,
5447     - "%s%c%s",
5448     - domain,
5449     - *lp_winbind_separator(),
5450     - pw->pw_name);
5451     - if (!*p_save_username) {
5452     - TALLOC_FREE(pw);
5453     - return NULL;
5454     - }
5455     - } else {
5456     - *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
5457     - }
5458     + const char *domain = NULL;
5459    
5460     - /* whew -- done! */
5461     - return pw;
5462     + /* split the domain and username into 2 strings */
5463     + *p = '\0';
5464     + domain = username;
5465     + p++;
5466     + username = p;
5467     +
5468     + if (strequal(domain, get_global_sam_name())) {
5469     + /*
5470     + * This typically don't happen
5471     + * as check_sam_Security()
5472     + * don't call make_server_info_info3()
5473     + * and thus check_account().
5474     + *
5475     + * But we better keep this.
5476     + */
5477     + goto username_only;
5478     }
5479    
5480     - /* setup for lookup of just the username */
5481     - /* remember that p and username are overlapping memory */
5482     -
5483     - p++;
5484     - username = talloc_strdup(mem_ctx, p);
5485     - if (!username) {
5486     + pw = Get_Pwnam_alloc( mem_ctx, domuser );
5487     + if (pw == NULL) {
5488     return NULL;
5489     }
5490     + /* make sure we get the case of the username correct */
5491     + /* work around 'winbind use default domain = yes' */
5492     +
5493     + if ( lp_winbind_use_default_domain() &&
5494     + !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
5495     + *p_save_username = talloc_asprintf(mem_ctx,
5496     + "%s%c%s",
5497     + domain,
5498     + *lp_winbind_separator(),
5499     + pw->pw_name);
5500     + if (!*p_save_username) {
5501     + TALLOC_FREE(pw);
5502     + return NULL;
5503     + }
5504     + } else {
5505     + *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
5506     + }
5507     +
5508     + /* whew -- done! */
5509     + return pw;
5510     +
5511     }
5512    
5513     /* just lookup a plain username */
5514     -
5515     +username_only:
5516     pw = Get_Pwnam_alloc(mem_ctx, username);
5517    
5518     /* Create local user if requested but only if winbindd
5519     --
5520     2.39.0
5521    
5522    
5523     From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001
5524     From: Stefan Metzmacher <metze@samba.org>
5525     Date: Mon, 4 Oct 2021 18:03:55 +0200
5526     Subject: [PATCH 071/142] CVE-2020-25717: s3:auth: don't let create_local_token
5527     depend on !winbind_ping()
5528    
5529     We always require a running winbindd on a domain member, so
5530     we should better fail a request instead of silently alter
5531     the behaviour, which results in a different unix token, just
5532     because winbindd might be restarted.
5533    
5534     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5535     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5536    
5537     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5538     ---
5539     source3/auth/auth_util.c | 10 ++++------
5540     1 file changed, 4 insertions(+), 6 deletions(-)
5541    
5542     diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5543     index 161e05c2106..c0e5cfd7fa8 100644
5544     --- a/source3/auth/auth_util.c
5545     +++ b/source3/auth/auth_util.c
5546     @@ -551,13 +551,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
5547     }
5548    
5549     /*
5550     - * If winbind is not around, we can not make much use of the SIDs the
5551     - * domain controller provided us with. Likewise if the user name was
5552     - * mapped to some local unix user.
5553     + * If the user name was mapped to some local unix user,
5554     + * we can not make much use of the SIDs the
5555     + * domain controller provided us with.
5556     */
5557     -
5558     - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
5559     - (server_info->nss_token)) {
5560     + if (server_info->nss_token) {
5561     char *found_username = NULL;
5562     status = create_token_from_username(session_info,
5563     server_info->unix_name,
5564     --
5565     2.39.0
5566    
5567    
5568     From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001
5569     From: Alexander Bokovoy <ab@samba.org>
5570     Date: Wed, 11 Nov 2020 18:50:45 +0200
5571     Subject: [PATCH 072/142] CVE-2020-25717: Add FreeIPA domain controller role
5572    
5573     As we want to reduce use of 'classic domain controller' role but FreeIPA
5574     relies on it internally, add a separate role to mark FreeIPA domain
5575     controller role.
5576    
5577     It means that role won't result in ROLE_STANDALONE.
5578    
5579     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5580     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5581    
5582     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5583    
5584     Signed-off-by: Alexander Bokovoy <ab@samba.org>
5585     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5586    
5587     [abartlet@samba.org Backported due to conflict with DEBUG
5588     statements and IPA branding changes in comments]
5589     ---
5590     docs-xml/smbdotconf/security/serverrole.xml | 7 ++++
5591     lib/param/loadparm_server_role.c | 2 ++
5592     lib/param/param_table.c | 1 +
5593     lib/param/util.c | 1 +
5594     libcli/netlogon/netlogon.c | 2 +-
5595     libds/common/roles.h | 1 +
5596     source3/auth/auth.c | 3 ++
5597     source3/auth/auth_sam.c | 2 ++
5598     source3/include/smb_macros.h | 2 +-
5599     source3/lib/netapi/joindomain.c | 1 +
5600     source3/param/loadparm.c | 4 ++-
5601     source3/passdb/lookup_sid.c | 1 -
5602     source3/passdb/machine_account_secrets.c | 7 ++--
5603     source3/registry/reg_backend_prod_options.c | 1 +
5604     source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
5605     source3/smbd/server.c | 2 +-
5606     source3/winbindd/winbindd_misc.c | 2 +-
5607     source3/winbindd/winbindd_util.c | 40 ++++++++++++++++-----
5608     source4/auth/ntlm/auth.c | 1 +
5609     source4/kdc/kdc-heimdal.c | 1 +
5610     source4/rpc_server/samr/dcesrv_samr.c | 2 ++
5611     21 files changed, 65 insertions(+), 19 deletions(-)
5612    
5613     diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
5614     index 9511c61c96d..b8b83a127b5 100644
5615     --- a/docs-xml/smbdotconf/security/serverrole.xml
5616     +++ b/docs-xml/smbdotconf/security/serverrole.xml
5617     @@ -78,6 +78,13 @@
5618     url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
5619     HOWTO</ulink></para>
5620    
5621     + <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
5622     +
5623     + <para>This mode of operation runs Samba in a hybrid mode for IPA
5624     + domain controller, providing forest trust to Active Directory.
5625     + This role requires special configuration performed by IPA installers
5626     + and should not be used manually by any administrator.
5627     + </para>
5628     </description>
5629    
5630     <related>security</related>
5631     diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
5632     index 7a6bc770723..a78d1ab9cf3 100644
5633     --- a/lib/param/loadparm_server_role.c
5634     +++ b/lib/param/loadparm_server_role.c
5635     @@ -42,6 +42,7 @@ static const struct srv_role_tab {
5636     { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
5637     { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
5638     { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
5639     + { ROLE_IPA_DC, "ROLE_IPA_DC"},
5640     { 0, NULL }
5641     };
5642    
5643     @@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
5644     case ROLE_DOMAIN_PDC:
5645     case ROLE_DOMAIN_BDC:
5646     case ROLE_ACTIVE_DIRECTORY_DC:
5647     + case ROLE_IPA_DC:
5648     if (security == SEC_USER) {
5649     valid = true;
5650     }
5651     diff --git a/lib/param/param_table.c b/lib/param/param_table.c
5652     index f9d3b55adf2..aed205d1944 100644
5653     --- a/lib/param/param_table.c
5654     +++ b/lib/param/param_table.c
5655     @@ -100,6 +100,7 @@ static const struct enum_list enum_server_role[] = {
5656     {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
5657     {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
5658     {ROLE_ACTIVE_DIRECTORY_DC, "dc"},
5659     + {ROLE_IPA_DC, "IPA primary domain controller"},
5660     {-1, NULL}
5661     };
5662    
5663     diff --git a/lib/param/util.c b/lib/param/util.c
5664     index cd8e74b9d8f..9a0fc102de8 100644
5665     --- a/lib/param/util.c
5666     +++ b/lib/param/util.c
5667     @@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
5668     case ROLE_DOMAIN_BDC:
5669     case ROLE_DOMAIN_PDC:
5670     case ROLE_ACTIVE_DIRECTORY_DC:
5671     + case ROLE_IPA_DC:
5672     return lpcfg_workgroup(lp_ctx);
5673     default:
5674     return lpcfg_netbios_name(lp_ctx);
5675     diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
5676     index 58a331d70ad..838bdf84c87 100644
5677     --- a/libcli/netlogon/netlogon.c
5678     +++ b/libcli/netlogon/netlogon.c
5679     @@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
5680     if (ndr->offset < ndr->data_size) {
5681     TALLOC_FREE(ndr);
5682     /*
5683     - * We need to handle a bug in FreeIPA (at least <= 4.1.2).
5684     + * We need to handle a bug in IPA (at least <= 4.1.2).
5685     *
5686     * They include the ip address information without setting
5687     * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
5688     diff --git a/libds/common/roles.h b/libds/common/roles.h
5689     index 4772c8d7d3f..03ba1915b21 100644
5690     --- a/libds/common/roles.h
5691     +++ b/libds/common/roles.h
5692     @@ -33,6 +33,7 @@ enum server_role {
5693    
5694     /* not in samr.idl */
5695     ROLE_ACTIVE_DIRECTORY_DC = 4,
5696     + ROLE_IPA_DC = 5,
5697    
5698     /* To determine the role automatically, this is not a valid role */
5699     ROLE_AUTO = 100
5700     diff --git a/source3/auth/auth.c b/source3/auth/auth.c
5701     index 0a96d591808..c5bfe9ac626 100644
5702     --- a/source3/auth/auth.c
5703     +++ b/source3/auth/auth.c
5704     @@ -529,6 +529,7 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
5705     break;
5706     case ROLE_DOMAIN_BDC:
5707     case ROLE_DOMAIN_PDC:
5708     + case ROLE_IPA_DC:
5709     DEBUG(5,("Making default auth method list for DC\n"));
5710     methods = "anonymous sam winbind sam_ignoredomain";
5711     break;
5712     @@ -557,6 +558,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
5713     switch (lp_server_role()) {
5714     case ROLE_DOMAIN_BDC:
5715     case ROLE_DOMAIN_PDC:
5716     + case ROLE_IPA_DC:
5717     methods = "sam_netlogon3 winbind";
5718     break;
5719    
5720     @@ -578,6 +580,7 @@ NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
5721     case ROLE_DOMAIN_MEMBER:
5722     case ROLE_DOMAIN_BDC:
5723     case ROLE_DOMAIN_PDC:
5724     + case ROLE_IPA_DC:
5725     methods = "sam";
5726     break;
5727     case ROLE_ACTIVE_DIRECTORY_DC:
5728     diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
5729     index f9764d87e3c..d0b29083d46 100644
5730     --- a/source3/auth/auth_sam.c
5731     +++ b/source3/auth/auth_sam.c
5732     @@ -139,6 +139,7 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
5733     break;
5734     case ROLE_DOMAIN_PDC:
5735     case ROLE_DOMAIN_BDC:
5736     + case ROLE_IPA_DC:
5737     if ( !is_local_name && !is_my_domain ) {
5738     DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
5739     effective_domain));
5740     @@ -209,6 +210,7 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
5741     switch (lp_server_role()) {
5742     case ROLE_DOMAIN_PDC:
5743     case ROLE_DOMAIN_BDC:
5744     + case ROLE_IPA_DC:
5745     break;
5746     default:
5747     DBG_ERR("Invalid server role\n");
5748     diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
5749     index 06d24744960..346401510c2 100644
5750     --- a/source3/include/smb_macros.h
5751     +++ b/source3/include/smb_macros.h
5752     @@ -213,7 +213,7 @@ copy an IP address from one buffer to another
5753     Check to see if we are a DC for this domain
5754     *****************************************************************************/
5755    
5756     -#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
5757     +#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC)
5758     #define IS_AD_DC (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
5759    
5760     /*
5761     diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
5762     index 8d0752f4531..0344c0e0416 100644
5763     --- a/source3/lib/netapi/joindomain.c
5764     +++ b/source3/lib/netapi/joindomain.c
5765     @@ -369,6 +369,7 @@ WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx,
5766     case ROLE_DOMAIN_MEMBER:
5767     case ROLE_DOMAIN_PDC:
5768     case ROLE_DOMAIN_BDC:
5769     + case ROLE_IPA_DC:
5770     *r->out.name_type = NetSetupDomainName;
5771     break;
5772     case ROLE_STANDALONE:
5773     diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
5774     index 57d1d909099..98e05d13d59 100644
5775     --- a/source3/param/loadparm.c
5776     +++ b/source3/param/loadparm.c
5777     @@ -4321,6 +4321,7 @@ int lp_default_server_announce(void)
5778     default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
5779     break;
5780     case ROLE_DOMAIN_PDC:
5781     + case ROLE_IPA_DC:
5782     default_server_announce |= SV_TYPE_DOMAIN_CTRL;
5783     break;
5784     case ROLE_DOMAIN_BDC:
5785     @@ -4346,7 +4347,8 @@ int lp_default_server_announce(void)
5786     bool lp_domain_master(void)
5787     {
5788     if (Globals._domain_master == Auto)
5789     - return (lp_server_role() == ROLE_DOMAIN_PDC);
5790     + return (lp_server_role() == ROLE_DOMAIN_PDC ||
5791     + lp_server_role() == ROLE_IPA_DC);
5792    
5793     return (bool)Globals._domain_master;
5794     }
5795     diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
5796     index 186ba17fda6..839da5cfbf4 100644
5797     --- a/source3/passdb/lookup_sid.c
5798     +++ b/source3/passdb/lookup_sid.c
5799     @@ -117,7 +117,6 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
5800     if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
5801     strequal(domain, get_global_sam_name()))
5802     {
5803     -
5804     /* It's our own domain, lookup the name in passdb */
5805     if (lookup_global_sam_name(name, flags, &rid, &type)) {
5806     sid_compose(&sid, get_global_sam_sid(), rid);
5807     diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
5808     index dfc21f295a1..b60cf56c490 100644
5809     --- a/source3/passdb/machine_account_secrets.c
5810     +++ b/source3/passdb/machine_account_secrets.c
5811     @@ -198,7 +198,8 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
5812     dyn_guid = (struct GUID *)secrets_fetch(key, &size);
5813    
5814     if (!dyn_guid) {
5815     - if (lp_server_role() == ROLE_DOMAIN_PDC) {
5816     + if (lp_server_role() == ROLE_DOMAIN_PDC ||
5817     + lp_server_role() == ROLE_IPA_DC) {
5818     new_guid = GUID_random();
5819     if (!secrets_store_domain_guid(domain, &new_guid))
5820     return False;
5821     @@ -314,9 +315,7 @@ static const char *trust_keystr(const char *domain)
5822    
5823     enum netr_SchannelType get_default_sec_channel(void)
5824     {
5825     - if (lp_server_role() == ROLE_DOMAIN_BDC ||
5826     - lp_server_role() == ROLE_DOMAIN_PDC ||
5827     - lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
5828     + if (IS_DC) {
5829     return SEC_CHAN_BDC;
5830     } else {
5831     return SEC_CHAN_WKSTA;
5832     diff --git a/source3/registry/reg_backend_prod_options.c b/source3/registry/reg_backend_prod_options.c
5833     index 655c587ac40..7bd3f324c37 100644
5834     --- a/source3/registry/reg_backend_prod_options.c
5835     +++ b/source3/registry/reg_backend_prod_options.c
5836     @@ -40,6 +40,7 @@ static int prod_options_fetch_values(const char *key, struct regval_ctr *regvals
5837     switch (lp_server_role()) {
5838     case ROLE_DOMAIN_PDC:
5839     case ROLE_DOMAIN_BDC:
5840     + case ROLE_IPA_DC:
5841     value_ascii = "LanmanNT";
5842     break;
5843     case ROLE_STANDALONE:
5844     diff --git a/source3/rpc_server/dssetup/srv_dssetup_nt.c b/source3/rpc_server/dssetup/srv_dssetup_nt.c
5845     index 7e3efa8504e..aa896e15ac4 100644
5846     --- a/source3/rpc_server/dssetup/srv_dssetup_nt.c
5847     +++ b/source3/rpc_server/dssetup/srv_dssetup_nt.c
5848     @@ -62,6 +62,7 @@ static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx,
5849     basic->domain = get_global_sam_name();
5850     break;
5851     case ROLE_DOMAIN_PDC:
5852     + case ROLE_IPA_DC:
5853     basic->role = DS_ROLE_PRIMARY_DC;
5854     basic->domain = get_global_sam_name();
5855     break;
5856     diff --git a/source3/smbd/server.c b/source3/smbd/server.c
5857     index 7d96a5762ec..d263507b22f 100644
5858     --- a/source3/smbd/server.c
5859     +++ b/source3/smbd/server.c
5860     @@ -1969,7 +1969,7 @@ extern void build_options(bool screen);
5861     exit_daemon("smbd can not open secrets.tdb", EACCES);
5862     }
5863    
5864     - if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
5865     + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_IPA_DC) {
5866     struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
5867     if (!open_schannel_session_store(NULL, lp_ctx)) {
5868     exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES);
5869     diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
5870     index cc0701e597a..f09b029fd13 100644
5871     --- a/source3/winbindd/winbindd_misc.c
5872     +++ b/source3/winbindd/winbindd_misc.c
5873     @@ -75,7 +75,7 @@ static char *get_trust_type_string(TALLOC_CTX *mem_ctx,
5874     case SEC_CHAN_BDC: {
5875     int role = lp_server_role();
5876    
5877     - if (role == ROLE_DOMAIN_PDC) {
5878     + if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) {
5879     s = talloc_strdup(mem_ctx, "PDC");
5880     if (s == NULL) {
5881     return NULL;
5882     diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
5883     index 315eb366a52..04e79e70f6b 100644
5884     --- a/source3/winbindd/winbindd_util.c
5885     +++ b/source3/winbindd/winbindd_util.c
5886     @@ -1225,15 +1225,37 @@ bool init_domain_list(void)
5887     secure_channel_type = SEC_CHAN_LOCAL;
5888     }
5889    
5890     - status = add_trusted_domain(get_global_sam_name(),
5891     - NULL,
5892     - get_global_sam_sid(),
5893     - LSA_TRUST_TYPE_DOWNLEVEL,
5894     - trust_flags,
5895     - 0, /* trust_attribs */
5896     - secure_channel_type,
5897     - NULL,
5898     - &domain);
5899     + if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
5900     + /* This is IPA DC that presents itself as
5901     + * an Active Directory domain controller to trusted AD
5902     + * forests but in fact is a classic domain controller.
5903     + */
5904     + trust_flags = NETR_TRUST_FLAG_PRIMARY;
5905     + trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
5906     + trust_flags |= NETR_TRUST_FLAG_NATIVE;
5907     + trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
5908     + trust_flags |= NETR_TRUST_FLAG_TREEROOT;
5909     + status = add_trusted_domain(pdb_domain_info->name,
5910     + pdb_domain_info->dns_domain,
5911     + &pdb_domain_info->sid,
5912     + LSA_TRUST_TYPE_UPLEVEL,
5913     + trust_flags,
5914     + LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
5915     + secure_channel_type,
5916     + NULL,
5917     + &domain);
5918     + TALLOC_FREE(pdb_domain_info);
5919     + } else {
5920     + status = add_trusted_domain(get_global_sam_name(),
5921     + NULL,
5922     + get_global_sam_sid(),
5923     + LSA_TRUST_TYPE_DOWNLEVEL,
5924     + trust_flags,
5925     + 0, /* trust_attribs */
5926     + secure_channel_type,
5927     + NULL,
5928     + &domain);
5929     + }
5930     if (!NT_STATUS_IS_OK(status)) {
5931     DBG_ERR("Failed to add local SAM to "
5932     "domain to winbindd's internal list\n");
5933     diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
5934     index f754bd5cd44..7dab02b5c4d 100644
5935     --- a/source4/auth/ntlm/auth.c
5936     +++ b/source4/auth/ntlm/auth.c
5937     @@ -773,6 +773,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
5938     case ROLE_DOMAIN_BDC:
5939     case ROLE_DOMAIN_PDC:
5940     case ROLE_ACTIVE_DIRECTORY_DC:
5941     + case ROLE_IPA_DC:
5942     auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
5943     break;
5944     }
5945     diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
5946     index b5de5a790d4..49aa560470c 100644
5947     --- a/source4/kdc/kdc-heimdal.c
5948     +++ b/source4/kdc/kdc-heimdal.c
5949     @@ -276,6 +276,7 @@ static NTSTATUS kdc_task_init(struct task_server *task)
5950     return NT_STATUS_INVALID_DOMAIN_ROLE;
5951     case ROLE_DOMAIN_PDC:
5952     case ROLE_DOMAIN_BDC:
5953     + case ROLE_IPA_DC:
5954     task_server_terminate(
5955     task, "Cannot start KDC as a 'classic Samba' DC", false);
5956     return NT_STATUS_INVALID_DOMAIN_ROLE;
5957     diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
5958     index 51fed4da62b..1f09b721408 100644
5959     --- a/source4/rpc_server/samr/dcesrv_samr.c
5960     +++ b/source4/rpc_server/samr/dcesrv_samr.c
5961     @@ -568,6 +568,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
5962     break;
5963     case ROLE_DOMAIN_PDC:
5964     case ROLE_DOMAIN_BDC:
5965     + case ROLE_IPA_DC:
5966     case ROLE_AUTO:
5967     return NT_STATUS_INTERNAL_ERROR;
5968     case ROLE_DOMAIN_MEMBER:
5969     @@ -675,6 +676,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
5970     break;
5971     case ROLE_DOMAIN_PDC:
5972     case ROLE_DOMAIN_BDC:
5973     + case ROLE_IPA_DC:
5974     case ROLE_AUTO:
5975     return NT_STATUS_INTERNAL_ERROR;
5976     case ROLE_DOMAIN_MEMBER:
5977     --
5978     2.39.0
5979    
5980    
5981     From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001
5982     From: Stefan Metzmacher <metze@samba.org>
5983     Date: Tue, 5 Oct 2021 18:11:57 +0200
5984     Subject: [PATCH 073/142] CVE-2020-25717: auth/gensec: always require a PAC in
5985     domain mode (DC or member)
5986    
5987     AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
5988     on the service account, which can only be explicitly configured,
5989     but that's an invalid configuration!
5990    
5991     We still try to support standalone servers in an MIT realm,
5992     as legacy setup.
5993    
5994     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5995     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5996    
5997     Signed-off-by: Stefan Metzmacher <metze@samba.org>
5998     ---
5999     auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++----
6000     1 file changed, 23 insertions(+), 4 deletions(-)
6001    
6002     diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
6003     index e185acc0c20..694661b53b5 100644
6004     --- a/auth/gensec/gensec_util.c
6005     +++ b/auth/gensec/gensec_util.c
6006     @@ -25,6 +25,8 @@
6007     #include "auth/gensec/gensec_internal.h"
6008     #include "auth/common_auth.h"
6009     #include "../lib/util/asn1.h"
6010     +#include "param/param.h"
6011     +#include "libds/common/roles.h"
6012    
6013     #undef DBGC_CLASS
6014     #define DBGC_CLASS DBGC_AUTH
6015     @@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
6016     session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
6017    
6018     if (!pac_blob) {
6019     - if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
6020     - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
6021     - principal_string));
6022     - return NT_STATUS_ACCESS_DENIED;
6023     + enum server_role server_role =
6024     + lpcfg_server_role(gensec_security->settings->lp_ctx);
6025     +
6026     + /*
6027     + * For any domain setup (DC or member) we require having
6028     + * a PAC, as the service ticket comes from an AD DC,
6029     + * which will always provide a PAC, unless
6030     + * UF_NO_AUTH_DATA_REQUIRED is configured for our
6031     + * account, but that's just an invalid configuration,
6032     + * the admin configured for us!
6033     + *
6034     + * As a legacy case, we still allow kerberos tickets from an MIT
6035     + * realm, but only in standalone mode. In that mode we'll only
6036     + * ever accept a kerberos authentication with a keytab file
6037     + * being explicitly configured via the 'keytab method' option.
6038     + */
6039     + if (server_role != ROLE_STANDALONE) {
6040     + DBG_WARNING("Unable to find PAC in ticket from %s, "
6041     + "failing to allow access\n",
6042     + principal_string);
6043     + return NT_STATUS_NO_IMPERSONATION_TOKEN;
6044     }
6045     DBG_NOTICE("Unable to find PAC for %s, resorting to local "
6046     "user lookup\n", principal_string);
6047     --
6048     2.39.0
6049    
6050    
6051     From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001
6052     From: Stefan Metzmacher <metze@samba.org>
6053     Date: Mon, 11 Oct 2021 23:17:19 +0200
6054     Subject: [PATCH 074/142] CVE-2020-25717: s4:auth: remove unused
6055     auth_generate_session_info_principal()
6056    
6057     We'll require a PAC at the main gensec layer already.
6058    
6059     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6060     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6061    
6062     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6063    
6064     [abartlet@samba.org Backported from master/4.15 as
6065     check_password is sync in 4.14]
6066     ---
6067     source4/auth/auth.h | 8 ------
6068     source4/auth/ntlm/auth.c | 49 ++++--------------------------------
6069     source4/auth/ntlm/auth_sam.c | 12 ---------
6070     3 files changed, 5 insertions(+), 64 deletions(-)
6071    
6072     diff --git a/source4/auth/auth.h b/source4/auth/auth.h
6073     index 51895c9259f..f16d0649de2 100644
6074     --- a/source4/auth/auth.h
6075     +++ b/source4/auth/auth.h
6076     @@ -73,14 +73,6 @@ struct auth_operations {
6077     TALLOC_CTX *mem_ctx,
6078     struct auth_user_info_dc **interim_info,
6079     bool *authoritative);
6080     -
6081     - /* Lookup a 'session info interim' return based only on the principal or DN */
6082     - NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
6083     - struct auth4_context *auth_context,
6084     - const char *principal,
6085     - struct ldb_dn *user_dn,
6086     - struct auth_user_info_dc **interim_info);
6087     - uint32_t flags;
6088     };
6089    
6090     struct auth_method_context {
6091     diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
6092     index 7dab02b5c4d..2765fd1b13c 100644
6093     --- a/source4/auth/ntlm/auth.c
6094     +++ b/source4/auth/ntlm/auth.c
6095     @@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
6096     return NT_STATUS_OK;
6097     }
6098    
6099     -/****************************************************************************
6100     -Used in the gensec_gssapi and gensec_krb5 server-side code, where the
6101     -PAC isn't available, and for tokenGroups in the DSDB stack.
6102     -
6103     - Supply either a principal or a DN
6104     -****************************************************************************/
6105     -static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
6106     - TALLOC_CTX *mem_ctx,
6107     - const char *principal,
6108     - struct ldb_dn *user_dn,
6109     - uint32_t session_info_flags,
6110     - struct auth_session_info **session_info)
6111     -{
6112     - NTSTATUS nt_status;
6113     - struct auth_method_context *method;
6114     - struct auth_user_info_dc *user_info_dc;
6115     -
6116     - for (method = auth_ctx->methods; method; method = method->next) {
6117     - if (!method->ops->get_user_info_dc_principal) {
6118     - continue;
6119     - }
6120     -
6121     - nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
6122     - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
6123     - continue;
6124     - }
6125     - if (!NT_STATUS_IS_OK(nt_status)) {
6126     - return nt_status;
6127     - }
6128     -
6129     - nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx,
6130     - user_info_dc,
6131     - user_info_dc->info->account_name,
6132     - session_info_flags, session_info);
6133     - talloc_free(user_info_dc);
6134     -
6135     - return nt_status;
6136     - }
6137     -
6138     - return NT_STATUS_NOT_IMPLEMENTED;
6139     -}
6140     -
6141     /**
6142     * Check a user's Plaintext, LM or NTLM password.
6143     * (sync version)
6144     @@ -663,8 +621,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
6145     TALLOC_CTX *tmp_ctx;
6146    
6147     if (!pac_blob) {
6148     - return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
6149     - NULL, session_info_flags, session_info);
6150     + /*
6151     + * This should already be catched at the main
6152     + * gensec layer, but better check twice
6153     + */
6154     + return NT_STATUS_INTERNAL_ERROR;
6155     }
6156    
6157     tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
6158     diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
6159     index fb88cb87f66..a8c7d8b4b85 100644
6160     --- a/source4/auth/ntlm/auth_sam.c
6161     +++ b/source4/auth/ntlm/auth_sam.c
6162     @@ -854,28 +854,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
6163     return NT_STATUS_OK;
6164     }
6165    
6166     -/* Wrapper for the auth subsystem pointer */
6167     -static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
6168     - struct auth4_context *auth_context,
6169     - const char *principal,
6170     - struct ldb_dn *user_dn,
6171     - struct auth_user_info_dc **user_info_dc)
6172     -{
6173     - return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
6174     - principal, user_dn, user_info_dc);
6175     -}
6176     static const struct auth_operations sam_ignoredomain_ops = {
6177     .name = "sam_ignoredomain",
6178     .want_check = authsam_ignoredomain_want_check,
6179     .check_password = authsam_check_password_internals,
6180     - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
6181     };
6182    
6183     static const struct auth_operations sam_ops = {
6184     .name = "sam",
6185     .want_check = authsam_want_check,
6186     .check_password = authsam_check_password_internals,
6187     - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
6188     };
6189    
6190     _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
6191     --
6192     2.39.0
6193    
6194    
6195     From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001
6196     From: Stefan Metzmacher <metze@samba.org>
6197     Date: Tue, 21 Sep 2021 12:27:28 +0200
6198     Subject: [PATCH 075/142] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
6199     ntlm_auth_generate_session_info_pac()
6200    
6201     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6202     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6203    
6204     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6205     ---
6206     source3/utils/ntlm_auth.c | 18 ++++++++++++------
6207     1 file changed, 12 insertions(+), 6 deletions(-)
6208    
6209     diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
6210     index 3f70732a837..fefdd32bf11 100644
6211     --- a/source3/utils/ntlm_auth.c
6212     +++ b/source3/utils/ntlm_auth.c
6213     @@ -827,23 +827,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6214     if (!p) {
6215     DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6216     princ_name));
6217     - return NT_STATUS_LOGON_FAILURE;
6218     + status = NT_STATUS_LOGON_FAILURE;
6219     + goto done;
6220     }
6221    
6222     user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
6223     if (!user) {
6224     - return NT_STATUS_NO_MEMORY;
6225     + status = NT_STATUS_NO_MEMORY;
6226     + goto done;
6227     }
6228    
6229     realm = talloc_strdup(talloc_tos(), p + 1);
6230     if (!realm) {
6231     - return NT_STATUS_NO_MEMORY;
6232     + status = NT_STATUS_NO_MEMORY;
6233     + goto done;
6234     }
6235    
6236     if (!strequal(realm, lp_realm())) {
6237     DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6238     if (!lp_allow_trusted_domains()) {
6239     - return NT_STATUS_LOGON_FAILURE;
6240     + status = NT_STATUS_LOGON_FAILURE;
6241     + goto done;
6242     }
6243     }
6244    
6245     @@ -851,7 +855,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6246     domain = talloc_strdup(mem_ctx,
6247     logon_info->info3.base.logon_domain.string);
6248     if (!domain) {
6249     - return NT_STATUS_NO_MEMORY;
6250     + status = NT_STATUS_NO_MEMORY;
6251     + goto done;
6252     }
6253     DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6254     } else {
6255     @@ -881,7 +886,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6256     domain = talloc_strdup(mem_ctx, realm);
6257     }
6258     if (!domain) {
6259     - return NT_STATUS_NO_MEMORY;
6260     + status = NT_STATUS_NO_MEMORY;
6261     + goto done;
6262     }
6263     DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6264     }
6265     --
6266     2.39.0
6267    
6268    
6269     From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001
6270     From: Stefan Metzmacher <metze@samba.org>
6271     Date: Tue, 21 Sep 2021 12:44:01 +0200
6272     Subject: [PATCH 076/142] CVE-2020-25717: s3:ntlm_auth: let
6273     ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO
6274     only
6275    
6276     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6277     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6278    
6279     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6280     ---
6281     source3/utils/ntlm_auth.c | 91 ++++++++++++---------------------------
6282     1 file changed, 28 insertions(+), 63 deletions(-)
6283    
6284     diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
6285     index fefdd32bf11..ff2fd30a9ae 100644
6286     --- a/source3/utils/ntlm_auth.c
6287     +++ b/source3/utils/ntlm_auth.c
6288     @@ -799,10 +799,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6289     struct PAC_LOGON_INFO *logon_info = NULL;
6290     char *unixuser;
6291     NTSTATUS status;
6292     - char *domain = NULL;
6293     - char *realm = NULL;
6294     - char *user = NULL;
6295     - char *p;
6296     + const char *domain = "";
6297     + const char *user = "";
6298    
6299     tmp_ctx = talloc_new(mem_ctx);
6300     if (!tmp_ctx) {
6301     @@ -819,79 +817,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6302     if (!NT_STATUS_IS_OK(status)) {
6303     goto done;
6304     }
6305     - }
6306     -
6307     - DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
6308     -
6309     - p = strchr_m(princ_name, '@');
6310     - if (!p) {
6311     - DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6312     - princ_name));
6313     - status = NT_STATUS_LOGON_FAILURE;
6314     + } else {
6315     + status = NT_STATUS_ACCESS_DENIED;
6316     + DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n",
6317     + princ_name, nt_errstr(status));
6318     goto done;
6319     }
6320    
6321     - user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
6322     - if (!user) {
6323     - status = NT_STATUS_NO_MEMORY;
6324     - goto done;
6325     + if (logon_info->info3.base.account_name.string != NULL) {
6326     + user = logon_info->info3.base.account_name.string;
6327     + } else {
6328     + user = "";
6329     + }
6330     + if (logon_info->info3.base.logon_domain.string != NULL) {
6331     + domain = logon_info->info3.base.logon_domain.string;
6332     + } else {
6333     + domain = "";
6334     }
6335    
6336     - realm = talloc_strdup(talloc_tos(), p + 1);
6337     - if (!realm) {
6338     - status = NT_STATUS_NO_MEMORY;
6339     + if (strlen(user) == 0 || strlen(domain) == 0) {
6340     + status = NT_STATUS_ACCESS_DENIED;
6341     + DBG_WARNING("Kerberos ticket for[%s] has invalid "
6342     + "account_name[%s]/logon_domain[%s]: %s\n",
6343     + princ_name,
6344     + logon_info->info3.base.account_name.string,
6345     + logon_info->info3.base.logon_domain.string,
6346     + nt_errstr(status));
6347     goto done;
6348     }
6349    
6350     - if (!strequal(realm, lp_realm())) {
6351     - DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6352     + DBG_NOTICE("Kerberos ticket principal name is [%s] "
6353     + "account_name[%s]/logon_domain[%s]\n",
6354     + princ_name, user, domain);
6355     +
6356     + if (!strequal(domain, lp_workgroup())) {
6357     if (!lp_allow_trusted_domains()) {
6358     status = NT_STATUS_LOGON_FAILURE;
6359     goto done;
6360     }
6361     }
6362    
6363     - if (logon_info && logon_info->info3.base.logon_domain.string) {
6364     - domain = talloc_strdup(mem_ctx,
6365     - logon_info->info3.base.logon_domain.string);
6366     - if (!domain) {
6367     - status = NT_STATUS_NO_MEMORY;
6368     - goto done;
6369     - }
6370     - DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6371     - } else {
6372     -
6373     - /* If we have winbind running, we can (and must) shorten the
6374     - username by using the short netbios name. Otherwise we will
6375     - have inconsistent user names. With Kerberos, we get the
6376     - fully qualified realm, with ntlmssp we get the short
6377     - name. And even w2k3 does use ntlmssp if you for example
6378     - connect to an ip address. */
6379     -
6380     - wbcErr wbc_status;
6381     - struct wbcDomainInfo *info = NULL;
6382     -
6383     - DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
6384     - realm));
6385     -
6386     - wbc_status = wbcDomainInfo(realm, &info);
6387     -
6388     - if (WBC_ERROR_IS_OK(wbc_status)) {
6389     - domain = talloc_strdup(mem_ctx,
6390     - info->short_name);
6391     - wbcFreeMemory(info);
6392     - } else {
6393     - DEBUG(3, ("Could not find short name: %s\n",
6394     - wbcErrorString(wbc_status)));
6395     - domain = talloc_strdup(mem_ctx, realm);
6396     - }
6397     - if (!domain) {
6398     - status = NT_STATUS_NO_MEMORY;
6399     - goto done;
6400     - }
6401     - DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6402     - }
6403     -
6404     unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user);
6405     if (!unixuser) {
6406     status = NT_STATUS_NO_MEMORY;
6407     --
6408     2.39.0
6409    
6410    
6411     From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001
6412     From: Stefan Metzmacher <metze@samba.org>
6413     Date: Mon, 4 Oct 2021 19:42:20 +0200
6414     Subject: [PATCH 077/142] CVE-2020-25717: s3:auth: let
6415     auth3_generate_session_info_pac() delegate everything to
6416     make_server_info_wbcAuthUserInfo()
6417    
6418     This consolidates the code paths used for NTLMSSP and Kerberos!
6419    
6420     I checked what we were already doing for NTLMSSP, which is this:
6421    
6422     a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
6423     b) as a domain member we require a valid response from winbindd,
6424     otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
6425     c) we call make_server_info_wbcAuthUserInfo(), which internally
6426     calls make_server_info_info3()
6427     d) auth_check_ntlm_password() calls
6428     smb_pam_accountcheck(unix_username, rhost), where rhost
6429     is only an ipv4 or ipv6 address (without reverse dns lookup)
6430     e) from auth3_check_password_send/auth3_check_password_recv()
6431     server_returned_info will be passed to auth3_generate_session_info(),
6432     triggered by gensec_session_info(), which means we'll call into
6433     create_local_token() in order to transform auth_serversupplied_info
6434     into auth_session_info.
6435    
6436     For Kerberos gensec_session_info() will call
6437     auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
6438     helper function. The current logic is this:
6439    
6440     a) gensec_generate_session_info_pac() is the function that
6441     evaluates the 'gensec:require_pac', which defaulted to 'no'
6442     before.
6443     b) auth3_generate_session_info_pac() called
6444     wbcAuthenticateUserEx() in order to pass the PAC blob
6445     to winbindd, but only to prime its cache, e.g. netsamlogon cache
6446     and others. Most failures were just ignored.
6447     c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
6448     from it.
6449     d) Then we called the horrible get_user_from_kerberos_info() function:
6450     - It uses a first part of the tickets principal name (before the @)
6451     as username and combines that with the 'logon_info->base.logon_domain'
6452     if the logon_info (PAC) is present.
6453     - As a fallback without a PAC it's tries to ask winbindd for a mapping
6454     from realm to netbios domain name.
6455     - Finally is falls back to using the realm as netbios domain name
6456     With this information is builds 'userdomain+winbind_separator+useraccount'
6457     and calls map_username() followed by smb_getpwnam() with create=true,
6458     Note this is similar to the make_server_info_info3() => check_account()
6459     => smb_getpwnam() logic under 3.
6460     - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
6461     instead of the ip address as rhost.
6462     - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
6463     guest account.
6464     e) We called create_info3_from_pac_logon_info()
6465     f) make_session_info_krb5() calls gets called and triggers this:
6466     - If get_user_from_kerberos_info() mapped to guest, it calls
6467     make_server_info_guest()
6468     - If create_info3_from_pac_logon_info() created a info3 from logon_info,
6469     it calls make_server_info_info3()
6470     - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
6471     a fallback to make_server_info_pw()
6472     From there it calls create_local_token()
6473    
6474     I tried to change auth3_generate_session_info_pac() to behave similar
6475     to auth_winbind.c together with auth3_generate_session_info() as
6476     a domain member, as we now rely on a PAC:
6477    
6478     a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
6479     and require a valid response!
6480     b) we call make_server_info_wbcAuthUserInfo(), which internally
6481     calls make_server_info_info3(). Note make_server_info_info3()
6482     handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
6483     internally.
6484     c) Similar to auth_check_ntlm_password() we now call
6485     smb_pam_accountcheck(unix_username, rhost), where rhost
6486     is only an ipv4 or ipv6 address (without reverse dns lookup)
6487     d) From there it calls create_local_token()
6488    
6489     As standalone server (in an MIT realm) we continue
6490     with the already existing code logic, which works without a PAC:
6491     a) we keep smb_getpwnam() with create=true logic as it
6492     also requires an explicit 'add user script' option.
6493     b) In the following commits we assert that there's
6494     actually no PAC in this mode, which means we can
6495     remove unused and confusing code.
6496    
6497     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
6498     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6499    
6500     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6501    
6502     [abartlet@samba.org Backported due to change in structure
6503     initialization with { 0 } to zero ]
6504     [abartlet@samba.org backported to 4.12 due to conflict
6505     with code not present to reload shared on krb5 login]
6506     ---
6507     source3/auth/auth_generic.c | 139 ++++++++++++++++++++++++++++--------
6508     1 file changed, 110 insertions(+), 29 deletions(-)
6509    
6510     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6511     index 26a38f92b30..3099e8f9057 100644
6512     --- a/source3/auth/auth_generic.c
6513     +++ b/source3/auth/auth_generic.c
6514     @@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6515     uint32_t session_info_flags,
6516     struct auth_session_info **session_info)
6517     {
6518     + enum server_role server_role = lp_server_role();
6519     TALLOC_CTX *tmp_ctx;
6520     struct PAC_LOGON_INFO *logon_info = NULL;
6521     struct netr_SamInfo3 *info3_copy = NULL;
6522     @@ -54,39 +55,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6523     char *ntuser;
6524     char *ntdomain;
6525     char *username;
6526     - char *rhost;
6527     + const char *rhost;
6528     struct passwd *pw;
6529     NTSTATUS status;
6530     - int rc;
6531    
6532     tmp_ctx = talloc_new(mem_ctx);
6533     if (!tmp_ctx) {
6534     return NT_STATUS_NO_MEMORY;
6535     }
6536    
6537     - if (pac_blob) {
6538     -#ifdef HAVE_KRB5
6539     - struct wbcAuthUserParams params = {};
6540     + if (tsocket_address_is_inet(remote_address, "ip")) {
6541     + rhost = tsocket_address_inet_addr_string(
6542     + remote_address, tmp_ctx);
6543     + if (rhost == NULL) {
6544     + status = NT_STATUS_NO_MEMORY;
6545     + goto done;
6546     + }
6547     + } else {
6548     + rhost = "127.0.0.1";
6549     + }
6550     +
6551     + if (server_role != ROLE_STANDALONE) {
6552     + struct wbcAuthUserParams params = { 0 };
6553     struct wbcAuthUserInfo *info = NULL;
6554     struct wbcAuthErrorInfo *err = NULL;
6555     + struct auth_serversupplied_info *server_info = NULL;
6556     + char *original_user_name = NULL;
6557     + char *p = NULL;
6558     wbcErr wbc_err;
6559    
6560     + if (pac_blob == NULL) {
6561     + /*
6562     + * This should already be catched at the main
6563     + * gensec layer, but better check twice
6564     + */
6565     + status = NT_STATUS_INTERNAL_ERROR;
6566     + goto done;
6567     + }
6568     +
6569     /*
6570     * Let winbind decode the PAC.
6571     * This will also store the user
6572     * data in the netsamlogon cache.
6573     *
6574     - * We need to do this *before* we
6575     - * call get_user_from_kerberos_info()
6576     - * as that does a user lookup that
6577     - * expects info in the netsamlogon cache.
6578     - *
6579     - * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
6580     + * This used to be a cache prime
6581     + * optimization, but now we delegate
6582     + * all logic to winbindd, as we require
6583     + * winbindd as domain member anyway.
6584     */
6585     params.level = WBC_AUTH_USER_LEVEL_PAC;
6586     params.password.pac.data = pac_blob->data;
6587     params.password.pac.length = pac_blob->length;
6588    
6589     + /* we are contacting the privileged pipe */
6590     become_root();
6591     wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
6592     unbecome_root();
6593     @@ -99,18 +120,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6594     */
6595    
6596     switch (wbc_err) {
6597     - case WBC_ERR_WINBIND_NOT_AVAILABLE:
6598     case WBC_ERR_SUCCESS:
6599     break;
6600     + case WBC_ERR_WINBIND_NOT_AVAILABLE:
6601     + status = NT_STATUS_NO_LOGON_SERVERS;
6602     + DBG_ERR("winbindd not running - "
6603     + "but required as domain member: %s\n",
6604     + nt_errstr(status));
6605     + goto done;
6606     case WBC_ERR_AUTH_ERROR:
6607     status = NT_STATUS(err->nt_status);
6608     wbcFreeMemory(err);
6609     goto done;
6610     + case WBC_ERR_NO_MEMORY:
6611     + status = NT_STATUS_NO_MEMORY;
6612     + goto done;
6613     default:
6614     status = NT_STATUS_LOGON_FAILURE;
6615     goto done;
6616     }
6617    
6618     + status = make_server_info_wbcAuthUserInfo(tmp_ctx,
6619     + info->account_name,
6620     + info->domain_name,
6621     + info, &server_info);
6622     + if (!NT_STATUS_IS_OK(status)) {
6623     + DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n",
6624     + nt_errstr(status)));
6625     + goto done;
6626     + }
6627     +
6628     + /* We skip doing this step if the caller asked us not to */
6629     + if (!(server_info->guest)) {
6630     + const char *unix_username = server_info->unix_name;
6631     +
6632     + /* We might not be root if we are an RPC call */
6633     + become_root();
6634     + status = smb_pam_accountcheck(unix_username, rhost);
6635     + unbecome_root();
6636     +
6637     + if (!NT_STATUS_IS_OK(status)) {
6638     + DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
6639     + "FAILED with error %s\n",
6640     + unix_username, nt_errstr(status)));
6641     + goto done;
6642     + }
6643     +
6644     + DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
6645     + "succeeded\n", unix_username));
6646     + }
6647     +
6648     + DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
6649     +
6650     + p = strchr_m(princ_name, '@');
6651     + if (!p) {
6652     + DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6653     + princ_name));
6654     + status = NT_STATUS_LOGON_FAILURE;
6655     + goto done;
6656     + }
6657     +
6658     + original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name);
6659     + if (original_user_name == NULL) {
6660     + status = NT_STATUS_NO_MEMORY;
6661     + goto done;
6662     + }
6663     +
6664     + status = create_local_token(mem_ctx,
6665     + server_info,
6666     + NULL,
6667     + original_user_name,
6668     + session_info);
6669     + if (!NT_STATUS_IS_OK(status)) {
6670     + DEBUG(10, ("create_local_token failed: %s\n",
6671     + nt_errstr(status)));
6672     + goto done;
6673     + }
6674     +
6675     + goto session_info_ready;
6676     + }
6677     +
6678     + /* This is the standalone legacy code path */
6679     +
6680     + if (pac_blob != NULL) {
6681     +#ifdef HAVE_KRB5
6682     status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
6683     NULL, NULL, 0, &logon_info);
6684     #else
6685     @@ -121,22 +214,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6686     }
6687     }
6688    
6689     - rc = get_remote_hostname(remote_address,
6690     - &rhost,
6691     - tmp_ctx);
6692     - if (rc < 0) {
6693     - status = NT_STATUS_NO_MEMORY;
6694     - goto done;
6695     - }
6696     - if (strequal(rhost, "UNKNOWN")) {
6697     - rhost = tsocket_address_inet_addr_string(remote_address,
6698     - tmp_ctx);
6699     - if (rhost == NULL) {
6700     - status = NT_STATUS_NO_MEMORY;
6701     - goto done;
6702     - }
6703     - }
6704     -
6705     status = get_user_from_kerberos_info(tmp_ctx, rhost,
6706     princ_name, logon_info,
6707     &is_mapped, &is_guest,
6708     @@ -170,6 +247,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6709     goto done;
6710     }
6711    
6712     +session_info_ready:
6713     +
6714     /* setup the string used by %U */
6715     set_current_user_info((*session_info)->unix_info->sanitized_username,
6716     (*session_info)->unix_info->unix_name,
6717     @@ -179,7 +258,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6718     lp_load_with_shares(get_dyn_CONFIGFILE());
6719    
6720     DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
6721     - ntuser, ntdomain, rhost));
6722     + (*session_info)->info->account_name,
6723     + (*session_info)->info->domain_name,
6724     + rhost));
6725    
6726     status = NT_STATUS_OK;
6727    
6728     --
6729     2.39.0
6730    
6731    
6732     From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001
6733     From: Stefan Metzmacher <metze@samba.org>
6734     Date: Tue, 5 Oct 2021 17:14:01 +0200
6735     Subject: [PATCH 078/142] CVE-2020-25717: selftest: configure 'ktest' env with
6736     winbindd and idmap_autorid
6737    
6738     The 'ktest' environment was/is designed to test kerberos in an active
6739     directory member setup. It was created at a time we wanted to test
6740     smbd/winbindd with kerberos without having the source4 ad dc available.
6741    
6742     This still applies to testing the build with system krb5 libraries
6743     but without relying on a running ad dc.
6744    
6745     As a domain member setup requires a running winbindd, we should test it
6746     that way, in order to reflect a valid setup.
6747    
6748     As a side effect it provides a way to demonstrate that we can accept
6749     smb connections authenticated via kerberos, but no connection to
6750     a domain controller! In order get this working offline, we need an
6751     idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
6752     should be the default choice.
6753    
6754     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
6755     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6756    
6757     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6758    
6759     [scabrero@samba.org Backported to 4.11 Run winbindd in offline mode
6760     but keep the user name mapping to avoid having to backport fixes
6761     for bso#14539]
6762     ---
6763     selftest/target/Samba3.pm | 2 +-
6764     1 file changed, 1 insertion(+), 1 deletion(-)
6765    
6766     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
6767     index bbbefea44b7..7034127ef0b 100755
6768     --- a/selftest/target/Samba3.pm
6769     +++ b/selftest/target/Samba3.pm
6770     @@ -1176,7 +1176,7 @@ $ret->{USERNAME} = KTEST/Administrator
6771     # access the share for tests.
6772     chmod 0777, "$prefix/share";
6773    
6774     - if (not $self->check_or_start($ret, "yes", "no", "yes")) {
6775     + if (not $self->check_or_start($ret, "yes", "offline", "yes")) {
6776     return undef;
6777     }
6778     return $ret;
6779     --
6780     2.39.0
6781    
6782    
6783     From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001
6784     From: Stefan Metzmacher <metze@samba.org>
6785     Date: Tue, 5 Oct 2021 18:12:49 +0200
6786     Subject: [PATCH 079/142] CVE-2020-25717: s3:auth: let
6787     auth3_generate_session_info_pac() reject a PAC in standalone mode
6788    
6789     We should be strict in standalone mode, that we only support MIT realms
6790     without a PAC in order to keep the code sane.
6791    
6792     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6793    
6794     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6795    
6796     [abartlet@samba.org Backported to Samba 4.12 has conflcits
6797     as the share reload code is in a different spot]
6798     ---
6799     source3/auth/auth_generic.c | 29 +++++++++--------------------
6800     1 file changed, 9 insertions(+), 20 deletions(-)
6801    
6802     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6803     index 3099e8f9057..23f746c078e 100644
6804     --- a/source3/auth/auth_generic.c
6805     +++ b/source3/auth/auth_generic.c
6806     @@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6807     {
6808     enum server_role server_role = lp_server_role();
6809     TALLOC_CTX *tmp_ctx;
6810     - struct PAC_LOGON_INFO *logon_info = NULL;
6811     - struct netr_SamInfo3 *info3_copy = NULL;
6812     bool is_mapped;
6813     bool is_guest;
6814     char *ntuser;
6815     @@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6816     /* This is the standalone legacy code path */
6817    
6818     if (pac_blob != NULL) {
6819     -#ifdef HAVE_KRB5
6820     - status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
6821     - NULL, NULL, 0, &logon_info);
6822     -#else
6823     - status = NT_STATUS_ACCESS_DENIED;
6824     -#endif
6825     + /*
6826     + * In standalone mode we don't expect a PAC!
6827     + * we only support MIT realms
6828     + */
6829     + status = NT_STATUS_BAD_TOKEN_TYPE;
6830     + DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n",
6831     + princ_name, nt_errstr(status));
6832     if (!NT_STATUS_IS_OK(status)) {
6833     goto done;
6834     }
6835     }
6836    
6837     status = get_user_from_kerberos_info(tmp_ctx, rhost,
6838     - princ_name, logon_info,
6839     + princ_name, NULL,
6840     &is_mapped, &is_guest,
6841     &ntuser, &ntdomain,
6842     &username, &pw);
6843     @@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6844     goto done;
6845     }
6846    
6847     - /* Get the info3 from the PAC data if we have it */
6848     - if (logon_info) {
6849     - status = create_info3_from_pac_logon_info(tmp_ctx,
6850     - logon_info,
6851     - &info3_copy);
6852     - if (!NT_STATUS_IS_OK(status)) {
6853     - goto done;
6854     - }
6855     - }
6856     -
6857     status = make_session_info_krb5(mem_ctx,
6858     ntuser, ntdomain, username, pw,
6859     - info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
6860     + NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
6861     session_info);
6862     if (!NT_STATUS_IS_OK(status)) {
6863     DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
6864     --
6865     2.39.0
6866    
6867    
6868     From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001
6869     From: Stefan Metzmacher <metze@samba.org>
6870     Date: Fri, 8 Oct 2021 17:59:59 +0200
6871     Subject: [PATCH 080/142] CVE-2020-25717: s3:auth: simplify
6872     get_user_from_kerberos_info() by removing the unused logon_info argument
6873    
6874     This code is only every called in standalone mode on a MIT realm,
6875     it means we never have a PAC and we also don't have winbindd arround.
6876    
6877     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6878    
6879     Signed-off-by: Stefan Metzmacher <metze@samba.org>
6880     ---
6881     source3/auth/auth_generic.c | 2 +-
6882     source3/auth/proto.h | 1 -
6883     source3/auth/user_krb5.c | 57 +++++++------------------------------
6884     3 files changed, 11 insertions(+), 49 deletions(-)
6885    
6886     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6887     index 23f746c078e..a11aae713f5 100644
6888     --- a/source3/auth/auth_generic.c
6889     +++ b/source3/auth/auth_generic.c
6890     @@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6891     }
6892    
6893     status = get_user_from_kerberos_info(tmp_ctx, rhost,
6894     - princ_name, NULL,
6895     + princ_name,
6896     &is_mapped, &is_guest,
6897     &ntuser, &ntdomain,
6898     &username, &pw);
6899     diff --git a/source3/auth/proto.h b/source3/auth/proto.h
6900     index fcfd1f36ca2..1ed3f4a2f77 100644
6901     --- a/source3/auth/proto.h
6902     +++ b/source3/auth/proto.h
6903     @@ -416,7 +416,6 @@ struct PAC_LOGON_INFO;
6904     NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6905     const char *cli_name,
6906     const char *princ_name,
6907     - struct PAC_LOGON_INFO *logon_info,
6908     bool *is_mapped,
6909     bool *mapped_to_guest,
6910     char **ntuser,
6911     diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
6912     index 074e8c7eb71..7b69ca6c222 100644
6913     --- a/source3/auth/user_krb5.c
6914     +++ b/source3/auth/user_krb5.c
6915     @@ -31,7 +31,6 @@
6916     NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6917     const char *cli_name,
6918     const char *princ_name,
6919     - struct PAC_LOGON_INFO *logon_info,
6920     bool *is_mapped,
6921     bool *mapped_to_guest,
6922     char **ntuser,
6923     @@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6924     struct passwd **_pw)
6925     {
6926     NTSTATUS status;
6927     - char *domain = NULL;
6928     - char *realm = NULL;
6929     + const char *domain = NULL;
6930     + const char *realm = NULL;
6931     char *user = NULL;
6932     char *p;
6933     char *fuser = NULL;
6934     @@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6935     return NT_STATUS_NO_MEMORY;
6936     }
6937    
6938     - realm = talloc_strdup(talloc_tos(), p + 1);
6939     - if (!realm) {
6940     - return NT_STATUS_NO_MEMORY;
6941     - }
6942     + realm = p + 1;
6943    
6944     if (!strequal(realm, lp_realm())) {
6945     DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6946     if (!lp_allow_trusted_domains()) {
6947     return NT_STATUS_LOGON_FAILURE;
6948     }
6949     - }
6950     -
6951     - if (logon_info && logon_info->info3.base.logon_domain.string) {
6952     - domain = talloc_strdup(mem_ctx,
6953     - logon_info->info3.base.logon_domain.string);
6954     - if (!domain) {
6955     - return NT_STATUS_NO_MEMORY;
6956     - }
6957     - DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6958     + domain = realm;
6959     } else {
6960     -
6961     - /* If we have winbind running, we can (and must) shorten the
6962     - username by using the short netbios name. Otherwise we will
6963     - have inconsistent user names. With Kerberos, we get the
6964     - fully qualified realm, with ntlmssp we get the short
6965     - name. And even w2k3 does use ntlmssp if you for example
6966     - connect to an ip address. */
6967     -
6968     - wbcErr wbc_status;
6969     - struct wbcDomainInfo *info = NULL;
6970     -
6971     - DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
6972     - realm));
6973     -
6974     - wbc_status = wbcDomainInfo(realm, &info);
6975     -
6976     - if (WBC_ERROR_IS_OK(wbc_status)) {
6977     - domain = talloc_strdup(mem_ctx,
6978     - info->short_name);
6979     - wbcFreeMemory(info);
6980     - } else {
6981     - DEBUG(3, ("Could not find short name: %s\n",
6982     - wbcErrorString(wbc_status)));
6983     - domain = talloc_strdup(mem_ctx, realm);
6984     - }
6985     - if (!domain) {
6986     - return NT_STATUS_NO_MEMORY;
6987     - }
6988     - DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6989     + domain = lp_workgroup();
6990     }
6991    
6992     fuser = talloc_asprintf(mem_ctx,
6993     @@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6994     return NT_STATUS_NO_MEMORY;
6995     }
6996     *ntuser = user;
6997     - *ntdomain = domain;
6998     + *ntdomain = talloc_strdup(mem_ctx, domain);
6999     + if (*ntdomain == NULL) {
7000     + return NT_STATUS_NO_MEMORY;
7001     + }
7002     +
7003     *_pw = pw;
7004    
7005     return NT_STATUS_OK;
7006     @@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7007     NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7008     const char *cli_name,
7009     const char *princ_name,
7010     - struct PAC_LOGON_INFO *logon_info,
7011     bool *is_mapped,
7012     bool *mapped_to_guest,
7013     char **ntuser,
7014     --
7015     2.39.0
7016    
7017    
7018     From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001
7019     From: Stefan Metzmacher <metze@samba.org>
7020     Date: Fri, 8 Oct 2021 18:03:04 +0200
7021     Subject: [PATCH 081/142] CVE-2020-25717: s3:auth: simplify
7022     make_session_info_krb5() by removing unused arguments
7023    
7024     This is only ever be called in standalone mode with an MIT realm,
7025     so we don't have a PAC/info3 structure.
7026    
7027     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
7028    
7029     Signed-off-by: Stefan Metzmacher <metze@samba.org>
7030     ---
7031     source3/auth/auth_generic.c | 2 +-
7032     source3/auth/proto.h | 2 --
7033     source3/auth/user_krb5.c | 20 +-------------------
7034     3 files changed, 2 insertions(+), 22 deletions(-)
7035    
7036     diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
7037     index a11aae713f5..4dd1af784bf 100644
7038     --- a/source3/auth/auth_generic.c
7039     +++ b/source3/auth/auth_generic.c
7040     @@ -227,7 +227,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
7041    
7042     status = make_session_info_krb5(mem_ctx,
7043     ntuser, ntdomain, username, pw,
7044     - NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
7045     + is_guest, is_mapped,
7046     session_info);
7047     if (!NT_STATUS_IS_OK(status)) {
7048     DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
7049     diff --git a/source3/auth/proto.h b/source3/auth/proto.h
7050     index 1ed3f4a2f77..c00ac70fd3f 100644
7051     --- a/source3/auth/proto.h
7052     +++ b/source3/auth/proto.h
7053     @@ -427,9 +427,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7054     char *ntdomain,
7055     char *username,
7056     struct passwd *pw,
7057     - const struct netr_SamInfo3 *info3,
7058     bool mapped_to_guest, bool username_was_mapped,
7059     - DATA_BLOB *session_key,
7060     struct auth_session_info **session_info);
7061    
7062     /* The following definitions come from auth/auth_samba4.c */
7063     diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
7064     index 7b69ca6c222..b8f37cbeee0 100644
7065     --- a/source3/auth/user_krb5.c
7066     +++ b/source3/auth/user_krb5.c
7067     @@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7068     char *ntdomain,
7069     char *username,
7070     struct passwd *pw,
7071     - const struct netr_SamInfo3 *info3,
7072     bool mapped_to_guest, bool username_was_mapped,
7073     - DATA_BLOB *session_key,
7074     struct auth_session_info **session_info)
7075     {
7076     NTSTATUS status;
7077     @@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7078     return status;
7079     }
7080    
7081     - } else if (info3) {
7082     - /* pass the unmapped username here since map_username()
7083     - will be called again in make_server_info_info3() */
7084     -
7085     - status = make_server_info_info3(mem_ctx,
7086     - ntuser, ntdomain,
7087     - &server_info,
7088     - info3);
7089     - if (!NT_STATUS_IS_OK(status)) {
7090     - DEBUG(1, ("make_server_info_info3 failed: %s!\n",
7091     - nt_errstr(status)));
7092     - return status;
7093     - }
7094     -
7095     } else {
7096     /*
7097     * We didn't get a PAC, we have to make up the user
7098     @@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7099    
7100     server_info->nss_token |= username_was_mapped;
7101    
7102     - status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
7103     + status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info);
7104     talloc_free(server_info);
7105     if (!NT_STATUS_IS_OK(status)) {
7106     DEBUG(10,("failed to create local token: %s\n",
7107     @@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7108     char *ntdomain,
7109     char *username,
7110     struct passwd *pw,
7111     - const struct netr_SamInfo3 *info3,
7112     bool mapped_to_guest, bool username_was_mapped,
7113     - DATA_BLOB *session_key,
7114     struct auth_session_info **session_info)
7115     {
7116     return NT_STATUS_NOT_IMPLEMENTED;
7117     --
7118     2.39.0
7119    
7120    
7121     From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001
7122     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7123     Date: Wed, 1 Sep 2021 15:39:19 +1200
7124     Subject: [PATCH 082/142] krb5pac.idl: Add ticket checksum PAC buffer type
7125    
7126     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7127     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7128     Reviewed-by: Isaac Boukris <iboukris@samba.org>
7129     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
7130     (cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
7131     ---
7132     librpc/idl/krb5pac.idl | 4 +++-
7133     1 file changed, 3 insertions(+), 1 deletion(-)
7134    
7135     diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7136     index f27e7243ee4..711b7f94b6c 100644
7137     --- a/librpc/idl/krb5pac.idl
7138     +++ b/librpc/idl/krb5pac.idl
7139     @@ -112,7 +112,8 @@ interface krb5pac
7140     PAC_TYPE_KDC_CHECKSUM = 7,
7141     PAC_TYPE_LOGON_NAME = 10,
7142     PAC_TYPE_CONSTRAINED_DELEGATION = 11,
7143     - PAC_TYPE_UPN_DNS_INFO = 12
7144     + PAC_TYPE_UPN_DNS_INFO = 12,
7145     + PAC_TYPE_TICKET_CHECKSUM = 16
7146     } PAC_TYPE;
7147    
7148     typedef struct {
7149     @@ -128,6 +129,7 @@ interface krb5pac
7150     [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
7151     PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
7152     [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7153     + [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7154     /* when new PAC info types are added they are supposed to be done
7155     in such a way that they are backwards compatible with existing
7156     servers. This makes it safe to just use a [default] for
7157     --
7158     2.39.0
7159    
7160    
7161     From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001
7162     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7163     Date: Wed, 1 Sep 2021 15:40:59 +1200
7164     Subject: [PATCH 083/142] security.idl: Add well-known SIDs for FAST
7165    
7166     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7167     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7168     Reviewed-by: Isaac Boukris <iboukris@samba.org>
7169     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
7170     (cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
7171     ---
7172     librpc/idl/security.idl | 3 +++
7173     1 file changed, 3 insertions(+)
7174    
7175     diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
7176     index 5930f448955..e6065a35691 100644
7177     --- a/librpc/idl/security.idl
7178     +++ b/librpc/idl/security.idl
7179     @@ -292,6 +292,9 @@ interface security
7180     const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
7181     const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
7182    
7183     + const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
7184     + const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
7185     +
7186     /*
7187     * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
7188     */
7189     --
7190     2.39.0
7191    
7192    
7193     From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001
7194     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7195     Date: Wed, 29 Sep 2021 16:15:26 +1300
7196     Subject: [PATCH 084/142] krb5pac.idl: Add missing buffer type values
7197    
7198     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
7199    
7200     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7201     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7202     Backported-by: Andreas Schneider <asn@samba.org>
7203     ---
7204     librpc/idl/krb5pac.idl | 3 +++
7205     1 file changed, 3 insertions(+)
7206    
7207     diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7208     index 711b7f94b6c..141894ec5f1 100644
7209     --- a/librpc/idl/krb5pac.idl
7210     +++ b/librpc/idl/krb5pac.idl
7211     @@ -113,6 +113,9 @@ interface krb5pac
7212     PAC_TYPE_LOGON_NAME = 10,
7213     PAC_TYPE_CONSTRAINED_DELEGATION = 11,
7214     PAC_TYPE_UPN_DNS_INFO = 12,
7215     + PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
7216     + PAC_TYPE_DEVICE_INFO = 14,
7217     + PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7218     PAC_TYPE_TICKET_CHECKSUM = 16
7219     } PAC_TYPE;
7220    
7221     --
7222     2.39.0
7223    
7224    
7225     From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001
7226     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7227     Date: Tue, 26 Oct 2021 20:33:38 +1300
7228     Subject: [PATCH 085/142] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO
7229     PAC buffer type
7230    
7231     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
7232    
7233     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7234     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7235     ---
7236     librpc/idl/krb5pac.idl | 14 +++++++++++++-
7237     1 file changed, 13 insertions(+), 1 deletion(-)
7238    
7239     diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7240     index 141894ec5f1..4bfec2de5e6 100644
7241     --- a/librpc/idl/krb5pac.idl
7242     +++ b/librpc/idl/krb5pac.idl
7243     @@ -97,6 +97,16 @@ interface krb5pac
7244     PAC_UPN_DNS_FLAGS flags;
7245     } PAC_UPN_DNS_INFO;
7246    
7247     + typedef [bitmap32bit] bitmap {
7248     + PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
7249     + PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
7250     + } PAC_ATTRIBUTE_INFO_FLAGS;
7251     +
7252     + typedef struct {
7253     + uint32 flags_length; /* length in bits */
7254     + PAC_ATTRIBUTE_INFO_FLAGS flags;
7255     + } PAC_ATTRIBUTES_INFO;
7256     +
7257     typedef [public] struct {
7258     PAC_LOGON_INFO *info;
7259     } PAC_LOGON_INFO_CTR;
7260     @@ -116,7 +126,8 @@ interface krb5pac
7261     PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
7262     PAC_TYPE_DEVICE_INFO = 14,
7263     PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7264     - PAC_TYPE_TICKET_CHECKSUM = 16
7265     + PAC_TYPE_TICKET_CHECKSUM = 16,
7266     + PAC_TYPE_ATTRIBUTES_INFO = 17
7267     } PAC_TYPE;
7268    
7269     typedef struct {
7270     @@ -133,6 +144,7 @@ interface krb5pac
7271     PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
7272     [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7273     [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7274     + [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
7275     /* when new PAC info types are added they are supposed to be done
7276     in such a way that they are backwards compatible with existing
7277     servers. This makes it safe to just use a [default] for
7278     --
7279     2.39.0
7280    
7281    
7282     From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001
7283     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7284     Date: Tue, 26 Oct 2021 20:33:49 +1300
7285     Subject: [PATCH 086/142] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
7286     buffer type
7287    
7288     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
7289    
7290     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7291     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7292     ---
7293     librpc/idl/krb5pac.idl | 8 +++++++-
7294     1 file changed, 7 insertions(+), 1 deletion(-)
7295    
7296     diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7297     index 4bfec2de5e6..f750359a069 100644
7298     --- a/librpc/idl/krb5pac.idl
7299     +++ b/librpc/idl/krb5pac.idl
7300     @@ -107,6 +107,10 @@ interface krb5pac
7301     PAC_ATTRIBUTE_INFO_FLAGS flags;
7302     } PAC_ATTRIBUTES_INFO;
7303    
7304     + typedef struct {
7305     + dom_sid sid;
7306     + } PAC_REQUESTER_SID;
7307     +
7308     typedef [public] struct {
7309     PAC_LOGON_INFO *info;
7310     } PAC_LOGON_INFO_CTR;
7311     @@ -127,7 +131,8 @@ interface krb5pac
7312     PAC_TYPE_DEVICE_INFO = 14,
7313     PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7314     PAC_TYPE_TICKET_CHECKSUM = 16,
7315     - PAC_TYPE_ATTRIBUTES_INFO = 17
7316     + PAC_TYPE_ATTRIBUTES_INFO = 17,
7317     + PAC_TYPE_REQUESTER_SID = 18
7318     } PAC_TYPE;
7319    
7320     typedef struct {
7321     @@ -145,6 +150,7 @@ interface krb5pac
7322     [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7323     [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7324     [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
7325     + [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
7326     /* when new PAC info types are added they are supposed to be done
7327     in such a way that they are backwards compatible with existing
7328     servers. This makes it safe to just use a [default] for
7329     --
7330     2.39.0
7331    
7332    
7333     From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001
7334     From: Andrew Bartlett <abartlet@samba.org>
7335     Date: Mon, 27 Sep 2021 11:20:19 +1300
7336     Subject: [PATCH 087/142] CVE-2020-25721 krb5pac: Add new buffers for
7337     samAccountName and objectSID
7338    
7339     These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
7340    
7341     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
7342    
7343     Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7344     Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7345     ---
7346     librpc/idl/krb5pac.idl | 18 ++++++++++++++++--
7347     librpc/ndr/ndr_krb5pac.c | 4 ++--
7348     2 files changed, 18 insertions(+), 4 deletions(-)
7349    
7350     diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7351     index f750359a069..94b9160d6eb 100644
7352     --- a/librpc/idl/krb5pac.idl
7353     +++ b/librpc/idl/krb5pac.idl
7354     @@ -86,15 +86,29 @@ interface krb5pac
7355     } PAC_CONSTRAINED_DELEGATION;
7356    
7357     typedef [bitmap32bit] bitmap {
7358     - PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
7359     + PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
7360     + PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
7361     } PAC_UPN_DNS_FLAGS;
7362    
7363     + typedef struct {
7364     + [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
7365     + [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
7366     + [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
7367     + [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
7368     + } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
7369     +
7370     + typedef [nodiscriminant] union {
7371     + [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
7372     + [default];
7373     + } PAC_UPN_DNS_INFO_EX;
7374     +
7375     typedef struct {
7376     [value(2*strlen_m(upn_name))] uint16 upn_name_size;
7377     [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
7378     [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
7379     [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
7380     PAC_UPN_DNS_FLAGS flags;
7381     + [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
7382     } PAC_UPN_DNS_INFO;
7383    
7384     typedef [bitmap32bit] bitmap {
7385     @@ -160,7 +174,7 @@ interface krb5pac
7386    
7387     typedef [public,nopush,nopull] struct {
7388     PAC_TYPE type;
7389     - [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
7390     + [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
7391     /*
7392     * We need to have two subcontexts to get the padding right,
7393     * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
7394     diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
7395     index a9ae2c4a789..57b28df9e52 100644
7396     --- a/librpc/ndr/ndr_krb5pac.c
7397     +++ b/librpc/ndr/ndr_krb5pac.c
7398     @@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
7399     if (ndr_flags & NDR_SCALARS) {
7400     NDR_CHECK(ndr_push_align(ndr, 4));
7401     NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
7402     - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
7403     + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
7404     {
7405     uint32_t _flags_save_PAC_INFO = ndr->flags;
7406     ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
7407     @@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
7408     {
7409     struct ndr_push *_ndr_info_pad;
7410     struct ndr_push *_ndr_info;
7411     - size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
7412     + size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
7413     NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
7414     NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
7415     NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
7416     --
7417     2.39.0
7418    
7419    
7420     From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001
7421     From: Alexander Bokovoy <ab@samba.org>
7422     Date: Fri, 12 Nov 2021 19:06:01 +0200
7423     Subject: [PATCH 088/142] IPA DC: add missing checks
7424    
7425     When introducing FreeIPA support, two places were forgotten:
7426    
7427     - schannel gensec module needs to be aware of IPA DC
7428     - _lsa_QueryInfoPolicy should treat IPA DC as PDC
7429    
7430     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
7431    
7432     Signed-off-by: Alexander Bokovoy <ab@samba.org>
7433     Reviewed-by: Guenther Deschner <gd@samba.org>
7434    
7435     Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
7436     Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
7437    
7438     (cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
7439     ---
7440     auth/gensec/schannel.c | 1 +
7441     source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
7442     2 files changed, 2 insertions(+)
7443    
7444     diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
7445     index 71e9afdf48e..f23c1effb23 100644
7446     --- a/auth/gensec/schannel.c
7447     +++ b/auth/gensec/schannel.c
7448     @@ -740,6 +740,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
7449     case ROLE_DOMAIN_BDC:
7450     case ROLE_DOMAIN_PDC:
7451     case ROLE_ACTIVE_DIRECTORY_DC:
7452     + case ROLE_IPA_DC:
7453     return NT_STATUS_OK;
7454     default:
7455     return NT_STATUS_NOT_IMPLEMENTED;
7456     diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
7457     index 57bfc596005..3f77856457e 100644
7458     --- a/source3/rpc_server/lsa/srv_lsa_nt.c
7459     +++ b/source3/rpc_server/lsa/srv_lsa_nt.c
7460     @@ -672,6 +672,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
7461     switch (lp_server_role()) {
7462     case ROLE_DOMAIN_PDC:
7463     case ROLE_DOMAIN_BDC:
7464     + case ROLE_IPA_DC:
7465     name = get_global_sam_name();
7466     sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
7467     if (!sid) {
7468     --
7469     2.39.0
7470    
7471    
7472     From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001
7473     From: Stefan Metzmacher <metze@samba.org>
7474     Date: Fri, 12 Nov 2021 15:27:58 +0100
7475     Subject: [PATCH 089/142] CVE-2020-25717: idmap_nss: verify that the name of
7476     the sid belongs to the configured domain
7477    
7478     We already check the sid belongs to the domain, but checking the name
7479     too feels better and make it easier to understand.
7480    
7481     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7482    
7483     Signed-off-by: Stefan Metzmacher <metze@samba.org>
7484     Reviewed-by: Ralph Boehme <slow@samba.org>
7485    
7486     [abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5
7487     as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]
7488    
7489     [abartlet@samba.org fix CVE marker]
7490     ---
7491     source3/winbindd/idmap_nss.c | 27 ++++++++++++++++++++++-----
7492     1 file changed, 22 insertions(+), 5 deletions(-)
7493    
7494     diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
7495     index 3fe98cbc729..243b67ccafd 100644
7496     --- a/source3/winbindd/idmap_nss.c
7497     +++ b/source3/winbindd/idmap_nss.c
7498     @@ -25,6 +25,7 @@
7499     #include "nsswitch/winbind_client.h"
7500     #include "idmap.h"
7501     #include "lib/winbind_util.h"
7502     +#include "libcli/security/dom_sid.h"
7503    
7504     #undef DBGC_CLASS
7505     #define DBGC_CLASS DBGC_IDMAP
7506     @@ -135,18 +136,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7507     for (i = 0; ids[i]; i++) {
7508     struct group *gr;
7509     enum lsa_SidType type;
7510     - const char *p = NULL;
7511     + const char *_domain = NULL;
7512     + const char *_name = NULL;
7513     + char *domain = NULL;
7514     char *name = NULL;
7515     bool ret;
7516    
7517     /* by default calls to winbindd are disabled
7518     the following call will not recurse so this is safe */
7519     (void)winbind_on();
7520     - ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
7521     - &p, &type);
7522     + ret = winbind_lookup_sid(talloc_tos(),
7523     + ids[i]->sid,
7524     + &_domain,
7525     + &_name,
7526     + &type);
7527     (void)winbind_off();
7528     - name = discard_const_p(char, p);
7529     -
7530     if (!ret) {
7531     /* TODO: how do we know if the name is really not mapped,
7532     * or something just failed ? */
7533     @@ -154,6 +158,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7534     continue;
7535     }
7536    
7537     + domain = discard_const_p(char, _domain);
7538     + name = discard_const_p(char, _name);
7539     +
7540     + if (!strequal(domain, dom->name)) {
7541     + struct dom_sid_buf buf;
7542     + DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
7543     + dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
7544     + sid_type_lookup(type), domain, name);
7545     + ids[i]->status = ID_UNMAPPED;
7546     + continue;
7547     + }
7548     +
7549     switch (type) {
7550     case SID_NAME_USER: {
7551     struct passwd *pw;
7552     @@ -186,6 +202,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7553     ids[i]->status = ID_UNKNOWN;
7554     break;
7555     }
7556     + TALLOC_FREE(domain);
7557     TALLOC_FREE(name);
7558     }
7559     return NT_STATUS_OK;
7560     --
7561     2.39.0
7562    
7563    
7564     From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001
7565     From: Joseph Sutton <josephsutton@catalyst.net.nz>
7566     Date: Fri, 12 Nov 2021 20:53:30 +1300
7567     Subject: [PATCH 090/142] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non
7568     existent uid' to make room for new accounts
7569    
7570     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7571    
7572     Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7573     Reviewed-by: Stefan Metzmacher <metze@samba.org>
7574     Reviewed-by: Ralph Boehme <slow@samba.org>
7575     (cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
7576     ---
7577     nsswitch/nsstest.c | 2 +-
7578     1 file changed, 1 insertion(+), 1 deletion(-)
7579    
7580     diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
7581     index 46f96795f39..8ce7493d1b6 100644
7582     --- a/nsswitch/nsstest.c
7583     +++ b/nsswitch/nsstest.c
7584     @@ -460,7 +460,7 @@ static void nss_test_errors(void)
7585     printf("ERROR Non existent user gave error %d\n", last_error);
7586     }
7587    
7588     - pwd = getpwuid(0xFFF0);
7589     + pwd = getpwuid(0xFF00);
7590     if (pwd || last_error != NSS_STATUS_NOTFOUND) {
7591     total_errors++;
7592     printf("ERROR Non existent uid gave error %d\n", last_error);
7593     --
7594     2.39.0
7595    
7596    
7597     From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001
7598     From: Andrew Bartlett <abartlet@samba.org>
7599     Date: Fri, 12 Nov 2021 16:10:31 +1300
7600     Subject: [PATCH 091/142] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
7601     mapping if the named based lookup fails
7602     MIME-Version: 1.0
7603     Content-Type: text/plain; charset=UTF-8
7604     Content-Transfer-Encoding: 8bit
7605    
7606     Before the CVE-2020-25717 fixes we had a fallback from
7607     getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
7608     unpredictable.
7609    
7610     Now we do the fallback based on sid_to_uid() followed by
7611     getpwuid() on the returned uid.
7612    
7613     This obsoletes 'username map [script]' based workaround adviced
7614     for CVE-2020-25717, when nss_winbindd is not used or
7615     idmap_nss is actually used.
7616    
7617     In future we may decide to prefer or only do the SID/UID based
7618     lookup, but for now we want to keep this unchanged as much as possible.
7619    
7620     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7621    
7622     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
7623    
7624     Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7625     Signed-off-by: Stefan Metzmacher <metze@samba.org>
7626    
7627     [metze@samba.org moved the new logic into the fallback codepath only
7628     in order to avoid behavior changes as much as possible]
7629     Reviewed-by: Ralph Boehme <slow@samba.org>
7630    
7631     Autobuild-User(master): Ralph Böhme <slow@samba.org>
7632     Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
7633    
7634     [abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
7635     as usage.py is not present in Samba 4.10]
7636     ---
7637     source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++-
7638     1 file changed, 33 insertions(+), 1 deletion(-)
7639    
7640     diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
7641     index c0e5cfd7fa8..b463059f259 100644
7642     --- a/source3/auth/auth_util.c
7643     +++ b/source3/auth/auth_util.c
7644     @@ -1837,7 +1837,9 @@ const struct auth_session_info *get_session_info_system(void)
7645     ***************************************************************************/
7646    
7647     static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
7648     - const char *username, char **found_username,
7649     + const char *username,
7650     + const struct dom_sid *sid,
7651     + char **found_username,
7652     struct passwd **pwd,
7653     bool *username_was_mapped)
7654     {
7655     @@ -1872,6 +1874,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
7656     }
7657    
7658     passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
7659     + if (!passwd && !*username_was_mapped) {
7660     + struct dom_sid_buf buf;
7661     + uid_t uid;
7662     + bool ok;
7663     +
7664     + DBG_DEBUG("Failed to find authenticated user %s via "
7665     + "getpwnam(), fallback to sid_to_uid(%s).\n",
7666     + dom_user, dom_sid_str_buf(sid, &buf));
7667     +
7668     + ok = sid_to_uid(sid, &uid);
7669     + if (!ok) {
7670     + DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
7671     + dom_sid_str_buf(sid, &buf), dom_user);
7672     + return NT_STATUS_NO_SUCH_USER;
7673     + }
7674     + passwd = getpwuid_alloc(mem_ctx, uid);
7675     + if (!passwd) {
7676     + DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
7677     + (long long)uid,
7678     + dom_sid_str_buf(sid, &buf),
7679     + dom_user);
7680     + return NT_STATUS_NO_SUCH_USER;
7681     + }
7682     + real_username = talloc_strdup(mem_ctx, passwd->pw_name);
7683     + }
7684     if (!passwd) {
7685     DEBUG(3, ("Failed to find authenticated user %s via "
7686     "getpwnam(), denying access.\n", dom_user));
7687     @@ -2017,6 +2044,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
7688     bool username_was_mapped;
7689     struct passwd *pwd;
7690     struct auth_serversupplied_info *result;
7691     + struct dom_sid sid;
7692     TALLOC_CTX *tmp_ctx = talloc_stackframe();
7693    
7694     /*
7695     @@ -2063,9 +2091,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
7696    
7697     /* this call will try to create the user if necessary */
7698    
7699     + sid_copy(&sid, info3->base.domain_sid);
7700     + sid_append_rid(&sid, info3->base.rid);
7701     +
7702     nt_status = check_account(tmp_ctx,
7703     nt_domain,
7704     nt_username,
7705     + &sid,
7706     &found_username,
7707     &pwd,
7708     &username_was_mapped);
7709     --
7710     2.39.0
7711    
7712    
7713     From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001
7714     From: Ralph Boehme <slow@samba.org>
7715     Date: Fri, 26 Nov 2021 10:57:17 +0100
7716     Subject: [PATCH 092/142] CVE-2020-25717: s3-auth: fix MIT Realm regression
7717    
7718     This looks like a regression introduced by the recent security fixes. This
7719     commit should hopefully fixes it.
7720    
7721     As a quick solution it might be possible to use the username map script based on
7722     the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
7723     sure this behaves identical, but it might work in the standalone server case.
7724    
7725     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
7726    
7727     Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
7728    
7729     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
7730    
7731     Signed-off-by: Ralph Boehme <slow@samba.org>
7732     Signed-off-by: Stefan Metzmacher <metze@samba.org>
7733     (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
7734     ---
7735     source3/auth/user_krb5.c | 9 +++++++++
7736     1 file changed, 9 insertions(+)
7737    
7738     diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
7739     index b8f37cbeee0..169bf563368 100644
7740     --- a/source3/auth/user_krb5.c
7741     +++ b/source3/auth/user_krb5.c
7742     @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7743     char *fuser = NULL;
7744     char *unixuser = NULL;
7745     struct passwd *pw = NULL;
7746     + bool may_retry = false;
7747    
7748     DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
7749    
7750     @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7751     domain = realm;
7752     } else {
7753     domain = lp_workgroup();
7754     + may_retry = true;
7755     }
7756    
7757     fuser = talloc_asprintf(mem_ctx,
7758     @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7759     *mapped_to_guest = false;
7760    
7761     pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
7762     + if (may_retry && pw == NULL && !*is_mapped) {
7763     + fuser = talloc_strdup(mem_ctx, user);
7764     + if (!fuser) {
7765     + return NT_STATUS_NO_MEMORY;
7766     + }
7767     + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
7768     + }
7769     if (pw) {
7770     if (!unixuser) {
7771     return NT_STATUS_NO_MEMORY;
7772     --
7773     2.39.0
7774    
7775    
7776     From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001
7777     From: Ralph Boehme <slow@samba.org>
7778     Date: Thu, 13 Jan 2022 16:48:01 +0100
7779     Subject: [PATCH 093/142] CVE-2021-44142: libadouble: add defines for icon
7780     lengths
7781    
7782     From https://www.ietf.org/rfc/rfc1740.txt
7783    
7784     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7785    
7786     Signed-off-by: Ralph Boehme <slow@samba.org>
7787     ---
7788     source3/modules/vfs_fruit.c | 2 ++
7789     1 file changed, 2 insertions(+)
7790    
7791     diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
7792     index afad70ce180..3a35620bfe4 100644
7793     --- a/source3/modules/vfs_fruit.c
7794     +++ b/source3/modules/vfs_fruit.c
7795     @@ -283,6 +283,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t;
7796     #define ADEDLEN_MACFILEI 4
7797     #define ADEDLEN_PRODOSFILEI 8
7798     #define ADEDLEN_MSDOSFILEI 2
7799     +#define ADEDLEN_ICONBW 128
7800     +#define ADEDLEN_ICONCOL 1024
7801     #define ADEDLEN_DID 4
7802     #define ADEDLEN_PRIVDEV 8
7803     #define ADEDLEN_PRIVINO 8
7804     --
7805     2.39.0
7806    
7807    
7808     From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001
7809     From: Ralph Boehme <slow@samba.org>
7810     Date: Sat, 20 Nov 2021 16:36:42 +0100
7811     Subject: [PATCH 094/142] CVE-2021-44142: smbd: add Netatalk xattr used by
7812     vfs_fruit to the list of private Samba xattrs
7813    
7814     This is an internal xattr that should not be user visible.
7815    
7816     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7817    
7818     Signed-off-by: Ralph Boehme <slow@samba.org>
7819     [slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
7820     ---
7821     source3/smbd/trans2.c | 11 +++++++++++
7822     1 file changed, 11 insertions(+)
7823    
7824     diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
7825     index f8d987bbe63..406087c0419 100644
7826     --- a/source3/smbd/trans2.c
7827     +++ b/source3/smbd/trans2.c
7828     @@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd_server_connection *sconn)
7829     Refuse to allow clients to overwrite our private xattrs.
7830     ****************************************************************************/
7831    
7832     +/*
7833     + * Taken from vfs_fruit.c
7834     + */
7835     +#define NETATALK_META_XATTR "org.netatalk.Metadata"
7836     +#if defined(HAVE_ATTROPEN)
7837     +#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
7838     +#else
7839     +#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
7840     +#endif
7841     +
7842     bool samba_private_attr_name(const char *unix_ea_name)
7843     {
7844     static const char * const prohibited_ea_names[] = {
7845     @@ -183,6 +193,7 @@ bool samba_private_attr_name(const char *unix_ea_name)
7846     SAMBA_XATTR_DOS_ATTRIB,
7847     SAMBA_XATTR_MARKER,
7848     XATTR_NTACL_NAME,
7849     + AFPINFO_EA_NETATALK,
7850     NULL
7851     };
7852    
7853     --
7854     2.39.0
7855    
7856    
7857     From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001
7858     From: Ralph Boehme <slow@samba.org>
7859     Date: Fri, 26 Nov 2021 07:19:32 +0100
7860     Subject: [PATCH 095/142] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
7861    
7862     This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
7863     which is used for parsing ._ AppleDouble sidecar files, and the buffer
7864     ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
7865     buffer out-of-bounds access checks in ad_unpack_xattrs().
7866    
7867     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7868    
7869     Signed-off-by: Ralph Boehme <slow@samba.org>
7870     ---
7871     source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
7872     1 file changed, 18 insertions(+), 4 deletions(-)
7873    
7874     diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
7875     index 3a35620bfe4..76139e51047 100644
7876     --- a/source3/modules/vfs_fruit.c
7877     +++ b/source3/modules/vfs_fruit.c
7878     @@ -728,14 +728,27 @@ static bool ad_pack(struct adouble *ad)
7879     static bool ad_unpack_xattrs(struct adouble *ad)
7880     {
7881     struct ad_xattr_header *h = &ad->adx_header;
7882     + size_t bufsize = talloc_get_size(ad->ad_data);
7883     const char *p = ad->ad_data;
7884     uint32_t hoff;
7885     uint32_t i;
7886    
7887     + if (ad->ad_type != ADOUBLE_RSRC) {
7888     + return false;
7889     + }
7890     +
7891     if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
7892     return true;
7893     }
7894    
7895     + /*
7896     + * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
7897     + * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
7898     + */
7899     + if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
7900     + return false;
7901     + }
7902     +
7903     /* 2 bytes padding */
7904     hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
7905    
7906     @@ -985,11 +998,12 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
7907     ad->ad_eid[eid].ade_len = len;
7908     }
7909    
7910     - ok = ad_unpack_xattrs(ad);
7911     - if (!ok) {
7912     - return false;
7913     + if (ad->ad_type == ADOUBLE_RSRC) {
7914     + ok = ad_unpack_xattrs(ad);
7915     + if (!ok) {
7916     + return false;
7917     + }
7918     }
7919     -
7920     return true;
7921     }
7922    
7923     --
7924     2.39.0
7925    
7926    
7927     From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001
7928     From: Ralph Boehme <slow@samba.org>
7929     Date: Thu, 25 Nov 2021 15:04:03 +0100
7930     Subject: [PATCH 096/142] CVE-2021-44142: libadouble: add basic cmocka tests
7931    
7932     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7933    
7934     Signed-off-by: Ralph Boehme <slow@samba.org>
7935     [slow@samba.org: conflict due to missing test in selftest/tests.py]
7936     ---
7937     selftest/knownfail.d/samba.unittests.adouble | 3 +
7938     selftest/tests.py | 2 +
7939     source3/lib/test_adouble.c | 393 +++++++++++++++++++
7940     source3/wscript_build | 5 +
7941     4 files changed, 403 insertions(+)
7942     create mode 100644 selftest/knownfail.d/samba.unittests.adouble
7943     create mode 100644 source3/lib/test_adouble.c
7944    
7945     diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
7946     new file mode 100644
7947     index 00000000000..8b0314f2fae
7948     --- /dev/null
7949     +++ b/selftest/knownfail.d/samba.unittests.adouble
7950     @@ -0,0 +1,3 @@
7951     +^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
7952     +^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
7953     +^samba.unittests.adouble.parse_abouble_date2\(none\)
7954     diff --git a/selftest/tests.py b/selftest/tests.py
7955     index e3f7d9acb4a..4bc4d301c4c 100644
7956     --- a/selftest/tests.py
7957     +++ b/selftest/tests.py
7958     @@ -260,3 +260,5 @@ plantestsuite("samba.unittests.ntlm_check", "none",
7959     [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
7960     plantestsuite("samba.unittests.test_registry_regfio", "none",
7961     [os.path.join(bindir(), "default/source3/test_registry_regfio")])
7962     +plantestsuite("samba.unittests.adouble", "none",
7963     + [os.path.join(bindir(), "test_adouble")])
7964     diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c
7965     new file mode 100644
7966     index 00000000000..667d2a7542e
7967     --- /dev/null
7968     +++ b/source3/lib/test_adouble.c
7969     @@ -0,0 +1,393 @@
7970     +/*
7971     + * Unix SMB/CIFS implementation.
7972     + *
7973     + * Copyright (C) 2021 Ralph Boehme <slow@samba.org>
7974     + *
7975     + * This program is free software; you can redistribute it and/or modify
7976     + * it under the terms of the GNU General Public License as published by
7977     + * the Free Software Foundation; either version 3 of the License, or
7978     + * (at your option) any later version.
7979     + *
7980     + * This program is distributed in the hope that it will be useful,
7981     + * but WITHOUT ANY WARRANTY; without even the implied warranty of
7982     + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7983     + * GNU General Public License for more details.
7984     + *
7985     + * You should have received a copy of the GNU General Public License
7986     + * along with this program. If not, see <http://www.gnu.org/licenses/>.
7987     + */
7988     +
7989     +#include "includes.h"
7990     +extern NTSTATUS vfs_fruit_init(TALLOC_CTX *mem_ctx);
7991     +
7992     +#include "vfs_fruit.c"
7993     +#include <cmocka.h>
7994     +
7995     +
7996     +static int setup_talloc_context(void **state)
7997     +{
7998     + TALLOC_CTX *frame = talloc_stackframe();
7999     +
8000     + *state = frame;
8001     + return 0;
8002     +}
8003     +
8004     +static int teardown_talloc_context(void **state)
8005     +{
8006     + TALLOC_CTX *frame = *state;
8007     +
8008     + TALLOC_FREE(frame);
8009     + return 0;
8010     +}
8011     +
8012     +/*
8013     + * Basic and sane buffer.
8014     + */
8015     +static uint8_t ad_basic[] = {
8016     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8017     + 0x00, 0x02, 0x00, 0x00, /* Version */
8018     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8019     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8020     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8021     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8022     + 0x00, 0x02, /* Count */
8023     + /* adentry 1: FinderInfo */
8024     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8025     + 0x00, 0x00, 0x00, 0x32, /* offset */
8026     + 0x00, 0x00, 0x00, 0x20, /* length */
8027     + /* adentry 2: Resourcefork */
8028     + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8029     + 0x00, 0x00, 0x00, 0x52, /* offset */
8030     + 0xff, 0xff, 0xff, 0x00, /* length */
8031     + /* FinderInfo data: 32 bytes */
8032     + 0x00, 0x00, 0x00, 0x00,
8033     + 0x00, 0x00, 0x00, 0x00,
8034     + 0x00, 0x00, 0x00, 0x00,
8035     + 0x00, 0x00, 0x00, 0x00,
8036     + 0x00, 0x00, 0x00, 0x00,
8037     + 0x00, 0x00, 0x00, 0x00,
8038     + 0x00, 0x00, 0x00, 0x00,
8039     + 0x00, 0x00, 0x00, 0x00,
8040     +};
8041     +
8042     +/*
8043     + * An empty FinderInfo entry.
8044     + */
8045     +static uint8_t ad_finderinfo1[] = {
8046     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8047     + 0x00, 0x02, 0x00, 0x00, /* Version */
8048     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8049     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8050     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8051     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8052     + 0x00, 0x02, /* Count */
8053     + /* adentry 1: FinderInfo */
8054     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8055     + 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
8056     + 0x00, 0x00, 0x00, 0x00, /* len: 0, so off+len don't exceed bufferlen */
8057     + /* adentry 2: Resourcefork */
8058     + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8059     + 0x00, 0x00, 0x00, 0x52, /* offset */
8060     + 0xff, 0xff, 0xff, 0x00, /* length */
8061     + /* FinderInfo data: 32 bytes */
8062     + 0x00, 0x00, 0x00, 0x00,
8063     + 0x00, 0x00, 0x00, 0x00,
8064     + 0x00, 0x00, 0x00, 0x00,
8065     + 0x00, 0x00, 0x00, 0x00,
8066     + 0x00, 0x00, 0x00, 0x00,
8067     + 0x00, 0x00, 0x00, 0x00,
8068     + 0x00, 0x00, 0x00, 0x00,
8069     + 0x00, 0x00, 0x00, 0x00,
8070     +};
8071     +
8072     +/*
8073     + * A dangerous FinderInfo with correct length exceeding buffer by one byte.
8074     + */
8075     +static uint8_t ad_finderinfo2[] = {
8076     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8077     + 0x00, 0x02, 0x00, 0x00, /* Version */
8078     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8079     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8080     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8081     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8082     + 0x00, 0x02, /* Count */
8083     + /* adentry 1: FinderInfo */
8084     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8085     + 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
8086     + 0x00, 0x00, 0x00, 0x20, /* len: 32, so off+len exceeds bufferlen by 1 */
8087     + /* adentry 2: Resourcefork */
8088     + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8089     + 0x00, 0x00, 0x00, 0x52, /* offset */
8090     + 0xff, 0xff, 0xff, 0x00, /* length */
8091     + /* FinderInfo data: 32 bytes */
8092     + 0x00, 0x00, 0x00, 0x00,
8093     + 0x00, 0x00, 0x00, 0x00,
8094     + 0x00, 0x00, 0x00, 0x00,
8095     + 0x00, 0x00, 0x00, 0x00,
8096     + 0x00, 0x00, 0x00, 0x00,
8097     + 0x00, 0x00, 0x00, 0x00,
8098     + 0x00, 0x00, 0x00, 0x00,
8099     + 0x00, 0x00, 0x00, 0x00,
8100     +};
8101     +
8102     +static uint8_t ad_finderinfo3[] = {
8103     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8104     + 0x00, 0x02, 0x00, 0x00, /* Version */
8105     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8106     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8107     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8108     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8109     + 0x00, 0x02, /* Count */
8110     + /* adentry 1: FinderInfo */
8111     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8112     + 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
8113     + 0x00, 0x00, 0x00, 0x1f, /* len: 31, so off+len don't exceed buf */
8114     + /* adentry 2: Resourcefork */
8115     + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8116     + 0x00, 0x00, 0x00, 0x52, /* offset */
8117     + 0xff, 0xff, 0xff, 0x00, /* length */
8118     + /* FinderInfo data: 32 bytes */
8119     + 0x00, 0x00, 0x00, 0x00,
8120     + 0x00, 0x00, 0x00, 0x00,
8121     + 0x00, 0x00, 0x00, 0x00,
8122     + 0x00, 0x00, 0x00, 0x00,
8123     + 0x00, 0x00, 0x00, 0x00,
8124     + 0x00, 0x00, 0x00, 0x00,
8125     + 0x00, 0x00, 0x00, 0x00,
8126     + 0x00, 0x00, 0x00, 0x00,
8127     +};
8128     +
8129     +/*
8130     + * A dangerous name entry.
8131     + */
8132     +static uint8_t ad_name[] = {
8133     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8134     + 0x00, 0x02, 0x00, 0x00, /* Version */
8135     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8136     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8137     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8138     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8139     + 0x00, 0x02, /* Count */
8140     + /* adentry 1: FinderInfo */
8141     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8142     + 0x00, 0x00, 0x00, 0x32, /* offset */
8143     + 0x00, 0x00, 0x00, 0x20, /* length */
8144     + /* adentry 2: Name */
8145     + 0x00, 0x00, 0x00, 0x03, /* eid: Name */
8146     + 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
8147     + 0x00, 0x00, 0x00, 0x01, /* len: 1, so off+len exceeds bufferlen */
8148     + /* FinderInfo data: 32 bytes */
8149     + 0x00, 0x00, 0x00, 0x00,
8150     + 0x00, 0x00, 0x00, 0x00,
8151     + 0x00, 0x00, 0x00, 0x00,
8152     + 0x00, 0x00, 0x00, 0x00,
8153     + 0x00, 0x00, 0x00, 0x00,
8154     + 0x00, 0x00, 0x00, 0x00,
8155     + 0x00, 0x00, 0x00, 0x00,
8156     + 0x00, 0x00, 0x00, 0x00,
8157     +};
8158     +
8159     +/*
8160     + * A empty ADEID_FILEDATESI entry.
8161     + */
8162     +static uint8_t ad_date1[] = {
8163     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8164     + 0x00, 0x02, 0x00, 0x00, /* Version */
8165     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8166     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8167     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8168     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8169     + 0x00, 0x02, /* Count */
8170     + /* adentry 1: FinderInfo */
8171     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8172     + 0x00, 0x00, 0x00, 0x32, /* offset */
8173     + 0x00, 0x00, 0x00, 0x20, /* length */
8174     + /* adentry 2: Dates */
8175     + 0x00, 0x00, 0x00, 0x08, /* eid: dates */
8176     + 0x00, 0x00, 0x00, 0x52, /* off: end of buffer */
8177     + 0x00, 0x00, 0x00, 0x00, /* len: 0, empty entry, valid */
8178     + /* FinderInfo data: 32 bytes */
8179     + 0x00, 0x00, 0x00, 0x00,
8180     + 0x00, 0x00, 0x00, 0x00,
8181     + 0x00, 0x00, 0x00, 0x00,
8182     + 0x00, 0x00, 0x00, 0x00,
8183     + 0x00, 0x00, 0x00, 0x00,
8184     + 0x00, 0x00, 0x00, 0x00,
8185     + 0x00, 0x00, 0x00, 0x00,
8186     + 0x00, 0x00, 0x00, 0x00,
8187     +};
8188     +
8189     +/*
8190     + * A dangerous ADEID_FILEDATESI entry, invalid length.
8191     + */
8192     +static uint8_t ad_date2[] = {
8193     + 0x00, 0x05, 0x16, 0x07, /* Magic */
8194     + 0x00, 0x02, 0x00, 0x00, /* Version */
8195     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8196     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8197     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8198     + 0x00, 0x00, 0x00, 0x00, /* Filler */
8199     + 0x00, 0x02, /* Count */
8200     + /* adentry 1: FinderInfo */
8201     + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8202     + 0x00, 0x00, 0x00, 0x32, /* offset */
8203     + 0x00, 0x00, 0x00, 0x20, /* length */
8204     + /* adentry 2: Dates */
8205     + 0x00, 0x00, 0x00, 0x08, /* eid: dates */
8206     + 0x00, 0x00, 0x00, 0x43, /* off: FinderInfo buf but one byte short */
8207     + 0x00, 0x00, 0x00, 0x0f, /* len: 15, so off+len don't exceed bufferlen */
8208     + /* FinderInfo data: 32 bytes */
8209     + 0x00, 0x00, 0x00, 0x00,
8210     + 0x00, 0x00, 0x00, 0x00,
8211     + 0x00, 0x00, 0x00, 0x00,
8212     + 0x00, 0x00, 0x00, 0x00,
8213     + 0x00, 0x00, 0x00, 0x00,
8214     + 0x00, 0x00, 0x00, 0x00,
8215     + 0x00, 0x00, 0x00, 0x00,
8216     + 0x00, 0x00, 0x00, 0x00,
8217     +};
8218     +
8219     +static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx,
8220     + uint8_t *adbuf,
8221     + size_t adsize,
8222     + off_t filesize)
8223     +{
8224     + struct adouble *ad = NULL;
8225     + bool ok;
8226     +
8227     + ad = talloc_zero(mem_ctx, struct adouble);
8228     + ad->ad_data = talloc_zero_size(ad, adsize);
8229     + assert_non_null(ad);
8230     +
8231     + memcpy(ad->ad_data, adbuf, adsize);
8232     +
8233     + ok = ad_unpack(ad, 2, filesize);
8234     + if (!ok) {
8235     + return NULL;
8236     + }
8237     +
8238     + return ad;
8239     +}
8240     +
8241     +static void parse_abouble_basic(void **state)
8242     +{
8243     + TALLOC_CTX *frame = *state;
8244     + struct adouble *ad = NULL;
8245     + char *p = NULL;
8246     +
8247     + ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52);
8248     + assert_non_null(ad);
8249     +
8250     + p = ad_get_entry(ad, ADEID_FINDERI);
8251     + assert_non_null(p);
8252     +
8253     + return;
8254     +}
8255     +
8256     +static void parse_abouble_finderinfo1(void **state)
8257     +{
8258     + TALLOC_CTX *frame = *state;
8259     + struct adouble *ad = NULL;
8260     + char *p = NULL;
8261     +
8262     + ad = parse_adouble(frame,
8263     + ad_finderinfo1,
8264     + sizeof(ad_finderinfo1),
8265     + 0xffffff52);
8266     + assert_non_null(ad);
8267     +
8268     + p = ad_get_entry(ad, ADEID_FINDERI);
8269     + assert_null(p);
8270     +
8271     + return;
8272     +}
8273     +
8274     +static void parse_abouble_finderinfo2(void **state)
8275     +{
8276     + TALLOC_CTX *frame = *state;
8277     + struct adouble *ad = NULL;
8278     +
8279     + ad = parse_adouble(frame,
8280     + ad_finderinfo2,
8281     + sizeof(ad_finderinfo2),
8282     + 0xffffff52);
8283     + assert_null(ad);
8284     +
8285     + return;
8286     +}
8287     +
8288     +static void parse_abouble_finderinfo3(void **state)
8289     +{
8290     + TALLOC_CTX *frame = *state;
8291     + struct adouble *ad = NULL;
8292     +
8293     + ad = parse_adouble(frame,
8294     + ad_finderinfo3,
8295     + sizeof(ad_finderinfo3),
8296     + 0xffffff52);
8297     + assert_null(ad);
8298     +
8299     + return;
8300     +}
8301     +
8302     +static void parse_abouble_name(void **state)
8303     +{
8304     + TALLOC_CTX *frame = *state;
8305     + struct adouble *ad = NULL;
8306     +
8307     + ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52);
8308     + assert_null(ad);
8309     +
8310     + return;
8311     +}
8312     +
8313     +static void parse_abouble_date1(void **state)
8314     +{
8315     + TALLOC_CTX *frame = *state;
8316     + struct adouble *ad = NULL;
8317     + char *p = NULL;
8318     +
8319     + ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52);
8320     + assert_non_null(ad);
8321     +
8322     + p = ad_get_entry(ad, ADEID_FILEDATESI);
8323     + assert_null(p);
8324     +
8325     + return;
8326     +}
8327     +
8328     +static void parse_abouble_date2(void **state)
8329     +{
8330     + TALLOC_CTX *frame = *state;
8331     + struct adouble *ad = NULL;
8332     +
8333     + ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52);
8334     + assert_null(ad);
8335     +
8336     + return;
8337     +}
8338     +
8339     +int main(int argc, char *argv[])
8340     +{
8341     + int rc;
8342     + const struct CMUnitTest tests[] = {
8343     + cmocka_unit_test(parse_abouble_basic),
8344     + cmocka_unit_test(parse_abouble_finderinfo1),
8345     + cmocka_unit_test(parse_abouble_finderinfo2),
8346     + cmocka_unit_test(parse_abouble_finderinfo3),
8347     + cmocka_unit_test(parse_abouble_name),
8348     + cmocka_unit_test(parse_abouble_date1),
8349     + cmocka_unit_test(parse_abouble_date2),
8350     + };
8351     +
8352     + if (argc == 2) {
8353     + cmocka_set_test_filter(argv[1]);
8354     + }
8355     + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
8356     +
8357     + rc = cmocka_run_group_tests(tests,
8358     + setup_talloc_context,
8359     + teardown_talloc_context);
8360     +
8361     + return rc;
8362     +}
8363     diff --git a/source3/wscript_build b/source3/wscript_build
8364     index 26e251f442a..5230ae32934 100644
8365     --- a/source3/wscript_build
8366     +++ b/source3/wscript_build
8367     @@ -1080,6 +1080,11 @@ bld.SAMBA3_SUBSYSTEM('SPOOLSSD',
8368    
8369     ########################## BINARIES #################################
8370    
8371     +bld.SAMBA3_BINARY('test_adouble',
8372     + source='lib/test_adouble.c',
8373     + deps='smbd_base STRING_REPLACE cmocka OFFLOAD_TOKEN',
8374     + install=False)
8375     +
8376     bld.SAMBA3_BINARY('smbd/smbd',
8377     source='smbd/server.c smbd/smbd_cleanupd.c',
8378     deps='''
8379     --
8380     2.39.0
8381    
8382    
8383     From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001
8384     From: Ralph Boehme <slow@samba.org>
8385     Date: Thu, 13 Jan 2022 17:03:02 +0100
8386     Subject: [PATCH 097/142] CVE-2021-44142: libadouble: harden parsing code
8387    
8388     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
8389    
8390     Signed-off-by: Ralph Boehme <slow@samba.org>
8391     ---
8392     selftest/knownfail.d/samba.unittests.adouble | 3 -
8393     source3/modules/vfs_fruit.c | 114 ++++++++++++++++---
8394     2 files changed, 100 insertions(+), 17 deletions(-)
8395     delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
8396    
8397     diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
8398     deleted file mode 100644
8399     index 8b0314f2fae..00000000000
8400     --- a/selftest/knownfail.d/samba.unittests.adouble
8401     +++ /dev/null
8402     @@ -1,3 +0,0 @@
8403     -^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
8404     -^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
8405     -^samba.unittests.adouble.parse_abouble_date2\(none\)
8406     diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
8407     index 76139e51047..17e97d15bdb 100644
8408     --- a/source3/modules/vfs_fruit.c
8409     +++ b/source3/modules/vfs_fruit.c
8410     @@ -540,6 +540,94 @@ static AfpInfo *afpinfo_new(TALLOC_CTX *ctx);
8411     static ssize_t afpinfo_pack(const AfpInfo *ai, char *buf);
8412     static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
8413    
8414     +/*
8415     + * All entries besides FinderInfo and resource fork must fit into the
8416     + * buffer. FinderInfo is special as it may be larger then the default 32 bytes
8417     + * if it contains marshalled xattrs, which we will fixup that in
8418     + * ad_convert(). The first 32 bytes however must also be part of the buffer.
8419     + *
8420     + * The resource fork is never accessed directly by the ad_data buf.
8421     + */
8422     +static bool ad_entry_check_size(uint32_t eid,
8423     + size_t bufsize,
8424     + uint32_t off,
8425     + uint32_t got_len)
8426     +{
8427     + struct {
8428     + off_t expected_len;
8429     + bool fixed_size;
8430     + bool minimum_size;
8431     + } ad_checks[] = {
8432     + [ADEID_DFORK] = {-1, false, false}, /* not applicable */
8433     + [ADEID_RFORK] = {-1, false, false}, /* no limit */
8434     + [ADEID_NAME] = {ADEDLEN_NAME, false, false},
8435     + [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
8436     + [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
8437     + [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
8438     + [ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
8439     + [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
8440     + [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
8441     + [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
8442     + [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
8443     + [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
8444     + [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
8445     + [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
8446     + [ADEID_DID] = {ADEDLEN_DID, true, false},
8447     + [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
8448     + [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
8449     + [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
8450     + [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
8451     + };
8452     +
8453     + if (eid >= ADEID_MAX) {
8454     + return false;
8455     + }
8456     + if (got_len == 0) {
8457     + /* Entry present, but empty, allow */
8458     + return true;
8459     + }
8460     + if (ad_checks[eid].expected_len == 0) {
8461     + /*
8462     + * Shouldn't happen: implicitly initialized to zero because
8463     + * explicit initializer missing.
8464     + */
8465     + return false;
8466     + }
8467     + if (ad_checks[eid].expected_len == -1) {
8468     + /* Unused or no limit */
8469     + return true;
8470     + }
8471     + if (ad_checks[eid].fixed_size) {
8472     + if (ad_checks[eid].expected_len != got_len) {
8473     + /* Wrong size fo fixed size entry. */
8474     + return false;
8475     + }
8476     + } else {
8477     + if (ad_checks[eid].minimum_size) {
8478     + if (got_len < ad_checks[eid].expected_len) {
8479     + /*
8480     + * Too small for variable sized entry with
8481     + * minimum size.
8482     + */
8483     + return false;
8484     + }
8485     + } else {
8486     + if (got_len > ad_checks[eid].expected_len) {
8487     + /* Too big for variable sized entry. */
8488     + return false;
8489     + }
8490     + }
8491     + }
8492     + if (off + got_len < off) {
8493     + /* wrap around */
8494     + return false;
8495     + }
8496     + if (off + got_len > bufsize) {
8497     + /* overflow */
8498     + return false;
8499     + }
8500     + return true;
8501     +}
8502    
8503     /**
8504     * Return a pointer to an AppleDouble entry
8505     @@ -548,8 +636,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
8506     **/
8507     static char *ad_get_entry(const struct adouble *ad, int eid)
8508     {
8509     + size_t bufsize = talloc_get_size(ad->ad_data);
8510     off_t off = ad_getentryoff(ad, eid);
8511     size_t len = ad_getentrylen(ad, eid);
8512     + bool valid;
8513     +
8514     + valid = ad_entry_check_size(eid, bufsize, off, len);
8515     + if (!valid) {
8516     + return NULL;
8517     + }
8518    
8519     if (off == 0 || len == 0) {
8520     return NULL;
8521     @@ -935,20 +1030,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
8522     return false;
8523     }
8524    
8525     - /*
8526     - * All entries besides FinderInfo and resource fork
8527     - * must fit into the buffer. FinderInfo is special as
8528     - * it may be larger then the default 32 bytes (if it
8529     - * contains marshalled xattrs), but we will fixup that
8530     - * in ad_convert(). And the resource fork is never
8531     - * accessed directly by the ad_data buf (also see
8532     - * comment above) anyway.
8533     - */
8534     - if ((eid != ADEID_RFORK) &&
8535     - (eid != ADEID_FINDERI) &&
8536     - ((off + len) > bufsize)) {
8537     - DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
8538     - eid, off, len));
8539     + ok = ad_entry_check_size(eid, bufsize, off, len);
8540     + if (!ok) {
8541     + DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
8542     + "off [%"PRIu32"] len [%"PRIu32"]\n",
8543     + eid, bufsize, off, len);
8544     return false;
8545     }
8546    
8547     --
8548     2.39.0
8549    
8550    
8551     From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001
8552     From: Christof Schmitt <cs@samba.org>
8553     Date: Fri, 5 Mar 2021 15:48:29 -0700
8554     Subject: [PATCH 098/142] winbind: Only use unixid2sid mapping when module
8555     reports ID_MAPPED
8556    
8557     Only consider a mapping to be valid when the idmap module reports
8558     ID_MAPPED. Otherwise return the null SID.
8559    
8560     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8561    
8562     Signed-off-by: Christof Schmitt <cs@samba.org>
8563     Reviewed-by: Volker Lendecke <vl@samba.org>
8564     (cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23)
8565     (cherry picked from commit 3aa06edf38bc4002f031476baa50712fd1a67f4d)
8566     ---
8567     source3/winbindd/winbindd_dual_srv.c | 6 ++++--
8568     1 file changed, 4 insertions(+), 2 deletions(-)
8569    
8570     diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
8571     index 0842241e02e..94331163006 100644
8572     --- a/source3/winbindd/winbindd_dual_srv.c
8573     +++ b/source3/winbindd/winbindd_dual_srv.c
8574     @@ -275,8 +275,10 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
8575     }
8576    
8577     for (i=0; i<r->in.num_ids; i++) {
8578     - r->out.xids[i] = maps[i]->xid;
8579     - sid_copy(&r->out.sids[i], maps[i]->sid);
8580     + if (maps[i]->status == ID_MAPPED) {
8581     + r->out.xids[i] = maps[i]->xid;
8582     + sid_copy(&r->out.sids[i], maps[i]->sid);
8583     + }
8584     }
8585    
8586     TALLOC_FREE(maps);
8587     --
8588     2.39.0
8589    
8590    
8591     From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001
8592     From: Christof Schmitt <cs@samba.org>
8593     Date: Fri, 5 Mar 2021 16:01:13 -0700
8594     Subject: [PATCH 099/142] idmap_rfc2307: Do not return SID from unixids_to_sids
8595     on type mismatch
8596    
8597     The call to winbind_lookup_name already wrote the result in the id_map
8598     array. The later check for the type detected a mismatch, but that did
8599     not remove the SID from the result struct.
8600    
8601     Change this by first assigning the SID to a temporary variable and only
8602     write it to the id_map array after the type checks.
8603    
8604     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8605    
8606     Signed-off-by: Christof Schmitt <cs@samba.org>
8607     (cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc)
8608     (cherry picked from commit af37d5abae924d095e7b35620d850cf1f19021c4)
8609     ---
8610     source3/winbindd/idmap_rfc2307.c | 4 +++-
8611     source3/winbindd/winbindd_dual_srv.c | 2 ++
8612     2 files changed, 5 insertions(+), 1 deletion(-)
8613    
8614     diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
8615     index e3bf58d8165..2fffaec6cca 100644
8616     --- a/source3/winbindd/idmap_rfc2307.c
8617     +++ b/source3/winbindd/idmap_rfc2307.c
8618     @@ -228,6 +228,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8619    
8620     for (i = 0; i < count; i++) {
8621     char *name;
8622     + struct dom_sid sid;
8623     enum lsa_SidType lsa_type;
8624     struct id_map *map;
8625     uint32_t id;
8626     @@ -276,7 +277,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8627     the following call will not recurse so this is safe */
8628     (void)winbind_on();
8629     /* Lookup name from PDC using lsa_lookup_names() */
8630     - b = winbind_lookup_name(dom_name, name, map->sid, &lsa_type);
8631     + b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
8632     (void)winbind_off();
8633    
8634     if (!b) {
8635     @@ -300,6 +301,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8636     }
8637    
8638     map->status = ID_MAPPED;
8639     + sid_copy(map->sid, &sid);
8640     }
8641     }
8642    
8643     diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
8644     index 94331163006..34375b3858f 100644
8645     --- a/source3/winbindd/winbindd_dual_srv.c
8646     +++ b/source3/winbindd/winbindd_dual_srv.c
8647     @@ -278,6 +278,8 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
8648     if (maps[i]->status == ID_MAPPED) {
8649     r->out.xids[i] = maps[i]->xid;
8650     sid_copy(&r->out.sids[i], maps[i]->sid);
8651     + } else {
8652     + r->out.sids[i] = (struct dom_sid) { 0 };
8653     }
8654     }
8655    
8656     --
8657     2.39.0
8658    
8659    
8660     From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001
8661     From: Christof Schmitt <cs@samba.org>
8662     Date: Fri, 5 Mar 2021 16:07:54 -0700
8663     Subject: [PATCH 100/142] idmap_nss: Do not return SID from unixids_to_sids on
8664     type mismatch
8665    
8666     The call to winbind_lookup_name already wrote the result in the id_map
8667     array. The later check for the type detected a mismatch, but that did
8668     not remove the SID from the result struct.
8669    
8670     Change this by first assigning the SID to a temporary variable and only
8671     write it to the id_map array after the type checks.
8672    
8673     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8674    
8675     Signed-off-by: Christof Schmitt <cs@samba.org>
8676     Reviewed-by: Volker Lendecke <vl@samba.org>
8677    
8678     Autobuild-User(master): Volker Lendecke <vl@samba.org>
8679     Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184
8680    
8681     (cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)
8682     (cherry picked from commit 3f366878d33cf977230137021f6376936b2a1862)
8683     ---
8684     source3/winbindd/idmap_nss.c | 5 ++++-
8685     1 file changed, 4 insertions(+), 1 deletion(-)
8686    
8687     diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
8688     index 243b67ccafd..e4bf1923786 100644
8689     --- a/source3/winbindd/idmap_nss.c
8690     +++ b/source3/winbindd/idmap_nss.c
8691     @@ -56,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8692     struct passwd *pw;
8693     struct group *gr;
8694     const char *name;
8695     + struct dom_sid sid;
8696     enum lsa_SidType type;
8697     bool ret;
8698    
8699     @@ -87,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8700     the following call will not recurse so this is safe */
8701     (void)winbind_on();
8702     /* Lookup name from PDC using lsa_lookup_names() */
8703     - ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type);
8704     + ret = winbind_lookup_name(dom->name, name, &sid, &type);
8705     (void)winbind_off();
8706    
8707     if (!ret) {
8708     @@ -100,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8709     switch (type) {
8710     case SID_NAME_USER:
8711     if (ids[i]->xid.type == ID_TYPE_UID) {
8712     + sid_copy(ids[i]->sid, &sid);
8713     ids[i]->status = ID_MAPPED;
8714     }
8715     break;
8716     @@ -108,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8717     case SID_NAME_ALIAS:
8718     case SID_NAME_WKN_GRP:
8719     if (ids[i]->xid.type == ID_TYPE_GID) {
8720     + sid_copy(ids[i]->sid, &sid);
8721     ids[i]->status = ID_MAPPED;
8722     }
8723     break;
8724     --
8725     2.39.0
8726    
8727    
8728     From 4ef3d95fb680cf278e68b6794459ff7bce1489aa Mon Sep 17 00:00:00 2001
8729     From: Andreas Schneider <asn@samba.org>
8730     Date: Tue, 23 Nov 2021 15:48:57 +0100
8731     Subject: [PATCH 101/142] s3:winbind: Fix possible NULL pointer dereference
8732    
8733     BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888
8734    
8735     Signed-off-by: Andreas Schneider <asn@samba.org>
8736     Rewiewed-by: Jeremy Allison <jra@samba.org>
8737    
8738     Autobuild-User(master): Jeremy Allison <jra@samba.org>
8739     Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184
8740    
8741     (cherry picked from commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f)
8742     ---
8743     source3/winbindd/winbindd_util.c | 3 +++
8744     1 file changed, 3 insertions(+)
8745    
8746     diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
8747     index 04e79e70f6b..d1bd81b2372 100644
8748     --- a/source3/winbindd/winbindd_util.c
8749     +++ b/source3/winbindd/winbindd_util.c
8750     @@ -1691,6 +1691,9 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
8751     }
8752    
8753     tmp_user = talloc_strdup(mem_ctx, user);
8754     + if (tmp_user == NULL) {
8755     + return NULL;
8756     + }
8757     if (!strlower_m(tmp_user)) {
8758     TALLOC_FREE(tmp_user);
8759     return NULL;
8760     --
8761     2.39.0
8762    
8763    
8764     From 95c9485bb600e965f24712534850d1a7fd325c44 Mon Sep 17 00:00:00 2001
8765     From: Ralph Boehme <slow@samba.org>
8766     Date: Tue, 6 Dec 2022 16:00:36 +0100
8767     Subject: [PATCH 102/142] CVE-2022-38023 docs-xml: improve wording for several
8768     options: "takes precedence" -> "overrides"
8769    
8770     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8771    
8772     Signed-off-by: Ralph Boehme <slow@samba.org>
8773     Reviewed-by: Stefan Metzmacher <metze@samba.org>
8774     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8775     (cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
8776     ---
8777     docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +-
8778     docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
8779     docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +-
8780     docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
8781     4 files changed, 4 insertions(+), 4 deletions(-)
8782    
8783     diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8784     index 41684ef1080..0bb9f6f6c8e 100644
8785     --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8786     +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8787     @@ -10,7 +10,7 @@
8788     <para>You can set this to yes if all domain members support aes.
8789     This will prevent downgrade attacks.</para>
8790    
8791     - <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
8792     + <para>This option overrides the 'allow nt4 crypto' option.</para>
8793     </description>
8794    
8795     <value type="default">no</value>
8796     diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
8797     index b682d086f76..79e4e73a95c 100644
8798     --- a/docs-xml/smbdotconf/security/serverschannel.xml
8799     +++ b/docs-xml/smbdotconf/security/serverschannel.xml
8800     @@ -59,7 +59,7 @@
8801     See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
8802     </para>
8803    
8804     - <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
8805     + <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
8806    
8807     <programlisting>
8808     server require schannel:LEGACYCOMPUTER1$ = no
8809     diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8810     index 37656293aa4..151b4676c57 100644
8811     --- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8812     +++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8813     @@ -15,7 +15,7 @@
8814     <para>The behavior can be controlled per netbios domain
8815     by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
8816    
8817     - <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
8818     + <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
8819     </description>
8820    
8821     <value type="default">no</value>
8822     diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8823     index 4db62bfb02d..b17620ec8f1 100644
8824     --- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8825     +++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8826     @@ -19,7 +19,7 @@
8827    
8828     <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
8829    
8830     - <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
8831     + <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
8832     </description>
8833    
8834     <value type="default">yes</value>
8835     --
8836     2.39.0
8837    
8838    
8839     From d6ab8377e55e4bda76c86de9bba1ddee30361481 Mon Sep 17 00:00:00 2001
8840     From: Ralph Boehme <slow@samba.org>
8841     Date: Tue, 6 Dec 2022 16:05:26 +0100
8842     Subject: [PATCH 103/142] CVE-2022-38023 docs-xml: improve wording for several
8843     options: "yields precedence" -> "is over-riden"
8844    
8845     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8846    
8847     Signed-off-by: Ralph Boehme <slow@samba.org>
8848     Reviewed-by: Stefan Metzmacher <metze@samba.org>
8849     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8850     (cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
8851     ---
8852     docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +-
8853     docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +-
8854     docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
8855     docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
8856     docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
8857     5 files changed, 5 insertions(+), 5 deletions(-)
8858    
8859     diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
8860     index 03dc8fa93f7..06afcef73b1 100644
8861     --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
8862     +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
8863     @@ -18,7 +18,7 @@
8864    
8865     <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
8866    
8867     - <para>This option yields precedence to the 'reject md5 clients' option.</para>
8868     + <para>This option is over-ridden by the 'reject md5 clients' option.</para>
8869     </description>
8870    
8871     <value type="default">no</value>
8872     diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8873     index 03531adbfb3..8bccab391cc 100644
8874     --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8875     +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8876     @@ -15,7 +15,7 @@
8877     <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
8878     winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
8879    
8880     - <para>This option yields precedence to the implementation specific restrictions.
8881     + <para>This option is over-ridden by the implementation specific restrictions.
8882     E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
8883     The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
8884     </para>
8885     diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
8886     index 5b07da95050..d124ad48181 100644
8887     --- a/docs-xml/smbdotconf/security/clientschannel.xml
8888     +++ b/docs-xml/smbdotconf/security/clientschannel.xml
8889     @@ -23,7 +23,7 @@
8890     <para>Note that for active directory domains this is hardcoded to
8891     <smbconfoption name="client schannel">yes</smbconfoption>.</para>
8892    
8893     - <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
8894     + <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
8895     </description>
8896     <value type="default">yes</value>
8897     <value type="example">auto</value>
8898     diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
8899     index 79e4e73a95c..3e66df1c203 100644
8900     --- a/docs-xml/smbdotconf/security/serverschannel.xml
8901     +++ b/docs-xml/smbdotconf/security/serverschannel.xml
8902     @@ -23,7 +23,7 @@
8903     <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
8904     </para>
8905    
8906     - <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
8907     + <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
8908    
8909     </description>
8910    
8911     diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8912     index b17620ec8f1..9c1c1d7af14 100644
8913     --- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8914     +++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8915     @@ -17,7 +17,7 @@
8916    
8917     <para>Note for active directory domain this option is hardcoded to 'yes'</para>
8918    
8919     - <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
8920     + <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
8921    
8922     <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
8923     </description>
8924     --
8925     2.39.0
8926    
8927    
8928     From 976080e72039b68ab66b757f1c3cb258eaca23df Mon Sep 17 00:00:00 2001
8929     From: Stefan Metzmacher <metze@samba.org>
8930     Date: Wed, 30 Nov 2022 14:46:59 +0100
8931     Subject: [PATCH 104/142] CVE-2022-38023 libcli/auth: pass lp_ctx to
8932     netlogon_creds_cli_set_global_db()
8933    
8934     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8935    
8936     Signed-off-by: Stefan Metzmacher <metze@samba.org>
8937     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8938     Reviewed-by: Ralph Boehme <slow@samba.org>
8939     (cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
8940     ---
8941     libcli/auth/netlogon_creds_cli.c | 3 ++-
8942     libcli/auth/netlogon_creds_cli.h | 2 +-
8943     source3/rpc_client/cli_netlogon.c | 2 +-
8944     source3/utils/destroy_netlogon_creds_cli.c | 2 +-
8945     4 files changed, 5 insertions(+), 4 deletions(-)
8946    
8947     diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
8948     index 0f6ca11ff96..c9873a5748e 100644
8949     --- a/libcli/auth/netlogon_creds_cli.c
8950     +++ b/libcli/auth/netlogon_creds_cli.c
8951     @@ -201,7 +201,8 @@ static NTSTATUS netlogon_creds_cli_context_common(
8952    
8953     static struct db_context *netlogon_creds_cli_global_db;
8954    
8955     -NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
8956     +NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
8957     + struct db_context **db)
8958     {
8959     if (netlogon_creds_cli_global_db != NULL) {
8960     return NT_STATUS_INVALID_PARAMETER_MIX;
8961     diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
8962     index 56a2dd9bc77..2ce5de9d305 100644
8963     --- a/libcli/auth/netlogon_creds_cli.h
8964     +++ b/libcli/auth/netlogon_creds_cli.h
8965     @@ -31,7 +31,7 @@ struct messaging_context;
8966     struct dcerpc_binding_handle;
8967     struct db_context;
8968    
8969     -NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
8970     +NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db);
8971     NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
8972     void netlogon_creds_cli_close_global_db(void);
8973    
8974     diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
8975     index f073f0d925e..b784064f17e 100644
8976     --- a/source3/rpc_client/cli_netlogon.c
8977     +++ b/source3/rpc_client/cli_netlogon.c
8978     @@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
8979     return NT_STATUS_NO_MEMORY;
8980     }
8981    
8982     - status = netlogon_creds_cli_set_global_db(&global_db);
8983     + status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
8984     TALLOC_FREE(frame);
8985     if (!NT_STATUS_IS_OK(status)) {
8986     return status;
8987     diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c
8988     index 137ac8393e7..95a650f4654 100644
8989     --- a/source3/utils/destroy_netlogon_creds_cli.c
8990     +++ b/source3/utils/destroy_netlogon_creds_cli.c
8991     @@ -83,7 +83,7 @@ int main(int argc, const char *argv[])
8992     goto done;
8993     }
8994    
8995     - status = netlogon_creds_cli_set_global_db(&global_db);
8996     + status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
8997     if (!NT_STATUS_IS_OK(status)) {
8998     fprintf(stderr,
8999     "netlogon_creds_cli_set_global_db failed: %s\n",
9000     --
9001     2.39.0
9002    
9003    
9004     From dfe17c3453980d53445a2cc6221cb8728fc9e3cf Mon Sep 17 00:00:00 2001
9005     From: Stefan Metzmacher <metze@samba.org>
9006     Date: Wed, 30 Nov 2022 14:47:33 +0100
9007     Subject: [PATCH 105/142] CVE-2022-38023 libcli/auth: add/use
9008     netlogon_creds_cli_warn_options()
9009    
9010     This warns the admin about insecure options
9011    
9012     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9013    
9014     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9015     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9016     Reviewed-by: Ralph Boehme <slow@samba.org>
9017    
9018     (similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
9019     [jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
9020     getpid()]
9021     ---
9022     libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++
9023     libcli/auth/netlogon_creds_cli.h | 2 +
9024     2 files changed, 68 insertions(+)
9025    
9026     diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
9027     index c9873a5748e..20a3da5060f 100644
9028     --- a/libcli/auth/netlogon_creds_cli.c
9029     +++ b/libcli/auth/netlogon_creds_cli.c
9030     @@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db;
9031     NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
9032     struct db_context **db)
9033     {
9034     + netlogon_creds_cli_warn_options(lp_ctx);
9035     +
9036     if (netlogon_creds_cli_global_db != NULL) {
9037     return NT_STATUS_INVALID_PARAMETER_MIX;
9038     }
9039     @@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
9040     struct db_context *global_db;
9041     int hash_size, tdb_flags;
9042    
9043     + netlogon_creds_cli_warn_options(lp_ctx);
9044     +
9045     if (netlogon_creds_cli_global_db != NULL) {
9046     return NT_STATUS_OK;
9047     }
9048     @@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void)
9049     TALLOC_FREE(netlogon_creds_cli_global_db);
9050     }
9051    
9052     +void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
9053     +{
9054     + bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
9055     + bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
9056     + int global_client_schannel = lpcfg_client_schannel(lp_ctx);
9057     + bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
9058     + static bool warned_global_reject_md5_servers = false;
9059     + static bool warned_global_require_strong_key = false;
9060     + static bool warned_global_client_schannel = false;
9061     + static bool warned_global_seal_secure_channel = false;
9062     + static int warned_global_pid = 0;
9063     + int current_pid = getpid();
9064     +
9065     + if (warned_global_pid != current_pid) {
9066     + warned_global_reject_md5_servers = false;
9067     + warned_global_require_strong_key = false;
9068     + warned_global_client_schannel = false;
9069     + warned_global_seal_secure_channel = false;
9070     + warned_global_pid = current_pid;
9071     + }
9072     +
9073     + if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
9074     + /*
9075     + * We want admins to notice their misconfiguration!
9076     + */
9077     + DBG_ERR("CVE-2022-38023 (and others): "
9078     + "Please configure 'reject md5 servers = yes' (the default), "
9079     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9080     + warned_global_reject_md5_servers = true;
9081     + }
9082     +
9083     + if (!global_require_strong_key && !warned_global_require_strong_key) {
9084     + /*
9085     + * We want admins to notice their misconfiguration!
9086     + */
9087     + DBG_ERR("CVE-2022-38023 (and others): "
9088     + "Please configure 'require strong key = yes' (the default), "
9089     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9090     + warned_global_require_strong_key = true;
9091     + }
9092     +
9093     + if (global_client_schannel != true && !warned_global_client_schannel) {
9094     + /*
9095     + * We want admins to notice their misconfiguration!
9096     + */
9097     + DBG_ERR("CVE-2022-38023 (and others): "
9098     + "Please configure 'client schannel = yes' (the default), "
9099     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9100     + warned_global_client_schannel = true;
9101     + }
9102     +
9103     + if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
9104     + /*
9105     + * We want admins to notice their misconfiguration!
9106     + */
9107     + DBG_ERR("CVE-2022-38023 (and others): "
9108     + "Please configure 'winbind sealed pipes = yes' (the default), "
9109     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9110     + warned_global_seal_secure_channel = true;
9111     + }
9112     +}
9113     +
9114     NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9115     struct messaging_context *msg_ctx,
9116     const char *client_account,
9117     diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
9118     index 2ce5de9d305..e4e0232e92f 100644
9119     --- a/libcli/auth/netlogon_creds_cli.h
9120     +++ b/libcli/auth/netlogon_creds_cli.h
9121     @@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
9122     NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
9123     void netlogon_creds_cli_close_global_db(void);
9124    
9125     +void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
9126     +
9127     NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9128     struct messaging_context *msg_ctx,
9129     const char *client_account,
9130     --
9131     2.39.0
9132    
9133    
9134     From 75c44fdccf18bfa34530f05937e8e3305b2c927e Mon Sep 17 00:00:00 2001
9135     From: Stefan Metzmacher <metze@samba.org>
9136     Date: Wed, 30 Nov 2022 16:16:05 +0100
9137     Subject: [PATCH 106/142] CVE-2022-38023 s3:net: add and use
9138     net_warn_member_options() helper
9139    
9140     This makes sure domain member related 'net' commands print warnings
9141     about unsecure smb.conf options.
9142    
9143     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9144    
9145     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9146     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9147     Reviewed-by: Ralph Boehme <slow@samba.org>
9148     (cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
9149     ---
9150     source3/utils/net.c | 6 ++++++
9151     source3/utils/net_ads.c | 14 ++++++++++++++
9152     source3/utils/net_dom.c | 2 ++
9153     source3/utils/net_join.c | 2 ++
9154     source3/utils/net_proto.h | 2 ++
9155     source3/utils/net_rpc.c | 10 ++++++++++
9156     source3/utils/net_util.c | 15 +++++++++++++++
9157     7 files changed, 51 insertions(+)
9158    
9159     diff --git a/source3/utils/net.c b/source3/utils/net.c
9160     index 8350e8c0967..c17dd972c3f 100644
9161     --- a/source3/utils/net.c
9162     +++ b/source3/utils/net.c
9163     @@ -83,6 +83,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param)
9164    
9165     static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
9166     {
9167     + net_warn_member_options();
9168     +
9169     if (net_ads_check_our_domain(c) == 0)
9170     return net_ads_changetrustpw(c, argc, argv);
9171    
9172     @@ -110,6 +112,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
9173     return 1;
9174     }
9175    
9176     + net_warn_member_options();
9177     +
9178     if (c->opt_stdin) {
9179     set_line_buffering(stdin);
9180     set_line_buffering(stdout);
9181     @@ -185,6 +189,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
9182     return 1;
9183     }
9184    
9185     + net_warn_member_options();
9186     +
9187     if(c->opt_force) {
9188     struct secrets_domain_info1 *info = NULL;
9189     struct secrets_domain_info1_change *prev = NULL;
9190     diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
9191     index 3cf8fbbf7c8..32a7b2d7f7f 100644
9192     --- a/source3/utils/net_ads.c
9193     +++ b/source3/utils/net_ads.c
9194     @@ -1290,6 +1290,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv)
9195     return 0;
9196     }
9197    
9198     + net_warn_member_options();
9199     +
9200     if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9201     return -1;
9202     }
9203     @@ -1431,6 +1433,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c)
9204     return NT_STATUS_ACCESS_DENIED;
9205     }
9206    
9207     + net_warn_member_options();
9208     +
9209     net_use_krb_machine_account(c);
9210    
9211     get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
9212     @@ -1461,6 +1465,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
9213     return 0;
9214     }
9215    
9216     + net_warn_member_options();
9217     +
9218     /* Display success or failure */
9219     status = net_ads_join_ok(c);
9220     if (!NT_STATUS_IS_OK(status)) {
9221     @@ -1846,6 +1852,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
9222     if (c->display_usage)
9223     return net_ads_join_usage(c, argc, argv);
9224    
9225     + net_warn_member_options();
9226     +
9227     if (!modify_config) {
9228    
9229     werr = check_ads_config();
9230     @@ -2732,6 +2740,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
9231     return -1;
9232     }
9233    
9234     + net_warn_member_options();
9235     +
9236     net_use_krb_machine_account(c);
9237    
9238     use_in_memory_ccache();
9239     @@ -3001,6 +3011,8 @@ static int net_ads_keytab_add(struct net_context *c,
9240     return 0;
9241     }
9242    
9243     + net_warn_member_options();
9244     +
9245     d_printf(_("Processing principals to add...\n"));
9246     if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9247     return -1;
9248     @@ -3040,6 +3052,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
9249     return 0;
9250     }
9251    
9252     + net_warn_member_options();
9253     +
9254     if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9255     return -1;
9256     }
9257     diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
9258     index 1e45c59220c..db6e34e52de 100644
9259     --- a/source3/utils/net_dom.c
9260     +++ b/source3/utils/net_dom.c
9261     @@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv)
9262     return net_dom_usage(c, argc, argv);
9263     }
9264    
9265     + net_warn_member_options();
9266     +
9267     if (c->opt_host) {
9268     server_name = c->opt_host;
9269     }
9270     diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c
9271     index 1493dff74d7..f67f08f79a8 100644
9272     --- a/source3/utils/net_join.c
9273     +++ b/source3/utils/net_join.c
9274     @@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv)
9275     return 0;
9276     }
9277    
9278     + net_warn_member_options();
9279     +
9280     if (net_ads_check_our_domain(c) == 0) {
9281     if (net_ads_join(c, argc, argv) == 0)
9282     return 0;
9283     diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
9284     index 22fe39e0f1c..38581a796cb 100644
9285     --- a/source3/utils/net_proto.h
9286     +++ b/source3/utils/net_proto.h
9287     @@ -423,6 +423,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv,
9288     const char *whoami, struct functable *table);
9289     void net_display_usage_from_functable(struct functable *table);
9290    
9291     +void net_warn_member_options(void);
9292     +
9293     const char *net_share_type_str(int num_type);
9294    
9295     NTSTATUS net_scan_dc(struct net_context *c,
9296     diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
9297     index f2d63d2af65..52c2ec37a89 100644
9298     --- a/source3/utils/net_rpc.c
9299     +++ b/source3/utils/net_rpc.c
9300     @@ -370,6 +370,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
9301     return 0;
9302     }
9303    
9304     + net_warn_member_options();
9305     +
9306     mem_ctx = talloc_init("net_rpc_oldjoin");
9307     if (!mem_ctx) {
9308     return -1;
9309     @@ -489,6 +491,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
9310     return 0;
9311     }
9312    
9313     + net_warn_member_options();
9314     +
9315     mem_ctx = talloc_init("net_rpc_testjoin");
9316     if (!mem_ctx) {
9317     return -1;
9318     @@ -563,6 +567,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
9319     return 0;
9320     }
9321    
9322     + net_warn_member_options();
9323     +
9324     mem_ctx = talloc_init("net_rpc_join_newstyle");
9325     if (!mem_ctx) {
9326     return -1;
9327     @@ -684,6 +690,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
9328     return -1;
9329     }
9330    
9331     + net_warn_member_options();
9332     +
9333     if (strlen(lp_netbios_name()) > 15) {
9334     d_printf(_("Our netbios name can be at most 15 chars long, "
9335     "\"%s\" is %u chars long\n"),
9336     @@ -814,6 +822,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv)
9337     return 0;
9338     }
9339    
9340     + net_warn_member_options();
9341     +
9342     return run_rpc_command(c, NULL, &ndr_table_samr,
9343     NET_FLAGS_PDC, rpc_info_internals,
9344     argc, argv);
9345     diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
9346     index a84b4f5500e..94a8dc9defe 100644
9347     --- a/source3/utils/net_util.c
9348     +++ b/source3/utils/net_util.c
9349     @@ -29,6 +29,8 @@
9350     #include "secrets.h"
9351     #include "../libcli/security/security.h"
9352     #include "libsmb/libsmb.h"
9353     +#include "libcli/auth/netlogon_creds_cli.h"
9354     +#include "lib/param/param.h"
9355    
9356     NTSTATUS net_rpc_lookup_name(struct net_context *c,
9357     TALLOC_CTX *mem_ctx, struct cli_state *cli,
9358     @@ -534,6 +536,19 @@ void net_display_usage_from_functable(struct functable *table)
9359     }
9360     }
9361    
9362     +void net_warn_member_options(void)
9363     +{
9364     + TALLOC_CTX *frame = talloc_stackframe();
9365     + struct loadparm_context *lp_ctx = NULL;
9366     +
9367     + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
9368     + if (lp_ctx != NULL) {
9369     + netlogon_creds_cli_warn_options(lp_ctx);
9370     + }
9371     +
9372     + TALLOC_FREE(frame);
9373     +}
9374     +
9375     const char *net_share_type_str(int num_type)
9376     {
9377     switch(num_type) {
9378     --
9379     2.39.0
9380    
9381    
9382     From 9d7eba489e7f798dd3115439da1bc92a87059ce1 Mon Sep 17 00:00:00 2001
9383     From: Stefan Metzmacher <metze@samba.org>
9384     Date: Wed, 30 Nov 2022 14:59:36 +0100
9385     Subject: [PATCH 107/142] CVE-2022-38023 s3:winbindd: also allow per domain
9386     "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
9387    
9388     This avoids advising insecure defaults for the global options.
9389    
9390     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9391    
9392     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9393     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9394     Reviewed-by: Ralph Boehme <slow@samba.org>
9395     (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
9396     ---
9397     source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++-------
9398     1 file changed, 33 insertions(+), 8 deletions(-)
9399    
9400     diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
9401     index 502331f7260..1a8017cf4cc 100644
9402     --- a/source3/winbindd/winbindd_cm.c
9403     +++ b/source3/winbindd/winbindd_cm.c
9404     @@ -2734,6 +2734,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
9405     struct netlogon_creds_cli_context *p_creds;
9406     struct cli_credentials *creds = NULL;
9407     bool retry = false; /* allow one retry attempt for expired session */
9408     + bool sealed_pipes = true;
9409     + bool strong_key = true;
9410    
9411     if (sid_check_is_our_sam(&domain->sid)) {
9412     if (domain->rodc == false || need_rw_dc == false) {
9413     @@ -2907,14 +2909,24 @@ retry:
9414    
9415     anonymous:
9416    
9417     + sealed_pipes = lp_winbind_sealed_pipes();
9418     + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
9419     + domain->name,
9420     + sealed_pipes);
9421     + strong_key = lp_require_strong_key();
9422     + strong_key = lp_parm_bool(-1, "require strong key",
9423     + domain->name,
9424     + strong_key);
9425     +
9426     /* Finally fall back to anonymous. */
9427     - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
9428     + if (sealed_pipes || strong_key) {
9429     status = NT_STATUS_DOWNGRADE_DETECTED;
9430     DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
9431     "without connection level security, "
9432     - "must set 'winbind sealed pipes = false' and "
9433     - "'require strong key = false' to proceed: %s\n",
9434     - domain->name, nt_errstr(status)));
9435     + "must set 'winbind sealed pipes:%s = false' and "
9436     + "'require strong key:%s = false' to proceed: %s\n",
9437     + domain->name, domain->name, domain->name,
9438     + nt_errstr(status)));
9439     goto done;
9440     }
9441     status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
9442     @@ -3061,6 +3073,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
9443     struct netlogon_creds_cli_context *p_creds;
9444     struct cli_credentials *creds = NULL;
9445     bool retry = false; /* allow one retry attempt for expired session */
9446     + bool sealed_pipes = true;
9447     + bool strong_key = true;
9448    
9449     retry:
9450     result = init_dc_connection_rpc(domain, false);
9451     @@ -3216,13 +3230,24 @@ retry:
9452     goto done;
9453     }
9454    
9455     - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
9456     + sealed_pipes = lp_winbind_sealed_pipes();
9457     + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
9458     + domain->name,
9459     + sealed_pipes);
9460     + strong_key = lp_require_strong_key();
9461     + strong_key = lp_parm_bool(-1, "require strong key",
9462     + domain->name,
9463     + strong_key);
9464     +
9465     + /* Finally fall back to anonymous. */
9466     + if (sealed_pipes || strong_key) {
9467     result = NT_STATUS_DOWNGRADE_DETECTED;
9468     DEBUG(1, ("Unwilling to make LSA connection to domain %s "
9469     "without connection level security, "
9470     - "must set 'winbind sealed pipes = false' and "
9471     - "'require strong key = false' to proceed: %s\n",
9472     - domain->name, nt_errstr(result)));
9473     + "must set 'winbind sealed pipes:%s = false' and "
9474     + "'require strong key:%s = false' to proceed: %s\n",
9475     + domain->name, domain->name, domain->name,
9476     + nt_errstr(result)));
9477     goto done;
9478     }
9479    
9480     --
9481     2.39.0
9482    
9483    
9484     From b310b2672f80a717188675b6c762d184436a190c Mon Sep 17 00:00:00 2001
9485     From: Stefan Metzmacher <metze@samba.org>
9486     Date: Thu, 24 Nov 2022 18:22:23 +0100
9487     Subject: [PATCH 108/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
9488     md5 servers' default to yes
9489    
9490     AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
9491     reason to allow md5 servers by default.
9492    
9493     Note the change in netlogon_creds_cli_context_global() is only cosmetic,
9494     but avoids confusion while reading the code. Check with:
9495    
9496     git show -U35 libcli/auth/netlogon_creds_cli.c
9497    
9498     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9499    
9500     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9501     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9502     Reviewed-by: Ralph Boehme <slow@samba.org>
9503     (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
9504     ---
9505     docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++--
9506     lib/param/loadparm.c | 1 +
9507     libcli/auth/netlogon_creds_cli.c | 4 ++--
9508     source3/param/loadparm.c | 1 +
9509     4 files changed, 9 insertions(+), 4 deletions(-)
9510    
9511     diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9512     index 151b4676c57..3bc4eaf7b02 100644
9513     --- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9514     +++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9515     @@ -13,10 +13,13 @@
9516     This will prevent downgrade attacks.</para>
9517    
9518     <para>The behavior can be controlled per netbios domain
9519     - by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
9520     + by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
9521     +
9522     + <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
9523     + see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
9524    
9525     <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
9526     </description>
9527    
9528     -<value type="default">no</value>
9529     +<value type="default">yes</value>
9530     </samba:parameter>
9531     diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
9532     index 4aa91f4d404..dc659a449ea 100644
9533     --- a/lib/param/loadparm.c
9534     +++ b/lib/param/loadparm.c
9535     @@ -2733,6 +2733,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
9536     lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
9537     lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
9538     lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
9539     + lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
9540     lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
9541     lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
9542     lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
9543     diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
9544     index 20a3da5060f..0558cb237a4 100644
9545     --- a/libcli/auth/netlogon_creds_cli.c
9546     +++ b/libcli/auth/netlogon_creds_cli.c
9547     @@ -340,8 +340,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9548     const char *client_computer;
9549     uint32_t proposed_flags;
9550     uint32_t required_flags = 0;
9551     - bool reject_md5_servers = false;
9552     - bool require_strong_key = false;
9553     + bool reject_md5_servers = true;
9554     + bool require_strong_key = true;
9555     int require_sign_or_seal = true;
9556     bool seal_secure_channel = true;
9557     enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
9558     diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
9559     index 98e05d13d59..fbc987e119a 100644
9560     --- a/source3/param/loadparm.c
9561     +++ b/source3/param/loadparm.c
9562     @@ -657,6 +657,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
9563     Globals.client_schannel = true;
9564     Globals.winbind_sealed_pipes = true;
9565     Globals.require_strong_key = true;
9566     + Globals.reject_md5_servers = true;
9567     Globals.server_schannel = true;
9568     Globals.read_raw = true;
9569     Globals.write_raw = true;
9570     --
9571     2.39.0
9572    
9573    
9574     From b62fb90dd434c99131086f27cb74cf2c109fb9d2 Mon Sep 17 00:00:00 2001
9575     From: Stefan Metzmacher <metze@samba.org>
9576     Date: Tue, 6 Dec 2022 10:56:29 +0100
9577     Subject: [PATCH 109/142] CVE-2022-38023 s4:rpc_server/netlogon: 'server
9578     schannel != yes' warning to dcesrv_interface_netlogon_bind
9579    
9580     This will simplify the following changes.
9581    
9582     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9583    
9584     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9585     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9586     Reviewed-by: Ralph Boehme <slow@samba.org>
9587     (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
9588     ---
9589     source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++--------
9590     1 file changed, 15 insertions(+), 11 deletions(-)
9591    
9592     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9593     index 7668a9eb923..e7f8cd5c075 100644
9594     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9595     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9596     @@ -60,6 +60,21 @@
9597     static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
9598     const struct dcesrv_interface *iface)
9599     {
9600     + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
9601     + int schannel = lpcfg_server_schannel(lp_ctx);
9602     + bool schannel_global_required = (schannel == true);
9603     + static bool warned_global_schannel_once = false;
9604     +
9605     + if (!schannel_global_required && !warned_global_schannel_once) {
9606     + /*
9607     + * We want admins to notice their misconfiguration!
9608     + */
9609     + D_ERR("CVE-2020-1472(ZeroLogon): "
9610     + "Please configure 'server schannel = yes' (the default), "
9611     + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
9612     + warned_global_schannel_once = true;
9613     + }
9614     +
9615     return dcesrv_interface_bind_reject_connect(context, iface);
9616     }
9617    
9618     @@ -629,7 +644,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9619     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
9620     uint16_t opnum = dce_call->pkt.u.request.opnum;
9621     const char *opname = "<unknown>";
9622     - static bool warned_global_once = false;
9623    
9624     if (opnum < ndr_table_netlogon.num_calls) {
9625     opname = ndr_table_netlogon.calls[opnum].name;
9626     @@ -681,16 +695,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9627     return NT_STATUS_ACCESS_DENIED;
9628     }
9629    
9630     - if (!schannel_global_required && !warned_global_once) {
9631     - /*
9632     - * We want admins to notice their misconfiguration!
9633     - */
9634     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9635     - "Please configure 'server schannel = yes', "
9636     - "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
9637     - warned_global_once = true;
9638     - }
9639     -
9640     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9641     DBG_ERR("CVE-2020-1472(ZeroLogon): "
9642     "%s request (opnum[%u]) WITH schannel from "
9643     --
9644     2.39.0
9645    
9646    
9647     From dbddee016499bddab42870226eda0b19facca936 Mon Sep 17 00:00:00 2001
9648     From: Stefan Metzmacher <metze@samba.org>
9649     Date: Mon, 12 Dec 2022 14:03:50 +0100
9650     Subject: [PATCH 110/142] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
9651     variable to dcesrv_netr_creds_server_step_check()
9652    
9653     This will simplify the following changes.
9654    
9655     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9656    
9657     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9658     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9659     Reviewed-by: Ralph Boehme <slow@samba.org>
9660     (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
9661     ---
9662     source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++---
9663     1 file changed, 4 insertions(+), 3 deletions(-)
9664    
9665     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9666     index e7f8cd5c075..bd3a36e60cc 100644
9667     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9668     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9669     @@ -635,8 +635,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9670     struct netr_Authenticator *return_authenticator,
9671     struct netlogon_creds_CredentialState **creds_out)
9672     {
9673     + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
9674     NTSTATUS nt_status;
9675     - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
9676     + int schannel = lpcfg_server_schannel(lp_ctx);
9677     bool schannel_global_required = (schannel == true);
9678     bool schannel_required = schannel_global_required;
9679     const char *explicit_opt = NULL;
9680     @@ -652,7 +653,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9681     dcesrv_call_auth_info(dce_call, &auth_type, NULL);
9682    
9683     nt_status = schannel_check_creds_state(mem_ctx,
9684     - dce_call->conn->dce_ctx->lp_ctx,
9685     + lp_ctx,
9686     computer_name,
9687     received_authenticator,
9688     return_authenticator,
9689     @@ -667,7 +668,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9690     * need the explicit_opt pointer in order to
9691     * adjust the debug messages.
9692     */
9693     - explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
9694     + explicit_opt = lpcfg_get_parametric(lp_ctx,
9695     NULL,
9696     "server require schannel",
9697     creds->account_name);
9698     --
9699     2.39.0
9700    
9701    
9702     From da1c4d9055c0b7fcb5e6952e3e63c7089b2b0432 Mon Sep 17 00:00:00 2001
9703     From: Stefan Metzmacher <metze@samba.org>
9704     Date: Mon, 12 Dec 2022 14:03:50 +0100
9705     Subject: [PATCH 111/142] CVE-2022-38023 s4:rpc_server/netlogon: add
9706     talloc_stackframe() to dcesrv_netr_creds_server_step_check()
9707    
9708     This will simplify the following changes.
9709    
9710     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9711    
9712     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9713     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9714     Reviewed-by: Ralph Boehme <slow@samba.org>
9715     (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
9716     ---
9717     source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++--------
9718     1 file changed, 19 insertions(+), 13 deletions(-)
9719    
9720     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9721     index bd3a36e60cc..b842fa6a556 100644
9722     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9723     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9724     @@ -636,6 +636,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9725     struct netlogon_creds_CredentialState **creds_out)
9726     {
9727     struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
9728     + TALLOC_CTX *frame = talloc_stackframe();
9729     NTSTATUS nt_status;
9730     int schannel = lpcfg_server_schannel(lp_ctx);
9731     bool schannel_global_required = (schannel == true);
9732     @@ -679,6 +680,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9733     if (schannel_required) {
9734     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9735     *creds_out = creds;
9736     + TALLOC_FREE(frame);
9737     return NT_STATUS_OK;
9738     }
9739    
9740     @@ -686,13 +688,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9741     "%s request (opnum[%u]) without schannel from "
9742     "client_account[%s] client_computer_name[%s]\n",
9743     opname, opnum,
9744     - log_escape(mem_ctx, creds->account_name),
9745     - log_escape(mem_ctx, creds->computer_name));
9746     + log_escape(frame, creds->account_name),
9747     + log_escape(frame, creds->computer_name));
9748     DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
9749     - "'server require schannel:%s = no' is needed! \n",
9750     - log_escape(mem_ctx, creds->account_name));
9751     + "'server require schannel:%s = no' "
9752     + "might be needed for a legacy client.\n",
9753     + log_escape(frame, creds->account_name));
9754     TALLOC_FREE(creds);
9755     ZERO_STRUCTP(return_authenticator);
9756     + TALLOC_FREE(frame);
9757     return NT_STATUS_ACCESS_DENIED;
9758     }
9759    
9760     @@ -701,13 +705,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9761     "%s request (opnum[%u]) WITH schannel from "
9762     "client_account[%s] client_computer_name[%s]\n",
9763     opname, opnum,
9764     - log_escape(mem_ctx, creds->account_name),
9765     - log_escape(mem_ctx, creds->computer_name));
9766     + log_escape(frame, creds->account_name),
9767     + log_escape(frame, creds->computer_name));
9768     DBG_ERR("CVE-2020-1472(ZeroLogon): "
9769     "Option 'server require schannel:%s = no' not needed!?\n",
9770     - log_escape(mem_ctx, creds->account_name));
9771     + log_escape(frame, creds->account_name));
9772    
9773     *creds_out = creds;
9774     + TALLOC_FREE(frame);
9775     return NT_STATUS_OK;
9776     }
9777    
9778     @@ -717,24 +722,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9779     "%s request (opnum[%u]) without schannel from "
9780     "client_account[%s] client_computer_name[%s]\n",
9781     opname, opnum,
9782     - log_escape(mem_ctx, creds->account_name),
9783     - log_escape(mem_ctx, creds->computer_name));
9784     + log_escape(frame, creds->account_name),
9785     + log_escape(frame, creds->computer_name));
9786     DBG_INFO("CVE-2020-1472(ZeroLogon): "
9787     "Option 'server require schannel:%s = no' still needed!\n",
9788     - log_escape(mem_ctx, creds->account_name));
9789     + log_escape(frame, creds->account_name));
9790     } else {
9791     DBG_ERR("CVE-2020-1472(ZeroLogon): "
9792     "%s request (opnum[%u]) without schannel from "
9793     "client_account[%s] client_computer_name[%s]\n",
9794     opname, opnum,
9795     - log_escape(mem_ctx, creds->account_name),
9796     - log_escape(mem_ctx, creds->computer_name));
9797     + log_escape(frame, creds->account_name),
9798     + log_escape(frame, creds->computer_name));
9799     DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
9800     "'server require schannel:%s = no' might be needed!\n",
9801     - log_escape(mem_ctx, creds->account_name));
9802     + log_escape(frame, creds->account_name));
9803     }
9804    
9805     *creds_out = creds;
9806     + TALLOC_FREE(frame);
9807     return NT_STATUS_OK;
9808     }
9809    
9810     --
9811     2.39.0
9812    
9813    
9814     From 01d4d64eaca505da9c542f2149c0bd362ad180d1 Mon Sep 17 00:00:00 2001
9815     From: Stefan Metzmacher <metze@samba.org>
9816     Date: Wed, 30 Nov 2022 12:37:03 +0100
9817     Subject: [PATCH 112/142] CVE-2022-38023 s4:rpc_server/netlogon: re-order
9818     checking in dcesrv_netr_creds_server_step_check()
9819    
9820     This will simplify the following changes.
9821    
9822     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9823    
9824     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9825     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9826     Reviewed-by: Ralph Boehme <slow@samba.org>
9827     (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
9828     ---
9829     source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++----------
9830     1 file changed, 19 insertions(+), 22 deletions(-)
9831    
9832     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9833     index b842fa6a556..9b3a933abca 100644
9834     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9835     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9836     @@ -677,13 +677,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9837     schannel_required = lp_bool(explicit_opt);
9838     }
9839    
9840     - if (schannel_required) {
9841     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9842     - *creds_out = creds;
9843     - TALLOC_FREE(frame);
9844     - return NT_STATUS_OK;
9845     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9846     + if (!schannel_required) {
9847     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
9848     + "%s request (opnum[%u]) WITH schannel from "
9849     + "client_account[%s] client_computer_name[%s]\n",
9850     + opname, opnum,
9851     + log_escape(frame, creds->account_name),
9852     + log_escape(frame, creds->computer_name));
9853     + }
9854     + if (explicit_opt != NULL && !schannel_required) {
9855     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
9856     + "Option 'server require schannel:%s = no' not needed!?\n",
9857     + log_escape(frame, creds->account_name));
9858     }
9859    
9860     + *creds_out = creds;
9861     + TALLOC_FREE(frame);
9862     + return NT_STATUS_OK;
9863     + }
9864     +
9865     + if (schannel_required) {
9866     DBG_ERR("CVE-2020-1472(ZeroLogon): "
9867     "%s request (opnum[%u]) without schannel from "
9868     "client_account[%s] client_computer_name[%s]\n",
9869     @@ -700,23 +714,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9870     return NT_STATUS_ACCESS_DENIED;
9871     }
9872    
9873     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9874     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9875     - "%s request (opnum[%u]) WITH schannel from "
9876     - "client_account[%s] client_computer_name[%s]\n",
9877     - opname, opnum,
9878     - log_escape(frame, creds->account_name),
9879     - log_escape(frame, creds->computer_name));
9880     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9881     - "Option 'server require schannel:%s = no' not needed!?\n",
9882     - log_escape(frame, creds->account_name));
9883     -
9884     - *creds_out = creds;
9885     - TALLOC_FREE(frame);
9886     - return NT_STATUS_OK;
9887     - }
9888     -
9889     -
9890     if (explicit_opt != NULL) {
9891     DBG_INFO("CVE-2020-1472(ZeroLogon): "
9892     "%s request (opnum[%u]) without schannel from "
9893     --
9894     2.39.0
9895    
9896    
9897     From 90531a4cb89b0d390261de1920f17a8ea7a9cbcb Mon Sep 17 00:00:00 2001
9898     From: Stefan Metzmacher <metze@samba.org>
9899     Date: Wed, 30 Nov 2022 12:37:03 +0100
9900     Subject: [PATCH 113/142] CVE-2022-38023 s4:rpc_server/netlogon: improve
9901     CVE-2020-1472(ZeroLogon) debug messages
9902    
9903     In order to avoid generating useless debug messages during make test,
9904     we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
9905     and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
9906    
9907     Review with: git show -w
9908    
9909     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9910    
9911     Signed-off-by: Stefan Metzmacher <metze@samba.org>
9912     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9913     Reviewed-by: Ralph Boehme <slow@samba.org>
9914     (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
9915     ---
9916     source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++-----
9917     1 file changed, 106 insertions(+), 41 deletions(-)
9918    
9919     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9920     index 9b3a933abca..8084061aabc 100644
9921     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9922     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9923     @@ -643,15 +643,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9924     bool schannel_required = schannel_global_required;
9925     const char *explicit_opt = NULL;
9926     struct netlogon_creds_CredentialState *creds = NULL;
9927     + int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
9928     + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
9929     + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
9930     + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
9931     + unsigned int dbg_lvl = DBGLVL_DEBUG;
9932     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
9933     + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
9934     uint16_t opnum = dce_call->pkt.u.request.opnum;
9935     const char *opname = "<unknown>";
9936     + const char *reason = "<unknown>";
9937    
9938     if (opnum < ndr_table_netlogon.num_calls) {
9939     opname = ndr_table_netlogon.calls[opnum].name;
9940     }
9941    
9942     - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
9943     + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
9944     +
9945     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9946     + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
9947     + reason = "WITH SEALED";
9948     + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
9949     + reason = "WITH SIGNED";
9950     + } else {
9951     + smb_panic("Schannel without SIGN/SEAL");
9952     + }
9953     + } else {
9954     + reason = "WITHOUT";
9955     + }
9956    
9957     nt_status = schannel_check_creds_state(mem_ctx,
9958     lp_ctx,
9959     @@ -678,62 +697,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9960     }
9961    
9962     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9963     - if (!schannel_required) {
9964     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9965     - "%s request (opnum[%u]) WITH schannel from "
9966     - "client_account[%s] client_computer_name[%s]\n",
9967     - opname, opnum,
9968     - log_escape(frame, creds->account_name),
9969     - log_escape(frame, creds->computer_name));
9970     + nt_status = NT_STATUS_OK;
9971     +
9972     + if (explicit_opt != NULL && !schannel_required) {
9973     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
9974     + } else if (!schannel_required) {
9975     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
9976     }
9977     +
9978     + DEBUG(dbg_lvl, (
9979     + "CVE-2020-1472(ZeroLogon): "
9980     + "%s request (opnum[%u]) %s schannel from "
9981     + "client_account[%s] client_computer_name[%s] %s\n",
9982     + opname, opnum, reason,
9983     + log_escape(frame, creds->account_name),
9984     + log_escape(frame, creds->computer_name),
9985     + nt_errstr(nt_status)));
9986     +
9987     if (explicit_opt != NULL && !schannel_required) {
9988     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9989     - "Option 'server require schannel:%s = no' not needed!?\n",
9990     - log_escape(frame, creds->account_name));
9991     + DEBUG(CVE_2020_1472_warn_level, (
9992     + "CVE-2020-1472(ZeroLogon): "
9993     + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
9994     + log_escape(frame, creds->account_name),
9995     + log_escape(frame, creds->computer_name)));
9996     }
9997    
9998     *creds_out = creds;
9999     TALLOC_FREE(frame);
10000     - return NT_STATUS_OK;
10001     + return nt_status;
10002     }
10003    
10004     if (schannel_required) {
10005     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
10006     - "%s request (opnum[%u]) without schannel from "
10007     - "client_account[%s] client_computer_name[%s]\n",
10008     - opname, opnum,
10009     - log_escape(frame, creds->account_name),
10010     - log_escape(frame, creds->computer_name));
10011     - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
10012     - "'server require schannel:%s = no' "
10013     - "might be needed for a legacy client.\n",
10014     - log_escape(frame, creds->account_name));
10015     + nt_status = NT_STATUS_ACCESS_DENIED;
10016     +
10017     + if (explicit_opt != NULL) {
10018     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
10019     + } else {
10020     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
10021     + }
10022     +
10023     + DEBUG(dbg_lvl, (
10024     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
10025     + "%s request (opnum[%u]) %s schannel from "
10026     + "client_account[%s] client_computer_name[%s] %s\n",
10027     + opname, opnum, reason,
10028     + log_escape(frame, creds->account_name),
10029     + log_escape(frame, creds->computer_name),
10030     + nt_errstr(nt_status)));
10031     + if (explicit_opt != NULL) {
10032     + D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
10033     + "'server require schannel:%s = yes' "
10034     + "rejects access for client.\n",
10035     + log_escape(frame, creds->account_name));
10036     + } else {
10037     + DEBUG(CVE_2020_1472_error_level, (
10038     + "CVE-2020-1472(ZeroLogon): Check if option "
10039     + "'server require schannel:%s = no' "
10040     + "might be needed for a legacy client.\n",
10041     + log_escape(frame, creds->account_name)));
10042     + }
10043     TALLOC_FREE(creds);
10044     ZERO_STRUCTP(return_authenticator);
10045     TALLOC_FREE(frame);
10046     - return NT_STATUS_ACCESS_DENIED;
10047     + return nt_status;
10048     }
10049    
10050     + nt_status = NT_STATUS_OK;
10051     +
10052     if (explicit_opt != NULL) {
10053     - DBG_INFO("CVE-2020-1472(ZeroLogon): "
10054     - "%s request (opnum[%u]) without schannel from "
10055     - "client_account[%s] client_computer_name[%s]\n",
10056     - opname, opnum,
10057     - log_escape(frame, creds->account_name),
10058     - log_escape(frame, creds->computer_name));
10059     - DBG_INFO("CVE-2020-1472(ZeroLogon): "
10060     - "Option 'server require schannel:%s = no' still needed!\n",
10061     - log_escape(frame, creds->account_name));
10062     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
10063     } else {
10064     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
10065     - "%s request (opnum[%u]) without schannel from "
10066     - "client_account[%s] client_computer_name[%s]\n",
10067     - opname, opnum,
10068     - log_escape(frame, creds->account_name),
10069     - log_escape(frame, creds->computer_name));
10070     - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
10071     - "'server require schannel:%s = no' might be needed!\n",
10072     - log_escape(frame, creds->account_name));
10073     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
10074     + }
10075     +
10076     + DEBUG(dbg_lvl, (
10077     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
10078     + "%s request (opnum[%u]) %s schannel from "
10079     + "client_account[%s] client_computer_name[%s] %s\n",
10080     + opname, opnum, reason,
10081     + log_escape(frame, creds->account_name),
10082     + log_escape(frame, creds->computer_name),
10083     + nt_errstr(nt_status)));
10084     +
10085     + if (explicit_opt != NULL) {
10086     + D_INFO("CVE-2020-1472(ZeroLogon): Option "
10087     + "'server require schannel:%s = no' "
10088     + "still needed for '%s'!\n",
10089     + log_escape(frame, creds->account_name),
10090     + log_escape(frame, creds->computer_name));
10091     + } else {
10092     + /*
10093     + * admins should set
10094     + * server require schannel:COMPUTER$ = no
10095     + * in order to avoid the level 0 messages.
10096     + * Over time they can switch the global value
10097     + * to be strict.
10098     + */
10099     + DEBUG(CVE_2020_1472_error_level, (
10100     + "CVE-2020-1472(ZeroLogon): "
10101     + "Please use 'server require schannel:%s = no' "
10102     + "for '%s' to avoid this warning!\n",
10103     + log_escape(frame, creds->account_name),
10104     + log_escape(frame, creds->computer_name)));
10105     }
10106    
10107     *creds_out = creds;
10108     --
10109     2.39.0
10110    
10111    
10112     From 2ea49737a5cac8ead895da30d40f18019103b285 Mon Sep 17 00:00:00 2001
10113     From: Stefan Metzmacher <metze@samba.org>
10114     Date: Wed, 30 Nov 2022 12:26:01 +0100
10115     Subject: [PATCH 114/142] CVE-2022-38023 selftest:Samba4: avoid global 'server
10116     schannel = auto'
10117    
10118     Instead of using the generic deprecated option use the specific
10119     server require schannel:COMPUTERACCOUNT = no in order to allow
10120     legacy tests for pass.
10121    
10122     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10123    
10124     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10125     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10126     Reviewed-by: Ralph Boehme <slow@samba.org>
10127     (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
10128     ---
10129     selftest/target/Samba4.pm | 37 ++++++++++++++++++++++++++++++++++---
10130     1 file changed, 34 insertions(+), 3 deletions(-)
10131    
10132     diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
10133     index 0f644661176..8dad74cae43 100755
10134     --- a/selftest/target/Samba4.pm
10135     +++ b/selftest/target/Samba4.pm
10136     @@ -1708,7 +1708,24 @@ sub provision_ad_dc_ntvfs($$)
10137     dsdb event notification = true
10138     dsdb password event notification = true
10139     dsdb group change notification = true
10140     - server schannel = auto
10141     +
10142     + CVE_2020_1472:warn_about_unused_debug_level = 3
10143     + server require schannel:schannel0\$ = no
10144     + server require schannel:schannel1\$ = no
10145     + server require schannel:schannel2\$ = no
10146     + server require schannel:schannel3\$ = no
10147     + server require schannel:schannel4\$ = no
10148     + server require schannel:schannel5\$ = no
10149     + server require schannel:schannel6\$ = no
10150     + server require schannel:schannel7\$ = no
10151     + server require schannel:schannel8\$ = no
10152     + server require schannel:schannel9\$ = no
10153     + server require schannel:schannel10\$ = no
10154     + server require schannel:schannel11\$ = no
10155     + server require schannel:torturetest\$ = no
10156     +
10157     + # needed for 'samba.tests.auth_log' tests
10158     + server require schannel:LOCALDC\$ = no
10159     ";
10160     my $extra_provision_options = ["--use-ntvfs"];
10161     my $ret = $self->provision($prefix,
10162     @@ -2085,8 +2102,22 @@ sub provision_ad_dc($$$$$$)
10163     lpq cache time = 0
10164     print notify backchannel = yes
10165    
10166     - server schannel = auto
10167     - auth event notification = true
10168     + CVE_2020_1472:warn_about_unused_debug_level = 3
10169     + server require schannel:schannel0\$ = no
10170     + server require schannel:schannel1\$ = no
10171     + server require schannel:schannel2\$ = no
10172     + server require schannel:schannel3\$ = no
10173     + server require schannel:schannel4\$ = no
10174     + server require schannel:schannel5\$ = no
10175     + server require schannel:schannel6\$ = no
10176     + server require schannel:schannel7\$ = no
10177     + server require schannel:schannel8\$ = no
10178     + server require schannel:schannel9\$ = no
10179     + server require schannel:schannel10\$ = no
10180     + server require schannel:schannel11\$ = no
10181     + server require schannel:torturetest\$ = no
10182     +
10183     + auth event notification = true
10184     dsdb event notification = true
10185     dsdb password event notification = true
10186     dsdb group change notification = true
10187     --
10188     2.39.0
10189    
10190    
10191     From a9ad04a6a886c4f17120fcf585bba7b979752d3c Mon Sep 17 00:00:00 2001
10192     From: Stefan Metzmacher <metze@samba.org>
10193     Date: Mon, 28 Nov 2022 15:02:13 +0100
10194     Subject: [PATCH 115/142] CVE-2022-38023 s4:torture: use
10195     NETLOGON_NEG_SUPPORTS_AES by default
10196    
10197     For generic tests we should use the best available features.
10198    
10199     And AES will be required by default soon.
10200    
10201     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10202    
10203     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10204     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10205     Reviewed-by: Ralph Boehme <slow@samba.org>
10206     (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
10207     ---
10208     source4/torture/ntp/ntp_signd.c | 2 +-
10209     source4/torture/rpc/lsa.c | 4 ++--
10210     source4/torture/rpc/netlogon.c | 18 +++++++++---------
10211     source4/torture/rpc/samba3rpc.c | 15 ++++++++++++---
10212     4 files changed, 24 insertions(+), 15 deletions(-)
10213    
10214     diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
10215     index d2a41819fcf..66f2b8956a2 100644
10216     --- a/source4/torture/ntp/ntp_signd.c
10217     +++ b/source4/torture/ntp/ntp_signd.c
10218     @@ -68,7 +68,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
10219     uint32_t rid;
10220     const char *machine_name;
10221     const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
10222     - uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10223     + uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10224    
10225     struct sign_request sign_req;
10226     struct signed_reply signed_reply;
10227     diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
10228     index 7bdc0cf679a..52e220ce225 100644
10229     --- a/source4/torture/rpc/lsa.c
10230     +++ b/source4/torture/rpc/lsa.c
10231     @@ -4260,7 +4260,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
10232     torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
10233    
10234     ok = check_pw_with_ServerAuthenticate3(p1, tctx,
10235     - NETLOGON_NEG_AUTH2_ADS_FLAGS,
10236     + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10237     server_name,
10238     incoming_creds, &creds);
10239     torture_assert_int_equal(tctx, ok, expected_result,
10240     @@ -4357,7 +4357,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
10241     torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
10242    
10243     ok = check_pw_with_ServerAuthenticate3(p2, tctx,
10244     - NETLOGON_NEG_AUTH2_ADS_FLAGS,
10245     + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10246     server_name,
10247     incoming_creds, &creds);
10248     torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
10249     diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
10250     index 97c16688bc9..1fceeae88cc 100644
10251     --- a/source4/torture/rpc/netlogon.c
10252     +++ b/source4/torture/rpc/netlogon.c
10253     @@ -189,7 +189,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
10254    
10255     /* This allows the tests to continue against the more fussy windows 2008 */
10256     if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
10257     - return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10258     + return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10259     credentials,
10260     cli_credentials_get_secure_channel_type(credentials),
10261     creds_out);
10262     @@ -423,7 +423,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
10263     "ServerAuthenticate3 failed");
10264     torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
10265    
10266     - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10267     + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10268     creds = netlogon_creds_client_init(tctx, a.in.account_name,
10269     a.in.computer_name,
10270     a.in.secure_channel_type,
10271     @@ -490,7 +490,7 @@ static bool test_ServerReqChallenge(
10272     const char *machine_name;
10273     struct dcerpc_binding_handle *b = p->binding_handle;
10274     struct netr_ServerAuthenticate2 a;
10275     - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10276     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10277     uint32_t out_negotiate_flags = 0;
10278     const struct samr_Password *mach_password = NULL;
10279     enum netr_SchannelType sec_chan_type = 0;
10280     @@ -562,7 +562,7 @@ static bool test_ServerReqChallenge_zero_challenge(
10281     const char *machine_name;
10282     struct dcerpc_binding_handle *b = p->binding_handle;
10283     struct netr_ServerAuthenticate2 a;
10284     - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10285     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10286     uint32_t out_negotiate_flags = 0;
10287     const struct samr_Password *mach_password = NULL;
10288     enum netr_SchannelType sec_chan_type = 0;
10289     @@ -639,7 +639,7 @@ static bool test_ServerReqChallenge_5_repeats(
10290     const char *machine_name;
10291     struct dcerpc_binding_handle *b = p->binding_handle;
10292     struct netr_ServerAuthenticate2 a;
10293     - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10294     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10295     uint32_t out_negotiate_flags = 0;
10296     const struct samr_Password *mach_password = NULL;
10297     enum netr_SchannelType sec_chan_type = 0;
10298     @@ -723,7 +723,7 @@ static bool test_ServerReqChallenge_4_repeats(
10299     const char *machine_name;
10300     struct dcerpc_binding_handle *b = p->binding_handle;
10301     struct netr_ServerAuthenticate2 a;
10302     - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10303     + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10304     uint32_t out_negotiate_flags = 0;
10305     const struct samr_Password *mach_password = NULL;
10306     enum netr_SchannelType sec_chan_type = 0;
10307     @@ -3459,7 +3459,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
10308     struct dcerpc_pipe *p = NULL;
10309     struct dcerpc_binding_handle *b = NULL;
10310    
10311     - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10312     + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10313     machine_credentials, &creds)) {
10314     return false;
10315     }
10316     @@ -4398,7 +4398,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
10317    
10318     torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
10319    
10320     - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10321     + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10322     machine_credentials, &creds)) {
10323     return false;
10324     }
10325     @@ -4973,7 +4973,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
10326    
10327     torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
10328    
10329     - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10330     + if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10331     machine_credentials, &creds)) {
10332     return false;
10333     }
10334     diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
10335     index 9cd479c9baf..6fc4ed326d2 100644
10336     --- a/source4/torture/rpc/samba3rpc.c
10337     +++ b/source4/torture/rpc/samba3rpc.c
10338     @@ -1074,7 +1074,7 @@ static bool auth2(struct torture_context *tctx,
10339     goto done;
10340     }
10341    
10342     - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10343     + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10344     E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
10345    
10346     a.in.server_name = talloc_asprintf(
10347     @@ -1264,10 +1264,19 @@ static bool schan(struct torture_context *tctx,
10348     E_md4hash(cli_credentials_get_password(user_creds),
10349     pinfo.ntpassword.hash);
10350    
10351     - netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
10352     -
10353     logon.password = &pinfo;
10354    
10355     + /*
10356     + * We don't use this here:
10357     + *
10358     + * netlogon_creds_encrypt_samlogon_logon(creds_state,
10359     + * NetlogonInteractiveInformation,
10360     + * &logon);
10361     + *
10362     + * in order to detect bugs
10363     + */
10364     + netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
10365     +
10366     r.in.logon_level = NetlogonInteractiveInformation;
10367     r.in.logon = &logon;
10368     r.out.return_authenticator = &return_authenticator;
10369     --
10370     2.39.0
10371    
10372    
10373     From 6088b76def86b8f56511707c69b6cdd016722715 Mon Sep 17 00:00:00 2001
10374     From: Stefan Metzmacher <metze@samba.org>
10375     Date: Fri, 25 Nov 2022 09:54:17 +0100
10376     Subject: [PATCH 116/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
10377     dcesrv_netr_ServerAuthenticate3_check_downgrade()
10378    
10379     We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
10380     which means we'll need the downgrade detection in more places.
10381    
10382     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10383    
10384     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10385     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10386     Reviewed-by: Ralph Boehme <slow@samba.org>
10387     (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
10388     ---
10389     source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++--------
10390     1 file changed, 67 insertions(+), 47 deletions(-)
10391    
10392     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10393     index 8084061aabc..6a00fe4efcf 100644
10394     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10395     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10396     @@ -128,6 +128,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
10397     return NT_STATUS_OK;
10398     }
10399    
10400     +static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
10401     + struct dcesrv_call_state *dce_call,
10402     + struct netr_ServerAuthenticate3 *r,
10403     + struct netlogon_server_pipe_state *pipe_state,
10404     + uint32_t negotiate_flags,
10405     + NTSTATUS orig_status)
10406     +{
10407     + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
10408     + bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10409     + bool reject_des_client = !allow_nt4_crypto;
10410     + bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10411     +
10412     + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10413     + reject_des_client = false;
10414     + }
10415     +
10416     + if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
10417     + reject_des_client = false;
10418     + reject_md5_client = false;
10419     + }
10420     +
10421     + if (reject_des_client || reject_md5_client) {
10422     + /*
10423     + * Here we match Windows 2012 and return no flags.
10424     + */
10425     + *r->out.negotiate_flags = 0;
10426     + return NT_STATUS_DOWNGRADE_DETECTED;
10427     + }
10428     +
10429     + /*
10430     + * This talloc_free is important to prevent re-use of the
10431     + * challenge. We have to delay it this far due to NETApp
10432     + * servers per:
10433     + * https://bugzilla.samba.org/show_bug.cgi?id=11291
10434     + */
10435     + TALLOC_FREE(pipe_state);
10436     +
10437     + /*
10438     + * At this point we must also cleanup the TDB cache
10439     + * entry, if we fail the client needs to call
10440     + * netr_ServerReqChallenge again.
10441     + *
10442     + * Note: this handles a non existing record just fine,
10443     + * the r->in.computer_name might not be the one used
10444     + * in netr_ServerReqChallenge(), but we are trying to
10445     + * just tidy up the normal case to prevent re-use.
10446     + */
10447     + schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
10448     + r->in.computer_name);
10449     +
10450     + /*
10451     + * According to Microsoft (see bugid #6099)
10452     + * Windows 7 looks at the negotiate_flags
10453     + * returned in this structure *even if the
10454     + * call fails with access denied!
10455     + */
10456     + *r->out.negotiate_flags = negotiate_flags;
10457     +
10458     + return orig_status;
10459     +}
10460     +
10461     /*
10462     * Do the actual processing of a netr_ServerAuthenticate3 message.
10463     * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
10464     @@ -155,11 +216,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10465     "objectSid", "samAccountName", NULL};
10466     uint32_t server_flags = 0;
10467     uint32_t negotiate_flags = 0;
10468     - bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
10469     - bool reject_des_client = !allow_nt4_crypto;
10470     - bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
10471    
10472     ZERO_STRUCTP(r->out.return_credentials);
10473     + *r->out.negotiate_flags = 0;
10474     *r->out.rid = 0;
10475    
10476     pipe_state = dcesrv_iface_state_find_conn(dce_call,
10477     @@ -238,52 +297,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10478    
10479     negotiate_flags = *r->in.negotiate_flags & server_flags;
10480    
10481     - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10482     - reject_des_client = false;
10483     - }
10484     -
10485     - if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
10486     - reject_des_client = false;
10487     - reject_md5_client = false;
10488     - }
10489     -
10490     - if (reject_des_client || reject_md5_client) {
10491     - /*
10492     - * Here we match Windows 2012 and return no flags.
10493     - */
10494     - *r->out.negotiate_flags = 0;
10495     - return NT_STATUS_DOWNGRADE_DETECTED;
10496     + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10497     + dce_call, r, pipe_state, negotiate_flags,
10498     + NT_STATUS_OK);
10499     + if (!NT_STATUS_IS_OK(nt_status)) {
10500     + return nt_status;
10501     }
10502    
10503     - /*
10504     - * This talloc_free is important to prevent re-use of the
10505     - * challenge. We have to delay it this far due to NETApp
10506     - * servers per:
10507     - * https://bugzilla.samba.org/show_bug.cgi?id=11291
10508     - */
10509     - TALLOC_FREE(pipe_state);
10510     -
10511     - /*
10512     - * At this point we must also cleanup the TDB cache
10513     - * entry, if we fail the client needs to call
10514     - * netr_ServerReqChallenge again.
10515     - *
10516     - * Note: this handles a non existing record just fine,
10517     - * the r->in.computer_name might not be the one used
10518     - * in netr_ServerReqChallenge(), but we are trying to
10519     - * just tidy up the normal case to prevent re-use.
10520     - */
10521     - schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
10522     - r->in.computer_name);
10523     -
10524     - /*
10525     - * According to Microsoft (see bugid #6099)
10526     - * Windows 7 looks at the negotiate_flags
10527     - * returned in this structure *even if the
10528     - * call fails with access denied!
10529     - */
10530     - *r->out.negotiate_flags = negotiate_flags;
10531     -
10532     switch (r->in.secure_channel_type) {
10533     case SEC_CHAN_WKSTA:
10534     case SEC_CHAN_DNS_DOMAIN:
10535     --
10536     2.39.0
10537    
10538    
10539     From 3e43111a1417414b545fcc46a72e701cf6e71c59 Mon Sep 17 00:00:00 2001
10540     From: Stefan Metzmacher <metze@samba.org>
10541     Date: Thu, 24 Nov 2022 18:26:18 +0100
10542     Subject: [PATCH 117/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
10543     md5 clients' default to yes
10544    
10545     AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
10546     so there's no reason to allow md5 clients by default.
10547     However some third party domain members may need it.
10548    
10549     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10550    
10551     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10552     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10553     Reviewed-by: Ralph Boehme <slow@samba.org>
10554     (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
10555     ---
10556     docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++---
10557     lib/param/loadparm.c | 1 +
10558     selftest/target/Samba4.pm | 4 ++++
10559     source3/param/loadparm.c | 1 +
10560     4 files changed, 14 insertions(+), 3 deletions(-)
10561    
10562     diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10563     index 0bb9f6f6c8e..edcbe02e99a 100644
10564     --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10565     +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10566     @@ -7,11 +7,16 @@
10567     only in 'active directory domain controller' mode), will
10568     reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
10569    
10570     - <para>You can set this to yes if all domain members support aes.
10571     - This will prevent downgrade attacks.</para>
10572     + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
10573     + starting with Server 2008R2 and Windows 7, it's available in Samba
10574     + starting with 4.0, however third party domain members like NetApp ONTAP
10575     + still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
10576     +
10577     + <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
10578     + see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
10579    
10580     <para>This option overrides the 'allow nt4 crypto' option.</para>
10581     </description>
10582    
10583     -<value type="default">no</value>
10584     +<value type="default">yes</value>
10585     </samba:parameter>
10586     diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
10587     index dc659a449ea..77a80176f7d 100644
10588     --- a/lib/param/loadparm.c
10589     +++ b/lib/param/loadparm.c
10590     @@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
10591     lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
10592    
10593     lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
10594     + lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
10595    
10596     lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
10597    
10598     diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
10599     index 8dad74cae43..7e3d7c9de8e 100755
10600     --- a/selftest/target/Samba4.pm
10601     +++ b/selftest/target/Samba4.pm
10602     @@ -1709,6 +1709,8 @@ sub provision_ad_dc_ntvfs($$)
10603     dsdb password event notification = true
10604     dsdb group change notification = true
10605    
10606     + reject md5 clients = no
10607     +
10608     CVE_2020_1472:warn_about_unused_debug_level = 3
10609     server require schannel:schannel0\$ = no
10610     server require schannel:schannel1\$ = no
10611     @@ -2102,6 +2104,8 @@ sub provision_ad_dc($$$$$$)
10612     lpq cache time = 0
10613     print notify backchannel = yes
10614    
10615     + reject md5 clients = no
10616     +
10617     CVE_2020_1472:warn_about_unused_debug_level = 3
10618     server require schannel:schannel0\$ = no
10619     server require schannel:schannel1\$ = no
10620     diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
10621     index fbc987e119a..1cf468b1009 100644
10622     --- a/source3/param/loadparm.c
10623     +++ b/source3/param/loadparm.c
10624     @@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
10625     Globals.require_strong_key = true;
10626     Globals.reject_md5_servers = true;
10627     Globals.server_schannel = true;
10628     + Globals.reject_md5_clients = true;
10629     Globals.read_raw = true;
10630     Globals.write_raw = true;
10631     Globals.null_passwords = false;
10632     --
10633     2.39.0
10634    
10635    
10636     From 886878d18d22eb4a2f3b63663e0ffe284ed9788b Mon Sep 17 00:00:00 2001
10637     From: Stefan Metzmacher <metze@samba.org>
10638     Date: Fri, 25 Nov 2022 10:31:08 +0100
10639     Subject: [PATCH 118/142] CVE-2022-38023 s4:rpc_server/netlogon: defer
10640     downgrade check until we found the account in our SAM
10641    
10642     We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
10643     which means we'll need use the account name from our SAM.
10644    
10645     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10646    
10647     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10648     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10649     Reviewed-by: Ralph Boehme <slow@samba.org>
10650     (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
10651     ---
10652     source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------
10653     1 file changed, 53 insertions(+), 23 deletions(-)
10654    
10655     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10656     index 6a00fe4efcf..1c180343252 100644
10657     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10658     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10659     @@ -297,13 +297,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10660    
10661     negotiate_flags = *r->in.negotiate_flags & server_flags;
10662    
10663     - nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10664     - dce_call, r, pipe_state, negotiate_flags,
10665     - NT_STATUS_OK);
10666     - if (!NT_STATUS_IS_OK(nt_status)) {
10667     - return nt_status;
10668     - }
10669     -
10670     switch (r->in.secure_channel_type) {
10671     case SEC_CHAN_WKSTA:
10672     case SEC_CHAN_DNS_DOMAIN:
10673     @@ -312,11 +305,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10674     case SEC_CHAN_RODC:
10675     break;
10676     case SEC_CHAN_NULL:
10677     - return NT_STATUS_INVALID_PARAMETER;
10678     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10679     + dce_call, r, pipe_state, negotiate_flags,
10680     + NT_STATUS_INVALID_PARAMETER);
10681     default:
10682     DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
10683     r->in.secure_channel_type));
10684     - return NT_STATUS_INVALID_PARAMETER;
10685     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10686     + dce_call, r, pipe_state, negotiate_flags,
10687     + NT_STATUS_INVALID_PARAMETER);
10688     }
10689    
10690     sam_ctx = samdb_connect(mem_ctx,
10691     @@ -326,7 +323,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10692     dce_call->conn->remote_address,
10693     0);
10694     if (sam_ctx == NULL) {
10695     - return NT_STATUS_INVALID_SYSTEM_SERVICE;
10696     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10697     + dce_call, r, pipe_state, negotiate_flags,
10698     + NT_STATUS_INVALID_SYSTEM_SERVICE);
10699     }
10700    
10701     if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
10702     @@ -355,16 +354,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10703     encoded_name = ldb_binary_encode_string(mem_ctx,
10704     r->in.account_name);
10705     if (encoded_name == NULL) {
10706     - return NT_STATUS_NO_MEMORY;
10707     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10708     + dce_call, r, pipe_state, negotiate_flags,
10709     + NT_STATUS_NO_MEMORY);
10710     }
10711    
10712     len = strlen(encoded_name);
10713     if (len < 2) {
10714     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10715     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10716     + dce_call, r, pipe_state, negotiate_flags,
10717     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10718     }
10719    
10720     if (require_trailer && encoded_name[len - 1] != trailer) {
10721     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10722     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10723     + dce_call, r, pipe_state, negotiate_flags,
10724     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10725     }
10726     encoded_name[len - 1] = '\0';
10727    
10728     @@ -382,30 +387,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10729     "but there's no tdo for [%s] => [%s] \n",
10730     log_escape(mem_ctx, r->in.account_name),
10731     encoded_name));
10732     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10733     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10734     + dce_call, r, pipe_state, negotiate_flags,
10735     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10736     }
10737     if (!NT_STATUS_IS_OK(nt_status)) {
10738     - return nt_status;
10739     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10740     + dce_call, r, pipe_state, negotiate_flags,
10741     + nt_status);
10742     }
10743    
10744     nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
10745     &curNtHash,
10746     &prevNtHash);
10747     if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
10748     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10749     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10750     + dce_call, r, pipe_state, negotiate_flags,
10751     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10752     }
10753     if (!NT_STATUS_IS_OK(nt_status)) {
10754     - return nt_status;
10755     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10756     + dce_call, r, pipe_state, negotiate_flags,
10757     + nt_status);
10758     }
10759    
10760     flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL);
10761     if (flatname == NULL) {
10762     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10763     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10764     + dce_call, r, pipe_state, negotiate_flags,
10765     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10766     }
10767    
10768     *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname);
10769     if (*trust_account_for_search == NULL) {
10770     - return NT_STATUS_NO_MEMORY;
10771     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10772     + dce_call, r, pipe_state, negotiate_flags,
10773     + NT_STATUS_NO_MEMORY);
10774     }
10775     } else {
10776     *trust_account_for_search = r->in.account_name;
10777     @@ -420,14 +437,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10778     if (num_records == 0) {
10779     DEBUG(3,("Couldn't find user [%s] in samdb.\n",
10780     log_escape(mem_ctx, r->in.account_name)));
10781     - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10782     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10783     + dce_call, r, pipe_state, negotiate_flags,
10784     + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10785     }
10786    
10787     if (num_records > 1) {
10788     DEBUG(0,("Found %d records matching user [%s]\n",
10789     num_records,
10790     log_escape(mem_ctx, r->in.account_name)));
10791     - return NT_STATUS_INTERNAL_DB_CORRUPTION;
10792     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10793     + dce_call, r, pipe_state, negotiate_flags,
10794     + NT_STATUS_INTERNAL_DB_CORRUPTION);
10795     }
10796    
10797     *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
10798     @@ -436,9 +457,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10799     if (*trust_account_in_db == NULL) {
10800     DEBUG(0,("No samAccountName returned in record matching user [%s]\n",
10801     r->in.account_name));
10802     - return NT_STATUS_INTERNAL_DB_CORRUPTION;
10803     + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10804     + dce_call, r, pipe_state, negotiate_flags,
10805     + NT_STATUS_INTERNAL_DB_CORRUPTION);
10806     }
10807     -
10808     +
10809     + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10810     + dce_call, r, pipe_state, negotiate_flags,
10811     + NT_STATUS_OK);
10812     + if (!NT_STATUS_IS_OK(nt_status)) {
10813     + return nt_status;
10814     + }
10815     +
10816     user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
10817    
10818     if (user_account_control & UF_ACCOUNTDISABLE) {
10819     --
10820     2.39.0
10821    
10822    
10823     From ed628f5bf355801023c1bb2ac4aabd06c5c878a6 Mon Sep 17 00:00:00 2001
10824     From: Stefan Metzmacher <metze@samba.org>
10825     Date: Fri, 25 Nov 2022 13:13:36 +0100
10826     Subject: [PATCH 119/142] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
10827     reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4
10828     crypto:COMPUTERACCOUNT = yes'
10829    
10830     This makes it more flexible when we change the global default to
10831     'reject md5 servers = yes'.
10832    
10833     'allow nt4 crypto = no' is already the default.
10834    
10835     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10836    
10837     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10838     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10839     Reviewed-by: Ralph Boehme <slow@samba.org>
10840     (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
10841     ---
10842     source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++-
10843     1 file changed, 55 insertions(+), 3 deletions(-)
10844    
10845     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10846     index 1c180343252..b605daea794 100644
10847     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10848     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10849     @@ -133,12 +133,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
10850     struct netr_ServerAuthenticate3 *r,
10851     struct netlogon_server_pipe_state *pipe_state,
10852     uint32_t negotiate_flags,
10853     + const char *trust_account_in_db,
10854     NTSTATUS orig_status)
10855     {
10856     struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
10857     - bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10858     - bool reject_des_client = !allow_nt4_crypto;
10859     - bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10860     + bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10861     + bool account_allow_nt4_crypto = global_allow_nt4_crypto;
10862     + const char *explicit_nt4_opt = NULL;
10863     + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10864     + bool account_reject_md5_client = global_reject_md5_client;
10865     + const char *explicit_md5_opt = NULL;
10866     + bool reject_des_client;
10867     + bool allow_nt4_crypto;
10868     + bool reject_md5_client;
10869     +
10870     + /*
10871     + * We don't use lpcfg_parm_bool(), as we
10872     + * need the explicit_opt pointer in order to
10873     + * adjust the debug messages.
10874     + */
10875     +
10876     + if (trust_account_in_db != NULL) {
10877     + explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
10878     + NULL,
10879     + "allow nt4 crypto",
10880     + trust_account_in_db);
10881     + }
10882     + if (explicit_nt4_opt != NULL) {
10883     + account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
10884     + }
10885     + allow_nt4_crypto = account_allow_nt4_crypto;
10886     + if (trust_account_in_db != NULL) {
10887     + explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
10888     + NULL,
10889     + "server reject md5 schannel",
10890     + trust_account_in_db);
10891     + }
10892     + if (explicit_md5_opt != NULL) {
10893     + account_reject_md5_client = lp_bool(explicit_md5_opt);
10894     + }
10895     + reject_md5_client = account_reject_md5_client;
10896     +
10897     + reject_des_client = !allow_nt4_crypto;
10898    
10899     if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10900     reject_des_client = false;
10901     @@ -307,12 +343,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10902     case SEC_CHAN_NULL:
10903     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10904     dce_call, r, pipe_state, negotiate_flags,
10905     + NULL, /* trust_account_in_db */
10906     NT_STATUS_INVALID_PARAMETER);
10907     default:
10908     DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
10909     r->in.secure_channel_type));
10910     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10911     dce_call, r, pipe_state, negotiate_flags,
10912     + NULL, /* trust_account_in_db */
10913     NT_STATUS_INVALID_PARAMETER);
10914     }
10915    
10916     @@ -325,6 +363,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10917     if (sam_ctx == NULL) {
10918     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10919     dce_call, r, pipe_state, negotiate_flags,
10920     + NULL, /* trust_account_in_db */
10921     NT_STATUS_INVALID_SYSTEM_SERVICE);
10922     }
10923    
10924     @@ -356,6 +395,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10925     if (encoded_name == NULL) {
10926     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10927     dce_call, r, pipe_state, negotiate_flags,
10928     + NULL, /* trust_account_in_db */
10929     NT_STATUS_NO_MEMORY);
10930     }
10931    
10932     @@ -363,12 +403,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10933     if (len < 2) {
10934     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10935     dce_call, r, pipe_state, negotiate_flags,
10936     + NULL, /* trust_account_in_db */
10937     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10938     }
10939    
10940     if (require_trailer && encoded_name[len - 1] != trailer) {
10941     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10942     dce_call, r, pipe_state, negotiate_flags,
10943     + NULL, /* trust_account_in_db */
10944     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10945     }
10946     encoded_name[len - 1] = '\0';
10947     @@ -389,11 +431,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10948     encoded_name));
10949     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10950     dce_call, r, pipe_state, negotiate_flags,
10951     + NULL, /* trust_account_in_db */
10952     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10953     }
10954     if (!NT_STATUS_IS_OK(nt_status)) {
10955     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10956     dce_call, r, pipe_state, negotiate_flags,
10957     + NULL, /* trust_account_in_db */
10958     nt_status);
10959     }
10960    
10961     @@ -403,11 +447,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10962     if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
10963     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10964     dce_call, r, pipe_state, negotiate_flags,
10965     + NULL, /* trust_account_in_db */
10966     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10967     }
10968     if (!NT_STATUS_IS_OK(nt_status)) {
10969     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10970     dce_call, r, pipe_state, negotiate_flags,
10971     + NULL, /* trust_account_in_db */
10972     nt_status);
10973     }
10974    
10975     @@ -415,6 +461,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10976     if (flatname == NULL) {
10977     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10978     dce_call, r, pipe_state, negotiate_flags,
10979     + NULL, /* trust_account_in_db */
10980     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10981     }
10982    
10983     @@ -422,6 +469,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10984     if (*trust_account_for_search == NULL) {
10985     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10986     dce_call, r, pipe_state, negotiate_flags,
10987     + NULL, /* trust_account_in_db */
10988     NT_STATUS_NO_MEMORY);
10989     }
10990     } else {
10991     @@ -439,6 +487,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10992     log_escape(mem_ctx, r->in.account_name)));
10993     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10994     dce_call, r, pipe_state, negotiate_flags,
10995     + NULL, /* trust_account_in_db */
10996     NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10997     }
10998    
10999     @@ -448,6 +497,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
11000     log_escape(mem_ctx, r->in.account_name)));
11001     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
11002     dce_call, r, pipe_state, negotiate_flags,
11003     + NULL, /* trust_account_in_db */
11004     NT_STATUS_INTERNAL_DB_CORRUPTION);
11005     }
11006    
11007     @@ -459,11 +509,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
11008     r->in.account_name));
11009     return dcesrv_netr_ServerAuthenticate3_check_downgrade(
11010     dce_call, r, pipe_state, negotiate_flags,
11011     + NULL, /* trust_account_in_db */
11012     NT_STATUS_INTERNAL_DB_CORRUPTION);
11013     }
11014    
11015     nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
11016     dce_call, r, pipe_state, negotiate_flags,
11017     + *trust_account_in_db,
11018     NT_STATUS_OK);
11019     if (!NT_STATUS_IS_OK(nt_status)) {
11020     return nt_status;
11021     --
11022     2.39.0
11023    
11024    
11025     From b15c69701d065504588671187a5cec9eea9dcf57 Mon Sep 17 00:00:00 2001
11026     From: Stefan Metzmacher <metze@samba.org>
11027     Date: Fri, 25 Nov 2022 13:31:14 +0100
11028     Subject: [PATCH 120/142] CVE-2022-38023 docs-xml/smbdotconf: document "allow
11029     nt4 crypto:COMPUTERACCOUNT = no"
11030    
11031     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11032    
11033     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11034     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11035     Reviewed-by: Ralph Boehme <slow@samba.org>
11036     (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
11037     ---
11038     docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++-
11039     1 file changed, 74 insertions(+), 2 deletions(-)
11040    
11041     diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11042     index 06afcef73b1..bbd03a42db7 100644
11043     --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
11044     +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11045     @@ -1,11 +1,18 @@
11046     <samba:parameter name="allow nt4 crypto"
11047     context="G"
11048     type="boolean"
11049     + deprecated="1"
11050     xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11051     <description>
11052     + <para>
11053     + This option is deprecated and will be removed in future,
11054     + as it is a security problem if not set to "no" (which will be
11055     + the hardcoded behavior in future).
11056     + </para>
11057     +
11058     <para>This option controls whether the netlogon server (currently
11059     only in 'active directory domain controller' mode), will
11060     - reject clients which does not support NETLOGON_NEG_STRONG_KEYS
11061     + reject clients which do not support NETLOGON_NEG_STRONG_KEYS
11062     nor NETLOGON_NEG_SUPPORTS_AES.</para>
11063    
11064     <para>This option was added with Samba 4.2.0. It may lock out clients
11065     @@ -18,8 +25,73 @@
11066    
11067     <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
11068    
11069     - <para>This option is over-ridden by the 'reject md5 clients' option.</para>
11070     + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
11071     + Which is available with the patches for
11072     + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11073     + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
11074     +
11075     + <para>
11076     + Samba will log an error in the log files at log level 0
11077     + if legacy a client is rejected or allowed without an explicit,
11078     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
11079     + for the client. The message will indicate
11080     + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
11081     + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11082     + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
11083     + in order to complain only at a higher log level).
11084     + </para>
11085     +
11086     + <para>This allows admins to use "yes" only for a short grace period,
11087     + in order to collect the explicit
11088     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
11089     +
11090     + <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11091     </description>
11092    
11093     <value type="default">no</value>
11094     </samba:parameter>
11095     +
11096     +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
11097     + context="G"
11098     + type="string"
11099     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11100     +<description>
11101     +
11102     + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
11103     + it is possible to specify an explicit exception per computer account
11104     + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
11105     + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
11106     + the computer account (including the trailing '$' sign).
11107     + </para>
11108     +
11109     + <para>
11110     + Samba will log a complaint in the log files at log level 0
11111     + about the security problem if the option is set to "yes",
11112     + but the related computer does not require it.
11113     + (The log level can be adjusted with
11114     + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
11115     + in order to complain only at a higher log level).
11116     + </para>
11117     +
11118     + <para>
11119     + Samba will log a warning in the log files at log level 5,
11120     + if a setting is still needed for the specified computer account.
11121     + </para>
11122     +
11123     + <para>
11124     + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
11125     + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11126     + </para>
11127     +
11128     + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
11129     +
11130     + <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11131     +
11132     + <programlisting>
11133     + allow nt4 crypto:LEGACYCOMPUTER1$ = yes
11134     + allow nt4 crypto:NASBOX$ = yes
11135     + allow nt4 crypto:LEGACYCOMPUTER2$ = yes
11136     + </programlisting>
11137     +</description>
11138     +
11139     +</samba:parameter>
11140     --
11141     2.39.0
11142    
11143    
11144     From bbc9f54fdc1ebbfc0c27b61aff43a63a16aed9d9 Mon Sep 17 00:00:00 2001
11145     From: Stefan Metzmacher <metze@samba.org>
11146     Date: Fri, 25 Nov 2022 14:02:11 +0100
11147     Subject: [PATCH 121/142] CVE-2022-38023 docs-xml/smbdotconf: document "server
11148     reject md5 schannel:COMPUTERACCOUNT"
11149    
11150     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11151    
11152     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11153     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11154     Reviewed-by: Ralph Boehme <slow@samba.org>
11155     (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
11156     ---
11157     docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++-
11158     .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++-
11159     2 files changed, 103 insertions(+), 6 deletions(-)
11160    
11161     diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11162     index bbd03a42db7..ee63e6cc245 100644
11163     --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
11164     +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11165     @@ -45,7 +45,9 @@
11166     in order to collect the explicit
11167     '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
11168    
11169     - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11170     + <para>This option is over-ridden by the effective value of 'yes' from
11171     + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
11172     + and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
11173     </description>
11174    
11175     <value type="default">no</value>
11176     @@ -85,12 +87,19 @@
11177    
11178     <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
11179    
11180     - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11181     + <para>This option is over-ridden by the effective value of 'yes' from
11182     + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
11183     + and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
11184     + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
11185     + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
11186    
11187     <programlisting>
11188     allow nt4 crypto:LEGACYCOMPUTER1$ = yes
11189     + server reject md5 schannel:LEGACYCOMPUTER1$ = no
11190     allow nt4 crypto:NASBOX$ = yes
11191     + server reject md5 schannel:NASBOX$ = no
11192     allow nt4 crypto:LEGACYCOMPUTER2$ = yes
11193     + server reject md5 schannel:LEGACYCOMPUTER2$ = no
11194     </programlisting>
11195     </description>
11196    
11197     diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11198     index edcbe02e99a..fe7701d9277 100644
11199     --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11200     +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11201     @@ -1,8 +1,15 @@
11202     <samba:parameter name="reject md5 clients"
11203     context="G"
11204     type="boolean"
11205     + deprecated="1"
11206     xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11207     <description>
11208     + <para>
11209     + This option is deprecated and will be removed in a future release,
11210     + as it is a security problem if not set to "yes" (which will be
11211     + the hardcoded behavior in the future).
11212     + </para>
11213     +
11214     <para>This option controls whether the netlogon server (currently
11215     only in 'active directory domain controller' mode), will
11216     reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
11217     @@ -10,13 +17,94 @@
11218     <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
11219     starting with Server 2008R2 and Windows 7, it's available in Samba
11220     starting with 4.0, however third party domain members like NetApp ONTAP
11221     - still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
11222     + still uses RC4 (HMAC-MD5), see
11223     + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
11224     + for more details.
11225     + </para>
11226     +
11227     + <para>The default changed from 'no' to 'yes', with the patches for
11228     + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11229     + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11230     + </para>
11231     +
11232     + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
11233     + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
11234     + Which is available with the patches for
11235     + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11236     + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11237     + </para>
11238    
11239     - <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
11240     - see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
11241     + <para>
11242     + Samba will log an error in the log files at log level 0
11243     + if legacy a client is rejected or allowed without an explicit,
11244     + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
11245     + for the client. The message will indicate
11246     + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
11247     + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11248     + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
11249     + in order to complain only at a higher log level).
11250     + </para>
11251    
11252     - <para>This option overrides the 'allow nt4 crypto' option.</para>
11253     + <para>This allows admins to use "no" only for a short grace period,
11254     + in order to collect the explicit
11255     + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
11256     +
11257     + <para>When set to 'yes' this option overrides the
11258     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
11259     + '<smbconfoption name="allow nt4 crypto"/>' options and implies
11260     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
11261     + </para>
11262     </description>
11263    
11264     <value type="default">yes</value>
11265     </samba:parameter>
11266     +
11267     +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
11268     + context="G"
11269     + type="string"
11270     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11271     +<description>
11272     +
11273     + <para>If you still have legacy domain members or trusted domains,
11274     + which required "reject md5 clients = no" before,
11275     + it is possible to specify an explicit exception per computer account
11276     + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
11277     + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
11278     + the computer account (including the trailing '$' sign).
11279     + </para>
11280     +
11281     + <para>
11282     + Samba will log a complaint in the log files at log level 0
11283     + about the security problem if the option is set to "no",
11284     + but the related computer does not require it.
11285     + (The log level can be adjusted with
11286     + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
11287     + in order to complain only at a higher log level).
11288     + </para>
11289     +
11290     + <para>
11291     + Samba will log a warning in the log files at log level 5
11292     + if a setting is still needed for the specified computer account.
11293     + </para>
11294     +
11295     + <para>
11296     + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
11297     + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11298     + </para>
11299     +
11300     + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
11301     +
11302     + <para>When set to 'yes' this option overrides the
11303     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
11304     + '<smbconfoption name="allow nt4 crypto"/>' options and implies
11305     + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
11306     + </para>
11307     +
11308     + <programlisting>
11309     + server reject md5 schannel:LEGACYCOMPUTER1$ = no
11310     + server reject md5 schannel:NASBOX$ = no
11311     + server reject md5 schannel:LEGACYCOMPUTER2$ = no
11312     + </programlisting>
11313     +</description>
11314     +
11315     +</samba:parameter>
11316     --
11317     2.39.0
11318    
11319    
11320     From 88311bae73bfdd2863ee94f421ef89266bff97f0 Mon Sep 17 00:00:00 2001
11321     From: Stefan Metzmacher <metze@samba.org>
11322     Date: Fri, 25 Nov 2022 13:13:36 +0100
11323     Subject: [PATCH 122/142] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
11324     md5 servers' and 'allow nt4 crypto' misconfigurations
11325    
11326     This allows the admin to notice what's wrong in order to adjust the
11327     configuration if required.
11328    
11329     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11330    
11331     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11332     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11333     Reviewed-by: Ralph Boehme <slow@samba.org>
11334     (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
11335     ---
11336     source4/rpc_server/netlogon/dcerpc_netlogon.c | 121 ++++++++++++++++++
11337     1 file changed, 121 insertions(+)
11338    
11339     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11340     index b605daea794..b93ff08abcd 100644
11341     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11342     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11343     @@ -61,10 +61,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
11344     const struct dcesrv_interface *iface)
11345     {
11346     struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
11347     + bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
11348     + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
11349     int schannel = lpcfg_server_schannel(lp_ctx);
11350     bool schannel_global_required = (schannel == true);
11351     + static bool warned_global_nt4_once = false;
11352     + static bool warned_global_md5_once = false;
11353     static bool warned_global_schannel_once = false;
11354    
11355     + if (global_allow_nt4_crypto && !warned_global_nt4_once) {
11356     + /*
11357     + * We want admins to notice their misconfiguration!
11358     + */
11359     + D_ERR("CVE-2022-38023 (and others): "
11360     + "Please configure 'allow nt4 crypto = no' (the default), "
11361     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
11362     + warned_global_nt4_once = true;
11363     + }
11364     +
11365     + if (!global_reject_md5_client && !warned_global_md5_once) {
11366     + /*
11367     + * We want admins to notice their misconfiguration!
11368     + */
11369     + D_ERR("CVE-2022-38023: "
11370     + "Please configure 'reject md5 clients = yes' (the default), "
11371     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
11372     + warned_global_md5_once = true;
11373     + }
11374     +
11375     if (!schannel_global_required && !warned_global_schannel_once) {
11376     /*
11377     * We want admins to notice their misconfiguration!
11378     @@ -146,6 +170,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11379     bool reject_des_client;
11380     bool allow_nt4_crypto;
11381     bool reject_md5_client;
11382     + bool need_des = true;
11383     + bool need_md5 = true;
11384     + int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
11385     + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
11386     + int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
11387     + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
11388    
11389     /*
11390     * We don't use lpcfg_parm_bool(), as we
11391     @@ -177,19 +207,62 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11392     reject_des_client = !allow_nt4_crypto;
11393    
11394     if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
11395     + need_des = false;
11396     reject_des_client = false;
11397     }
11398    
11399     if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
11400     + need_des = false;
11401     + need_md5 = false;
11402     reject_des_client = false;
11403     reject_md5_client = false;
11404     }
11405    
11406     if (reject_des_client || reject_md5_client) {
11407     + TALLOC_CTX *frame = talloc_stackframe();
11408     +
11409     + DEBUG(CVE_2022_38023_error_level, (
11410     + "CVE-2022-38023: "
11411     + "client_account[%s] computer_name[%s] "
11412     + "schannel_type[%u] "
11413     + "client_negotiate_flags[0x%x] "
11414     + "%s%s%s "
11415     + "NT_STATUS_DOWNGRADE_DETECTED "
11416     + "reject_des[%u] reject_md5[%u]\n",
11417     + log_escape(frame, r->in.account_name),
11418     + log_escape(frame, r->in.computer_name),
11419     + r->in.secure_channel_type,
11420     + (unsigned)*r->in.negotiate_flags,
11421     + trust_account_in_db ? "real_account[" : "",
11422     + trust_account_in_db ? trust_account_in_db : "",
11423     + trust_account_in_db ? "]" : "",
11424     + reject_des_client,
11425     + reject_md5_client));
11426     + if (trust_account_in_db == NULL) {
11427     + goto return_downgrade;
11428     + }
11429     +
11430     + if (reject_md5_client && explicit_md5_opt == NULL) {
11431     + DEBUG(CVE_2022_38023_error_level, (
11432     + "CVE-2022-38023: Check if option "
11433     + "'server reject md5 schannel:%s = no' "
11434     + "might be needed for a legacy client.\n",
11435     + trust_account_in_db));
11436     + }
11437     + if (reject_des_client && explicit_nt4_opt == NULL) {
11438     + DEBUG(CVE_2022_38023_error_level, (
11439     + "CVE-2022-38023: Check if option "
11440     + "'allow nt4 crypto:%s = yes' "
11441     + "might be needed for a legacy client.\n",
11442     + trust_account_in_db));
11443     + }
11444     +
11445     +return_downgrade:
11446     /*
11447     * Here we match Windows 2012 and return no flags.
11448     */
11449     *r->out.negotiate_flags = 0;
11450     + TALLOC_FREE(frame);
11451     return NT_STATUS_DOWNGRADE_DETECTED;
11452     }
11453    
11454     @@ -222,6 +295,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11455     */
11456     *r->out.negotiate_flags = negotiate_flags;
11457    
11458     + if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) {
11459     + return orig_status;
11460     + }
11461     +
11462     + if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) {
11463     + D_INFO("CVE-2022-38023: Check if option "
11464     + "'server reject md5 schannel:%s = yes' not needed!?\n",
11465     + trust_account_in_db);
11466     + } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) {
11467     + D_INFO("CVE-2022-38023: Check if option "
11468     + "'server reject md5 schannel:%s = no' "
11469     + "still needed for a legacy client.\n",
11470     + trust_account_in_db);
11471     + } else if (need_md5 && explicit_md5_opt == NULL) {
11472     + DEBUG(CVE_2022_38023_error_level, (
11473     + "CVE-2022-38023: Check if option "
11474     + "'server reject md5 schannel:%s = no' "
11475     + "might be needed for a legacy client.\n",
11476     + trust_account_in_db));
11477     + } else if (!account_reject_md5_client && explicit_md5_opt) {
11478     + DEBUG(CVE_2022_38023_warn_level, (
11479     + "CVE-2022-38023: Check if option "
11480     + "'server reject md5 schannel:%s = no' not needed!?\n",
11481     + trust_account_in_db));
11482     + }
11483     +
11484     + if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) {
11485     + D_INFO("CVE-2022-38023: Check if option "
11486     + "'allow nt4 crypto:%s = no' not needed!?\n",
11487     + trust_account_in_db);
11488     + } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) {
11489     + D_INFO("CVE-2022-38023: Check if option "
11490     + "'allow nt4 crypto:%s = yes' "
11491     + "still needed for a legacy client.\n",
11492     + trust_account_in_db);
11493     + } else if (need_des && explicit_nt4_opt == NULL) {
11494     + DEBUG(CVE_2022_38023_error_level, (
11495     + "CVE-2022-38023: Check if option "
11496     + "'allow nt4 crypto:%s = yes' "
11497     + "might be needed for a legacy client.\n",
11498     + trust_account_in_db));
11499     + } else if (account_allow_nt4_crypto && explicit_nt4_opt) {
11500     + DEBUG(CVE_2022_38023_warn_level, (
11501     + "CVE-2022-38023: Check if option "
11502     + "'allow nt4 crypto:%s = yes' not needed!?\n",
11503     + trust_account_in_db));
11504     + }
11505     +
11506     return orig_status;
11507     }
11508    
11509     --
11510     2.39.0
11511    
11512    
11513     From 73230d08dd1ec2390e52b24f0398d328a55e5866 Mon Sep 17 00:00:00 2001
11514     From: Stefan Metzmacher <metze@samba.org>
11515     Date: Wed, 30 Nov 2022 14:57:20 +0100
11516     Subject: [PATCH 123/142] CVE-2022-38023 selftest:Samba4: avoid global 'allow
11517     nt4 crypto = yes' and 'reject md5 clients = no'
11518    
11519     Instead of using the generic deprecated option use the specific
11520     allow nt4 crypto:COMPUTERACCOUNT = yes and
11521     server reject md5 schannel:COMPUTERACCOUNT = no
11522     in order to allow legacy tests for pass.
11523    
11524     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11525    
11526     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11527     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11528     Reviewed-by: Ralph Boehme <slow@samba.org>
11529     (backported from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
11530     ---
11531     selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
11532     1 file changed, 53 insertions(+), 7 deletions(-)
11533    
11534     diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
11535     index 7e3d7c9de8e..aafb9ee14ca 100755
11536     --- a/selftest/target/Samba4.pm
11537     +++ b/selftest/target/Samba4.pm
11538     @@ -1700,7 +1700,6 @@ sub provision_ad_dc_ntvfs($$)
11539     my $extra_conf_options = "netbios aliases = localDC1-a
11540     server services = +winbind -winbindd
11541     ldap server require strong auth = allow_sasl_over_tls
11542     - allow nt4 crypto = yes
11543     raw NTLMv2 auth = yes
11544     lsa over netlogon = yes
11545     rpc server port = 1027
11546     @@ -1709,9 +1708,19 @@ sub provision_ad_dc_ntvfs($$)
11547     dsdb password event notification = true
11548     dsdb group change notification = true
11549    
11550     - reject md5 clients = no
11551     -
11552     CVE_2020_1472:warn_about_unused_debug_level = 3
11553     + CVE_2022_38023:warn_about_unused_debug_level = 3
11554     + allow nt4 crypto:torturetest\$ = yes
11555     + server reject md5 schannel:schannel2\$ = no
11556     + server reject md5 schannel:schannel3\$ = no
11557     + server reject md5 schannel:schannel8\$ = no
11558     + server reject md5 schannel:schannel9\$ = no
11559     + server reject md5 schannel:torturetest\$ = no
11560     + server reject md5 schannel:tests4u2proxywk\$ = no
11561     + server reject md5 schannel:tests4u2selfbdc\$ = no
11562     + server reject md5 schannel:tests4u2selfwk\$ = no
11563     + server reject md5 schannel:torturepacbdc\$ = no
11564     + server reject md5 schannel:torturepacwksta\$ = no
11565     server require schannel:schannel0\$ = no
11566     server require schannel:schannel1\$ = no
11567     server require schannel:schannel2\$ = no
11568     @@ -1770,6 +1779,13 @@ sub provision_fl2000dc($$)
11569     my $extra_conf_options = "
11570     spnego:simulate_w2k=yes
11571     ntlmssp_server:force_old_spnego=yes
11572     +
11573     + CVE_2022_38023:warn_about_unused_debug_level = 3
11574     + server reject md5 schannel:tests4u2proxywk\$ = no
11575     + server reject md5 schannel:tests4u2selfbdc\$ = no
11576     + server reject md5 schannel:tests4u2selfwk\$ = no
11577     + server reject md5 schannel:torturepacbdc\$ = no
11578     + server reject md5 schannel:torturepacwksta\$ = no
11579     ";
11580     my $extra_provision_options = ["--use-ntvfs"];
11581     # This environment uses plain text secrets
11582     @@ -1818,7 +1834,16 @@ sub provision_fl2003dc($$$)
11583     my $extra_conf_options = "allow dns updates = nonsecure and secure
11584     dcesrv:header signing = no
11585     dcesrv:max auth states = 0
11586     - dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2";
11587     + dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2
11588     +
11589     + CVE_2022_38023:warn_about_unused_debug_level = 3
11590     + server reject md5 schannel:tests4u2proxywk\$ = no
11591     + server reject md5 schannel:tests4u2selfbdc\$ = no
11592     + server reject md5 schannel:tests4u2selfwk\$ = no
11593     + server reject md5 schannel:torturepacbdc\$ = no
11594     + server reject md5 schannel:torturepacwksta\$ = no
11595     +";
11596     +
11597     my $extra_provision_options = ["--use-ntvfs"];
11598     my $ret = $self->provision($prefix,
11599     "domain controller",
11600     @@ -1874,8 +1899,18 @@ sub provision_fl2008r2dc($$$)
11601     my ($self, $prefix, $dcvars) = @_;
11602    
11603     print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n";
11604     - my $extra_conf_options = "ldap server require strong auth = no";
11605     + my $extra_conf_options = "
11606     + ldap server require strong auth = no
11607     +
11608     + CVE_2022_38023:warn_about_unused_debug_level = 3
11609     + server reject md5 schannel:tests4u2proxywk\$ = no
11610     + server reject md5 schannel:tests4u2selfbdc\$ = no
11611     + server reject md5 schannel:tests4u2selfwk\$ = no
11612     + server reject md5 schannel:torturepacbdc\$ = no
11613     + server reject md5 schannel:torturepacwksta\$ = no
11614     +";
11615     my $extra_provision_options = ["--use-ntvfs"];
11616     +
11617     my $ret = $self->provision($prefix,
11618     "domain controller",
11619     "dc7",
11620     @@ -2104,9 +2139,20 @@ sub provision_ad_dc($$$$$$)
11621     lpq cache time = 0
11622     print notify backchannel = yes
11623    
11624     - reject md5 clients = no
11625     -
11626     CVE_2020_1472:warn_about_unused_debug_level = 3
11627     + CVE_2022_38023:warn_about_unused_debug_level = 3
11628     + CVE_2022_38023:error_debug_level = 2
11629     + server reject md5 schannel:schannel2\$ = no
11630     + server reject md5 schannel:schannel3\$ = no
11631     + server reject md5 schannel:schannel8\$ = no
11632     + server reject md5 schannel:schannel9\$ = no
11633     + server reject md5 schannel:torturetest\$ = no
11634     + server reject md5 schannel:tests4u2proxywk\$ = no
11635     + server reject md5 schannel:tests4u2selfbdc\$ = no
11636     + server reject md5 schannel:tests4u2selfwk\$ = no
11637     + server reject md5 schannel:torturepacbdc\$ = no
11638     + server reject md5 schannel:torturepacwksta\$ = no
11639     + server reject md5 schannel:samlogontest\$ = no
11640     server require schannel:schannel0\$ = no
11641     server require schannel:schannel1\$ = no
11642     server require schannel:schannel2\$ = no
11643     --
11644     2.39.0
11645    
11646    
11647     From 2efdacb36c42985595284db6db90953feecc6e1a Mon Sep 17 00:00:00 2001
11648     From: Stefan Metzmacher <metze@samba.org>
11649     Date: Wed, 30 Nov 2022 16:57:24 +0100
11650     Subject: [PATCH 124/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
11651     dcesrv_netr_check_schannel() function
11652    
11653     This will allow us to reuse the function in other places.
11654     As it will also get some additional checks soon.
11655    
11656     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11657    
11658     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11659     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11660     Reviewed-by: Ralph Boehme <slow@samba.org>
11661     (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
11662     ---
11663     source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++--------
11664     1 file changed, 51 insertions(+), 33 deletions(-)
11665    
11666     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11667     index b93ff08abcd..94adb74165f 100644
11668     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11669     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11670     @@ -845,18 +845,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
11671     return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
11672     }
11673    
11674     -/*
11675     - * NOTE: The following functions are nearly identical to the ones available in
11676     - * source3/rpc_server/srv_nelog_nt.c
11677     - * The reason we keep 2 copies is that they use different structures to
11678     - * represent the auth_info and the decrpc pipes.
11679     - */
11680     -static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
11681     - TALLOC_CTX *mem_ctx,
11682     - const char *computer_name,
11683     - struct netr_Authenticator *received_authenticator,
11684     - struct netr_Authenticator *return_authenticator,
11685     - struct netlogon_creds_CredentialState **creds_out)
11686     +static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
11687     + const struct netlogon_creds_CredentialState *creds,
11688     + enum dcerpc_AuthType auth_type,
11689     + enum dcerpc_AuthLevel auth_level,
11690     + uint16_t opnum)
11691     {
11692     struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
11693     TALLOC_CTX *frame = talloc_stackframe();
11694     @@ -865,15 +858,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11695     bool schannel_global_required = (schannel == true);
11696     bool schannel_required = schannel_global_required;
11697     const char *explicit_opt = NULL;
11698     - struct netlogon_creds_CredentialState *creds = NULL;
11699     int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
11700     "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
11701     int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
11702     "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
11703     unsigned int dbg_lvl = DBGLVL_DEBUG;
11704     - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11705     - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11706     - uint16_t opnum = dce_call->pkt.u.request.opnum;
11707     const char *opname = "<unknown>";
11708     const char *reason = "<unknown>";
11709    
11710     @@ -881,8 +870,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11711     opname = ndr_table_netlogon.calls[opnum].name;
11712     }
11713    
11714     - dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11715     -
11716     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
11717     if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
11718     reason = "WITH SEALED";
11719     @@ -895,17 +882,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11720     reason = "WITHOUT";
11721     }
11722    
11723     - nt_status = schannel_check_creds_state(mem_ctx,
11724     - lp_ctx,
11725     - computer_name,
11726     - received_authenticator,
11727     - return_authenticator,
11728     - &creds);
11729     - if (!NT_STATUS_IS_OK(nt_status)) {
11730     - ZERO_STRUCTP(return_authenticator);
11731     - return nt_status;
11732     - }
11733     -
11734     /*
11735     * We don't use lpcfg_parm_bool(), as we
11736     * need the explicit_opt pointer in order to
11737     @@ -945,7 +921,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11738     log_escape(frame, creds->computer_name)));
11739     }
11740    
11741     - *creds_out = creds;
11742     TALLOC_FREE(frame);
11743     return nt_status;
11744     }
11745     @@ -979,8 +954,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11746     "might be needed for a legacy client.\n",
11747     log_escape(frame, creds->account_name)));
11748     }
11749     - TALLOC_FREE(creds);
11750     - ZERO_STRUCTP(return_authenticator);
11751     TALLOC_FREE(frame);
11752     return nt_status;
11753     }
11754     @@ -1024,11 +997,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11755     log_escape(frame, creds->computer_name)));
11756     }
11757    
11758     - *creds_out = creds;
11759     TALLOC_FREE(frame);
11760     return NT_STATUS_OK;
11761     }
11762    
11763     +/*
11764     + * NOTE: The following functions are nearly identical to the ones available in
11765     + * source3/rpc_server/srv_nelog_nt.c
11766     + * The reason we keep 2 copies is that they use different structures to
11767     + * represent the auth_info and the decrpc pipes.
11768     + */
11769     +static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
11770     + TALLOC_CTX *mem_ctx,
11771     + const char *computer_name,
11772     + struct netr_Authenticator *received_authenticator,
11773     + struct netr_Authenticator *return_authenticator,
11774     + struct netlogon_creds_CredentialState **creds_out)
11775     +{
11776     + NTSTATUS nt_status;
11777     + struct netlogon_creds_CredentialState *creds = NULL;
11778     + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11779     + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11780     +
11781     + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11782     +
11783     + nt_status = schannel_check_creds_state(mem_ctx,
11784     + dce_call->conn->dce_ctx->lp_ctx,
11785     + computer_name,
11786     + received_authenticator,
11787     + return_authenticator,
11788     + &creds);
11789     + if (!NT_STATUS_IS_OK(nt_status)) {
11790     + ZERO_STRUCTP(return_authenticator);
11791     + return nt_status;
11792     + }
11793     +
11794     + nt_status = dcesrv_netr_check_schannel(dce_call,
11795     + creds,
11796     + auth_type,
11797     + auth_level,
11798     + dce_call->pkt.u.request.opnum);
11799     + if (!NT_STATUS_IS_OK(nt_status)) {
11800     + TALLOC_FREE(creds);
11801     + ZERO_STRUCTP(return_authenticator);
11802     + return nt_status;
11803     + }
11804     +
11805     + *creds_out = creds;
11806     + return NT_STATUS_OK;
11807     +}
11808     +
11809     /*
11810     Change the machine account password for the currently connected
11811     client. Supplies only the NT#.
11812     --
11813     2.39.0
11814    
11815    
11816     From b95d07ebad63544c585a43590bdeaf5247cbaf46 Mon Sep 17 00:00:00 2001
11817     From: Stefan Metzmacher <metze@samba.org>
11818     Date: Wed, 30 Nov 2022 17:15:36 +0100
11819     Subject: [PATCH 125/142] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
11820     dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
11821    
11822     We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
11823     which are also required for dcesrv_netr_LogonSamLogonEx().
11824    
11825     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11826    
11827     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11828     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11829     Reviewed-by: Ralph Boehme <slow@samba.org>
11830     (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
11831     ---
11832     source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
11833     1 file changed, 29 insertions(+), 7 deletions(-)
11834    
11835     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11836     index 94adb74165f..f4413d7a03b 100644
11837     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11838     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11839     @@ -1408,6 +1408,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
11840     struct auth_usersupplied_info *user_info = NULL;
11841     NTSTATUS nt_status;
11842     struct tevent_req *subreq = NULL;
11843     + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11844     + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11845     +
11846     + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11847     +
11848     + switch (dce_call->pkt.u.request.opnum) {
11849     + case NDR_NETR_LOGONSAMLOGON:
11850     + case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
11851     + /*
11852     + * These already called dcesrv_netr_check_schannel()
11853     + * via dcesrv_netr_creds_server_step_check()
11854     + */
11855     + break;
11856     + case NDR_NETR_LOGONSAMLOGONEX:
11857     + default:
11858     + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
11859     + return NT_STATUS_ACCESS_DENIED;
11860     + }
11861     +
11862     + nt_status = dcesrv_netr_check_schannel(dce_call,
11863     + creds,
11864     + auth_type,
11865     + auth_level,
11866     + dce_call->pkt.u.request.opnum);
11867     + if (!NT_STATUS_IS_OK(nt_status)) {
11868     + return nt_status;
11869     + }
11870     + break;
11871     + }
11872    
11873     *r->out.authoritative = 1;
11874    
11875     @@ -1739,7 +1768,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
11876     static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
11877     struct netr_LogonSamLogonEx *r)
11878     {
11879     - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11880     struct dcesrv_netr_LogonSamLogon_base_state *state;
11881     NTSTATUS nt_status;
11882    
11883     @@ -1777,12 +1805,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
11884     return nt_status;
11885     }
11886    
11887     - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
11888     -
11889     - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
11890     - return NT_STATUS_ACCESS_DENIED;
11891     - }
11892     -
11893     nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
11894    
11895     if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
11896     --
11897     2.39.0
11898    
11899    
11900     From 5e5019dbdf9b49e07bd5f88bafa7275d5d076166 Mon Sep 17 00:00:00 2001
11901     From: Stefan Metzmacher <metze@samba.org>
11902     Date: Fri, 25 Nov 2022 16:53:35 +0100
11903     Subject: [PATCH 126/142] CVE-2022-38023 docs-xml/smbdotconf: add "server
11904     schannel require seal[:COMPUTERACCOUNT]" options
11905    
11906     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11907    
11908     Signed-off-by: Stefan Metzmacher <metze@samba.org>
11909     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11910     Reviewed-by: Ralph Boehme <slow@samba.org>
11911     (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
11912     ---
11913     .../smbdotconf/security/serverschannel.xml | 43 ++++++-
11914     .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++
11915     lib/param/loadparm.c | 1 +
11916     source3/param/loadparm.c | 1 +
11917     4 files changed, 157 insertions(+), 6 deletions(-)
11918     create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
11919    
11920     diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
11921     index 3e66df1c203..42a657912ca 100644
11922     --- a/docs-xml/smbdotconf/security/serverschannel.xml
11923     +++ b/docs-xml/smbdotconf/security/serverschannel.xml
11924     @@ -12,19 +12,37 @@
11925     the hardcoded behavior in future).
11926     </para>
11927    
11928     - <para>
11929     - Samba will complain in the log files at log level 0,
11930     - about the security problem if the option is not set to "yes".
11931     + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
11932     </para>
11933     +
11934     + <para>
11935     + Samba will log an error in the log files at log level 0
11936     + if legacy a client is rejected or allowed without an explicit,
11937     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
11938     + for the client. The message will indicate
11939     + the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
11940     + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11941     + '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
11942     + in order to complain only at a higher log level).
11943     + </para>
11944     +
11945     <para>
11946     - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
11947     + This allows admins to use "auto" only for a short grace period,
11948     + in order to collect the explicit
11949     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
11950     </para>
11951    
11952     - <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
11953     + <para>
11954     + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
11955     + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
11956     </para>
11957    
11958     <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
11959    
11960     + <para>This option is over-ridden by the effective value of 'yes' from
11961     + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
11962     + and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
11963     +
11964     </description>
11965    
11966     <value type="default">yes</value>
11967     @@ -48,6 +66,9 @@
11968     about the security problem if the option is not set to "no",
11969     but the related computer is actually using the netlogon
11970     secure channel (schannel) feature.
11971     + (The log level can be adjusted with
11972     + '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
11973     + in order to complain only at a higher log level).
11974     </para>
11975    
11976     <para>
11977     @@ -56,15 +77,25 @@
11978     </para>
11979    
11980     <para>
11981     - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
11982     + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
11983     + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
11984     </para>
11985    
11986     <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
11987    
11988     + <para>This option is over-ridden by the effective value of 'yes' from
11989     + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
11990     + and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
11991     + <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
11992     + is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
11993     +
11994     <programlisting>
11995     server require schannel:LEGACYCOMPUTER1$ = no
11996     + server require schannel seal:LEGACYCOMPUTER1$ = no
11997     server require schannel:NASBOX$ = no
11998     + server require schannel seal:NASBOX$ = no
11999     server require schannel:LEGACYCOMPUTER2$ = no
12000     + server require schannel seal:LEGACYCOMPUTER2$ = no
12001     </programlisting>
12002     </description>
12003    
12004     diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
12005     new file mode 100644
12006     index 00000000000..d4620d1252d
12007     --- /dev/null
12008     +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
12009     @@ -0,0 +1,118 @@
12010     +<samba:parameter name="server schannel require seal"
12011     + context="G"
12012     + type="boolean"
12013     + deprecated="1"
12014     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
12015     +<description>
12016     +
12017     + <para>
12018     + This option is deprecated and will be removed in future,
12019     + as it is a security problem if not set to "yes" (which will be
12020     + the hardcoded behavior in future).
12021     + </para>
12022     +
12023     + <para>
12024     + This option controls whether the netlogon server (currently
12025     + only in 'active directory domain controller' mode), will
12026     + reject the usage of netlogon secure channel without privacy/enryption.
12027     + </para>
12028     +
12029     + <para>
12030     + The option is modelled after the registry key available on Windows.
12031     + </para>
12032     +
12033     + <programlisting>
12034     + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
12035     + </programlisting>
12036     +
12037     + <para>
12038     + <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
12039     + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
12040     + Which is available with the patches for
12041     + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
12042     + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
12043     + </para>
12044     +
12045     + <para>
12046     + Samba will log an error in the log files at log level 0
12047     + if legacy a client is rejected or allowed without an explicit,
12048     + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
12049     + for the client. The message will indicate
12050     + the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
12051     + line to be added, if the legacy client software requires it. (The log level can be adjusted with
12052     + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
12053     + in order to complain only at a higher log level).
12054     + </para>
12055     +
12056     + <para>This allows admins to use "no" only for a short grace period,
12057     + in order to collect the explicit
12058     + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
12059     +
12060     + <para>
12061     + When set to 'yes' this option overrides the
12062     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
12063     + '<smbconfoption name="server schannel"/>' options and implies
12064     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
12065     + </para>
12066     +
12067     + <para>
12068     + This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
12069     + </para>
12070     +
12071     +</description>
12072     +
12073     +<value type="default">yes</value>
12074     +</samba:parameter>
12075     +
12076     +<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
12077     + context="G"
12078     + type="string"
12079     + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
12080     +<description>
12081     +
12082     + <para>
12083     + If you still have legacy domain members, which required "server schannel require seal = no" before,
12084     + it is possible to specify explicit exception per computer account
12085     + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
12086     + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
12087     + the computer account (including the trailing '$' sign).
12088     + </para>
12089     +
12090     + <para>
12091     + Samba will log a complaint in the log files at log level 0
12092     + about the security problem if the option is set to "no",
12093     + but the related computer does not require it.
12094     + (The log level can be adjusted with
12095     + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
12096     + in order to complain only at a higher log level).
12097     + </para>
12098     +
12099     + <para>
12100     + Samba will warn in the log files at log level 5,
12101     + if a setting is still needed for the specified computer account.
12102     + </para>
12103     +
12104     + <para>
12105     + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
12106     + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
12107     + </para>
12108     +
12109     + <para>
12110     + This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
12111     + </para>
12112     +
12113     + <para>
12114     + When set to 'yes' this option overrides the
12115     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
12116     + '<smbconfoption name="server schannel"/>' options and implies
12117     + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
12118     + </para>
12119     +
12120     + <programlisting>
12121     + server require schannel seal:LEGACYCOMPUTER1$ = no
12122     + server require schannel seal:NASBOX$ = no
12123     + server require schannel seal:LEGACYCOMPUTER2$ = no
12124     + </programlisting>
12125     +</description>
12126     +
12127     +</samba:parameter>
12128     diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
12129     index 77a80176f7d..4b3976ebdb6 100644
12130     --- a/lib/param/loadparm.c
12131     +++ b/lib/param/loadparm.c
12132     @@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
12133     lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
12134    
12135     lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
12136     + lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
12137     lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
12138    
12139     lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
12140     diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
12141     index 1cf468b1009..8dab202fc17 100644
12142     --- a/source3/param/loadparm.c
12143     +++ b/source3/param/loadparm.c
12144     @@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
12145     Globals.require_strong_key = true;
12146     Globals.reject_md5_servers = true;
12147     Globals.server_schannel = true;
12148     + Globals.server_schannel_require_seal = true;
12149     Globals.reject_md5_clients = true;
12150     Globals.read_raw = true;
12151     Globals.write_raw = true;
12152     --
12153     2.39.0
12154    
12155    
12156     From 83be39efadc4c4fad4a873e23016e1c5a8d65380 Mon Sep 17 00:00:00 2001
12157     From: Stefan Metzmacher <metze@samba.org>
12158     Date: Fri, 2 Dec 2022 14:31:26 +0100
12159     Subject: [PATCH 127/142] CVE-2022-38023 s4:rpc_server/netlogon: add a per
12160     connection cache to dcesrv_netr_check_schannel()
12161    
12162     It's enough to warn the admin once per connection.
12163    
12164     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12165    
12166     Signed-off-by: Stefan Metzmacher <metze@samba.org>
12167     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12168     Reviewed-by: Ralph Boehme <slow@samba.org>
12169     (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
12170     ---
12171     source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++----
12172     1 file changed, 153 insertions(+), 40 deletions(-)
12173    
12174     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12175     index f4413d7a03b..474d0806e6b 100644
12176     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
12177     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12178     @@ -845,23 +845,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
12179     return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
12180     }
12181    
12182     -static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12183     - const struct netlogon_creds_CredentialState *creds,
12184     - enum dcerpc_AuthType auth_type,
12185     - enum dcerpc_AuthLevel auth_level,
12186     - uint16_t opnum)
12187     +struct dcesrv_netr_check_schannel_state {
12188     + struct dom_sid account_sid;
12189     + enum dcerpc_AuthType auth_type;
12190     + enum dcerpc_AuthLevel auth_level;
12191     +
12192     + bool schannel_global_required;
12193     + bool schannel_required;
12194     + bool schannel_explicitly_set;
12195     +
12196     + NTSTATUS result;
12197     +};
12198     +
12199     +static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
12200     + const struct netlogon_creds_CredentialState *creds,
12201     + enum dcerpc_AuthType auth_type,
12202     + enum dcerpc_AuthLevel auth_level,
12203     + struct dcesrv_netr_check_schannel_state **_s)
12204     {
12205     struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
12206     - TALLOC_CTX *frame = talloc_stackframe();
12207     - NTSTATUS nt_status;
12208     int schannel = lpcfg_server_schannel(lp_ctx);
12209     bool schannel_global_required = (schannel == true);
12210     bool schannel_required = schannel_global_required;
12211     const char *explicit_opt = NULL;
12212     +#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
12213     + struct dcesrv_netr_check_schannel_state *s = NULL;
12214     + NTSTATUS status;
12215     +
12216     + *_s = NULL;
12217     +
12218     + s = dcesrv_iface_state_find_conn(dce_call,
12219     + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12220     + struct dcesrv_netr_check_schannel_state);
12221     + if (s != NULL) {
12222     + if (!dom_sid_equal(&s->account_sid, creds->sid)) {
12223     + goto new_state;
12224     + }
12225     + if (s->auth_type != auth_type) {
12226     + goto new_state;
12227     + }
12228     + if (s->auth_level != auth_level) {
12229     + goto new_state;
12230     + }
12231     +
12232     + *_s = s;
12233     + return NT_STATUS_OK;
12234     + }
12235     +
12236     +new_state:
12237     + TALLOC_FREE(s);
12238     + s = talloc_zero(dce_call,
12239     + struct dcesrv_netr_check_schannel_state);
12240     + if (s == NULL) {
12241     + return NT_STATUS_NO_MEMORY;
12242     + }
12243     +
12244     + s->account_sid = *creds->sid;
12245     + s->auth_type = auth_type;
12246     + s->auth_level = auth_level;
12247     + s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
12248     +
12249     + /*
12250     + * We don't use lpcfg_parm_bool(), as we
12251     + * need the explicit_opt pointer in order to
12252     + * adjust the debug messages.
12253     + */
12254     + explicit_opt = lpcfg_get_parametric(lp_ctx,
12255     + NULL,
12256     + "server require schannel",
12257     + creds->account_name);
12258     + if (explicit_opt != NULL) {
12259     + schannel_required = lp_bool(explicit_opt);
12260     + }
12261     +
12262     + s->schannel_global_required = schannel_global_required;
12263     + s->schannel_required = schannel_required;
12264     + s->schannel_explicitly_set = explicit_opt != NULL;
12265     +
12266     + status = dcesrv_iface_state_store_conn(dce_call,
12267     + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12268     + s);
12269     + if (!NT_STATUS_IS_OK(status)) {
12270     + return status;
12271     + }
12272     +
12273     + *_s = s;
12274     + return NT_STATUS_OK;
12275     +}
12276     +
12277     +static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
12278     + struct dcesrv_netr_check_schannel_state *s,
12279     + const struct netlogon_creds_CredentialState *creds,
12280     + uint16_t opnum)
12281     +{
12282     + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
12283     int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
12284     "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
12285     int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
12286     "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
12287     + TALLOC_CTX *frame = talloc_stackframe();
12288     unsigned int dbg_lvl = DBGLVL_DEBUG;
12289     const char *opname = "<unknown>";
12290     const char *reason = "<unknown>";
12291     @@ -870,37 +952,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12292     opname = ndr_table_netlogon.calls[opnum].name;
12293     }
12294    
12295     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12296     - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
12297     + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12298     + if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
12299     reason = "WITH SEALED";
12300     - } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
12301     + } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
12302     reason = "WITH SIGNED";
12303     } else {
12304     - smb_panic("Schannel without SIGN/SEAL");
12305     + reason = "WITH INVALID";
12306     + dbg_lvl = DBGLVL_ERR;
12307     + s->result = NT_STATUS_INTERNAL_ERROR;
12308     }
12309     } else {
12310     reason = "WITHOUT";
12311     }
12312    
12313     - /*
12314     - * We don't use lpcfg_parm_bool(), as we
12315     - * need the explicit_opt pointer in order to
12316     - * adjust the debug messages.
12317     - */
12318     - explicit_opt = lpcfg_get_parametric(lp_ctx,
12319     - NULL,
12320     - "server require schannel",
12321     - creds->account_name);
12322     - if (explicit_opt != NULL) {
12323     - schannel_required = lp_bool(explicit_opt);
12324     + if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
12325     + if (!NT_STATUS_IS_OK(s->result)) {
12326     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12327     + }
12328     +
12329     + DEBUG(dbg_lvl, (
12330     + "CVE-2020-1472(ZeroLogon): "
12331     + "%s request (opnum[%u]) %s schannel from "
12332     + "client_account[%s] client_computer_name[%s] %s\n",
12333     + opname, opnum, reason,
12334     + log_escape(frame, creds->account_name),
12335     + log_escape(frame, creds->computer_name),
12336     + nt_errstr(s->result)));
12337     + TALLOC_FREE(frame);
12338     + return s->result;
12339     }
12340    
12341     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12342     - nt_status = NT_STATUS_OK;
12343     + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12344     + s->result = NT_STATUS_OK;
12345    
12346     - if (explicit_opt != NULL && !schannel_required) {
12347     + if (s->schannel_explicitly_set && !s->schannel_required) {
12348     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
12349     - } else if (!schannel_required) {
12350     + } else if (!s->schannel_required) {
12351     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12352     }
12353    
12354     @@ -911,9 +999,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12355     opname, opnum, reason,
12356     log_escape(frame, creds->account_name),
12357     log_escape(frame, creds->computer_name),
12358     - nt_errstr(nt_status)));
12359     -
12360     - if (explicit_opt != NULL && !schannel_required) {
12361     + nt_errstr(s->result)));
12362     + if (s->schannel_explicitly_set && !s->schannel_required) {
12363     DEBUG(CVE_2020_1472_warn_level, (
12364     "CVE-2020-1472(ZeroLogon): "
12365     "Option 'server require schannel:%s = no' not needed for '%s'!\n",
12366     @@ -922,13 +1009,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12367     }
12368    
12369     TALLOC_FREE(frame);
12370     - return nt_status;
12371     + return s->result;
12372     }
12373    
12374     - if (schannel_required) {
12375     - nt_status = NT_STATUS_ACCESS_DENIED;
12376     + if (s->schannel_required) {
12377     + s->result = NT_STATUS_ACCESS_DENIED;
12378    
12379     - if (explicit_opt != NULL) {
12380     + if (s->schannel_explicitly_set) {
12381     dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12382     } else {
12383     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12384     @@ -941,8 +1028,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12385     opname, opnum, reason,
12386     log_escape(frame, creds->account_name),
12387     log_escape(frame, creds->computer_name),
12388     - nt_errstr(nt_status)));
12389     - if (explicit_opt != NULL) {
12390     + nt_errstr(s->result)));
12391     + if (s->schannel_explicitly_set) {
12392     D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
12393     "'server require schannel:%s = yes' "
12394     "rejects access for client.\n",
12395     @@ -955,12 +1042,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12396     log_escape(frame, creds->account_name)));
12397     }
12398     TALLOC_FREE(frame);
12399     - return nt_status;
12400     + return s->result;
12401     }
12402    
12403     - nt_status = NT_STATUS_OK;
12404     + s->result = NT_STATUS_OK;
12405    
12406     - if (explicit_opt != NULL) {
12407     + if (s->schannel_explicitly_set) {
12408     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12409     } else {
12410     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12411     @@ -973,9 +1060,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12412     opname, opnum, reason,
12413     log_escape(frame, creds->account_name),
12414     log_escape(frame, creds->computer_name),
12415     - nt_errstr(nt_status)));
12416     + nt_errstr(s->result)));
12417    
12418     - if (explicit_opt != NULL) {
12419     + if (s->schannel_explicitly_set) {
12420     D_INFO("CVE-2020-1472(ZeroLogon): Option "
12421     "'server require schannel:%s = no' "
12422     "still needed for '%s'!\n",
12423     @@ -998,6 +1085,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12424     }
12425    
12426     TALLOC_FREE(frame);
12427     + return s->result;
12428     +}
12429     +
12430     +static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12431     + const struct netlogon_creds_CredentialState *creds,
12432     + enum dcerpc_AuthType auth_type,
12433     + enum dcerpc_AuthLevel auth_level,
12434     + uint16_t opnum)
12435     +{
12436     + struct dcesrv_netr_check_schannel_state *s = NULL;
12437     + NTSTATUS status;
12438     +
12439     + status = dcesrv_netr_check_schannel_get_state(dce_call,
12440     + creds,
12441     + auth_type,
12442     + auth_level,
12443     + &s);
12444     + if (!NT_STATUS_IS_OK(status)) {
12445     + return status;
12446     + }
12447     +
12448     + status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum);
12449     + if (!NT_STATUS_IS_OK(status)) {
12450     + return status;
12451     + }
12452     +
12453     return NT_STATUS_OK;
12454     }
12455    
12456     --
12457     2.39.0
12458    
12459    
12460     From ef51add9def64d75f17b394924c238fffc81168f Mon Sep 17 00:00:00 2001
12461     From: Stefan Metzmacher <metze@samba.org>
12462     Date: Fri, 25 Nov 2022 14:05:30 +0100
12463     Subject: [PATCH 128/142] CVE-2022-38023 s4:rpc_server/netlogon: implement
12464     "server schannel require seal[:COMPUTERACCOUNT]"
12465    
12466     By default we'll now require schannel connections with
12467     privacy/sealing/encryption.
12468    
12469     But we allow exceptions for specific computer/trust accounts.
12470    
12471     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12472    
12473     Signed-off-by: Stefan Metzmacher <metze@samba.org>
12474     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12475     Reviewed-by: Ralph Boehme <slow@samba.org>
12476     (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
12477     ---
12478     selftest/target/Samba4.pm | 27 ++
12479     source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++-
12480     2 files changed, 270 insertions(+), 1 deletion(-)
12481    
12482     diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
12483     index aafb9ee14ca..c267b81d865 100755
12484     --- a/selftest/target/Samba4.pm
12485     +++ b/selftest/target/Samba4.pm
12486     @@ -1734,9 +1734,23 @@ sub provision_ad_dc_ntvfs($$)
12487     server require schannel:schannel10\$ = no
12488     server require schannel:schannel11\$ = no
12489     server require schannel:torturetest\$ = no
12490     + server schannel require seal:schannel0\$ = no
12491     + server schannel require seal:schannel1\$ = no
12492     + server schannel require seal:schannel2\$ = no
12493     + server schannel require seal:schannel3\$ = no
12494     + server schannel require seal:schannel4\$ = no
12495     + server schannel require seal:schannel5\$ = no
12496     + server schannel require seal:schannel6\$ = no
12497     + server schannel require seal:schannel7\$ = no
12498     + server schannel require seal:schannel8\$ = no
12499     + server schannel require seal:schannel9\$ = no
12500     + server schannel require seal:schannel10\$ = no
12501     + server schannel require seal:schannel11\$ = no
12502     + server schannel require seal:torturetest\$ = no
12503    
12504     # needed for 'samba.tests.auth_log' tests
12505     server require schannel:LOCALDC\$ = no
12506     + server schannel require seal:LOCALDC\$ = no
12507     ";
12508     my $extra_provision_options = ["--use-ntvfs"];
12509     my $ret = $self->provision($prefix,
12510     @@ -2166,6 +2180,19 @@ sub provision_ad_dc($$$$$$)
12511     server require schannel:schannel10\$ = no
12512     server require schannel:schannel11\$ = no
12513     server require schannel:torturetest\$ = no
12514     + server schannel require seal:schannel0\$ = no
12515     + server schannel require seal:schannel1\$ = no
12516     + server schannel require seal:schannel2\$ = no
12517     + server schannel require seal:schannel3\$ = no
12518     + server schannel require seal:schannel4\$ = no
12519     + server schannel require seal:schannel5\$ = no
12520     + server schannel require seal:schannel6\$ = no
12521     + server schannel require seal:schannel7\$ = no
12522     + server schannel require seal:schannel8\$ = no
12523     + server schannel require seal:schannel9\$ = no
12524     + server schannel require seal:schannel10\$ = no
12525     + server schannel require seal:schannel11\$ = no
12526     + server schannel require seal:torturetest\$ = no
12527    
12528     auth event notification = true
12529     dsdb event notification = true
12530     diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12531     index 474d0806e6b..343cd53473c 100644
12532     --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
12533     +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12534     @@ -65,9 +65,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
12535     bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
12536     int schannel = lpcfg_server_schannel(lp_ctx);
12537     bool schannel_global_required = (schannel == true);
12538     + bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
12539     static bool warned_global_nt4_once = false;
12540     static bool warned_global_md5_once = false;
12541     static bool warned_global_schannel_once = false;
12542     + static bool warned_global_seal_once = false;
12543    
12544     if (global_allow_nt4_crypto && !warned_global_nt4_once) {
12545     /*
12546     @@ -99,6 +101,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
12547     warned_global_schannel_once = true;
12548     }
12549    
12550     + if (!global_require_seal && !warned_global_seal_once) {
12551     + /*
12552     + * We want admins to notice their misconfiguration!
12553     + */
12554     + D_ERR("CVE-2022-38023 (and others): "
12555     + "Please configure 'server schannel require seal = yes' (the default), "
12556     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
12557     + warned_global_seal_once = true;
12558     + }
12559     +
12560     return dcesrv_interface_bind_reject_connect(context, iface);
12561     }
12562    
12563     @@ -854,6 +866,10 @@ struct dcesrv_netr_check_schannel_state {
12564     bool schannel_required;
12565     bool schannel_explicitly_set;
12566    
12567     + bool seal_global_required;
12568     + bool seal_required;
12569     + bool seal_explicitly_set;
12570     +
12571     NTSTATUS result;
12572     };
12573    
12574     @@ -868,6 +884,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
12575     bool schannel_global_required = (schannel == true);
12576     bool schannel_required = schannel_global_required;
12577     const char *explicit_opt = NULL;
12578     + bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
12579     + bool require_seal = global_require_seal;
12580     + const char *explicit_seal_opt = NULL;
12581     #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
12582     struct dcesrv_netr_check_schannel_state *s = NULL;
12583     NTSTATUS status;
12584     @@ -905,6 +924,19 @@ new_state:
12585     s->auth_level = auth_level;
12586     s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
12587    
12588     + /*
12589     + * We don't use lpcfg_parm_bool(), as we
12590     + * need the explicit_opt pointer in order to
12591     + * adjust the debug messages.
12592     + */
12593     + explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
12594     + NULL,
12595     + "server schannel require seal",
12596     + creds->account_name);
12597     + if (explicit_seal_opt != NULL) {
12598     + require_seal = lp_bool(explicit_seal_opt);
12599     + }
12600     +
12601     /*
12602     * We don't use lpcfg_parm_bool(), as we
12603     * need the explicit_opt pointer in order to
12604     @@ -922,6 +954,10 @@ new_state:
12605     s->schannel_required = schannel_required;
12606     s->schannel_explicitly_set = explicit_opt != NULL;
12607    
12608     + s->seal_global_required = global_require_seal;
12609     + s->seal_required = require_seal;
12610     + s->seal_explicitly_set = explicit_seal_opt != NULL;
12611     +
12612     status = dcesrv_iface_state_store_conn(dce_call,
12613     DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12614     s);
12615     @@ -943,6 +979,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12616     "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
12617     int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
12618     "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
12619     + int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
12620     + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
12621     + int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
12622     + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
12623     TALLOC_CTX *frame = talloc_stackframe();
12624     unsigned int dbg_lvl = DBGLVL_DEBUG;
12625     const char *opname = "<unknown>";
12626     @@ -972,18 +1012,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12627     }
12628    
12629     DEBUG(dbg_lvl, (
12630     - "CVE-2020-1472(ZeroLogon): "
12631     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12632     + "%s request (opnum[%u]) %s schannel from "
12633     + "client_account[%s] client_computer_name[%s] %s\n",
12634     + opname, opnum, reason,
12635     + log_escape(frame, creds->account_name),
12636     + log_escape(frame, creds->computer_name),
12637     + nt_errstr(s->result)));
12638     + TALLOC_FREE(frame);
12639     + return s->result;
12640     + }
12641     +
12642     + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
12643     + s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
12644     + {
12645     + s->result = NT_STATUS_OK;
12646     +
12647     + if (s->schannel_explicitly_set && !s->schannel_required) {
12648     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
12649     + } else if (!s->schannel_required) {
12650     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12651     + }
12652     + if (s->seal_explicitly_set && !s->seal_required) {
12653     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
12654     + } else if (!s->seal_required) {
12655     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12656     + }
12657     +
12658     + DEBUG(dbg_lvl, (
12659     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12660     "%s request (opnum[%u]) %s schannel from "
12661     "client_account[%s] client_computer_name[%s] %s\n",
12662     opname, opnum, reason,
12663     log_escape(frame, creds->account_name),
12664     log_escape(frame, creds->computer_name),
12665     nt_errstr(s->result)));
12666     +
12667     + if (s->schannel_explicitly_set && !s->schannel_required) {
12668     + DEBUG(CVE_2020_1472_warn_level, (
12669     + "CVE-2020-1472(ZeroLogon): "
12670     + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
12671     + log_escape(frame, creds->account_name),
12672     + log_escape(frame, creds->computer_name)));
12673     + }
12674     +
12675     + if (s->seal_explicitly_set && !s->seal_required) {
12676     + DEBUG(CVE_2022_38023_warn_level, (
12677     + "CVE-2022-38023: "
12678     + "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
12679     + log_escape(frame, creds->account_name),
12680     + log_escape(frame, creds->computer_name)));
12681     + }
12682     +
12683     TALLOC_FREE(frame);
12684     return s->result;
12685     }
12686    
12687     if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12688     + if (s->seal_required) {
12689     + s->result = NT_STATUS_ACCESS_DENIED;
12690     +
12691     + if (s->seal_explicitly_set) {
12692     + dbg_lvl = DBGLVL_NOTICE;
12693     + } else {
12694     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12695     + }
12696     + if (s->schannel_explicitly_set && !s->schannel_required) {
12697     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
12698     + }
12699     +
12700     + DEBUG(dbg_lvl, (
12701     + "CVE-2022-38023: "
12702     + "%s request (opnum[%u]) %s schannel from "
12703     + "from client_account[%s] client_computer_name[%s] %s\n",
12704     + opname, opnum, reason,
12705     + log_escape(frame, creds->account_name),
12706     + log_escape(frame, creds->computer_name),
12707     + nt_errstr(s->result)));
12708     + if (s->seal_explicitly_set) {
12709     + D_NOTICE("CVE-2022-38023: Option "
12710     + "'server schannel require seal:%s = yes' "
12711     + "rejects access for client.\n",
12712     + log_escape(frame, creds->account_name));
12713     + } else {
12714     + DEBUG(CVE_2020_1472_error_level, (
12715     + "CVE-2022-38023: Check if option "
12716     + "'server schannel require seal:%s = no' "
12717     + "might be needed for a legacy client.\n",
12718     + log_escape(frame, creds->account_name)));
12719     + }
12720     + if (s->schannel_explicitly_set && !s->schannel_required) {
12721     + DEBUG(CVE_2020_1472_warn_level, (
12722     + "CVE-2020-1472(ZeroLogon): Option "
12723     + "'server require schannel:%s = no' "
12724     + "not needed for '%s'!\n",
12725     + log_escape(frame, creds->account_name),
12726     + log_escape(frame, creds->computer_name)));
12727     + }
12728     + TALLOC_FREE(frame);
12729     + return s->result;
12730     + }
12731     +
12732     s->result = NT_STATUS_OK;
12733    
12734     if (s->schannel_explicitly_set && !s->schannel_required) {
12735     @@ -991,6 +1120,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12736     } else if (!s->schannel_required) {
12737     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12738     }
12739     + if (s->seal_explicitly_set && !s->seal_required) {
12740     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12741     + } else if (!s->seal_required) {
12742     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12743     + }
12744    
12745     DEBUG(dbg_lvl, (
12746     "CVE-2020-1472(ZeroLogon): "
12747     @@ -1007,11 +1141,81 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12748     log_escape(frame, creds->account_name),
12749     log_escape(frame, creds->computer_name)));
12750     }
12751     + if (s->seal_explicitly_set && !s->seal_required) {
12752     + D_INFO("CVE-2022-38023: "
12753     + "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
12754     + log_escape(frame, creds->account_name),
12755     + log_escape(frame, creds->computer_name));
12756     + } else if (!s->seal_required) {
12757     + /*
12758     + * admins should set
12759     + * server schannel require seal:COMPUTER$ = no
12760     + * in order to avoid the level 0 messages.
12761     + * Over time they can switch the global value
12762     + * to be strict.
12763     + */
12764     + DEBUG(CVE_2022_38023_error_level, (
12765     + "CVE-2022-38023: "
12766     + "Please use 'server schannel require seal:%s = no' "
12767     + "for '%s' to avoid this warning!\n",
12768     + log_escape(frame, creds->account_name),
12769     + log_escape(frame, creds->computer_name)));
12770     + }
12771    
12772     TALLOC_FREE(frame);
12773     return s->result;
12774     }
12775    
12776     + if (s->seal_required) {
12777     + s->result = NT_STATUS_ACCESS_DENIED;
12778     +
12779     + if (s->seal_explicitly_set) {
12780     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12781     + } else {
12782     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12783     + }
12784     + if (!s->schannel_explicitly_set) {
12785     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12786     + } else if (s->schannel_required) {
12787     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12788     + }
12789     +
12790     + DEBUG(dbg_lvl, (
12791     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12792     + "%s request (opnum[%u]) %s schannel from "
12793     + "from client_account[%s] client_computer_name[%s] %s\n",
12794     + opname, opnum, reason,
12795     + log_escape(frame, creds->account_name),
12796     + log_escape(frame, creds->computer_name),
12797     + nt_errstr(s->result)));
12798     + if (s->seal_explicitly_set) {
12799     + D_NOTICE("CVE-2022-38023: Option "
12800     + "'server schannel require seal:%s = yes' "
12801     + "rejects access for client.\n",
12802     + log_escape(frame, creds->account_name));
12803     + } else {
12804     + DEBUG(CVE_2022_38023_error_level, (
12805     + "CVE-2022-38023: Check if option "
12806     + "'server schannel require seal:%s = no' "
12807     + "might be needed for a legacy client.\n",
12808     + log_escape(frame, creds->account_name)));
12809     + }
12810     + if (!s->schannel_explicitly_set) {
12811     + DEBUG(CVE_2020_1472_error_level, (
12812     + "CVE-2020-1472(ZeroLogon): Check if option "
12813     + "'server require schannel:%s = no' "
12814     + "might be needed for a legacy client.\n",
12815     + log_escape(frame, creds->account_name)));
12816     + } else if (s->schannel_required) {
12817     + D_NOTICE("CVE-2022-38023: Option "
12818     + "'server require schannel:%s = yes' "
12819     + "also rejects access for client.\n",
12820     + log_escape(frame, creds->account_name));
12821     + }
12822     + TALLOC_FREE(frame);
12823     + return s->result;
12824     + }
12825     +
12826     if (s->schannel_required) {
12827     s->result = NT_STATUS_ACCESS_DENIED;
12828    
12829     @@ -1020,6 +1224,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12830     } else {
12831     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12832     }
12833     + if (!s->seal_explicitly_set) {
12834     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12835     + }
12836    
12837     DEBUG(dbg_lvl, (
12838     "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12839     @@ -1041,12 +1248,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12840     "might be needed for a legacy client.\n",
12841     log_escape(frame, creds->account_name)));
12842     }
12843     + if (!s->seal_explicitly_set) {
12844     + DEBUG(CVE_2022_38023_error_level, (
12845     + "CVE-2022-38023: Check if option "
12846     + "'server schannel require seal:%s = no' "
12847     + "might be needed for a legacy client.\n",
12848     + log_escape(frame, creds->account_name)));
12849     + }
12850     TALLOC_FREE(frame);
12851     return s->result;
12852     }
12853    
12854     s->result = NT_STATUS_OK;
12855    
12856     + if (s->seal_explicitly_set) {
12857     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12858     + } else {
12859     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12860     + }
12861     +
12862     if (s->schannel_explicitly_set) {
12863     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12864     } else {
12865     @@ -1062,6 +1282,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12866     log_escape(frame, creds->computer_name),
12867     nt_errstr(s->result)));
12868    
12869     + if (s->seal_explicitly_set) {
12870     + D_INFO("CVE-2022-38023: Option "
12871     + "'server schannel require seal:%s = no' "
12872     + "still needed for '%s'!\n",
12873     + log_escape(frame, creds->account_name),
12874     + log_escape(frame, creds->computer_name));
12875     + } else {
12876     + /*
12877     + * admins should set
12878     + * server schannel require seal:COMPUTER$ = no
12879     + * in order to avoid the level 0 messages.
12880     + * Over time they can switch the global value
12881     + * to be strict.
12882     + */
12883     + DEBUG(CVE_2022_38023_error_level, (
12884     + "CVE-2022-38023: Please use "
12885     + "'server schannel require seal:%s = no' "
12886     + "for '%s' to avoid this warning!\n",
12887     + log_escape(frame, creds->account_name),
12888     + log_escape(frame, creds->computer_name)));
12889     + }
12890     +
12891     if (s->schannel_explicitly_set) {
12892     D_INFO("CVE-2020-1472(ZeroLogon): Option "
12893     "'server require schannel:%s = no' "
12894     --
12895     2.39.0
12896    
12897    
12898     From fe38dc0186d3505db4c105f78dc46c2270c43240 Mon Sep 17 00:00:00 2001
12899     From: Stefan Metzmacher <metze@samba.org>
12900     Date: Wed, 30 Nov 2022 15:13:47 +0100
12901     Subject: [PATCH 129/142] CVE-2022-38023 testparm: warn about server/client
12902     schannel != yes
12903    
12904     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12905    
12906     Signed-off-by: Stefan Metzmacher <metze@samba.org>
12907     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12908     Reviewed-by: Ralph Boehme <slow@samba.org>
12909     (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
12910     ---
12911     source3/utils/testparm.c | 21 +++++++++++++++++++++
12912     1 file changed, 21 insertions(+)
12913    
12914     diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
12915     index c673ef71a92..aa990b729d7 100644
12916     --- a/source3/utils/testparm.c
12917     +++ b/source3/utils/testparm.c
12918     @@ -522,6 +522,27 @@ static int do_global_checks(void)
12919     ret = 1;
12920     }
12921    
12922     + if (lp_server_schannel() != true) { /* can be 'auto' */
12923     + fprintf(stderr,
12924     + "WARNING: You have not configured "
12925     + "'server schannel = yes' (the default). "
12926     + "Your server is vulernable to \"ZeroLogon\" "
12927     + "(CVE-2020-1472)\n"
12928     + "If required use individual "
12929     + "'server require schannel:COMPUTERACCOUNT$ = no' "
12930     + "options\n\n");
12931     + }
12932     + if (lp_client_schannel() != true) { /* can be 'auto' */
12933     + fprintf(stderr,
12934     + "WARNING: You have not configured "
12935     + "'client schannel = yes' (the default). "
12936     + "Your server is vulernable to \"ZeroLogon\" "
12937     + "(CVE-2020-1472)\n"
12938     + "If required use individual "
12939     + "'client schannel:NETBIOSDOMAIN = no' "
12940     + "options\n\n");
12941     + }
12942     +
12943     return ret;
12944     }
12945    
12946     --
12947     2.39.0
12948    
12949    
12950     From c870a61377d0245a3fd25f5d5c8663d965fe469a Mon Sep 17 00:00:00 2001
12951     From: Stefan Metzmacher <metze@samba.org>
12952     Date: Tue, 6 Dec 2022 13:36:17 +0100
12953     Subject: [PATCH 130/142] CVE-2022-38023 testparm: warn about unsecure schannel
12954     related options
12955    
12956     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12957    
12958     Signed-off-by: Stefan Metzmacher <metze@samba.org>
12959     Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12960     Reviewed-by: Ralph Boehme <slow@samba.org>
12961     (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
12962     ---
12963     source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++
12964     1 file changed, 61 insertions(+)
12965    
12966     diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
12967     index aa990b729d7..f9253d323aa 100644
12968     --- a/source3/utils/testparm.c
12969     +++ b/source3/utils/testparm.c
12970     @@ -532,6 +532,37 @@ static int do_global_checks(void)
12971     "'server require schannel:COMPUTERACCOUNT$ = no' "
12972     "options\n\n");
12973     }
12974     + if (lp_allow_nt4_crypto()) {
12975     + fprintf(stderr,
12976     + "WARNING: You have not configured "
12977     + "'allow nt4 crypto = no' (the default). "
12978     + "Your server is vulernable to "
12979     + "CVE-2022-38023 and others!\n"
12980     + "If required use individual "
12981     + "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
12982     + "options\n\n");
12983     + }
12984     + if (!lp_reject_md5_clients()) {
12985     + fprintf(stderr,
12986     + "WARNING: You have not configured "
12987     + "'reject md5 clients = yes' (the default). "
12988     + "Your server is vulernable to "
12989     + "CVE-2022-38023!\n"
12990     + "If required use individual "
12991     + "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
12992     + "options\n\n");
12993     + }
12994     + if (!lp_server_schannel_require_seal()) {
12995     + fprintf(stderr,
12996     + "WARNING: You have not configured "
12997     + "'server schannel require seal = yes' (the default). "
12998     + "Your server is vulernable to "
12999     + "CVE-2022-38023!\n"
13000     + "If required use individual "
13001     + "'server schannel require seal:COMPUTERACCOUNT$ = no' "
13002     + "options\n\n");
13003     + }
13004     +
13005     if (lp_client_schannel() != true) { /* can be 'auto' */
13006     fprintf(stderr,
13007     "WARNING: You have not configured "
13008     @@ -542,6 +573,36 @@ static int do_global_checks(void)
13009     "'client schannel:NETBIOSDOMAIN = no' "
13010     "options\n\n");
13011     }
13012     + if (!lp_reject_md5_servers()) {
13013     + fprintf(stderr,
13014     + "WARNING: You have not configured "
13015     + "'reject md5 servers = yes' (the default). "
13016     + "Your server is vulernable to "
13017     + "CVE-2022-38023\n"
13018     + "If required use individual "
13019     + "'reject md5 servers:NETBIOSDOMAIN = no' "
13020     + "options\n\n");
13021     + }
13022     + if (!lp_require_strong_key()) {
13023     + fprintf(stderr,
13024     + "WARNING: You have not configured "
13025     + "'require strong key = yes' (the default). "
13026     + "Your server is vulernable to "
13027     + "CVE-2022-38023\n"
13028     + "If required use individual "
13029     + "'require strong key:NETBIOSDOMAIN = no' "
13030     + "options\n\n");
13031     + }
13032     + if (!lp_winbind_sealed_pipes()) {
13033     + fprintf(stderr,
13034     + "WARNING: You have not configured "
13035     + "'winbind sealed pipes = yes' (the default). "
13036     + "Your server is vulernable to "
13037     + "CVE-2022-38023\n"
13038     + "If required use individual "
13039     + "'winbind sealed pipes:NETBIOSDOMAIN = no' "
13040     + "options\n\n");
13041     + }
13042    
13043     return ret;
13044     }
13045     --
13046     2.39.0
13047    
13048    
13049     From 938168a5f7c3225562ed772bf8a9bbecc0badb62 Mon Sep 17 00:00:00 2001
13050     From: Andreas Schneider <asn@samba.org>
13051     Date: Mon, 12 Sep 2022 16:31:05 +0200
13052     Subject: [PATCH 131/142] s3:auth: Flush the GETPWSID in memory cache for NTLM
13053     auth
13054    
13055     Example valgrind output:
13056    
13057     ==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
13058     ==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
13059     ==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
13060     ==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
13061     ==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
13062     ==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
13063     ==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
13064     ==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
13065     ==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
13066     ==22502== by 0x14E464: ??? (in /usr/sbin/winbindd)
13067     ==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
13068     ==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
13069     ==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd)
13070     ==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
13071     ==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
13072     ==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
13073     ==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
13074     ==22502== by 0x16A243: ??? (in /usr/sbin/winbindd)
13075     ==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd)
13076     ==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
13077     ==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
13078     ==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
13079     ==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
13080     ==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
13081     ==22502== by 0x12F4C7: main (in /usr/sbin/winbindd)
13082    
13083     You can find one for each string in pdb_copy_sam_account(), in total
13084     this already has 67 MB in total for this valgrind run.
13085    
13086     pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
13087    
13088     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
13089    
13090     Signed-off-by: Andreas Schneider <asn@samba.org>
13091     Reviewed-by: Jeremy Allison <jra@samba.org>
13092    
13093     Autobuild-User(master): Jeremy Allison <jra@samba.org>
13094     Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
13095    
13096     (cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903)
13097     ---
13098     source3/auth/check_samsec.c | 8 ++++++--
13099     1 file changed, 6 insertions(+), 2 deletions(-)
13100    
13101     diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
13102     index 53b6da53dc1..4276c3060ed 100644
13103     --- a/source3/auth/check_samsec.c
13104     +++ b/source3/auth/check_samsec.c
13105     @@ -24,6 +24,7 @@
13106     #include "auth.h"
13107     #include "../libcli/auth/libcli_auth.h"
13108     #include "passdb.h"
13109     +#include "lib/util/memcache.h"
13110    
13111     #undef DBGC_CLASS
13112     #define DBGC_CLASS DBGC_AUTH
13113     @@ -487,8 +488,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
13114     nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
13115     unbecome_root();
13116    
13117     - TALLOC_FREE(sampass);
13118     -
13119     if (!NT_STATUS_IS_OK(nt_status)) {
13120     DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
13121     goto done;
13122     @@ -507,6 +506,11 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
13123     (*server_info)->nss_token |= user_info->was_mapped;
13124    
13125     done:
13126     + /*
13127     + * Always flush the getpwsid cache or this will grow indefinetly for
13128     + * each NTLM auththentication.
13129     + */
13130     + memcache_flush(NULL, PDB_GETPWSID_CACHE);
13131     TALLOC_FREE(sampass);
13132     data_blob_free(&user_sess_key);
13133     data_blob_free(&lm_sess_key);
13134     --
13135     2.39.0
13136    
13137    
13138     From 296612a8c1dda253e1f2c0618f1f8330e2e23b34 Mon Sep 17 00:00:00 2001
13139     From: Samuel Cabrero <scabrero@suse.de>
13140     Date: Thu, 22 Dec 2022 16:46:15 +0100
13141     Subject: [PATCH 132/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
13142     schannel = auto'
13143    
13144     Instead of using the generic deprecated option use the specific
13145     server require schannel:COMPUTERACCOUNT = no in order to allow
13146     legacy tests for pass.
13147    
13148     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13149    
13150     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13151     Reviewed-by: Andreas Schneider <asn@samba.org>
13152     (cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc)
13153     ---
13154     selftest/target/Samba3.pm | 17 ++++++++++++++++-
13155     1 file changed, 16 insertions(+), 1 deletion(-)
13156    
13157     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
13158     index 7034127ef0b..0c14f02be11 100755
13159     --- a/selftest/target/Samba3.pm
13160     +++ b/selftest/target/Samba3.pm
13161     @@ -199,7 +199,6 @@ sub setup_nt4_dc
13162     lanman auth = yes
13163     ntlm auth = yes
13164     raw NTLMv2 auth = yes
13165     - server schannel = auto
13166    
13167     rpc_server:epmapper = external
13168     rpc_server:spoolss = external
13169     @@ -213,6 +212,22 @@ sub setup_nt4_dc
13170     rpc_daemon:spoolssd = fork
13171     rpc_daemon:lsasd = fork
13172     rpc_daemon:fssd = fork
13173     +
13174     + CVE_2020_1472:warn_about_unused_debug_level = 3
13175     + server require schannel:schannel0\$ = no
13176     + server require schannel:schannel1\$ = no
13177     + server require schannel:schannel2\$ = no
13178     + server require schannel:schannel3\$ = no
13179     + server require schannel:schannel4\$ = no
13180     + server require schannel:schannel5\$ = no
13181     + server require schannel:schannel6\$ = no
13182     + server require schannel:schannel7\$ = no
13183     + server require schannel:schannel8\$ = no
13184     + server require schannel:schannel9\$ = no
13185     + server require schannel:schannel10\$ = no
13186     + server require schannel:schannel11\$ = no
13187     + server require schannel:torturetest\$ = no
13188     +
13189     fss: sequence timeout = 1
13190     check parent directory delete on close = yes
13191     ";
13192     --
13193     2.39.0
13194    
13195    
13196     From 1a90fc7cbc4054f9815ffaca710b5bdba0dffd6f Mon Sep 17 00:00:00 2001
13197     From: Samuel Cabrero <scabrero@suse.de>
13198     Date: Thu, 22 Dec 2022 11:33:12 +0100
13199     Subject: [PATCH 133/142] CVE-2022-38023 s3:rpc_server/netlogon: add
13200     talloc_stackframe() to dcesrv_netr_creds_server_step_check()
13201    
13202     This will simplify the following changes.
13203    
13204     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13205    
13206     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13207     ---
13208     source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++---------
13209     1 file changed, 22 insertions(+), 16 deletions(-)
13210    
13211     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13212     index 7f6704adbda..f9b674d0052 100644
13213     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13214     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13215     @@ -1071,6 +1071,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13216     struct netr_Authenticator *return_authenticator,
13217     struct netlogon_creds_CredentialState **creds_out)
13218     {
13219     + TALLOC_CTX *frame = talloc_stackframe();
13220     NTSTATUS status;
13221     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13222     bool schannel_required = schannel_global_required;
13223     @@ -1092,19 +1093,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13224    
13225     auth_type = p->auth.auth_type;
13226    
13227     - lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
13228     + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13229     if (lp_ctx == NULL) {
13230     DEBUG(0, ("loadparm_init_s3 failed\n"));
13231     + TALLOC_FREE(frame);
13232     return NT_STATUS_INTERNAL_ERROR;
13233     }
13234    
13235     status = schannel_check_creds_state(mem_ctx, lp_ctx,
13236     computer_name, received_authenticator,
13237     return_authenticator, &creds);
13238     - talloc_unlink(mem_ctx, lp_ctx);
13239     -
13240     if (!NT_STATUS_IS_OK(status)) {
13241     ZERO_STRUCTP(return_authenticator);
13242     + TALLOC_FREE(frame);
13243     return status;
13244     }
13245    
13246     @@ -1125,6 +1126,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13247     if (schannel_required) {
13248     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13249     *creds_out = creds;
13250     + TALLOC_FREE(frame);
13251     return NT_STATUS_OK;
13252     }
13253    
13254     @@ -1132,13 +1134,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13255     "%s request (opnum[%u]) without schannel from "
13256     "client_account[%s] client_computer_name[%s]\n",
13257     opname, opnum,
13258     - log_escape(mem_ctx, creds->account_name),
13259     - log_escape(mem_ctx, creds->computer_name));
13260     + log_escape(frame, creds->account_name),
13261     + log_escape(frame, creds->computer_name));
13262     DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13263     - "'server require schannel:%s = no' is needed! \n",
13264     - log_escape(mem_ctx, creds->account_name));
13265     + "'server require schannel:%s = no' "
13266     + "might be needed for a legacy client.\n",
13267     + log_escape(frame, creds->account_name));
13268     TALLOC_FREE(creds);
13269     ZERO_STRUCTP(return_authenticator);
13270     + TALLOC_FREE(frame);
13271     return NT_STATUS_ACCESS_DENIED;
13272     }
13273    
13274     @@ -1157,13 +1161,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13275     "%s request (opnum[%u]) WITH schannel from "
13276     "client_account[%s] client_computer_name[%s]\n",
13277     opname, opnum,
13278     - log_escape(mem_ctx, creds->account_name),
13279     - log_escape(mem_ctx, creds->computer_name));
13280     + log_escape(frame, creds->account_name),
13281     + log_escape(frame, creds->computer_name));
13282     DBG_ERR("CVE-2020-1472(ZeroLogon): "
13283     "Option 'server require schannel:%s = no' not needed!?\n",
13284     - log_escape(mem_ctx, creds->account_name));
13285     + log_escape(frame, creds->account_name));
13286    
13287     *creds_out = creds;
13288     + TALLOC_FREE(frame);
13289     return NT_STATUS_OK;
13290     }
13291    
13292     @@ -1172,24 +1177,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13293     "%s request (opnum[%u]) without schannel from "
13294     "client_account[%s] client_computer_name[%s]\n",
13295     opname, opnum,
13296     - log_escape(mem_ctx, creds->account_name),
13297     - log_escape(mem_ctx, creds->computer_name));
13298     + log_escape(frame, creds->account_name),
13299     + log_escape(frame, creds->computer_name));
13300     DBG_INFO("CVE-2020-1472(ZeroLogon): "
13301     "Option 'server require schannel:%s = no' still needed!\n",
13302     - log_escape(mem_ctx, creds->account_name));
13303     + log_escape(frame, creds->account_name));
13304     } else {
13305     DBG_ERR("CVE-2020-1472(ZeroLogon): "
13306     "%s request (opnum[%u]) without schannel from "
13307     "client_account[%s] client_computer_name[%s]\n",
13308     opname, opnum,
13309     - log_escape(mem_ctx, creds->account_name),
13310     - log_escape(mem_ctx, creds->computer_name));
13311     + log_escape(frame, creds->account_name),
13312     + log_escape(frame, creds->computer_name));
13313     DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13314     "'server require schannel:%s = no' might be needed!\n",
13315     - log_escape(mem_ctx, creds->account_name));
13316     + log_escape(frame, creds->account_name));
13317     }
13318    
13319     *creds_out = creds;
13320     + TALLOC_FREE(frame);
13321     return NT_STATUS_OK;
13322     }
13323    
13324     --
13325     2.39.0
13326    
13327    
13328     From d3e503e670501186fcce9702b72cda3b03afc0cf Mon Sep 17 00:00:00 2001
13329     From: Samuel Cabrero <scabrero@suse.de>
13330     Date: Wed, 21 Dec 2022 18:17:57 +0100
13331     Subject: [PATCH 134/142] CVE-2022-38023 s3:rpc_server/netlogon: re-order
13332     checking in netr_creds_server_step_check()
13333    
13334     This will simplify the following changes.
13335    
13336     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13337    
13338     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13339     ---
13340     source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++-----------
13341     1 file changed, 19 insertions(+), 21 deletions(-)
13342    
13343     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13344     index f9b674d0052..b42794eea8d 100644
13345     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13346     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13347     @@ -1123,13 +1123,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13348     schannel_required = lp_bool(explicit_opt);
13349     }
13350    
13351     - if (schannel_required) {
13352     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13353     - *creds_out = creds;
13354     - TALLOC_FREE(frame);
13355     - return NT_STATUS_OK;
13356     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13357     + if (!schannel_required) {
13358     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
13359     + "%s request (opnum[%u]) WITH schannel from "
13360     + "client_account[%s] client_computer_name[%s]\n",
13361     + opname, opnum,
13362     + log_escape(frame, creds->account_name),
13363     + log_escape(frame, creds->computer_name));
13364     + }
13365     + if (explicit_opt != NULL && !schannel_required) {
13366     + DBG_ERR("CVE-2020-1472(ZeroLogon): "
13367     + "Option 'server require schannel:%s = no' not needed!?\n",
13368     + log_escape(frame, creds->account_name));
13369     }
13370    
13371     + *creds_out = creds;
13372     + TALLOC_FREE(frame);
13373     + return NT_STATUS_OK;
13374     + }
13375     +
13376     + if (schannel_required) {
13377     DBG_ERR("CVE-2020-1472(ZeroLogon): "
13378     "%s request (opnum[%u]) without schannel from "
13379     "client_account[%s] client_computer_name[%s]\n",
13380     @@ -1156,22 +1170,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13381     warned_global_once = true;
13382     }
13383    
13384     - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13385     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13386     - "%s request (opnum[%u]) WITH schannel from "
13387     - "client_account[%s] client_computer_name[%s]\n",
13388     - opname, opnum,
13389     - log_escape(frame, creds->account_name),
13390     - log_escape(frame, creds->computer_name));
13391     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13392     - "Option 'server require schannel:%s = no' not needed!?\n",
13393     - log_escape(frame, creds->account_name));
13394     -
13395     - *creds_out = creds;
13396     - TALLOC_FREE(frame);
13397     - return NT_STATUS_OK;
13398     - }
13399     -
13400     if (explicit_opt != NULL) {
13401     DBG_INFO("CVE-2020-1472(ZeroLogon): "
13402     "%s request (opnum[%u]) without schannel from "
13403     --
13404     2.39.0
13405    
13406    
13407     From 44de3ae0d4b6f1a728124429dfc748c538714a05 Mon Sep 17 00:00:00 2001
13408     From: Samuel Cabrero <scabrero@suse.de>
13409     Date: Thu, 22 Dec 2022 11:35:57 +0100
13410     Subject: [PATCH 135/142] CVE-2022-38023 s3:rpc_server/netlogon: improve
13411     CVE-2020-1472(ZeroLogon) debug messages
13412    
13413     In order to avoid generating useless debug messages during make test,
13414     we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
13415     and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
13416    
13417     Review with: git show -w
13418    
13419     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13420    
13421     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13422     ---
13423     source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------
13424     1 file changed, 109 insertions(+), 40 deletions(-)
13425    
13426     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13427     index b42794eea8d..1d261c9a639 100644
13428     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13429     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13430     @@ -1078,9 +1078,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13431     const char *explicit_opt = NULL;
13432     struct loadparm_context *lp_ctx;
13433     struct netlogon_creds_CredentialState *creds = NULL;
13434     + int CVE_2020_1472_warn_level = DBGLVL_ERR;
13435     + int CVE_2020_1472_error_level = DBGLVL_ERR;
13436     + unsigned int dbg_lvl = DBGLVL_DEBUG;
13437     enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13438     + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13439     uint16_t opnum = p->opnum;
13440     const char *opname = "<unknown>";
13441     + const char *reason = "<unknown>";
13442     static bool warned_global_once = false;
13443    
13444     if (creds_out != NULL) {
13445     @@ -1092,6 +1097,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13446     }
13447    
13448     auth_type = p->auth.auth_type;
13449     + auth_level = p->auth.auth_level;
13450    
13451     lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13452     if (lp_ctx == NULL) {
13453     @@ -1100,6 +1106,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13454     return NT_STATUS_INTERNAL_ERROR;
13455     }
13456    
13457     + CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
13458     + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13459     + CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
13460     + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13461     +
13462     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13463     + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
13464     + reason = "WITH SEALED";
13465     + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
13466     + reason = "WITH SIGNED";
13467     + } else {
13468     + smb_panic("Schannel without SIGN/SEAL");
13469     + }
13470     + } else {
13471     + reason = "WITHOUT";
13472     + }
13473     +
13474     status = schannel_check_creds_state(mem_ctx, lp_ctx,
13475     computer_name, received_authenticator,
13476     return_authenticator, &creds);
13477     @@ -1124,40 +1147,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13478     }
13479    
13480     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13481     - if (!schannel_required) {
13482     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13483     - "%s request (opnum[%u]) WITH schannel from "
13484     - "client_account[%s] client_computer_name[%s]\n",
13485     - opname, opnum,
13486     - log_escape(frame, creds->account_name),
13487     - log_escape(frame, creds->computer_name));
13488     + status = NT_STATUS_OK;
13489     +
13490     + if (explicit_opt != NULL && !schannel_required) {
13491     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
13492     + } else if (!schannel_required) {
13493     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
13494     }
13495     +
13496     + DEBUG(dbg_lvl, (
13497     + "CVE-2020-1472(ZeroLogon): "
13498     + "%s request (opnum[%u]) %s schannel from "
13499     + "client_account[%s] client_computer_name[%s] %s\n",
13500     + opname, opnum, reason,
13501     + log_escape(frame, creds->account_name),
13502     + log_escape(frame, creds->computer_name),
13503     + nt_errstr(status)));
13504     +
13505     if (explicit_opt != NULL && !schannel_required) {
13506     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13507     - "Option 'server require schannel:%s = no' not needed!?\n",
13508     - log_escape(frame, creds->account_name));
13509     + DEBUG(CVE_2020_1472_warn_level, (
13510     + "CVE-2020-1472(ZeroLogon): "
13511     + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
13512     + log_escape(frame, creds->account_name),
13513     + log_escape(frame, creds->computer_name)));
13514     }
13515    
13516     *creds_out = creds;
13517     TALLOC_FREE(frame);
13518     - return NT_STATUS_OK;
13519     + return status;
13520     }
13521    
13522     if (schannel_required) {
13523     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13524     - "%s request (opnum[%u]) without schannel from "
13525     - "client_account[%s] client_computer_name[%s]\n",
13526     - opname, opnum,
13527     - log_escape(frame, creds->account_name),
13528     - log_escape(frame, creds->computer_name));
13529     - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13530     - "'server require schannel:%s = no' "
13531     - "might be needed for a legacy client.\n",
13532     - log_escape(frame, creds->account_name));
13533     + status = NT_STATUS_ACCESS_DENIED;
13534     +
13535     + if (explicit_opt != NULL) {
13536     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
13537     + } else {
13538     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
13539     + }
13540     +
13541     + DEBUG(dbg_lvl, (
13542     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
13543     + "%s request (opnum[%u]) %s schannel from "
13544     + "client_account[%s] client_computer_name[%s] %s\n",
13545     + opname, opnum, reason,
13546     + log_escape(frame, creds->account_name),
13547     + log_escape(frame, creds->computer_name),
13548     + nt_errstr(status)));
13549     + if (explicit_opt != NULL) {
13550     + D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
13551     + "'server require schannel:%s = yes' "
13552     + "rejects access for client.\n",
13553     + log_escape(frame, creds->account_name));
13554     + } else {
13555     + DEBUG(CVE_2020_1472_error_level, (
13556     + "CVE-2020-1472(ZeroLogon): Check if option "
13557     + "'server require schannel:%s = no' "
13558     + "might be needed for a legacy client.\n",
13559     + log_escape(frame, creds->account_name)));
13560     + }
13561     TALLOC_FREE(creds);
13562     ZERO_STRUCTP(return_authenticator);
13563     TALLOC_FREE(frame);
13564     - return NT_STATUS_ACCESS_DENIED;
13565     + return status;
13566     }
13567    
13568     if (!schannel_global_required && !warned_global_once) {
13569     @@ -1170,26 +1222,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13570     warned_global_once = true;
13571     }
13572    
13573     + status = NT_STATUS_OK;
13574     +
13575     if (explicit_opt != NULL) {
13576     - DBG_INFO("CVE-2020-1472(ZeroLogon): "
13577     - "%s request (opnum[%u]) without schannel from "
13578     - "client_account[%s] client_computer_name[%s]\n",
13579     - opname, opnum,
13580     - log_escape(frame, creds->account_name),
13581     - log_escape(frame, creds->computer_name));
13582     - DBG_INFO("CVE-2020-1472(ZeroLogon): "
13583     - "Option 'server require schannel:%s = no' still needed!\n",
13584     - log_escape(frame, creds->account_name));
13585     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
13586     } else {
13587     - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13588     - "%s request (opnum[%u]) without schannel from "
13589     - "client_account[%s] client_computer_name[%s]\n",
13590     - opname, opnum,
13591     - log_escape(frame, creds->account_name),
13592     - log_escape(frame, creds->computer_name));
13593     - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13594     - "'server require schannel:%s = no' might be needed!\n",
13595     - log_escape(frame, creds->account_name));
13596     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
13597     + }
13598     +
13599     + DEBUG(dbg_lvl, (
13600     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
13601     + "%s request (opnum[%u]) %s schannel from "
13602     + "client_account[%s] client_computer_name[%s] %s\n",
13603     + opname, opnum, reason,
13604     + log_escape(frame, creds->account_name),
13605     + log_escape(frame, creds->computer_name),
13606     + nt_errstr(status)));
13607     +
13608     + if (explicit_opt != NULL) {
13609     + D_INFO("CVE-2020-1472(ZeroLogon): Option "
13610     + "'server require schannel:%s = no' "
13611     + "still needed for '%s'!\n",
13612     + log_escape(frame, creds->account_name),
13613     + log_escape(frame, creds->computer_name));
13614     + } else {
13615     + /*
13616     + * admins should set
13617     + * server require schannel:COMPUTER$ = no
13618     + * in order to avoid the level 0 messages.
13619     + * Over time they can switch the global value
13620     + * to be strict.
13621     + */
13622     + DEBUG(CVE_2020_1472_error_level, (
13623     + "CVE-2020-1472(ZeroLogon): "
13624     + "Please use 'server require schannel:%s = no' "
13625     + "for '%s' to avoid this warning!\n",
13626     + log_escape(frame, creds->account_name),
13627     + log_escape(frame, creds->computer_name)));
13628     }
13629    
13630     *creds_out = creds;
13631     --
13632     2.39.0
13633    
13634    
13635     From 7e0bfe3db2b4d274b3bf2e5f011ae8207ce6f4ab Mon Sep 17 00:00:00 2001
13636     From: Samuel Cabrero <scabrero@suse.de>
13637     Date: Wed, 21 Dec 2022 18:37:05 +0100
13638     Subject: [PATCH 136/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
13639     schannel = auto'
13640    
13641     Instead of using the generic deprecated option use the specific
13642     server require schannel:COMPUTERACCOUNT = no in order to allow
13643     legacy tests for pass.
13644    
13645     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13646    
13647     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13648     ---
13649     selftest/target/Samba3.pm | 21 ++++++++++++++++++---
13650     1 file changed, 18 insertions(+), 3 deletions(-)
13651    
13652     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
13653     index 0c14f02be11..e8a4c3bbbb6 100755
13654     --- a/selftest/target/Samba3.pm
13655     +++ b/selftest/target/Samba3.pm
13656     @@ -140,7 +140,7 @@ sub getlog_env_app($$$)
13657     close(LOG);
13658    
13659     return "" if $out eq $title;
13660     -
13661     +
13662     return $out;
13663     }
13664    
13665     @@ -200,6 +200,21 @@ sub setup_nt4_dc
13666     ntlm auth = yes
13667     raw NTLMv2 auth = yes
13668    
13669     + CVE_2020_1472:warn_about_unused_debug_level = 3
13670     + server require schannel:schannel0\$ = no
13671     + server require schannel:schannel1\$ = no
13672     + server require schannel:schannel2\$ = no
13673     + server require schannel:schannel3\$ = no
13674     + server require schannel:schannel4\$ = no
13675     + server require schannel:schannel5\$ = no
13676     + server require schannel:schannel6\$ = no
13677     + server require schannel:schannel7\$ = no
13678     + server require schannel:schannel8\$ = no
13679     + server require schannel:schannel9\$ = no
13680     + server require schannel:schannel10\$ = no
13681     + server require schannel:schannel11\$ = no
13682     + server require schannel:torturetest\$ = no
13683     +
13684     rpc_server:epmapper = external
13685     rpc_server:spoolss = external
13686     rpc_server:lsarpc = external
13687     @@ -1588,7 +1603,7 @@ sub provision($$$$$$$$$)
13688     my $nmbdsockdir="$prefix_abs/nmbd";
13689     unlink($nmbdsockdir);
13690    
13691     - ##
13692     + ##
13693     ## create the test directory layout
13694     ##
13695     die ("prefix_abs = ''") if $prefix_abs eq "";
13696     @@ -2393,7 +2408,7 @@ sub provision($$$$$$$$$)
13697     unless (open(PASSWD, ">$nss_wrapper_passwd")) {
13698     warn("Unable to open $nss_wrapper_passwd");
13699     return undef;
13700     - }
13701     + }
13702     print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
13703     $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
13704     pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
13705     --
13706     2.39.0
13707    
13708    
13709     From 340bdcc92d979eb67d67e2a2d8056f939a011f37 Mon Sep 17 00:00:00 2001
13710     From: Samuel Cabrero <scabrero@suse.de>
13711     Date: Thu, 22 Dec 2022 11:42:51 +0100
13712     Subject: [PATCH 137/142] CVE-2022-38023 s3:rpc_server/netlogon: split out
13713     netr_check_schannel() function
13714    
13715     This will allow us to reuse the function in other places.
13716     As it will also get some additional checks soon.
13717    
13718     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13719    
13720     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13721     ---
13722     source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++--------
13723     1 file changed, 62 insertions(+), 45 deletions(-)
13724    
13725     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13726     index 1d261c9a639..eb364eaf29a 100644
13727     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13728     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13729     @@ -1064,53 +1064,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
13730     /*************************************************************************
13731     *************************************************************************/
13732    
13733     -static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13734     - TALLOC_CTX *mem_ctx,
13735     - const char *computer_name,
13736     - struct netr_Authenticator *received_authenticator,
13737     - struct netr_Authenticator *return_authenticator,
13738     - struct netlogon_creds_CredentialState **creds_out)
13739     +static NTSTATUS netr_check_schannel(struct pipes_struct *p,
13740     + const struct netlogon_creds_CredentialState *creds,
13741     + enum dcerpc_AuthType auth_type,
13742     + enum dcerpc_AuthLevel auth_level,
13743     + uint16_t opnum)
13744     {
13745     TALLOC_CTX *frame = talloc_stackframe();
13746     NTSTATUS status;
13747     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13748     bool schannel_required = schannel_global_required;
13749     const char *explicit_opt = NULL;
13750     - struct loadparm_context *lp_ctx;
13751     - struct netlogon_creds_CredentialState *creds = NULL;
13752     - int CVE_2020_1472_warn_level = DBGLVL_ERR;
13753     - int CVE_2020_1472_error_level = DBGLVL_ERR;
13754     + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
13755     + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13756     + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
13757     + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13758     unsigned int dbg_lvl = DBGLVL_DEBUG;
13759     - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13760     - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13761     - uint16_t opnum = p->opnum;
13762     const char *opname = "<unknown>";
13763     const char *reason = "<unknown>";
13764     static bool warned_global_once = false;
13765    
13766     - if (creds_out != NULL) {
13767     - *creds_out = NULL;
13768     - }
13769     -
13770     if (opnum < ndr_table_netlogon.num_calls) {
13771     opname = ndr_table_netlogon.calls[opnum].name;
13772     }
13773    
13774     - auth_type = p->auth.auth_type;
13775     - auth_level = p->auth.auth_level;
13776     -
13777     - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13778     - if (lp_ctx == NULL) {
13779     - DEBUG(0, ("loadparm_init_s3 failed\n"));
13780     - TALLOC_FREE(frame);
13781     - return NT_STATUS_INTERNAL_ERROR;
13782     - }
13783     -
13784     - CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
13785     - "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13786     - CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
13787     - "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13788     -
13789     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13790     if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
13791     reason = "WITH SEALED";
13792     @@ -1123,15 +1100,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13793     reason = "WITHOUT";
13794     }
13795    
13796     - status = schannel_check_creds_state(mem_ctx, lp_ctx,
13797     - computer_name, received_authenticator,
13798     - return_authenticator, &creds);
13799     - if (!NT_STATUS_IS_OK(status)) {
13800     - ZERO_STRUCTP(return_authenticator);
13801     - TALLOC_FREE(frame);
13802     - return status;
13803     - }
13804     -
13805     /*
13806     * We don't use lp_parm_bool(), as we
13807     * need the explicit_opt pointer in order to
13808     @@ -1172,7 +1140,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13809     log_escape(frame, creds->computer_name)));
13810     }
13811    
13812     - *creds_out = creds;
13813     TALLOC_FREE(frame);
13814     return status;
13815     }
13816     @@ -1206,8 +1173,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13817     "might be needed for a legacy client.\n",
13818     log_escape(frame, creds->account_name)));
13819     }
13820     - TALLOC_FREE(creds);
13821     - ZERO_STRUCTP(return_authenticator);
13822     TALLOC_FREE(frame);
13823     return status;
13824     }
13825     @@ -1261,11 +1226,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13826     log_escape(frame, creds->computer_name)));
13827     }
13828    
13829     - *creds_out = creds;
13830     TALLOC_FREE(frame);
13831     return NT_STATUS_OK;
13832     }
13833    
13834     +static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13835     + TALLOC_CTX *mem_ctx,
13836     + const char *computer_name,
13837     + struct netr_Authenticator *received_authenticator,
13838     + struct netr_Authenticator *return_authenticator,
13839     + struct netlogon_creds_CredentialState **creds_out)
13840     +{
13841     + struct loadparm_context *lp_ctx = NULL;
13842     + NTSTATUS status;
13843     + struct netlogon_creds_CredentialState *creds = NULL;
13844     + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13845     + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13846     + uint16_t opnum = p->opnum;
13847     +
13848     + if (creds_out != NULL) {
13849     + *creds_out = NULL;
13850     + }
13851     +
13852     + auth_type = p->auth.auth_type;
13853     + auth_level = p->auth.auth_level;
13854     +
13855     + lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
13856     + if (lp_ctx == NULL) {
13857     + DEBUG(0, ("loadparm_init_s3 failed\n"));
13858     + return NT_STATUS_INTERNAL_ERROR;
13859     + }
13860     +
13861     + status = schannel_check_creds_state(mem_ctx,
13862     + lp_ctx,
13863     + computer_name,
13864     + received_authenticator,
13865     + return_authenticator,
13866     + &creds);
13867     + TALLOC_FREE(lp_ctx);
13868     + if (!NT_STATUS_IS_OK(status)) {
13869     + ZERO_STRUCTP(return_authenticator);
13870     + return status;
13871     + }
13872     +
13873     + status = netr_check_schannel(p,
13874     + creds,
13875     + auth_type,
13876     + auth_level,
13877     + opnum);
13878     + if (!NT_STATUS_IS_OK(status)) {
13879     + TALLOC_FREE(creds);
13880     + ZERO_STRUCTP(return_authenticator);
13881     + return status;
13882     + }
13883     +
13884     + *creds_out = creds;
13885     + return NT_STATUS_OK;
13886     +}
13887    
13888     /*************************************************************************
13889     *************************************************************************/
13890     --
13891     2.39.0
13892    
13893    
13894     From 8b52bfc3bb274d7d1607b505c18b4ccafe25cad7 Mon Sep 17 00:00:00 2001
13895     From: Samuel Cabrero <scabrero@suse.de>
13896     Date: Thu, 22 Dec 2022 09:29:04 +0100
13897     Subject: [PATCH 138/142] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
13898     dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel()
13899    
13900     We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
13901     which are also required for dcesrv_netr_LogonSamLogonEx().
13902    
13903     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13904    
13905     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13906     ---
13907     source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++-----
13908     1 file changed, 23 insertions(+), 7 deletions(-)
13909    
13910     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13911     index eb364eaf29a..ca343d3e28a 100644
13912     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13913     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13914     @@ -1766,6 +1766,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
13915     struct auth_serversupplied_info *server_info = NULL;
13916     struct auth_context *auth_context = NULL;
13917     const char *fn;
13918     + enum dcerpc_AuthType auth_type = p->auth.auth_type;
13919     + enum dcerpc_AuthLevel auth_level = p->auth.auth_level;
13920    
13921     #ifdef DEBUG_PASSWORD
13922     logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
13923     @@ -1779,11 +1781,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
13924     switch (p->opnum) {
13925     case NDR_NETR_LOGONSAMLOGON:
13926     fn = "_netr_LogonSamLogon";
13927     + /*
13928     + * Already called netr_check_schannel() via
13929     + * netr_creds_server_step_check()
13930     + */
13931     break;
13932     case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
13933     fn = "_netr_LogonSamLogonWithFlags";
13934     + /*
13935     + * Already called netr_check_schannel() via
13936     + * netr_creds_server_step_check()
13937     + */
13938     break;
13939     case NDR_NETR_LOGONSAMLOGONEX:
13940     + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
13941     + return NT_STATUS_ACCESS_DENIED;
13942     + }
13943     +
13944     + status = netr_check_schannel(p,
13945     + creds,
13946     + auth_type,
13947     + auth_level,
13948     + p->opnum);
13949     + if (NT_STATUS_IS_ERR(status)) {
13950     + return status;
13951     + }
13952     +
13953     fn = "_netr_LogonSamLogonEx";
13954     break;
13955     default:
13956     @@ -2123,13 +2146,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
13957     return status;
13958     }
13959    
13960     - /* Only allow this if the pipe is protected. */
13961     - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
13962     - DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
13963     - get_remote_machine_name() ));
13964     - return NT_STATUS_INVALID_PARAMETER;
13965     - }
13966     -
13967     lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
13968     if (lp_ctx == NULL) {
13969     DEBUG(0, ("loadparm_init_s3 failed\n"));
13970     --
13971     2.39.0
13972    
13973    
13974     From 43dca97088ce82a5e346887b8078f346e8249929 Mon Sep 17 00:00:00 2001
13975     From: Samuel Cabrero <scabrero@suse.de>
13976     Date: Wed, 4 Jan 2023 17:23:41 +0100
13977     Subject: [PATCH 139/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
13978     variable
13979    
13980     This will simplify the following changes.
13981    
13982     Signed-off-by: Samuel Cabrero <scabrero@suse.de>
13983     ---
13984     source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++-------
13985     1 file changed, 9 insertions(+), 7 deletions(-)
13986    
13987     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13988     index ca343d3e28a..5500a421334 100644
13989     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13990     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13991     @@ -1072,9 +1072,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
13992     {
13993     TALLOC_CTX *frame = talloc_stackframe();
13994     NTSTATUS status;
13995     + const char *explicit_opt = NULL;
13996     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13997     bool schannel_required = schannel_global_required;
13998     - const char *explicit_opt = NULL;
13999     + bool schannel_explicitly_set = false;
14000     int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14001     "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
14002     int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14003     @@ -1113,11 +1114,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14004     if (explicit_opt != NULL) {
14005     schannel_required = lp_bool(explicit_opt);
14006     }
14007     + schannel_explicitly_set = explicit_opt != NULL;
14008    
14009     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
14010     status = NT_STATUS_OK;
14011    
14012     - if (explicit_opt != NULL && !schannel_required) {
14013     + if (schannel_explicitly_set && !schannel_required) {
14014     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
14015     } else if (!schannel_required) {
14016     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14017     @@ -1132,7 +1134,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14018     log_escape(frame, creds->computer_name),
14019     nt_errstr(status)));
14020    
14021     - if (explicit_opt != NULL && !schannel_required) {
14022     + if (schannel_explicitly_set && !schannel_required) {
14023     DEBUG(CVE_2020_1472_warn_level, (
14024     "CVE-2020-1472(ZeroLogon): "
14025     "Option 'server require schannel:%s = no' not needed for '%s'!\n",
14026     @@ -1147,7 +1149,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14027     if (schannel_required) {
14028     status = NT_STATUS_ACCESS_DENIED;
14029    
14030     - if (explicit_opt != NULL) {
14031     + if (schannel_explicitly_set) {
14032     dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14033     } else {
14034     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14035     @@ -1161,7 +1163,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14036     log_escape(frame, creds->account_name),
14037     log_escape(frame, creds->computer_name),
14038     nt_errstr(status)));
14039     - if (explicit_opt != NULL) {
14040     + if (schannel_explicitly_set) {
14041     D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
14042     "'server require schannel:%s = yes' "
14043     "rejects access for client.\n",
14044     @@ -1189,7 +1191,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14045    
14046     status = NT_STATUS_OK;
14047    
14048     - if (explicit_opt != NULL) {
14049     + if (schannel_explicitly_set) {
14050     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14051     } else {
14052     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14053     @@ -1204,7 +1206,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14054     log_escape(frame, creds->computer_name),
14055     nt_errstr(status)));
14056    
14057     - if (explicit_opt != NULL) {
14058     + if (schannel_explicitly_set) {
14059     D_INFO("CVE-2020-1472(ZeroLogon): Option "
14060     "'server require schannel:%s = no' "
14061     "still needed for '%s'!\n",
14062     --
14063     2.39.0
14064    
14065    
14066     From 4ae0a15ed4ebde7b1725f9ada406c179de238267 Mon Sep 17 00:00:00 2001
14067     From: Samuel Cabrero <scabrero@suse.de>
14068     Date: Wed, 4 Jan 2023 17:39:20 +0100
14069     Subject: [PATCH 140/142] CVE-2022-38023 s3:rpc_server/netlogon: Return error
14070     on invalid auth level
14071    
14072     Signed-off-by: Samuel Cabrero <scabrero@suse.de>
14073     ---
14074     source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++--
14075     1 file changed, 21 insertions(+), 2 deletions(-)
14076    
14077     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14078     index 5500a421334..fb5a05b75c8 100644
14079     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14080     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14081     @@ -1071,7 +1071,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14082     uint16_t opnum)
14083     {
14084     TALLOC_CTX *frame = talloc_stackframe();
14085     - NTSTATUS status;
14086     + NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED;
14087     const char *explicit_opt = NULL;
14088     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
14089     bool schannel_required = schannel_global_required;
14090     @@ -1095,12 +1095,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14091     } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
14092     reason = "WITH SIGNED";
14093     } else {
14094     - smb_panic("Schannel without SIGN/SEAL");
14095     + reason = "WITH INVALID";
14096     + dbg_lvl = DBGLVL_ERR;
14097     + status = NT_STATUS_INTERNAL_ERROR;
14098     }
14099     } else {
14100     reason = "WITHOUT";
14101     }
14102    
14103     + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
14104     + if (!NT_STATUS_IS_OK(status)) {
14105     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14106     + }
14107     +
14108     + DEBUG(dbg_lvl, (
14109     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14110     + "%s request (opnum[%u]) %s schannel from "
14111     + "client_account[%s] client_computer_name[%s] %s\n",
14112     + opname, opnum, reason,
14113     + log_escape(frame, creds->account_name),
14114     + log_escape(frame, creds->computer_name),
14115     + nt_errstr(status)));
14116     + TALLOC_FREE(frame);
14117     + return status;
14118     + }
14119     +
14120     /*
14121     * We don't use lp_parm_bool(), as we
14122     * need the explicit_opt pointer in order to
14123     --
14124     2.39.0
14125    
14126    
14127     From f59b49f3c23a9a7879a6975aa77e9cf2560a68be Mon Sep 17 00:00:00 2001
14128     From: Samuel Cabrero <scabrero@suse.de>
14129     Date: Wed, 4 Jan 2023 17:42:37 +0100
14130     Subject: [PATCH 141/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
14131     variable
14132    
14133     This will simplify the following changes.
14134    
14135     Signed-off-by: Samuel Cabrero <scabrero@samba.org>
14136     ---
14137     source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
14138     1 file changed, 3 insertions(+), 3 deletions(-)
14139    
14140     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14141     index fb5a05b75c8..fd128a70c8b 100644
14142     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14143     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14144     @@ -1083,7 +1083,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14145     unsigned int dbg_lvl = DBGLVL_DEBUG;
14146     const char *opname = "<unknown>";
14147     const char *reason = "<unknown>";
14148     - static bool warned_global_once = false;
14149     + static bool warned_global_schannel_once = false;
14150    
14151     if (opnum < ndr_table_netlogon.num_calls) {
14152     opname = ndr_table_netlogon.calls[opnum].name;
14153     @@ -1198,14 +1198,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14154     return status;
14155     }
14156    
14157     - if (!schannel_global_required && !warned_global_once) {
14158     + if (!schannel_global_required && !warned_global_schannel_once) {
14159     /*
14160     * We want admins to notice their misconfiguration!
14161     */
14162     DBG_ERR("CVE-2020-1472(ZeroLogon): "
14163     "Please configure 'server schannel = yes', "
14164     "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
14165     - warned_global_once = true;
14166     + warned_global_schannel_once = true;
14167     }
14168    
14169     status = NT_STATUS_OK;
14170     --
14171     2.39.0
14172    
14173    
14174     From 6b038af7f70f0331d85dac00647cfe8dedefec28 Mon Sep 17 00:00:00 2001
14175     From: Samuel Cabrero <scabrero@suse.de>
14176     Date: Wed, 4 Jan 2023 17:50:04 +0100
14177     Subject: [PATCH 142/142] CVE-2022-38023 s3:rpc_server/netlogon: implement
14178     "server schannel require seal[:COMPUTERACCOUNT]"
14179    
14180     By default we'll now require schannel connections with
14181     privacy/sealing/encryption.
14182    
14183     But we allow exceptions for specific computer/trust accounts.
14184    
14185     BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
14186    
14187     Signed-off-by: Samuel Cabrero <scabrero@suse.de>
14188     ---
14189     selftest/target/Samba3.pm | 14 ++
14190     source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++-
14191     2 files changed, 249 insertions(+), 2 deletions(-)
14192    
14193     diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
14194     index e8a4c3bbbb6..cf6c38562de 100755
14195     --- a/selftest/target/Samba3.pm
14196     +++ b/selftest/target/Samba3.pm
14197     @@ -215,6 +215,20 @@ sub setup_nt4_dc
14198     server require schannel:schannel11\$ = no
14199     server require schannel:torturetest\$ = no
14200    
14201     + server schannel require seal:schannel0\$ = no
14202     + server schannel require seal:schannel1\$ = no
14203     + server schannel require seal:schannel2\$ = no
14204     + server schannel require seal:schannel3\$ = no
14205     + server schannel require seal:schannel4\$ = no
14206     + server schannel require seal:schannel5\$ = no
14207     + server schannel require seal:schannel6\$ = no
14208     + server schannel require seal:schannel7\$ = no
14209     + server schannel require seal:schannel8\$ = no
14210     + server schannel require seal:schannel9\$ = no
14211     + server schannel require seal:schannel10\$ = no
14212     + server schannel require seal:schannel11\$ = no
14213     + server schannel require seal:torturetest\$ = no
14214     +
14215     rpc_server:epmapper = external
14216     rpc_server:spoolss = external
14217     rpc_server:lsarpc = external
14218     diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14219     index fd128a70c8b..38772586d81 100644
14220     --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14221     +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14222     @@ -1076,14 +1076,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14223     bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
14224     bool schannel_required = schannel_global_required;
14225     bool schannel_explicitly_set = false;
14226     + bool seal_global_required = (lp_server_schannel_require_seal() == true) ? true:false;
14227     + bool seal_required = seal_global_required;
14228     + bool seal_explicitly_set = false;
14229     int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14230     "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
14231     int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14232     "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
14233     + int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14234     + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
14235     + int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14236     + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
14237     unsigned int dbg_lvl = DBGLVL_DEBUG;
14238     const char *opname = "<unknown>";
14239     const char *reason = "<unknown>";
14240     static bool warned_global_schannel_once = false;
14241     + static bool warned_global_seal_once = false;
14242    
14243     if (opnum < ndr_table_netlogon.num_calls) {
14244     opname = ndr_table_netlogon.calls[opnum].name;
14245     @@ -1120,6 +1128,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14246     return status;
14247     }
14248    
14249     + /*
14250     + * We don't use lp_parm_bool(), as we
14251     + * need the explicit_opt pointer in order to
14252     + * adjust the debug messages.
14253     + */
14254     + explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
14255     + "server schannel require seal",
14256     + creds->account_name,
14257     + NULL);
14258     + if (explicit_opt != NULL) {
14259     + seal_required = lp_bool(explicit_opt);
14260     + }
14261     + seal_explicitly_set = explicit_opt != NULL;
14262     +
14263     /*
14264     * We don't use lp_parm_bool(), as we
14265     * need the explicit_opt pointer in order to
14266     @@ -1135,7 +1157,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14267     }
14268     schannel_explicitly_set = explicit_opt != NULL;
14269    
14270     + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
14271     + auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
14272     + {
14273     + status = NT_STATUS_OK;
14274     +
14275     + if (schannel_explicitly_set && !schannel_required) {
14276     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
14277     + } else if (!schannel_required) {
14278     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14279     + }
14280     + if (seal_explicitly_set && !seal_required) {
14281     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
14282     + } else if (!seal_required) {
14283     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14284     + }
14285     +
14286     + DEBUG(dbg_lvl, (
14287     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14288     + "%s request (opnum[%u]) %s schannel from "
14289     + "client_account[%s] client_computer_name[%s] %s\n",
14290     + opname, opnum, reason,
14291     + log_escape(frame, creds->account_name),
14292     + log_escape(frame, creds->computer_name),
14293     + nt_errstr(status)));
14294     +
14295     + if (schannel_explicitly_set && !schannel_required) {
14296     + DEBUG(CVE_2020_1472_warn_level, (
14297     + "CVE-2020-1472(ZeroLogon): "
14298     + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
14299     + log_escape(frame, creds->account_name),
14300     + log_escape(frame, creds->computer_name)));
14301     + }
14302     +
14303     + if (seal_explicitly_set && !seal_required) {
14304     + DEBUG(CVE_2022_38023_warn_level, (
14305     + "CVE-2022-38023: "
14306     + "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
14307     + log_escape(frame, creds->account_name),
14308     + log_escape(frame, creds->computer_name)));
14309     + }
14310     +
14311     + TALLOC_FREE(frame);
14312     + return status;
14313     + }
14314     +
14315     if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
14316     + if (seal_required) {
14317     + status = NT_STATUS_ACCESS_DENIED;
14318     +
14319     + if (seal_explicitly_set) {
14320     + dbg_lvl = DBGLVL_NOTICE;
14321     + } else {
14322     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14323     + }
14324     + if (schannel_explicitly_set && !schannel_required) {
14325     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
14326     + }
14327     +
14328     + DEBUG(dbg_lvl, (
14329     + "CVE-2022-38023: "
14330     + "%s request (opnum[%u]) %s schannel from "
14331     + "from client_account[%s] client_computer_name[%s] %s\n",
14332     + opname, opnum, reason,
14333     + log_escape(frame, creds->account_name),
14334     + log_escape(frame, creds->computer_name),
14335     + nt_errstr(status)));
14336     + if (seal_explicitly_set) {
14337     + D_NOTICE("CVE-2022-38023: Option "
14338     + "'server schannel require seal:%s = yes' "
14339     + "rejects access for client.\n",
14340     + log_escape(frame, creds->account_name));
14341     + } else {
14342     + DEBUG(CVE_2020_1472_error_level, (
14343     + "CVE-2022-38023: Check if option "
14344     + "'server schannel require seal:%s = no' "
14345     + "might be needed for a legacy client.\n",
14346     + log_escape(frame, creds->account_name)));
14347     + }
14348     + if (schannel_explicitly_set && !schannel_required) {
14349     + DEBUG(CVE_2020_1472_warn_level, (
14350     + "CVE-2020-1472(ZeroLogon): Option "
14351     + "'server require schannel:%s = no' "
14352     + "not needed for '%s'!\n",
14353     + log_escape(frame, creds->account_name),
14354     + log_escape(frame, creds->computer_name)));
14355     + }
14356     + TALLOC_FREE(frame);
14357     + return status;
14358     + }
14359     +
14360     status = NT_STATUS_OK;
14361    
14362     if (schannel_explicitly_set && !schannel_required) {
14363     @@ -1143,6 +1254,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14364     } else if (!schannel_required) {
14365     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14366     }
14367     + if (seal_explicitly_set && !seal_required) {
14368     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14369     + } else if (!seal_required) {
14370     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14371     + }
14372    
14373     DEBUG(dbg_lvl, (
14374     "CVE-2020-1472(ZeroLogon): "
14375     @@ -1152,7 +1268,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14376     log_escape(frame, creds->account_name),
14377     log_escape(frame, creds->computer_name),
14378     nt_errstr(status)));
14379     -
14380     if (schannel_explicitly_set && !schannel_required) {
14381     DEBUG(CVE_2020_1472_warn_level, (
14382     "CVE-2020-1472(ZeroLogon): "
14383     @@ -1160,7 +1275,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14384     log_escape(frame, creds->account_name),
14385     log_escape(frame, creds->computer_name)));
14386     }
14387     + if (seal_explicitly_set && !seal_required) {
14388     + D_INFO("CVE-2022-38023: "
14389     + "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
14390     + log_escape(frame, creds->account_name),
14391     + log_escape(frame, creds->computer_name));
14392     + } else if (!seal_required) {
14393     + /*
14394     + * admins should set
14395     + * server schannel require seal:COMPUTER$ = no
14396     + * in order to avoid the level 0 messages.
14397     + * Over time they can switch the global value
14398     + * to be strict.
14399     + */
14400     + DEBUG(CVE_2022_38023_error_level, (
14401     + "CVE-2022-38023: "
14402     + "Please use 'server schannel require seal:%s = no' "
14403     + "for '%s' to avoid this warning!\n",
14404     + log_escape(frame, creds->account_name),
14405     + log_escape(frame, creds->computer_name)));
14406     + }
14407     +
14408     + TALLOC_FREE(frame);
14409     + return status;
14410     + }
14411     +
14412     + if (seal_required) {
14413     + status = NT_STATUS_ACCESS_DENIED;
14414    
14415     + if (seal_explicitly_set) {
14416     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14417     + } else {
14418     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14419     + }
14420     + if (!schannel_explicitly_set) {
14421     + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14422     + } else if (schannel_required) {
14423     + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14424     + }
14425     +
14426     + DEBUG(dbg_lvl, (
14427     + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14428     + "%s request (opnum[%u]) %s schannel from "
14429     + "from client_account[%s] client_computer_name[%s] %s\n",
14430     + opname, opnum, reason,
14431     + log_escape(frame, creds->account_name),
14432     + log_escape(frame, creds->computer_name),
14433     + nt_errstr(status)));
14434     + if (seal_explicitly_set) {
14435     + D_NOTICE("CVE-2022-38023: Option "
14436     + "'server schannel require seal:%s = yes' "
14437     + "rejects access for client.\n",
14438     + log_escape(frame, creds->account_name));
14439     + } else {
14440     + DEBUG(CVE_2022_38023_error_level, (
14441     + "CVE-2022-38023: Check if option "
14442     + "'server schannel require seal:%s = no' "
14443     + "might be needed for a legacy client.\n",
14444     + log_escape(frame, creds->account_name)));
14445     + }
14446     + if (!schannel_explicitly_set) {
14447     + DEBUG(CVE_2020_1472_error_level, (
14448     + "CVE-2020-1472(ZeroLogon): Check if option "
14449     + "'server require schannel:%s = no' "
14450     + "might be needed for a legacy client.\n",
14451     + log_escape(frame, creds->account_name)));
14452     + } else if (schannel_required) {
14453     + D_NOTICE("CVE-2022-38023: Option "
14454     + "'server require schannel:%s = yes' "
14455     + "also rejects access for client.\n",
14456     + log_escape(frame, creds->account_name));
14457     + }
14458     TALLOC_FREE(frame);
14459     return status;
14460     }
14461     @@ -1173,6 +1358,9 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14462     } else {
14463     dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14464     }
14465     + if (!seal_explicitly_set) {
14466     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14467     + }
14468    
14469     DEBUG(dbg_lvl, (
14470     "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14471     @@ -1194,6 +1382,13 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14472     "might be needed for a legacy client.\n",
14473     log_escape(frame, creds->account_name)));
14474     }
14475     + if (!seal_explicitly_set) {
14476     + DEBUG(CVE_2022_38023_error_level, (
14477     + "CVE-2022-38023: Check if option "
14478     + "'server schannel require seal:%s = no' "
14479     + "might be needed for a legacy client.\n",
14480     + log_escape(frame, creds->account_name)));
14481     + }
14482     TALLOC_FREE(frame);
14483     return status;
14484     }
14485     @@ -1208,8 +1403,24 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14486     warned_global_schannel_once = true;
14487     }
14488    
14489     + if (!seal_global_required && !warned_global_seal_once) {
14490     + /*
14491     + * We want admins to notice their misconfiguration!
14492     + */
14493     + DBG_ERR("CVE-2022-38023 (and others): "
14494     + "Please configure 'server schannel require seal = yes' (the default), "
14495     + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
14496     + warned_global_seal_once = true;
14497     + }
14498     +
14499     status = NT_STATUS_OK;
14500    
14501     + if (seal_explicitly_set) {
14502     + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14503     + } else {
14504     + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14505     + }
14506     +
14507     if (schannel_explicitly_set) {
14508     dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14509     } else {
14510     @@ -1225,6 +1436,28 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14511     log_escape(frame, creds->computer_name),
14512     nt_errstr(status)));
14513    
14514     + if (seal_explicitly_set) {
14515     + D_INFO("CVE-2022-38023: Option "
14516     + "'server schannel require seal:%s = no' "
14517     + "still needed for '%s'!\n",
14518     + log_escape(frame, creds->account_name),
14519     + log_escape(frame, creds->computer_name));
14520     + } else {
14521     + /*
14522     + * admins should set
14523     + * server schannel require seal:COMPUTER$ = no
14524     + * in order to avoid the level 0 messages.
14525     + * Over time they can switch the global value
14526     + * to be strict.
14527     + */
14528     + DEBUG(CVE_2022_38023_error_level, (
14529     + "CVE-2022-38023: Please use "
14530     + "'server schannel require seal:%s = no' "
14531     + "for '%s' to avoid this warning!\n",
14532     + log_escape(frame, creds->account_name),
14533     + log_escape(frame, creds->computer_name)));
14534     + }
14535     +
14536     if (schannel_explicitly_set) {
14537     D_INFO("CVE-2020-1472(ZeroLogon): Option "
14538     "'server require schannel:%s = no' "
14539     @@ -1248,7 +1481,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14540     }
14541    
14542     TALLOC_FREE(frame);
14543     - return NT_STATUS_OK;
14544     + return status;
14545     }
14546    
14547     static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
14548     --
14549     2.39.0
14550    
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed