/[smeserver]/rpms/samba/sme10/samba-4.10-redhat.patch
ViewVC logotype

Contents of /rpms/samba/sme10/samba-4.10-redhat.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Aug 9 04:48:46 2023 UTC (15 months, 2 weeks ago) by jpp
Branch: MAIN
CVS Tags: samba-4_10_16-24_el7_9, samba-4_10_16-24_1_el7_sme, HEAD
Initial import

1 From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
2 From: Alexander Bokovoy <ab@samba.org>
3 Date: Tue, 7 Jan 2020 19:25:53 +0200
4 Subject: [PATCH 001/142] s3-rpcserver: fix security level check for
5 DsRGetForestTrustInformation
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
11 didn't change since DCE RPC channel refactoring.
12
13 With the current code we return RPC faul as can be seen in the logs:
14
15 2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
16 netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
17 in: struct netr_DsRGetForestTrustInformation
18 server_name : *
19 server_name : '\\some-dc.example.com'
20 trusted_domain_name : NULL
21 flags : 0x00000000 (0)
22 [2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
23 api_rpcTNP: fault(5) return.
24
25 This is due to this check in processing a request:
26 if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
27 && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
28 p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
29 return WERR_ACCESS_DENIED;
30 }
31
32 and since we get AuthZ response,
33
34 Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
35 Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
36 [2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
37 JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
38 "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
39 "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
40 "serviceDescription": "netlogon", "authType": "ncacn_np",
41 "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
42 "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
43 "transportProtection": "SMB", "accountFlags": "0x00000010"}}
44
45 this means we are actually getting anonymous DCE/RPC access to netlogon
46 on top of authenticated SMB connection. In such case we have exactly
47 auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
48 DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
49
50 Update the code to follow the same security level check as in s4 variant
51 of the call.
52
53 Signed-off-by: Alexander Bokovoy <ab@samba.org>
54 Reviewed-by: Guenther Deschner <gd@samba.org>
55
56 Autobuild-User(master): Günther Deschner <gd@samba.org>
57 Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
58
59 (cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
60 ---
61 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
62 1 file changed, 3 insertions(+), 3 deletions(-)
63
64 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
65 index d799ba4feef..87613b99fde 100644
66 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
67 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
68 @@ -2425,10 +2425,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
69 {
70 NTSTATUS status;
71 struct lsa_ForestTrustInformation *info, **info_ptr;
72 + enum security_user_level security_level;
73
74 - if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
75 - && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
76 - p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
77 + security_level = security_session_user_level(p->session_info, NULL);
78 + if (security_level < SECURITY_USER) {
79 return WERR_ACCESS_DENIED;
80 }
81
82 --
83 2.39.0
84
85
86 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
87 From: Isaac Boukris <iboukris@gmail.com>
88 Date: Wed, 27 May 2020 16:50:45 +0200
89 Subject: [PATCH 002/142] Add a test to check dNSHostName with netbios aliases
90
91 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
92
93 Signed-off-by: Isaac Boukris <iboukris@samba.org>
94 Reviewed-by: Andreas Schneider <asn@samba.org>
95 ---
96 selftest/knownfail.d/nb_alias_dnshostname | 2 ++
97 testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++
98 2 files changed, 16 insertions(+)
99 create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
100
101 diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
102 new file mode 100644
103 index 00000000000..3c14e9931b9
104 --- /dev/null
105 +++ b/selftest/knownfail.d/nb_alias_dnshostname
106 @@ -0,0 +1,2 @@
107 +^samba4.blackbox.net_ads.nb_alias check dNSHostName
108 +^samba4.blackbox.net_ads.nb_alias check main SPN
109 diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
110 index 95c0cf76f90..6073ea972f9 100755
111 --- a/testprogs/blackbox/test_net_ads.sh
112 +++ b/testprogs/blackbox/test_net_ads.sh
113 @@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
114 ##Goodbye...
115 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
116
117 +# netbios aliases tests
118 +testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
119 +
120 +testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
121 +
122 +testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
123 +testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
124 +
125 +testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
126 +testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
127 +
128 +##Goodbye...
129 +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
130 +
131 #
132 # Test createcomputer option of 'net ads join'
133 #
134 --
135 2.39.0
136
137
138 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
139 From: Isaac Boukris <iboukris@gmail.com>
140 Date: Wed, 27 May 2020 15:52:46 +0200
141 Subject: [PATCH 003/142] Fix accidental overwrite of dnsHostName by the last
142 netbios alias
143
144 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
145
146 Signed-off-by: Isaac Boukris <iboukris@samba.org>
147 Reviewed-by: Andreas Schneider <asn@samba.org>
148 ---
149 selftest/knownfail.d/nb_alias_dnshostname | 2 --
150 source3/libnet/libnet_join.c | 5 +++--
151 2 files changed, 3 insertions(+), 4 deletions(-)
152 delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
153
154 diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
155 deleted file mode 100644
156 index 3c14e9931b9..00000000000
157 --- a/selftest/knownfail.d/nb_alias_dnshostname
158 +++ /dev/null
159 @@ -1,2 +0,0 @@
160 -^samba4.blackbox.net_ads.nb_alias check dNSHostName
161 -^samba4.blackbox.net_ads.nb_alias check main SPN
162 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
163 index 9d4f656ffec..a31011b0ff8 100644
164 --- a/source3/libnet/libnet_join.c
165 +++ b/source3/libnet/libnet_join.c
166 @@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
167 ADS_STATUS status;
168 ADS_MODLIST mods;
169 fstring my_fqdn;
170 + fstring my_alias;
171 const char **spn_array = NULL;
172 size_t num_spns = 0;
173 char *spn = NULL;
174 @@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
175 /*
176 * Add HOST/netbiosname.domainname
177 */
178 - fstr_sprintf(my_fqdn, "%s.%s",
179 + fstr_sprintf(my_alias, "%s.%s",
180 *netbios_aliases,
181 lp_dnsdomain());
182
183 - spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
184 + spn = talloc_asprintf(frame, "HOST/%s", my_alias);
185 if (spn == NULL) {
186 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
187 goto done;
188 --
189 2.39.0
190
191
192 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
193 From: Isaac Boukris <iboukris@gmail.com>
194 Date: Thu, 24 Oct 2019 19:04:51 +0300
195 Subject: [PATCH 004/142] Refactor ads_keytab_add_entry() to make it iterable
196
197 so we can more easily add msDS-AdditionalDnsHostName entries.
198
199 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
200
201 Signed-off-by: Isaac Boukris <iboukris@samba.org>
202 Reviewed-by: Andreas Schneider <asn@samba.org>
203 ---
204 source3/libads/kerberos_keytab.c | 197 +++++++++++++++++--------------
205 1 file changed, 107 insertions(+), 90 deletions(-)
206
207 diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
208 index 97d5535041c..0f450a09df5 100644
209 --- a/source3/libads/kerberos_keytab.c
210 +++ b/source3/libads/kerberos_keytab.c
211 @@ -228,18 +228,16 @@ out:
212 return ok;
213 }
214
215 -/**********************************************************************
216 - Adds a single service principal, i.e. 'host' to the system keytab
217 -***********************************************************************/
218 -
219 -int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
220 +static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
221 + ADS_STRUCT *ads, const char *salt_princ_s,
222 + krb5_keytab keytab, krb5_kvno kvno,
223 + const char *srvPrinc, const char *my_fqdn,
224 + krb5_data *password, bool update_ads)
225 {
226 krb5_error_code ret = 0;
227 - krb5_context context = NULL;
228 - krb5_keytab keytab = NULL;
229 - krb5_data password;
230 - krb5_kvno kvno;
231 - krb5_enctype enctypes[6] = {
232 + char *princ_s = NULL;
233 + char *short_princ_s = NULL;
234 + krb5_enctype enctypes[6] = {
235 ENCTYPE_DES_CBC_CRC,
236 ENCTYPE_DES_CBC_MD5,
237 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
238 @@ -251,65 +249,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
239 ENCTYPE_ARCFOUR_HMAC,
240 0
241 };
242 - char *princ_s = NULL;
243 - char *short_princ_s = NULL;
244 - char *salt_princ_s = NULL;
245 - char *password_s = NULL;
246 - char *my_fqdn;
247 - TALLOC_CTX *tmpctx = NULL;
248 - int i;
249 -
250 - ret = smb_krb5_init_context_common(&context);
251 - if (ret) {
252 - DBG_ERR("kerberos init context failed (%s)\n",
253 - error_message(ret));
254 - return -1;
255 - }
256 -
257 - ret = ads_keytab_open(context, &keytab);
258 - if (ret != 0) {
259 - goto out;
260 - }
261 -
262 - /* retrieve the password */
263 - if (!secrets_init()) {
264 - DEBUG(1, (__location__ ": secrets_init failed\n"));
265 - ret = -1;
266 - goto out;
267 - }
268 - password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
269 - if (!password_s) {
270 - DEBUG(1, (__location__ ": failed to fetch machine password\n"));
271 - ret = -1;
272 - goto out;
273 - }
274 - ZERO_STRUCT(password);
275 - password.data = password_s;
276 - password.length = strlen(password_s);
277 -
278 - /* we need the dNSHostName value here */
279 - tmpctx = talloc_init(__location__);
280 - if (!tmpctx) {
281 - DEBUG(0, (__location__ ": talloc_init() failed!\n"));
282 - ret = -1;
283 - goto out;
284 - }
285 -
286 - my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
287 - if (!my_fqdn) {
288 - DEBUG(0, (__location__ ": unable to determine machine "
289 - "account's dns name in AD!\n"));
290 - ret = -1;
291 - goto out;
292 - }
293 -
294 - /* make sure we have a single instance of a the computer account */
295 - if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
296 - DEBUG(0, (__location__ ": unable to determine machine "
297 - "account's short name in AD!\n"));
298 - ret = -1;
299 - goto out;
300 - }
301 + size_t i;
302
303 /* Construct our principal */
304 if (strchr_m(srvPrinc, '@')) {
305 @@ -358,22 +298,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
306 }
307 }
308
309 - kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
310 - if (kvno == -1) {
311 - /* -1 indicates failure, everything else is OK */
312 - DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
313 - "determine the system's kvno.\n"));
314 - ret = -1;
315 - goto out;
316 - }
317 -
318 - salt_princ_s = kerberos_secrets_fetch_salt_princ();
319 - if (salt_princ_s == NULL) {
320 - DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
321 - ret = -1;
322 - goto out;
323 - }
324 -
325 for (i = 0; enctypes[i]; i++) {
326
327 /* add the fqdn principal to the keytab */
328 @@ -383,11 +307,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
329 princ_s,
330 salt_princ_s,
331 enctypes[i],
332 - &password,
333 + password,
334 false,
335 false);
336 if (ret) {
337 - DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
338 + DBG_WARNING("Failed to add entry to keytab\n");
339 goto out;
340 }
341
342 @@ -399,16 +323,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
343 short_princ_s,
344 salt_princ_s,
345 enctypes[i],
346 - &password,
347 + password,
348 false,
349 false);
350 if (ret) {
351 - DEBUG(1, (__location__
352 - ": Failed to add short entry to keytab\n"));
353 + DBG_WARNING("Failed to add short entry to keytab\n");
354 goto out;
355 }
356 }
357 }
358 +out:
359 + return ret;
360 +}
361 +
362 +/**********************************************************************
363 + Adds a single service principal, i.e. 'host' to the system keytab
364 +***********************************************************************/
365 +
366 +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
367 +{
368 + krb5_error_code ret = 0;
369 + krb5_context context = NULL;
370 + krb5_keytab keytab = NULL;
371 + krb5_data password;
372 + krb5_kvno kvno;
373 + char *salt_princ_s = NULL;
374 + char *password_s = NULL;
375 + char *my_fqdn;
376 + TALLOC_CTX *tmpctx = NULL;
377 +
378 + ret = smb_krb5_init_context_common(&context);
379 + if (ret) {
380 + DBG_ERR("kerberos init context failed (%s)\n",
381 + error_message(ret));
382 + return -1;
383 + }
384 +
385 + ret = ads_keytab_open(context, &keytab);
386 + if (ret != 0) {
387 + goto out;
388 + }
389 +
390 + /* retrieve the password */
391 + if (!secrets_init()) {
392 + DBG_WARNING("secrets_init failed\n");
393 + ret = -1;
394 + goto out;
395 + }
396 + password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
397 + if (!password_s) {
398 + DBG_WARNING("failed to fetch machine password\n");
399 + ret = -1;
400 + goto out;
401 + }
402 + ZERO_STRUCT(password);
403 + password.data = password_s;
404 + password.length = strlen(password_s);
405 +
406 + /* we need the dNSHostName value here */
407 + tmpctx = talloc_init(__location__);
408 + if (!tmpctx) {
409 + DBG_ERR("talloc_init() failed!\n");
410 + ret = -1;
411 + goto out;
412 + }
413 +
414 + my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
415 + if (!my_fqdn) {
416 + DBG_ERR("unable to determine machine account's dns name in "
417 + "AD!\n");
418 + ret = -1;
419 + goto out;
420 + }
421 +
422 + /* make sure we have a single instance of a the computer account */
423 + if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
424 + DBG_ERR("unable to determine machine account's short name in "
425 + "AD!\n");
426 + ret = -1;
427 + goto out;
428 + }
429 +
430 + kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
431 + if (kvno == -1) {
432 + /* -1 indicates failure, everything else is OK */
433 + DBG_WARNING("ads_get_machine_kvno failed to determine the "
434 + "system's kvno.\n");
435 + ret = -1;
436 + goto out;
437 + }
438 +
439 + salt_princ_s = kerberos_secrets_fetch_salt_princ();
440 + if (salt_princ_s == NULL) {
441 + DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
442 + ret = -1;
443 + goto out;
444 + }
445 +
446 + ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
447 + kvno, srvPrinc, my_fqdn, &password,
448 + update_ads);
449 + if (ret != 0) {
450 + goto out;
451 + }
452
453 out:
454 SAFE_FREE(salt_princ_s);
455 --
456 2.39.0
457
458
459 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
460 From: Isaac Boukris <iboukris@gmail.com>
461 Date: Wed, 27 May 2020 17:55:12 +0200
462 Subject: [PATCH 005/142] Add a test for msDS-AdditionalDnsHostName entries in
463 keytab
464
465 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
466
467 Signed-off-by: Isaac Boukris <iboukris@samba.org>
468 Reviewed-by: Andreas Schneider <asn@samba.org>
469 ---
470 selftest/knownfail.d/dns_alias_keytab | 2 ++
471 testprogs/blackbox/test_net_ads.sh | 9 +++++++++
472 2 files changed, 11 insertions(+)
473 create mode 100644 selftest/knownfail.d/dns_alias_keytab
474
475 diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
476 new file mode 100644
477 index 00000000000..216592e1210
478 --- /dev/null
479 +++ b/selftest/knownfail.d/dns_alias_keytab
480 @@ -0,0 +1,2 @@
481 +^samba4.blackbox.net_ads.dns alias1 check keytab
482 +^samba4.blackbox.net_ads.dns alias2 check keytab
483 diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
484 index 6073ea972f9..a40b477a173 100755
485 --- a/testprogs/blackbox/test_net_ads.sh
486 +++ b/testprogs/blackbox/test_net_ads.sh
487 @@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
488 testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
489 testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
490
491 +dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
492 +
493 +testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
494 +
495 +testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
496 +testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
497 +
498 +rm -f $dedicated_keytab_file
499 +
500 ##Goodbye...
501 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
502
503 --
504 2.39.0
505
506
507 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
508 From: Isaac Boukris <iboukris@gmail.com>
509 Date: Wed, 27 May 2020 15:36:28 +0200
510 Subject: [PATCH 006/142] Add msDS-AdditionalDnsHostName entries to the keytab
511
512 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
513
514 Signed-off-by: Isaac Boukris <iboukris@samba.org>
515 Reviewed-by: Andreas Schneider <asn@samba.org>
516 ---
517 selftest/knownfail.d/dns_alias_keytab | 2 --
518 source3/libads/ads_proto.h | 5 +++
519 source3/libads/kerberos_keytab.c | 21 +++++++++++++
520 source3/libads/ldap.c | 45 +++++++++++++++++++++++++++
521 4 files changed, 71 insertions(+), 2 deletions(-)
522 delete mode 100644 selftest/knownfail.d/dns_alias_keytab
523
524 diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
525 deleted file mode 100644
526 index 216592e1210..00000000000
527 --- a/selftest/knownfail.d/dns_alias_keytab
528 +++ /dev/null
529 @@ -1,2 +0,0 @@
530 -^samba4.blackbox.net_ads.dns alias1 check keytab
531 -^samba4.blackbox.net_ads.dns alias2 check keytab
532 diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
533 index 495ef5d3325..cd9c1082681 100644
534 --- a/source3/libads/ads_proto.h
535 +++ b/source3/libads/ads_proto.h
536 @@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
537 enum ads_extended_dn_flags flags,
538 struct dom_sid *sid);
539 char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
540 +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
541 + ADS_STRUCT *ads,
542 + const char *machine_name,
543 + char ***hostnames_array,
544 + size_t *num_hostnames);
545 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
546 bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
547 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
548 diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
549 index 0f450a09df5..818ec884a03 100644
550 --- a/source3/libads/kerberos_keytab.c
551 +++ b/source3/libads/kerberos_keytab.c
552 @@ -351,6 +351,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
553 char *password_s = NULL;
554 char *my_fqdn;
555 TALLOC_CTX *tmpctx = NULL;
556 + char **hostnames_array = NULL;
557 + size_t num_hostnames = 0;
558
559 ret = smb_krb5_init_context_common(&context);
560 if (ret) {
561 @@ -427,6 +429,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
562 goto out;
563 }
564
565 + if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
566 + lp_netbios_name(),
567 + &hostnames_array,
568 + &num_hostnames))) {
569 + size_t i;
570 +
571 + for (i = 0; i < num_hostnames; i++) {
572 +
573 + ret = add_kt_entry_etypes(context, tmpctx, ads,
574 + salt_princ_s, keytab,
575 + kvno, srvPrinc,
576 + hostnames_array[i],
577 + &password, update_ads);
578 + if (ret != 0) {
579 + goto out;
580 + }
581 + }
582 + }
583 +
584 out:
585 SAFE_FREE(salt_princ_s);
586 TALLOC_FREE(tmpctx);
587 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
588 index db2b72ab1b5..02a628ee0e6 100644
589 --- a/source3/libads/ldap.c
590 +++ b/source3/libads/ldap.c
591 @@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
592 "unicodePwd",
593
594 /* Additional attributes Samba checks */
595 + "msDS-AdditionalDnsHostName",
596 "msDS-SupportedEncryptionTypes",
597 "nTSecurityDescriptor",
598
599 @@ -3663,6 +3664,50 @@ out:
600 /********************************************************************
601 ********************************************************************/
602
603 +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
604 + ADS_STRUCT *ads,
605 + const char *machine_name,
606 + char ***hostnames_array,
607 + size_t *num_hostnames)
608 +{
609 + ADS_STATUS status;
610 + LDAPMessage *res = NULL;
611 + int count;
612 +
613 + status = ads_find_machine_acct(ads,
614 + &res,
615 + machine_name);
616 + if (!ADS_ERR_OK(status)) {
617 + DEBUG(1,("Host Account for %s not found... skipping operation.\n",
618 + machine_name));
619 + return status;
620 + }
621 +
622 + count = ads_count_replies(ads, res);
623 + if (count != 1) {
624 + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
625 + goto done;
626 + }
627 +
628 + *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
629 + "msDS-AdditionalDnsHostName",
630 + num_hostnames);
631 + if (*hostnames_array == NULL) {
632 + DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
633 + machine_name));
634 + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
635 + goto done;
636 + }
637 +
638 +done:
639 + ads_msgfree(ads, res);
640 +
641 + return status;
642 +}
643 +
644 +/********************************************************************
645 +********************************************************************/
646 +
647 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
648 {
649 LDAPMessage *res = NULL;
650 --
651 2.39.0
652
653
654 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
655 From: Isaac Boukris <iboukris@gmail.com>
656 Date: Wed, 27 May 2020 15:54:12 +0200
657 Subject: [PATCH 007/142] Add net-ads-join dnshostname=fqdn option
658
659 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
660
661 Signed-off-by: Isaac Boukris <iboukris@samba.org>
662 Reviewed-by: Andreas Schneider <asn@samba.org>
663
664 Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
665 Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
666 ---
667 docs-xml/manpages/net.8.xml | 7 ++++++-
668 source3/libnet/libnet_join.c | 7 ++++++-
669 source3/librpc/idl/libnet_join.idl | 1 +
670 source3/utils/net_ads.c | 9 ++++++++-
671 testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++
672 5 files changed, 36 insertions(+), 3 deletions(-)
673
674 diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
675 index 37dfa2af694..69e18df8b6c 100644
676 --- a/docs-xml/manpages/net.8.xml
677 +++ b/docs-xml/manpages/net.8.xml
678 @@ -454,7 +454,7 @@ The remote server must be specified with the -S option.
679
680 <refsect2>
681 <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
682 -[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
683 +[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
684 [osName=string osVer=string] [options]</title>
685
686 <para>
687 @@ -469,6 +469,11 @@ be created.</para>
688 joining the domain.
689 </para>
690
691 +<para>
692 +[FQDN] (ADS only) set the dnsHosName attribute during the join.
693 +The default format is netbiosname.dnsdomain.
694 +</para>
695 +
696 <para>
697 [UPN] (ADS only) set the principalname attribute during the join. The default
698 format is host/netbiosname@REALM.
699 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
700 index a31011b0ff8..de558be4f91 100644
701 --- a/source3/libnet/libnet_join.c
702 +++ b/source3/libnet/libnet_join.c
703 @@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
704 goto done;
705 }
706
707 - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
708 + if (r->in.dnshostname != NULL) {
709 + fstr_sprintf(my_fqdn, "%s", r->in.dnshostname);
710 + } else {
711 + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
712 + lp_dnsdomain());
713 + }
714
715 if (!strlower_m(my_fqdn)) {
716 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
717 diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
718 index e45034d40da..03d919863b5 100644
719 --- a/source3/librpc/idl/libnet_join.idl
720 +++ b/source3/librpc/idl/libnet_join.idl
721 @@ -37,6 +37,7 @@ interface libnetjoin
722 [in] string os_servicepack,
723 [in] boolean8 create_upn,
724 [in] string upn,
725 + [in] string dnshostname,
726 [in] boolean8 modify_config,
727 [in,unique] ads_struct *ads,
728 [in] boolean8 debug,
729 diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
730 index 07a22098fb1..3cf8fbbf7c8 100644
731 --- a/source3/utils/net_ads.c
732 +++ b/source3/utils/net_ads.c
733 @@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
734 {
735 d_printf(_("net ads join [--no-dns-updates] [options]\n"
736 "Valid options:\n"));
737 + d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
738 + " The default is in the form netbiosname.dnsdomain\n"));
739 d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
740 " The default UPN is in the form host/netbiosname@REALM.\n"));
741 d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
742 @@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
743 const char *domain = lp_realm();
744 WERROR werr = WERR_NERR_SETUPNOTJOINED;
745 bool createupn = false;
746 + const char *dnshostname = NULL;
747 const char *machineupn = NULL;
748 const char *machine_password = NULL;
749 const char *create_in_ou = NULL;
750 @@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
751 /* process additional command line args */
752
753 for ( i=0; i<argc; i++ ) {
754 - if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
755 + if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
756 + dnshostname = get_string_param(argv[i]);
757 + }
758 + else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
759 createupn = true;
760 machineupn = get_string_param(argv[i]);
761 }
762 @@ -1938,6 +1944,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
763 r->in.domain_name_type = domain_name_type;
764 r->in.create_upn = createupn;
765 r->in.upn = machineupn;
766 + r->in.dnshostname = dnshostname;
767 r->in.account_ou = create_in_ou;
768 r->in.os_name = os_name;
769 r->in.os_version = os_version;
770 diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
771 index a40b477a173..85257f445d8 100755
772 --- a/testprogs/blackbox/test_net_ads.sh
773 +++ b/testprogs/blackbox/test_net_ads.sh
774 @@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file
775
776 testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
777
778 +#
779 +# Test dnshostname option of 'net ads join'
780 +#
781 +testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
782 +
783 +testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
784 +
785 +testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
786 +
787 +testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
788 +
789 +rm -f $dedicated_keytab_file
790 +
791 +testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
792 +
793 rm -rf $BASEDIR/$WORKDIR
794
795 exit $failed
796 --
797 2.39.0
798
799
800 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
801 From: Stefan Metzmacher <metze@samba.org>
802 Date: Wed, 16 Sep 2020 16:04:57 +0200
803 Subject: [PATCH 008/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
804 netlogon_creds_random_challenge()
805
806 It's good to have just a single isolated function that will generate
807 random challenges, in future we can add some logic in order to
808 avoid weak values, which are likely to be rejected by a server.
809
810 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
811
812 Signed-off-by: Stefan Metzmacher <metze@samba.org>
813 ---
814 libcli/auth/credentials.c | 8 ++++++++
815 libcli/auth/proto.h | 2 ++
816 2 files changed, 10 insertions(+)
817
818 diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
819 index b6c8ba281ba..dbbef9e7a3c 100644
820 --- a/libcli/auth/credentials.c
821 +++ b/libcli/auth/credentials.c
822 @@ -26,9 +26,17 @@
823 #include "libcli/auth/libcli_auth.h"
824 #include "../libcli/security/dom_sid.h"
825
826 +
827 +void netlogon_creds_random_challenge(struct netr_Credential *challenge)
828 +{
829 + ZERO_STRUCTP(challenge);
830 + generate_random_buffer(challenge->data, sizeof(challenge->data));
831 +}
832 +
833 static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
834 const struct netr_Credential *in,
835 struct netr_Credential *out)
836 +
837 {
838 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
839 AES_KEY key;
840 diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
841 index 82febe74440..82797d453ed 100644
842 --- a/libcli/auth/proto.h
843 +++ b/libcli/auth/proto.h
844 @@ -11,6 +11,8 @@
845
846 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
847
848 +void netlogon_creds_random_challenge(struct netr_Credential *challenge);
849 +
850 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
851 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
852 void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
853 --
854 2.39.0
855
856
857 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
858 From: Stefan Metzmacher <metze@samba.org>
859 Date: Wed, 16 Sep 2020 16:07:30 +0200
860 Subject: [PATCH 009/142] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
861 netlogon_creds_random_challenge()
862
863 This will avoid getting flakey tests once our server starts to
864 reject weak challenges.
865
866 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
867
868 Signed-off-by: Stefan Metzmacher <metze@samba.org>
869 ---
870 source4/torture/rpc/lsa.c | 2 +-
871 source4/torture/rpc/netlogon.c | 34 ++++++++++++----------------------
872 2 files changed, 13 insertions(+), 23 deletions(-)
873
874 diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
875 index 21cc16afbaf..7bdc0cf679a 100644
876 --- a/source4/torture/rpc/lsa.c
877 +++ b/source4/torture/rpc/lsa.c
878 @@ -2847,7 +2847,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
879 r.in.credentials = &credentials1;
880 r.out.return_credentials = &credentials2;
881
882 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
883 + netlogon_creds_random_challenge(&credentials1);
884
885 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
886 "ServerReqChallenge failed");
887 diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
888 index 026d86d50e4..e11014922f8 100644
889 --- a/source4/torture/rpc/netlogon.c
890 +++ b/source4/torture/rpc/netlogon.c
891 @@ -160,7 +160,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
892 r.in.credentials = &credentials1;
893 r.out.return_credentials = &credentials2;
894
895 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
896 + netlogon_creds_random_challenge(&credentials1);
897
898 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
899 "ServerReqChallenge failed");
900 @@ -229,7 +229,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct
901 r.in.credentials = &credentials1;
902 r.out.return_credentials = &credentials2;
903
904 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
905 + netlogon_creds_random_challenge(&credentials1);
906
907 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
908 "ServerReqChallenge failed");
909 @@ -318,7 +318,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
910 r.in.credentials = &credentials1;
911 r.out.return_credentials = &credentials2;
912
913 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
914 + netlogon_creds_random_challenge(&credentials1);
915
916 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
917 "ServerReqChallenge failed");
918 @@ -390,7 +390,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
919 r.in.credentials = &credentials1;
920 r.out.return_credentials = &credentials2;
921
922 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
923 + netlogon_creds_random_challenge(&credentials1);
924
925 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
926 "ServerReqChallenge failed");
927 @@ -1278,7 +1278,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx,
928 r.in.credentials = &credentials1;
929 r.out.return_credentials = &credentials2;
930
931 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
932 + netlogon_creds_random_challenge(&credentials1);
933
934 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
935 "ServerReqChallenge failed on b1");
936 @@ -1367,7 +1367,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx,
937 r.in.credentials = &credentials1;
938 r.out.return_credentials = &credentials2;
939
940 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
941 + netlogon_creds_random_challenge(&credentials1);
942
943 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
944 "ServerReqChallenge failed on b1");
945 @@ -1456,7 +1456,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx,
946 r.in.credentials = &credentials1;
947 r.out.return_credentials = &credentials2;
948
949 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
950 + netlogon_creds_random_challenge(&credentials1);
951
952 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
953 "ServerReqChallenge failed on b1");
954 @@ -1546,7 +1546,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx,
955 r.in.credentials = &credentials1;
956 r.out.return_credentials = &credentials2;
957
958 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
959 + netlogon_creds_random_challenge(&credentials1);
960
961 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
962 "ServerReqChallenge failed on b1");
963 @@ -1638,8 +1638,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
964 r.in.credentials = &credentials1_random;
965 r.out.return_credentials = &credentials_discard;
966
967 - generate_random_buffer(credentials1_random.data,
968 - sizeof(credentials1_random.data));
969 + netlogon_creds_random_challenge(&credentials1_random);
970
971 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
972 "ServerReqChallenge failed on b1");
973 @@ -1651,7 +1650,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
974 r.in.credentials = &credentials1;
975 r.out.return_credentials = &credentials2;
976
977 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
978 + netlogon_creds_random_challenge(&credentials1);
979
980 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
981 "ServerReqChallenge failed on b1");
982 @@ -1662,16 +1661,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
983 r.in.credentials = &credentials1_random;
984 r.out.return_credentials = &credentials_discard;
985
986 - generate_random_buffer(credentials1_random.data,
987 - sizeof(credentials1_random.data));
988 -
989 - r.in.server_name = NULL;
990 - r.in.computer_name = "CHALTEST3";
991 - r.in.credentials = &credentials1_random;
992 - r.out.return_credentials = &credentials_discard;
993 -
994 - generate_random_buffer(credentials1_random.data,
995 - sizeof(credentials1_random.data));
996 + netlogon_creds_random_challenge(&credentials1_random);
997
998 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
999 "ServerReqChallenge failed on b1");
1000 @@ -1747,7 +1737,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx,
1001 r.in.credentials = &credentials1;
1002 r.out.return_credentials = &credentials2;
1003
1004 - generate_random_buffer(credentials1.data, sizeof(credentials1.data));
1005 + netlogon_creds_random_challenge(&credentials1);
1006
1007 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
1008 "ServerReqChallenge");
1009 --
1010 2.39.0
1011
1012
1013 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
1014 From: Stefan Metzmacher <metze@samba.org>
1015 Date: Wed, 16 Sep 2020 16:08:38 +0200
1016 Subject: [PATCH 010/142] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
1017 netlogon_creds_random_challenge() in netlogon_creds_cli.c
1018
1019 This will avoid getting rejected by the server if we generate
1020 a weak challenge.
1021
1022 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1023
1024 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1025 ---
1026 libcli/auth/netlogon_creds_cli.c | 3 +--
1027 1 file changed, 1 insertion(+), 2 deletions(-)
1028
1029 diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
1030 index 817d2cd041a..0f6ca11ff96 100644
1031 --- a/libcli/auth/netlogon_creds_cli.c
1032 +++ b/libcli/auth/netlogon_creds_cli.c
1033 @@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
1034
1035 TALLOC_FREE(state->creds);
1036
1037 - generate_random_buffer(state->client_challenge.data,
1038 - sizeof(state->client_challenge.data));
1039 + netlogon_creds_random_challenge(&state->client_challenge);
1040
1041 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
1042 state->binding_handle,
1043 --
1044 2.39.0
1045
1046
1047 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
1048 From: Stefan Metzmacher <metze@samba.org>
1049 Date: Wed, 16 Sep 2020 16:10:53 +0200
1050 Subject: [PATCH 011/142] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon:
1051 make use of netlogon_creds_random_challenge()
1052
1053 This is not strictly needed, but makes things more clear.
1054
1055 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1056
1057 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1058 ---
1059 source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +--
1060 1 file changed, 1 insertion(+), 2 deletions(-)
1061
1062 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1063 index 87613b99fde..86b2f343e82 100644
1064 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1065 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1066 @@ -840,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
1067
1068 pipe_state->client_challenge = *r->in.credentials;
1069
1070 - generate_random_buffer(pipe_state->server_challenge.data,
1071 - sizeof(pipe_state->server_challenge.data));
1072 + netlogon_creds_random_challenge(&pipe_state->server_challenge);
1073
1074 *r->out.return_credentials = pipe_state->server_challenge;
1075
1076 --
1077 2.39.0
1078
1079
1080 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
1081 From: Stefan Metzmacher <metze@samba.org>
1082 Date: Wed, 16 Sep 2020 16:10:53 +0200
1083 Subject: [PATCH 012/142] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon:
1084 make use of netlogon_creds_random_challenge()
1085
1086 This is not strictly needed, but makes things more clear.
1087
1088 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1089
1090 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1091 ---
1092 source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
1093 1 file changed, 1 insertion(+), 2 deletions(-)
1094
1095 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1096 index 023adfd99e9..de260d8051d 100644
1097 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1098 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1099 @@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
1100
1101 pipe_state->client_challenge = *r->in.credentials;
1102
1103 - generate_random_buffer(pipe_state->server_challenge.data,
1104 - sizeof(pipe_state->server_challenge.data));
1105 + netlogon_creds_random_challenge(&pipe_state->server_challenge);
1106
1107 *r->out.return_credentials = pipe_state->server_challenge;
1108
1109 --
1110 2.39.0
1111
1112
1113 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
1114 From: Stefan Metzmacher <metze@samba.org>
1115 Date: Wed, 16 Sep 2020 16:15:26 +0200
1116 Subject: [PATCH 013/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
1117 netlogon_creds_is_random_challenge() to avoid weak values
1118
1119 This is the check Windows is using, so we won't generate challenges,
1120 which are rejected by Windows DCs (and future Samba DCs).
1121
1122 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1123
1124 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1125 ---
1126 libcli/auth/credentials.c | 23 ++++++++++++++++++++++-
1127 libcli/auth/proto.h | 1 +
1128 2 files changed, 23 insertions(+), 1 deletion(-)
1129
1130 diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
1131 index dbbef9e7a3c..64b424c099f 100644
1132 --- a/libcli/auth/credentials.c
1133 +++ b/libcli/auth/credentials.c
1134 @@ -27,10 +27,31 @@
1135 #include "../libcli/security/dom_sid.h"
1136
1137
1138 +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
1139 +{
1140 + /*
1141 + * If none of the first 5 bytes of the client challenge is unique, the
1142 + * server MUST fail session-key negotiation without further processing
1143 + * of the following steps.
1144 + */
1145 +
1146 + if (challenge->data[1] == challenge->data[0] &&
1147 + challenge->data[2] == challenge->data[0] &&
1148 + challenge->data[3] == challenge->data[0] &&
1149 + challenge->data[4] == challenge->data[0])
1150 + {
1151 + return false;
1152 + }
1153 +
1154 + return true;
1155 +}
1156 +
1157 void netlogon_creds_random_challenge(struct netr_Credential *challenge)
1158 {
1159 ZERO_STRUCTP(challenge);
1160 - generate_random_buffer(challenge->data, sizeof(challenge->data));
1161 + while (!netlogon_creds_is_random_challenge(challenge)) {
1162 + generate_random_buffer(challenge->data, sizeof(challenge->data));
1163 + }
1164 }
1165
1166 static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
1167 diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
1168 index 82797d453ed..ad768682b9f 100644
1169 --- a/libcli/auth/proto.h
1170 +++ b/libcli/auth/proto.h
1171 @@ -11,6 +11,7 @@
1172
1173 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
1174
1175 +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
1176 void netlogon_creds_random_challenge(struct netr_Credential *challenge);
1177
1178 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
1179 --
1180 2.39.0
1181
1182
1183 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
1184 From: Stefan Metzmacher <metze@samba.org>
1185 Date: Wed, 16 Sep 2020 16:17:29 +0200
1186 Subject: [PATCH 014/142] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
1187 client challenges in netlogon_creds_server_init()
1188
1189 This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
1190
1191 7. If none of the first 5 bytes of the client challenge is unique, the
1192 server MUST fail session-key negotiation without further processing of
1193 the following steps.
1194
1195 It lets ./zerologon_tester.py from
1196 https://github.com/SecuraBV/CVE-2020-1472.git
1197 report: "Attack failed. Target is probably patched."
1198
1199 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1200
1201 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1202
1203 [dbagnall@samba.org, abartlet@samba.org: wscript_build backport
1204 differs because 4.10 has no gnutls dependency]
1205 ---
1206 libcli/auth/credentials.c | 16 ++++++++++++++++
1207 libcli/auth/wscript_build | 2 +-
1208 2 files changed, 17 insertions(+), 1 deletion(-)
1209
1210 diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
1211 index 64b424c099f..e2bc82809b7 100644
1212 --- a/libcli/auth/credentials.c
1213 +++ b/libcli/auth/credentials.c
1214 @@ -25,6 +25,7 @@
1215 #include "../lib/crypto/crypto.h"
1216 #include "libcli/auth/libcli_auth.h"
1217 #include "../libcli/security/dom_sid.h"
1218 +#include "lib/util/util_str_escape.h"
1219
1220
1221 bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
1222 @@ -451,6 +452,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
1223 {
1224
1225 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
1226 + bool ok;
1227
1228 if (!creds) {
1229 return NULL;
1230 @@ -463,6 +465,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
1231 dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
1232 dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
1233
1234 + ok = netlogon_creds_is_random_challenge(client_challenge);
1235 + if (!ok) {
1236 + DBG_WARNING("CVE-2020-1472(ZeroLogon): "
1237 + "non-random client challenge rejected for "
1238 + "client_account[%s] client_computer_name[%s]\n",
1239 + log_escape(mem_ctx, client_account),
1240 + log_escape(mem_ctx, client_computer_name));
1241 + dump_data(DBGLVL_WARNING,
1242 + client_challenge->data,
1243 + sizeof(client_challenge->data));
1244 + talloc_free(creds);
1245 + return NULL;
1246 + }
1247 +
1248 creds->computer_name = talloc_strdup(creds, client_computer_name);
1249 if (!creds->computer_name) {
1250 talloc_free(creds);
1251 diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
1252 index d319d9b879e..394505d166d 100644
1253 --- a/libcli/auth/wscript_build
1254 +++ b/libcli/auth/wscript_build
1255 @@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
1256
1257 bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
1258 source='credentials.c session.c smbencrypt.c smbdes.c',
1259 - public_deps='MSRPC_PARSE',
1260 + public_deps='MSRPC_PARSE util_str_escape',
1261 public_headers='credentials.h:domain_credentials.h'
1262 )
1263
1264 --
1265 2.39.0
1266
1267
1268 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
1269 From: Stefan Metzmacher <metze@samba.org>
1270 Date: Wed, 16 Sep 2020 19:20:25 +0200
1271 Subject: [PATCH 015/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1272 protect netr_ServerPasswordSet2 against unencrypted passwords
1273
1274 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1275
1276 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1277 ---
1278 source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 ++++++++++++++++++-
1279 1 file changed, 59 insertions(+), 1 deletion(-)
1280
1281 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1282 index de260d8051d..acbf077c6c7 100644
1283 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1284 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1285 @@ -722,7 +722,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
1286 struct NL_PASSWORD_VERSION version = {};
1287 const uint32_t *new_version = NULL;
1288 NTSTATUS nt_status;
1289 - DATA_BLOB new_password;
1290 + DATA_BLOB new_password = data_blob_null;
1291 + size_t confounder_len;
1292 + DATA_BLOB dec_blob = data_blob_null;
1293 + DATA_BLOB enc_blob = data_blob_null;
1294 int ret;
1295 struct samr_CryptPassword password_buf;
1296
1297 @@ -780,6 +783,61 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
1298 return NT_STATUS_WRONG_PASSWORD;
1299 }
1300
1301 + /*
1302 + * Make sure the length field was encrypted,
1303 + * otherwise we are under attack.
1304 + */
1305 + if (new_password.length == r->in.new_password->length) {
1306 + DBG_WARNING("Length[%zu] field not encrypted\n",
1307 + new_password.length);
1308 + return NT_STATUS_WRONG_PASSWORD;
1309 + }
1310 +
1311 + /*
1312 + * We don't allow empty passwords for machine accounts.
1313 + */
1314 + if (new_password.length < 2) {
1315 + DBG_WARNING("Empty password Length[%zu]\n",
1316 + new_password.length);
1317 + return NT_STATUS_WRONG_PASSWORD;
1318 + }
1319 +
1320 + /*
1321 + * Make sure the confounder part of CryptPassword
1322 + * buffer was encrypted, otherwise we are under attack.
1323 + */
1324 + confounder_len = 512 - new_password.length;
1325 + enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1326 + dec_blob = data_blob_const(password_buf.data, confounder_len);
1327 + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1328 + DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1329 + confounder_len);
1330 + return NT_STATUS_WRONG_PASSWORD;
1331 + }
1332 +
1333 + /*
1334 + * Check that the password part was actually encrypted,
1335 + * otherwise we are under attack.
1336 + */
1337 + enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1338 + new_password.length);
1339 + dec_blob = data_blob_const(password_buf.data + confounder_len,
1340 + new_password.length);
1341 + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1342 + DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1343 + new_password.length);
1344 + return NT_STATUS_WRONG_PASSWORD;
1345 + }
1346 +
1347 + /*
1348 + * don't allow zero buffers
1349 + */
1350 + if (all_zero(new_password.data, new_password.length)) {
1351 + DBG_WARNING("Password zero buffer Length[%zu]\n",
1352 + new_password.length);
1353 + return NT_STATUS_WRONG_PASSWORD;
1354 + }
1355 +
1356 /* fetch the old password hashes (at least one of both has to exist) */
1357
1358 ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
1359 --
1360 2.39.0
1361
1362
1363 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
1364 From: Jeremy Allison <jra@samba.org>
1365 Date: Wed, 16 Sep 2020 12:53:50 -0700
1366 Subject: [PATCH 016/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1367 protect netr_ServerPasswordSet2 against unencrypted passwords
1368
1369 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1370
1371 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1372
1373 Signed-off-by: Jeremy Allison <jra@samba.org>
1374 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1375 ---
1376 source3/rpc_server/netlogon/srv_netlog_nt.c | 98 +++++++++++++++++++--
1377 1 file changed, 92 insertions(+), 6 deletions(-)
1378
1379 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1380 index 86b2f343e82..fd9127b386f 100644
1381 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1382 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1383 @@ -1326,9 +1326,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1384 {
1385 NTSTATUS status;
1386 struct netlogon_creds_CredentialState *creds = NULL;
1387 - DATA_BLOB plaintext;
1388 + DATA_BLOB plaintext = data_blob_null;
1389 + DATA_BLOB new_password = data_blob_null;
1390 + size_t confounder_len;
1391 + DATA_BLOB dec_blob = data_blob_null;
1392 + DATA_BLOB enc_blob = data_blob_null;
1393 struct samr_CryptPassword password_buf;
1394 struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
1395 + bool ok;
1396
1397 become_root();
1398 status = netr_creds_server_step_check(p, p->mem_ctx,
1399 @@ -1364,18 +1369,99 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1400 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1401 }
1402
1403 - if (!decode_pw_buffer(p->mem_ctx,
1404 - password_buf.data,
1405 - (char**) &plaintext.data,
1406 - &plaintext.length,
1407 - CH_UTF16)) {
1408 + if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
1409 DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
1410 "from a buffer. Rejecting auth request as a wrong password\n"));
1411 TALLOC_FREE(creds);
1412 return NT_STATUS_WRONG_PASSWORD;
1413 }
1414
1415 + /*
1416 + * Make sure the length field was encrypted,
1417 + * otherwise we are under attack.
1418 + */
1419 + if (new_password.length == r->in.new_password->length) {
1420 + DBG_WARNING("Length[%zu] field not encrypted\n",
1421 + new_password.length);
1422 + TALLOC_FREE(creds);
1423 + return NT_STATUS_WRONG_PASSWORD;
1424 + }
1425 +
1426 + /*
1427 + * We don't allow empty passwords for machine accounts.
1428 + */
1429 + if (new_password.length < 2) {
1430 + DBG_WARNING("Empty password Length[%zu]\n",
1431 + new_password.length);
1432 + TALLOC_FREE(creds);
1433 + return NT_STATUS_WRONG_PASSWORD;
1434 + }
1435 +
1436 + /*
1437 + * Make sure the confounder part of CryptPassword
1438 + * buffer was encrypted, otherwise we are under attack.
1439 + */
1440 + confounder_len = 512 - new_password.length;
1441 + enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1442 + dec_blob = data_blob_const(password_buf.data, confounder_len);
1443 + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1444 + DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1445 + confounder_len);
1446 + TALLOC_FREE(creds);
1447 + return NT_STATUS_WRONG_PASSWORD;
1448 + }
1449 +
1450 + /*
1451 + * Check that the password part was actually encrypted,
1452 + * otherwise we are under attack.
1453 + */
1454 + enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1455 + new_password.length);
1456 + dec_blob = data_blob_const(password_buf.data + confounder_len,
1457 + new_password.length);
1458 + if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1459 + DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1460 + new_password.length);
1461 + TALLOC_FREE(creds);
1462 + return NT_STATUS_WRONG_PASSWORD;
1463 + }
1464 +
1465 + /*
1466 + * don't allow zero buffers
1467 + */
1468 + if (all_zero(new_password.data, new_password.length)) {
1469 + DBG_WARNING("Password zero buffer Length[%zu]\n",
1470 + new_password.length);
1471 + TALLOC_FREE(creds);
1472 + return NT_STATUS_WRONG_PASSWORD;
1473 + }
1474 +
1475 + /* Convert from UTF16 -> plaintext. */
1476 + ok = convert_string_talloc(p->mem_ctx,
1477 + CH_UTF16,
1478 + CH_UNIX,
1479 + new_password.data,
1480 + new_password.length,
1481 + (void *)&plaintext.data,
1482 + &plaintext.length);
1483 + if (!ok) {
1484 + DBG_WARNING("unable to extract password from a buffer. "
1485 + "Rejecting auth request as a wrong password\n");
1486 + TALLOC_FREE(creds);
1487 + return NT_STATUS_WRONG_PASSWORD;
1488 + }
1489 +
1490 + /*
1491 + * We don't allow empty passwords for machine accounts.
1492 + */
1493 +
1494 cr.creds.password = (const char*) plaintext.data;
1495 + if (strlen(cr.creds.password) == 0) {
1496 + DBG_WARNING("Empty plaintext password\n");
1497 + TALLOC_FREE(creds);
1498 + return NT_STATUS_WRONG_PASSWORD;
1499 + }
1500 +
1501 status = netr_set_machine_account_password(p->mem_ctx,
1502 p->session_info,
1503 p->msg_ctx,
1504 --
1505 2.39.0
1506
1507
1508 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
1509 From: Stefan Metzmacher <metze@samba.org>
1510 Date: Wed, 16 Sep 2020 10:18:45 +0200
1511 Subject: [PATCH 017/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1512 refactor dcesrv_netr_creds_server_step_check()
1513
1514 We should debug more details about the failing request.
1515
1516 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1517
1518 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1519 ---
1520 source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++-----
1521 1 file changed, 33 insertions(+), 12 deletions(-)
1522
1523 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1524 index acbf077c6c7..b4326a4ecaa 100644
1525 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1526 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1527 @@ -623,26 +623,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1528 NTSTATUS nt_status;
1529 int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1530 bool schannel_global_required = (schannel == true);
1531 + struct netlogon_creds_CredentialState *creds = NULL;
1532 + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1533 + uint16_t opnum = dce_call->pkt.u.request.opnum;
1534 + const char *opname = "<unknown>";
1535
1536 - if (schannel_global_required) {
1537 - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1538 -
1539 - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
1540 -
1541 - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1542 - DBG_ERR("[%s] is not using schannel\n",
1543 - computer_name);
1544 - return NT_STATUS_ACCESS_DENIED;
1545 - }
1546 + if (opnum < ndr_table_netlogon.num_calls) {
1547 + opname = ndr_table_netlogon.calls[opnum].name;
1548 }
1549
1550 + dcesrv_call_auth_info(dce_call, &auth_type, NULL);
1551 +
1552 nt_status = schannel_check_creds_state(mem_ctx,
1553 dce_call->conn->dce_ctx->lp_ctx,
1554 computer_name,
1555 received_authenticator,
1556 return_authenticator,
1557 - creds_out);
1558 - return nt_status;
1559 + &creds);
1560 + if (!NT_STATUS_IS_OK(nt_status)) {
1561 + ZERO_STRUCTP(return_authenticator);
1562 + return nt_status;
1563 + }
1564 +
1565 + if (schannel_global_required) {
1566 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1567 + *creds_out = creds;
1568 + return NT_STATUS_OK;
1569 + }
1570 +
1571 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1572 + "%s request (opnum[%u]) without schannel from "
1573 + "client_account[%s] client_computer_name[%s]\n",
1574 + opname, opnum,
1575 + log_escape(mem_ctx, creds->account_name),
1576 + log_escape(mem_ctx, creds->computer_name));
1577 + TALLOC_FREE(creds);
1578 + ZERO_STRUCTP(return_authenticator);
1579 + return NT_STATUS_ACCESS_DENIED;
1580 + }
1581 +
1582 + *creds_out = creds;
1583 + return NT_STATUS_OK;
1584 }
1585
1586 /*
1587 --
1588 2.39.0
1589
1590
1591 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
1592 From: Stefan Metzmacher <metze@samba.org>
1593 Date: Wed, 16 Sep 2020 10:56:53 +0200
1594 Subject: [PATCH 018/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
1595 support "server require schannel:WORKSTATION$ = no"
1596
1597 This allows to add expections for individual workstations, when using "server schannel = yes".
1598 "server schannel = auto" is very insecure and will be removed soon.
1599
1600 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1601
1602 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1603 ---
1604 source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++-
1605 1 file changed, 8 insertions(+), 1 deletion(-)
1606
1607 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1608 index b4326a4ecaa..e7bafb31e83 100644
1609 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1610 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1611 @@ -623,6 +623,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1612 NTSTATUS nt_status;
1613 int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1614 bool schannel_global_required = (schannel == true);
1615 + bool schannel_required = schannel_global_required;
1616 struct netlogon_creds_CredentialState *creds = NULL;
1617 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1618 uint16_t opnum = dce_call->pkt.u.request.opnum;
1619 @@ -645,7 +646,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1620 return nt_status;
1621 }
1622
1623 - if (schannel_global_required) {
1624 + schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
1625 + NULL,
1626 + "server require schannel",
1627 + creds->account_name,
1628 + schannel_global_required);
1629 +
1630 + if (schannel_required) {
1631 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1632 *creds_out = creds;
1633 return NT_STATUS_OK;
1634 --
1635 2.39.0
1636
1637
1638 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
1639 From: Stefan Metzmacher <metze@samba.org>
1640 Date: Thu, 17 Sep 2020 13:37:26 +0200
1641 Subject: [PATCH 019/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
1642 warnings about unsecure configurations
1643 MIME-Version: 1.0
1644 Content-Type: text/plain; charset=UTF-8
1645 Content-Transfer-Encoding: 8bit
1646
1647 This should give admins wawrnings until they have a secure
1648 configuration.
1649
1650 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1651
1652 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1653 Reviewed-by: Ralph Boehme <slow@samba.org>
1654 Reviewed-by: Günther Deschner <gd@samba.org>
1655 ---
1656 source4/rpc_server/netlogon/dcerpc_netlogon.c | 66 ++++++++++++++++++-
1657 1 file changed, 63 insertions(+), 3 deletions(-)
1658
1659 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1660 index e7bafb31e83..7668a9eb923 100644
1661 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
1662 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
1663 @@ -624,10 +624,12 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1664 int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
1665 bool schannel_global_required = (schannel == true);
1666 bool schannel_required = schannel_global_required;
1667 + const char *explicit_opt = NULL;
1668 struct netlogon_creds_CredentialState *creds = NULL;
1669 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1670 uint16_t opnum = dce_call->pkt.u.request.opnum;
1671 const char *opname = "<unknown>";
1672 + static bool warned_global_once = false;
1673
1674 if (opnum < ndr_table_netlogon.num_calls) {
1675 opname = ndr_table_netlogon.calls[opnum].name;
1676 @@ -646,11 +648,18 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1677 return nt_status;
1678 }
1679
1680 - schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
1681 + /*
1682 + * We don't use lpcfg_parm_bool(), as we
1683 + * need the explicit_opt pointer in order to
1684 + * adjust the debug messages.
1685 + */
1686 + explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
1687 NULL,
1688 "server require schannel",
1689 - creds->account_name,
1690 - schannel_global_required);
1691 + creds->account_name);
1692 + if (explicit_opt != NULL) {
1693 + schannel_required = lp_bool(explicit_opt);
1694 + }
1695
1696 if (schannel_required) {
1697 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1698 @@ -664,11 +673,62 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
1699 opname, opnum,
1700 log_escape(mem_ctx, creds->account_name),
1701 log_escape(mem_ctx, creds->computer_name));
1702 + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1703 + "'server require schannel:%s = no' is needed! \n",
1704 + log_escape(mem_ctx, creds->account_name));
1705 TALLOC_FREE(creds);
1706 ZERO_STRUCTP(return_authenticator);
1707 return NT_STATUS_ACCESS_DENIED;
1708 }
1709
1710 + if (!schannel_global_required && !warned_global_once) {
1711 + /*
1712 + * We want admins to notice their misconfiguration!
1713 + */
1714 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1715 + "Please configure 'server schannel = yes', "
1716 + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
1717 + warned_global_once = true;
1718 + }
1719 +
1720 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1721 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1722 + "%s request (opnum[%u]) WITH schannel from "
1723 + "client_account[%s] client_computer_name[%s]\n",
1724 + opname, opnum,
1725 + log_escape(mem_ctx, creds->account_name),
1726 + log_escape(mem_ctx, creds->computer_name));
1727 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1728 + "Option 'server require schannel:%s = no' not needed!?\n",
1729 + log_escape(mem_ctx, creds->account_name));
1730 +
1731 + *creds_out = creds;
1732 + return NT_STATUS_OK;
1733 + }
1734 +
1735 +
1736 + if (explicit_opt != NULL) {
1737 + DBG_INFO("CVE-2020-1472(ZeroLogon): "
1738 + "%s request (opnum[%u]) without schannel from "
1739 + "client_account[%s] client_computer_name[%s]\n",
1740 + opname, opnum,
1741 + log_escape(mem_ctx, creds->account_name),
1742 + log_escape(mem_ctx, creds->computer_name));
1743 + DBG_INFO("CVE-2020-1472(ZeroLogon): "
1744 + "Option 'server require schannel:%s = no' still needed!\n",
1745 + log_escape(mem_ctx, creds->account_name));
1746 + } else {
1747 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1748 + "%s request (opnum[%u]) without schannel from "
1749 + "client_account[%s] client_computer_name[%s]\n",
1750 + opname, opnum,
1751 + log_escape(mem_ctx, creds->account_name),
1752 + log_escape(mem_ctx, creds->computer_name));
1753 + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1754 + "'server require schannel:%s = no' might be needed!\n",
1755 + log_escape(mem_ctx, creds->account_name));
1756 + }
1757 +
1758 *creds_out = creds;
1759 return NT_STATUS_OK;
1760 }
1761 --
1762 2.39.0
1763
1764
1765 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
1766 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1767 Date: Thu, 17 Sep 2020 14:57:22 +0200
1768 Subject: [PATCH 020/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1769 refactor dcesrv_netr_creds_server_step_check()
1770 MIME-Version: 1.0
1771 Content-Type: text/plain; charset=UTF-8
1772 Content-Transfer-Encoding: 8bit
1773
1774 We should debug more details about the failing request.
1775
1776 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1777
1778 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1779
1780 Signed-off-by: Günther Deschner <gd@samba.org>
1781 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1782 ---
1783 source3/rpc_server/netlogon/srv_netlog_nt.c | 43 +++++++++++++++++----
1784 1 file changed, 35 insertions(+), 8 deletions(-)
1785
1786 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1787 index fd9127b386f..8541571b459 100644
1788 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1789 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1790 @@ -48,6 +48,7 @@
1791 #include "../lib/tsocket/tsocket.h"
1792 #include "lib/param/param.h"
1793 #include "libsmb/dsgetdcname.h"
1794 +#include "lib/util/util_str_escape.h"
1795
1796 extern userdom_struct current_user_info;
1797
1798 @@ -1073,19 +1074,21 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1799 NTSTATUS status;
1800 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1801 struct loadparm_context *lp_ctx;
1802 + struct netlogon_creds_CredentialState *creds = NULL;
1803 + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1804 + uint16_t opnum = p->opnum;
1805 + const char *opname = "<unknown>";
1806
1807 if (creds_out != NULL) {
1808 *creds_out = NULL;
1809 }
1810
1811 - if (schannel_global_required) {
1812 - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1813 - DBG_ERR("[%s] is not using schannel\n",
1814 - computer_name);
1815 - return NT_STATUS_ACCESS_DENIED;
1816 - }
1817 + if (opnum < ndr_table_netlogon.num_calls) {
1818 + opname = ndr_table_netlogon.calls[opnum].name;
1819 }
1820
1821 + auth_type = p->auth.auth_type;
1822 +
1823 lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
1824 if (lp_ctx == NULL) {
1825 DEBUG(0, ("loadparm_init_s3 failed\n"));
1826 @@ -1094,9 +1097,33 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1827
1828 status = schannel_check_creds_state(mem_ctx, lp_ctx,
1829 computer_name, received_authenticator,
1830 - return_authenticator, creds_out);
1831 + return_authenticator, &creds);
1832 talloc_unlink(mem_ctx, lp_ctx);
1833 - return status;
1834 +
1835 + if (!NT_STATUS_IS_OK(status)) {
1836 + ZERO_STRUCTP(return_authenticator);
1837 + return status;
1838 + }
1839 +
1840 + if (schannel_global_required) {
1841 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1842 + *creds_out = creds;
1843 + return NT_STATUS_OK;
1844 + }
1845 +
1846 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1847 + "%s request (opnum[%u]) without schannel from "
1848 + "client_account[%s] client_computer_name[%s]\n",
1849 + opname, opnum,
1850 + log_escape(mem_ctx, creds->account_name),
1851 + log_escape(mem_ctx, creds->computer_name));
1852 + TALLOC_FREE(creds);
1853 + ZERO_STRUCTP(return_authenticator);
1854 + return NT_STATUS_ACCESS_DENIED;
1855 + }
1856 +
1857 + *creds_out = creds;
1858 + return NT_STATUS_OK;
1859 }
1860
1861
1862 --
1863 2.39.0
1864
1865
1866 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
1867 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1868 Date: Thu, 17 Sep 2020 14:23:16 +0200
1869 Subject: [PATCH 021/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
1870 support "server require schannel:WORKSTATION$ = no"
1871 MIME-Version: 1.0
1872 Content-Type: text/plain; charset=UTF-8
1873 Content-Transfer-Encoding: 8bit
1874
1875 This allows to add expections for individual workstations, when using "server schannel = yes".
1876 "server schannel = auto" is very insecure and will be removed soon.
1877
1878 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1879
1880 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1881
1882 Signed-off-by: Günther Deschner <gd@samba.org>
1883 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1884 ---
1885 source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
1886 1 file changed, 6 insertions(+), 1 deletion(-)
1887
1888 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1889 index 8541571b459..f9b10103bd5 100644
1890 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1891 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1892 @@ -1073,6 +1073,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1893 {
1894 NTSTATUS status;
1895 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1896 + bool schannel_required = schannel_global_required;
1897 struct loadparm_context *lp_ctx;
1898 struct netlogon_creds_CredentialState *creds = NULL;
1899 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1900 @@ -1105,7 +1106,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1901 return status;
1902 }
1903
1904 - if (schannel_global_required) {
1905 + schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
1906 + "server require schannel",
1907 + creds->account_name,
1908 + schannel_global_required);
1909 + if (schannel_required) {
1910 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1911 *creds_out = creds;
1912 return NT_STATUS_OK;
1913 --
1914 2.39.0
1915
1916
1917 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
1918 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1919 Date: Thu, 17 Sep 2020 14:42:52 +0200
1920 Subject: [PATCH 022/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
1921 warnings about unsecure configurations
1922 MIME-Version: 1.0
1923 Content-Type: text/plain; charset=UTF-8
1924 Content-Transfer-Encoding: 8bit
1925
1926 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
1927
1928 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1929
1930 Signed-off-by: Günther Deschner <gd@samba.org>
1931 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1932 ---
1933 source3/rpc_server/netlogon/srv_netlog_nt.c | 70 +++++++++++++++++++--
1934 1 file changed, 66 insertions(+), 4 deletions(-)
1935
1936 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1937 index f9b10103bd5..7f6704adbda 100644
1938 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1939 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1940 @@ -1074,11 +1074,13 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1941 NTSTATUS status;
1942 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1943 bool schannel_required = schannel_global_required;
1944 + const char *explicit_opt = NULL;
1945 struct loadparm_context *lp_ctx;
1946 struct netlogon_creds_CredentialState *creds = NULL;
1947 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1948 uint16_t opnum = p->opnum;
1949 const char *opname = "<unknown>";
1950 + static bool warned_global_once = false;
1951
1952 if (creds_out != NULL) {
1953 *creds_out = NULL;
1954 @@ -1106,10 +1108,20 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1955 return status;
1956 }
1957
1958 - schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
1959 - "server require schannel",
1960 - creds->account_name,
1961 - schannel_global_required);
1962 + /*
1963 + * We don't use lp_parm_bool(), as we
1964 + * need the explicit_opt pointer in order to
1965 + * adjust the debug messages.
1966 + */
1967 +
1968 + explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
1969 + "server require schannel",
1970 + creds->account_name,
1971 + NULL);
1972 + if (explicit_opt != NULL) {
1973 + schannel_required = lp_bool(explicit_opt);
1974 + }
1975 +
1976 if (schannel_required) {
1977 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1978 *creds_out = creds;
1979 @@ -1122,11 +1134,61 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1980 opname, opnum,
1981 log_escape(mem_ctx, creds->account_name),
1982 log_escape(mem_ctx, creds->computer_name));
1983 + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1984 + "'server require schannel:%s = no' is needed! \n",
1985 + log_escape(mem_ctx, creds->account_name));
1986 TALLOC_FREE(creds);
1987 ZERO_STRUCTP(return_authenticator);
1988 return NT_STATUS_ACCESS_DENIED;
1989 }
1990
1991 + if (!schannel_global_required && !warned_global_once) {
1992 + /*
1993 + * We want admins to notice their misconfiguration!
1994 + */
1995 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
1996 + "Please configure 'server schannel = yes', "
1997 + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
1998 + warned_global_once = true;
1999 + }
2000 +
2001 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
2002 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2003 + "%s request (opnum[%u]) WITH schannel from "
2004 + "client_account[%s] client_computer_name[%s]\n",
2005 + opname, opnum,
2006 + log_escape(mem_ctx, creds->account_name),
2007 + log_escape(mem_ctx, creds->computer_name));
2008 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2009 + "Option 'server require schannel:%s = no' not needed!?\n",
2010 + log_escape(mem_ctx, creds->account_name));
2011 +
2012 + *creds_out = creds;
2013 + return NT_STATUS_OK;
2014 + }
2015 +
2016 + if (explicit_opt != NULL) {
2017 + DBG_INFO("CVE-2020-1472(ZeroLogon): "
2018 + "%s request (opnum[%u]) without schannel from "
2019 + "client_account[%s] client_computer_name[%s]\n",
2020 + opname, opnum,
2021 + log_escape(mem_ctx, creds->account_name),
2022 + log_escape(mem_ctx, creds->computer_name));
2023 + DBG_INFO("CVE-2020-1472(ZeroLogon): "
2024 + "Option 'server require schannel:%s = no' still needed!\n",
2025 + log_escape(mem_ctx, creds->account_name));
2026 + } else {
2027 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
2028 + "%s request (opnum[%u]) without schannel from "
2029 + "client_account[%s] client_computer_name[%s]\n",
2030 + opname, opnum,
2031 + log_escape(mem_ctx, creds->account_name),
2032 + log_escape(mem_ctx, creds->computer_name));
2033 + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
2034 + "'server require schannel:%s = no' might be needed!\n",
2035 + log_escape(mem_ctx, creds->account_name));
2036 + }
2037 +
2038 *creds_out = creds;
2039 return NT_STATUS_OK;
2040 }
2041 --
2042 2.39.0
2043
2044
2045 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
2046 From: Stefan Metzmacher <metze@samba.org>
2047 Date: Thu, 17 Sep 2020 17:27:54 +0200
2048 Subject: [PATCH 023/142] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
2049 require schannel:COMPUTERACCOUNT'
2050
2051 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2052
2053 Signed-off-by: Stefan Metzmacher <metze@samba.org>
2054 ---
2055 .../smbdotconf/security/serverschannel.xml | 69 +++++++++++++++----
2056 1 file changed, 54 insertions(+), 15 deletions(-)
2057
2058 diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
2059 index 489492d79b1..b682d086f76 100644
2060 --- a/docs-xml/smbdotconf/security/serverschannel.xml
2061 +++ b/docs-xml/smbdotconf/security/serverschannel.xml
2062 @@ -7,26 +7,65 @@
2063 <description>
2064
2065 <para>
2066 - This option is deprecated with Samba 4.8 and will be removed in future.
2067 - At the same time the default changed to yes, which will be the
2068 - hardcoded behavior in future. If you have the need for the behavior of "auto"
2069 - to be kept, please file a bug at https://bugzilla.samba.org.
2070 + This option is deprecated and will be removed in future,
2071 + as it is a security problem if not set to "yes" (which will be
2072 + the hardcoded behavior in future).
2073 </para>
2074
2075 <para>
2076 - This controls whether the server offers or even demands the use of the netlogon schannel.
2077 - <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
2078 - name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
2079 - name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
2080 - This is only the case for Windows NT4 before SP4.
2081 - </para>
2082 -
2083 + Samba will complain in the log files at log level 0,
2084 + about the security problem if the option is not set to "yes".
2085 + </para>
2086 <para>
2087 - Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP
2088 - <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
2089 - </para>
2090 + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
2091 + </para>
2092 +
2093 + <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
2094 + </para>
2095 +
2096 + <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
2097 +
2098 </description>
2099
2100 <value type="default">yes</value>
2101 -<value type="example">auto</value>
2102 +</samba:parameter>
2103 +
2104 +<samba:parameter name="server require schannel:COMPUTERACCOUNT"
2105 + context="G"
2106 + type="string"
2107 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
2108 +<description>
2109 +
2110 + <para>If you still have legacy domain members, which required "server schannel = auto" before,
2111 + it is possible to specify explicit expection per computer account
2112 + by using 'server require schannel:COMPUTERACCOUNT = no' as option.
2113 + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
2114 + the computer account (including the trailing '$' sign).
2115 + </para>
2116 +
2117 + <para>
2118 + Samba will complain in the log files at log level 0,
2119 + about the security problem if the option is not set to "no",
2120 + but the related computer is actually using the netlogon
2121 + secure channel (schannel) feature.
2122 + </para>
2123 +
2124 + <para>
2125 + Samba will warn in the log files at log level 5,
2126 + if a setting is still needed for the specified computer account.
2127 + </para>
2128 +
2129 + <para>
2130 + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
2131 + </para>
2132 +
2133 + <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
2134 +
2135 + <programlisting>
2136 + server require schannel:LEGACYCOMPUTER1$ = no
2137 + server require schannel:NASBOX$ = no
2138 + server require schannel:LEGACYCOMPUTER2$ = no
2139 + </programlisting>
2140 +</description>
2141 +
2142 </samba:parameter>
2143 --
2144 2.39.0
2145
2146
2147 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
2148 From: Gary Lockyer <gary@catalyst.net.nz>
2149 Date: Fri, 18 Sep 2020 12:39:54 +1200
2150 Subject: [PATCH 024/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
2151 machine acct pwd
2152
2153 Ensure that an empty machine account password can't be set by
2154 netr_ServerPasswordSet2
2155
2156 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2157
2158 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2159 ---
2160 source4/torture/rpc/netlogon.c | 64 +++++++++++++++-------------------
2161 1 file changed, 29 insertions(+), 35 deletions(-)
2162
2163 diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
2164 index e11014922f8..0ba45f0c1da 100644
2165 --- a/source4/torture/rpc/netlogon.c
2166 +++ b/source4/torture/rpc/netlogon.c
2167 @@ -719,45 +719,39 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
2168
2169 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
2170
2171 - if (!torture_setting_bool(tctx, "dangerous", false)) {
2172 - torture_comment(tctx,
2173 - "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
2174 + /*
2175 + * As a consequence of CVE-2020-1472(ZeroLogon)
2176 + * Samba explicitly disallows the setting of an empty machine account
2177 + * password.
2178 + *
2179 + * Note that this may fail against Windows, and leave a machine account
2180 + * with an empty password.
2181 + */
2182 + password = "";
2183 + encode_pw_buffer(password_buf.data, password, STR_UNICODE);
2184 + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
2185 + netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
2186 } else {
2187 - /* by changing the machine password to ""
2188 - * we check if the server uses password restrictions
2189 - * for ServerPasswordSet2
2190 - * (win2k3 accepts "")
2191 - */
2192 - password = "";
2193 - encode_pw_buffer(password_buf.data, password, STR_UNICODE);
2194 - if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
2195 - netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
2196 - } else {
2197 - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
2198 - }
2199 - memcpy(new_password.data, password_buf.data, 512);
2200 - new_password.length = IVAL(password_buf.data, 512);
2201 -
2202 - torture_comment(tctx,
2203 - "Testing ServerPasswordSet2 on machine account\n");
2204 - torture_comment(tctx,
2205 - "Changing machine account password to '%s'\n", password);
2206 -
2207 - netlogon_creds_client_authenticator(creds, &credential);
2208 -
2209 - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
2210 - "ServerPasswordSet2 failed");
2211 - torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
2212 + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
2213 + }
2214 + memcpy(new_password.data, password_buf.data, 512);
2215 + new_password.length = IVAL(password_buf.data, 512);
2216
2217 - if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
2218 - torture_comment(tctx, "Credential chaining failed\n");
2219 - }
2220 + torture_comment(tctx,
2221 + "Testing ServerPasswordSet2 on machine account\n");
2222 + torture_comment(tctx,
2223 + "Changing machine account password to '%s'\n", password);
2224
2225 - cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
2226 - }
2227 + netlogon_creds_client_authenticator(creds, &credential);
2228
2229 - torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
2230 - "ServerPasswordSet failed to actually change the password");
2231 + torture_assert_ntstatus_ok(
2232 + tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
2233 + "ServerPasswordSet2 failed");
2234 + torture_assert_ntstatus_equal(
2235 + tctx,
2236 + r.out.result,
2237 + NT_STATUS_WRONG_PASSWORD,
2238 + "ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD");
2239
2240 /* now try a random password */
2241 password = generate_random_password(tctx, 8, 255);
2242 --
2243 2.39.0
2244
2245
2246 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
2247 From: Gary Lockyer <gary@catalyst.net.nz>
2248 Date: Fri, 18 Sep 2020 15:57:34 +1200
2249 Subject: [PATCH 025/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
2250 bytes in client challenge
2251
2252 Ensure that client challenges with the first 5 bytes identical are
2253 rejected.
2254
2255 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2256
2257 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2258
2259 [abartlet@samba.org: backported from master as test order was flipped]
2260 ---
2261 source4/torture/rpc/netlogon.c | 335 +++++++++++++++++++++++++++++++++
2262 1 file changed, 335 insertions(+)
2263
2264 diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
2265 index 0ba45f0c1da..97c16688bc9 100644
2266 --- a/source4/torture/rpc/netlogon.c
2267 +++ b/source4/torture/rpc/netlogon.c
2268 @@ -480,6 +480,325 @@ bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
2269 return true;
2270 }
2271
2272 +static bool test_ServerReqChallenge(
2273 + struct torture_context *tctx,
2274 + struct dcerpc_pipe *p,
2275 + struct cli_credentials *credentials)
2276 +{
2277 + struct netr_ServerReqChallenge r;
2278 + struct netr_Credential credentials1, credentials2, credentials3;
2279 + const char *machine_name;
2280 + struct dcerpc_binding_handle *b = p->binding_handle;
2281 + struct netr_ServerAuthenticate2 a;
2282 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2283 + uint32_t out_negotiate_flags = 0;
2284 + const struct samr_Password *mach_password = NULL;
2285 + enum netr_SchannelType sec_chan_type = 0;
2286 + struct netlogon_creds_CredentialState *creds = NULL;
2287 + const char *account_name = NULL;
2288 +
2289 + machine_name = cli_credentials_get_workstation(credentials);
2290 + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2291 + account_name = cli_credentials_get_username(credentials);
2292 + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2293 +
2294 + torture_comment(tctx, "Testing ServerReqChallenge\n");
2295 +
2296 + r.in.server_name = NULL;
2297 + r.in.computer_name = machine_name;
2298 + r.in.credentials = &credentials1;
2299 + r.out.return_credentials = &credentials2;
2300 +
2301 + netlogon_creds_random_challenge(&credentials1);
2302 +
2303 + torture_assert_ntstatus_ok(
2304 + tctx,
2305 + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2306 + "ServerReqChallenge failed");
2307 + torture_assert_ntstatus_ok(
2308 + tctx,
2309 + r.out.result,
2310 + "ServerReqChallenge failed");
2311 + a.in.server_name = NULL;
2312 + a.in.account_name = account_name;
2313 + a.in.secure_channel_type = sec_chan_type;
2314 + a.in.computer_name = machine_name;
2315 + a.in.negotiate_flags = &in_negotiate_flags;
2316 + a.out.negotiate_flags = &out_negotiate_flags;
2317 + a.in.credentials = &credentials3;
2318 + a.out.return_credentials = &credentials3;
2319 +
2320 + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2321 + a.in.computer_name,
2322 + a.in.secure_channel_type,
2323 + &credentials1, &credentials2,
2324 + mach_password, &credentials3,
2325 + in_negotiate_flags);
2326 +
2327 + torture_assert(tctx, creds != NULL, "memory allocation");
2328 +
2329 + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2330 +
2331 + torture_assert_ntstatus_ok(
2332 + tctx,
2333 + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2334 + "ServerAuthenticate2 failed");
2335 + torture_assert_ntstatus_equal(
2336 + tctx,
2337 + a.out.result,
2338 + NT_STATUS_OK,
2339 + "ServerAuthenticate2 unexpected");
2340 +
2341 + return true;
2342 +}
2343 +
2344 +static bool test_ServerReqChallenge_zero_challenge(
2345 + struct torture_context *tctx,
2346 + struct dcerpc_pipe *p,
2347 + struct cli_credentials *credentials)
2348 +{
2349 + struct netr_ServerReqChallenge r;
2350 + struct netr_Credential credentials1, credentials2, credentials3;
2351 + const char *machine_name;
2352 + struct dcerpc_binding_handle *b = p->binding_handle;
2353 + struct netr_ServerAuthenticate2 a;
2354 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2355 + uint32_t out_negotiate_flags = 0;
2356 + const struct samr_Password *mach_password = NULL;
2357 + enum netr_SchannelType sec_chan_type = 0;
2358 + struct netlogon_creds_CredentialState *creds = NULL;
2359 + const char *account_name = NULL;
2360 +
2361 + machine_name = cli_credentials_get_workstation(credentials);
2362 + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2363 + account_name = cli_credentials_get_username(credentials);
2364 + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2365 +
2366 + torture_comment(tctx, "Testing ServerReqChallenge\n");
2367 +
2368 + r.in.server_name = NULL;
2369 + r.in.computer_name = machine_name;
2370 + r.in.credentials = &credentials1;
2371 + r.out.return_credentials = &credentials2;
2372 +
2373 + /*
2374 + * Set the client challenge to zero, this should fail
2375 + * CVE-2020-1472(ZeroLogon)
2376 + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2377 + */
2378 + ZERO_STRUCT(credentials1);
2379 +
2380 + torture_assert_ntstatus_ok(
2381 + tctx,
2382 + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2383 + "ServerReqChallenge failed");
2384 + torture_assert_ntstatus_ok(
2385 + tctx,
2386 + r.out.result,
2387 + "ServerReqChallenge failed");
2388 + a.in.server_name = NULL;
2389 + a.in.account_name = account_name;
2390 + a.in.secure_channel_type = sec_chan_type;
2391 + a.in.computer_name = machine_name;
2392 + a.in.negotiate_flags = &in_negotiate_flags;
2393 + a.out.negotiate_flags = &out_negotiate_flags;
2394 + a.in.credentials = &credentials3;
2395 + a.out.return_credentials = &credentials3;
2396 +
2397 + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2398 + a.in.computer_name,
2399 + a.in.secure_channel_type,
2400 + &credentials1, &credentials2,
2401 + mach_password, &credentials3,
2402 + in_negotiate_flags);
2403 +
2404 + torture_assert(tctx, creds != NULL, "memory allocation");
2405 +
2406 + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2407 +
2408 + torture_assert_ntstatus_ok(
2409 + tctx,
2410 + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2411 + "ServerAuthenticate2 failed");
2412 + torture_assert_ntstatus_equal(
2413 + tctx,
2414 + a.out.result,
2415 + NT_STATUS_ACCESS_DENIED,
2416 + "ServerAuthenticate2 unexpected");
2417 +
2418 + return true;
2419 +}
2420 +
2421 +static bool test_ServerReqChallenge_5_repeats(
2422 + struct torture_context *tctx,
2423 + struct dcerpc_pipe *p,
2424 + struct cli_credentials *credentials)
2425 +{
2426 + struct netr_ServerReqChallenge r;
2427 + struct netr_Credential credentials1, credentials2, credentials3;
2428 + const char *machine_name;
2429 + struct dcerpc_binding_handle *b = p->binding_handle;
2430 + struct netr_ServerAuthenticate2 a;
2431 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2432 + uint32_t out_negotiate_flags = 0;
2433 + const struct samr_Password *mach_password = NULL;
2434 + enum netr_SchannelType sec_chan_type = 0;
2435 + struct netlogon_creds_CredentialState *creds = NULL;
2436 + const char *account_name = NULL;
2437 +
2438 + machine_name = cli_credentials_get_workstation(credentials);
2439 + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2440 + account_name = cli_credentials_get_username(credentials);
2441 + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2442 +
2443 + torture_comment(tctx, "Testing ServerReqChallenge\n");
2444 +
2445 + r.in.server_name = NULL;
2446 + r.in.computer_name = machine_name;
2447 + r.in.credentials = &credentials1;
2448 + r.out.return_credentials = &credentials2;
2449 +
2450 + /*
2451 + * Set the first 5 bytes of the client challenge to the same value,
2452 + * this should fail CVE-2020-1472(ZeroLogon)
2453 + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2454 + */
2455 + credentials1.data[0] = 'A';
2456 + credentials1.data[1] = 'A';
2457 + credentials1.data[2] = 'A';
2458 + credentials1.data[3] = 'A';
2459 + credentials1.data[4] = 'A';
2460 + credentials1.data[5] = 'B';
2461 + credentials1.data[6] = 'C';
2462 + credentials1.data[7] = 'D';
2463 +
2464 + torture_assert_ntstatus_ok(
2465 + tctx,
2466 + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2467 + "ServerReqChallenge failed");
2468 + torture_assert_ntstatus_ok(
2469 + tctx,
2470 + r.out.result,
2471 + "ServerReqChallenge failed");
2472 + a.in.server_name = NULL;
2473 + a.in.account_name = account_name;
2474 + a.in.secure_channel_type = sec_chan_type;
2475 + a.in.computer_name = machine_name;
2476 + a.in.negotiate_flags = &in_negotiate_flags;
2477 + a.out.negotiate_flags = &out_negotiate_flags;
2478 + a.in.credentials = &credentials3;
2479 + a.out.return_credentials = &credentials3;
2480 +
2481 + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2482 + a.in.computer_name,
2483 + a.in.secure_channel_type,
2484 + &credentials1, &credentials2,
2485 + mach_password, &credentials3,
2486 + in_negotiate_flags);
2487 +
2488 + torture_assert(tctx, creds != NULL, "memory allocation");
2489 +
2490 + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2491 +
2492 + torture_assert_ntstatus_ok(
2493 + tctx,
2494 + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2495 + "ServerAuthenticate2 failed");
2496 + torture_assert_ntstatus_equal(
2497 + tctx,
2498 + a.out.result,
2499 + NT_STATUS_ACCESS_DENIED,
2500 + "ServerAuthenticate2 unexpected");
2501 +
2502 + return true;
2503 +}
2504 +
2505 +static bool test_ServerReqChallenge_4_repeats(
2506 + struct torture_context *tctx,
2507 + struct dcerpc_pipe *p,
2508 + struct cli_credentials *credentials)
2509 +{
2510 + struct netr_ServerReqChallenge r;
2511 + struct netr_Credential credentials1, credentials2, credentials3;
2512 + const char *machine_name;
2513 + struct dcerpc_binding_handle *b = p->binding_handle;
2514 + struct netr_ServerAuthenticate2 a;
2515 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2516 + uint32_t out_negotiate_flags = 0;
2517 + const struct samr_Password *mach_password = NULL;
2518 + enum netr_SchannelType sec_chan_type = 0;
2519 + struct netlogon_creds_CredentialState *creds = NULL;
2520 + const char *account_name = NULL;
2521 +
2522 + machine_name = cli_credentials_get_workstation(credentials);
2523 + mach_password = cli_credentials_get_nt_hash(credentials, tctx);
2524 + account_name = cli_credentials_get_username(credentials);
2525 + sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
2526 +
2527 + torture_comment(tctx, "Testing ServerReqChallenge\n");
2528 +
2529 + r.in.server_name = NULL;
2530 + r.in.computer_name = machine_name;
2531 + r.in.credentials = &credentials1;
2532 + r.out.return_credentials = &credentials2;
2533 +
2534 + /*
2535 + * Set the first 4 bytes of the client challenge to the same
2536 + * value, this should pass as 5 bytes identical are needed to
2537 + * fail for CVE-2020-1472(ZeroLogon)
2538 + *
2539 + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
2540 + */
2541 + credentials1.data[0] = 'A';
2542 + credentials1.data[1] = 'A';
2543 + credentials1.data[2] = 'A';
2544 + credentials1.data[3] = 'A';
2545 + credentials1.data[4] = 'B';
2546 + credentials1.data[5] = 'C';
2547 + credentials1.data[6] = 'D';
2548 + credentials1.data[7] = 'E';
2549 +
2550 + torture_assert_ntstatus_ok(
2551 + tctx,
2552 + dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2553 + "ServerReqChallenge failed");
2554 + torture_assert_ntstatus_ok(
2555 + tctx,
2556 + r.out.result,
2557 + "ServerReqChallenge failed");
2558 + a.in.server_name = NULL;
2559 + a.in.account_name = account_name;
2560 + a.in.secure_channel_type = sec_chan_type;
2561 + a.in.computer_name = machine_name;
2562 + a.in.negotiate_flags = &in_negotiate_flags;
2563 + a.out.negotiate_flags = &out_negotiate_flags;
2564 + a.in.credentials = &credentials3;
2565 + a.out.return_credentials = &credentials3;
2566 +
2567 + creds = netlogon_creds_client_init(tctx, a.in.account_name,
2568 + a.in.computer_name,
2569 + a.in.secure_channel_type,
2570 + &credentials1, &credentials2,
2571 + mach_password, &credentials3,
2572 + in_negotiate_flags);
2573 +
2574 + torture_assert(tctx, creds != NULL, "memory allocation");
2575 +
2576 + torture_comment(tctx, "Testing ServerAuthenticate2\n");
2577 +
2578 + torture_assert_ntstatus_ok(
2579 + tctx,
2580 + dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
2581 + "ServerAuthenticate2 failed");
2582 + torture_assert_ntstatus_equal(
2583 + tctx,
2584 + a.out.result,
2585 + NT_STATUS_OK,
2586 + "ServerAuthenticate2 unexpected");
2587 +
2588 + return true;
2589 +}
2590 +
2591 /*
2592 try a change password for our machine account
2593 */
2594 @@ -4949,6 +5268,22 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2595 torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon);
2596 torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade);
2597
2598 + torture_rpc_tcase_add_test_creds(
2599 + tcase,
2600 + "ServerReqChallenge",
2601 + test_ServerReqChallenge);
2602 + torture_rpc_tcase_add_test_creds(
2603 + tcase,
2604 + "ServerReqChallenge_zero_challenge",
2605 + test_ServerReqChallenge_zero_challenge);
2606 + torture_rpc_tcase_add_test_creds(
2607 + tcase,
2608 + "ServerReqChallenge_5_repeats",
2609 + test_ServerReqChallenge_5_repeats);
2610 + torture_rpc_tcase_add_test_creds(
2611 + tcase,
2612 + "ServerReqChallenge_4_repeats",
2613 + test_ServerReqChallenge_4_repeats);
2614 return suite;
2615 }
2616
2617 --
2618 2.39.0
2619
2620
2621 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
2622 From: Jeremy Allison <jra@samba.org>
2623 Date: Fri, 10 Jul 2020 15:09:33 -0700
2624 Subject: [PATCH 026/142] s4: torture: Add smb2.notify.handle-permissions test.
2625
2626 Add knownfail entry.
2627
2628 CVE-2020-14318
2629
2630 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
2631
2632 Signed-off-by: Jeremy Allison <jra@samba.org>
2633 (cherry picked from commit f100bd2f2e4f047942002a992c99104227a17f81)
2634 ---
2635 .../smb2_notify_handle_permissions | 2 +
2636 source4/torture/smb2/notify.c | 80 +++++++++++++++++++
2637 2 files changed, 82 insertions(+)
2638 create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
2639
2640 diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
2641 new file mode 100644
2642 index 00000000000..c0ec8fc8153
2643 --- /dev/null
2644 +++ b/selftest/knownfail.d/smb2_notify_handle_permissions
2645 @@ -0,0 +1,2 @@
2646 +^samba3.smb2.notify.handle-permissions
2647 +
2648 diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
2649 index ebb4f8a4f8e..b017491c8fb 100644
2650 --- a/source4/torture/smb2/notify.c
2651 +++ b/source4/torture/smb2/notify.c
2652 @@ -2569,6 +2569,83 @@ done:
2653 return ok;
2654 }
2655
2656 +/*
2657 + Test asking for a change notify on a handle without permissions.
2658 +*/
2659 +
2660 +#define BASEDIR_HPERM BASEDIR "_HPERM"
2661 +
2662 +static bool torture_smb2_notify_handle_permissions(
2663 + struct torture_context *torture,
2664 + struct smb2_tree *tree)
2665 +{
2666 + bool ret = true;
2667 + NTSTATUS status;
2668 + union smb_notify notify;
2669 + union smb_open io;
2670 + struct smb2_handle h1 = {{0}};
2671 + struct smb2_request *req;
2672 +
2673 + smb2_deltree(tree, BASEDIR_HPERM);
2674 + smb2_util_rmdir(tree, BASEDIR_HPERM);
2675 +
2676 + torture_comment(torture,
2677 + "TESTING CHANGE NOTIFY "
2678 + "ON A HANDLE WITHOUT PERMISSIONS\n");
2679 +
2680 + /*
2681 + get a handle on the directory
2682 + */
2683 + ZERO_STRUCT(io.smb2);
2684 + io.generic.level = RAW_OPEN_SMB2;
2685 + io.smb2.in.create_flags = 0;
2686 + io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
2687 + io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
2688 + io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
2689 + io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
2690 + NTCREATEX_SHARE_ACCESS_WRITE;
2691 + io.smb2.in.alloc_size = 0;
2692 + io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
2693 + io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
2694 + io.smb2.in.security_flags = 0;
2695 + io.smb2.in.fname = BASEDIR_HPERM;
2696 +
2697 + status = smb2_create(tree, torture, &io.smb2);
2698 + CHECK_STATUS(status, NT_STATUS_OK);
2699 + h1 = io.smb2.out.file.handle;
2700 +
2701 + /* ask for a change notify,
2702 + on file or directory name changes */
2703 + ZERO_STRUCT(notify.smb2);
2704 + notify.smb2.level = RAW_NOTIFY_SMB2;
2705 + notify.smb2.in.buffer_size = 1000;
2706 + notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
2707 + notify.smb2.in.file.handle = h1;
2708 + notify.smb2.in.recursive = true;
2709 +
2710 + req = smb2_notify_send(tree, &notify.smb2);
2711 + torture_assert_goto(torture,
2712 + req != NULL,
2713 + ret,
2714 + done,
2715 + "smb2_notify_send failed\n");
2716 +
2717 + /*
2718 + * Cancel it, we don't really want to wait.
2719 + */
2720 + smb2_cancel(req);
2721 + status = smb2_notify_recv(req, torture, &notify.smb2);
2722 + /* Handle h1 doesn't have permissions for ChangeNotify. */
2723 + CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
2724 +
2725 +done:
2726 + if (!smb2_util_handle_empty(h1)) {
2727 + smb2_util_close(tree, h1);
2728 + }
2729 + smb2_deltree(tree, BASEDIR_HPERM);
2730 + return ret;
2731 +}
2732 +
2733 /*
2734 basic testing of SMB2 change notify
2735 */
2736 @@ -2602,6 +2679,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
2737 torture_smb2_notify_rmdir3);
2738 torture_suite_add_2smb2_test(suite, "rmdir4",
2739 torture_smb2_notify_rmdir4);
2740 + torture_suite_add_1smb2_test(suite,
2741 + "handle-permissions",
2742 + torture_smb2_notify_handle_permissions);
2743
2744 suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
2745
2746 --
2747 2.39.0
2748
2749
2750 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
2751 From: Jeremy Allison <jra@samba.org>
2752 Date: Tue, 7 Jul 2020 18:25:23 -0700
2753 Subject: [PATCH 027/142] s3: smbd: Ensure change notifies can't get set unless
2754 the directory handle is open for SEC_DIR_LIST.
2755
2756 Remove knownfail entry.
2757
2758 CVE-2020-14318
2759
2760 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
2761
2762 Signed-off-by: Jeremy Allison <jra@samba.org>
2763 (cherry picked from commit f43ecce46a89c6380317fbb5f2ae38f48d3d42c8)
2764 ---
2765 selftest/knownfail.d/smb2_notify_handle_permissions | 2 --
2766 source3/smbd/notify.c | 8 ++++++++
2767 2 files changed, 8 insertions(+), 2 deletions(-)
2768 delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
2769
2770 diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
2771 deleted file mode 100644
2772 index c0ec8fc8153..00000000000
2773 --- a/selftest/knownfail.d/smb2_notify_handle_permissions
2774 +++ /dev/null
2775 @@ -1,2 +0,0 @@
2776 -^samba3.smb2.notify.handle-permissions
2777 -
2778 diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
2779 index 44c0b09432e..d23c03bce41 100644
2780 --- a/source3/smbd/notify.c
2781 +++ b/source3/smbd/notify.c
2782 @@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
2783 char fullpath[len+1];
2784 NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
2785
2786 + /*
2787 + * Setting a changenotify needs READ/LIST access
2788 + * on the directory handle.
2789 + */
2790 + if (!(fsp->access_mask & SEC_DIR_LIST)) {
2791 + return NT_STATUS_ACCESS_DENIED;
2792 + }
2793 +
2794 if (fsp->notify != NULL) {
2795 DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
2796 "fname = %s\n", fsp->fsp_name->base_name));
2797 --
2798 2.39.0
2799
2800
2801 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
2802 From: Volker Lendecke <vl@samba.org>
2803 Date: Thu, 9 Jul 2020 21:49:25 +0200
2804 Subject: [PATCH 028/142] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
2805
2806 A lookupsids request without extra_data will lead to "state->domain==NULL",
2807 which makes winbindd_lookupsids_recv trying to dereference it.
2808
2809 Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
2810
2811 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
2812 Signed-off-by: Volker Lendecke <vl@samba.org>
2813 (cherry picked from commit f17967ad73e9c1d2bd6e0b7c181f08079d2a8214)
2814 ---
2815 source3/winbindd/winbindd_lookupsids.c | 2 +-
2816 1 file changed, 1 insertion(+), 1 deletion(-)
2817
2818 diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
2819 index d28b5fa9f01..a289fd86f0f 100644
2820 --- a/source3/winbindd/winbindd_lookupsids.c
2821 +++ b/source3/winbindd/winbindd_lookupsids.c
2822 @@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
2823 DEBUG(3, ("lookupsids\n"));
2824
2825 if (request->extra_len == 0) {
2826 - tevent_req_done(req);
2827 + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
2828 return tevent_req_post(req, ev);
2829 }
2830 if (request->extra_data.data[request->extra_len-1] != '\0') {
2831 --
2832 2.39.0
2833
2834
2835 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
2836 From: Volker Lendecke <vl@samba.org>
2837 Date: Thu, 9 Jul 2020 21:48:57 +0200
2838 Subject: [PATCH 029/142] CVE-2020-14323 torture4: Add a simple test for
2839 invalid lookup_sids winbind call
2840
2841 We can't add this test before the fix, add it to knownfail and have the fix
2842 remove the knownfail entry again. As this crashes winbind, many tests after
2843 this one will fail.
2844
2845 Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
2846
2847 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
2848 Signed-off-by: Volker Lendecke <vl@samba.org>
2849 (cherry picked from commit d0ca2a63aaedf123205337aaa211426175ffcebf)
2850 ---
2851 source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++
2852 1 file changed, 27 insertions(+)
2853
2854 diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
2855 index 9745b621ca9..71f248c0d61 100644
2856 --- a/source4/torture/winbind/struct_based.c
2857 +++ b/source4/torture/winbind/struct_based.c
2858 @@ -1110,6 +1110,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu
2859 return true;
2860 }
2861
2862 +static bool torture_winbind_struct_lookup_sids_invalid(
2863 + struct torture_context *torture)
2864 +{
2865 + struct winbindd_request req = {0};
2866 + struct winbindd_response rep = {0};
2867 + bool strict = torture_setting_bool(torture, "strict mode", false);
2868 + bool ok;
2869 +
2870 + torture_comment(torture,
2871 + "Running WINBINDD_LOOKUP_SIDS (struct based)\n");
2872 +
2873 + ok = true;
2874 + DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep,
2875 + NSS_STATUS_NOTFOUND,
2876 + strict,
2877 + ok=false,
2878 + talloc_asprintf(
2879 + torture,
2880 + "invalid lookupsids succeeded"));
2881 +
2882 + return ok;
2883 +}
2884 +
2885 struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
2886 {
2887 struct torture_suite *suite = torture_suite_create(ctx, "struct");
2888 @@ -1132,6 +1155,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
2889 torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent);
2890 torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent);
2891 torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid);
2892 + torture_suite_add_simple_test(
2893 + suite,
2894 + "lookup_sids_invalid",
2895 + torture_winbind_struct_lookup_sids_invalid);
2896
2897 suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
2898
2899 --
2900 2.39.0
2901
2902
2903 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
2904 From: Laurent Menase <laurent.menase@hpe.com>
2905 Date: Wed, 20 May 2020 12:31:53 +0200
2906 Subject: [PATCH 030/142] winbind: Fix a memleak
2907
2908 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
2909 Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
2910 Reviewed-by: Volker Lendecke <vl@samba.org>
2911 Reviewed-by: Noel Power <noel.power@suse.com>
2912
2913 Autobuild-User(master): Volker Lendecke <vl@samba.org>
2914 Autobuild-Date(master): Mon Sep 14 13:33:13 UTC 2020 on sn-devel-184
2915
2916 (cherry picked from commit 8f868b0ea0b4795668f7bc0b028cd85686b249fb)
2917 ---
2918 source3/winbindd/winbindd_ads.c | 1 +
2919 1 file changed, 1 insertion(+)
2920
2921 diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
2922 index 556b4523866..325ba1abd82 100644
2923 --- a/source3/winbindd/winbindd_ads.c
2924 +++ b/source3/winbindd/winbindd_ads.c
2925 @@ -405,6 +405,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
2926 DBG_NOTICE("ads query_user_list gave %d entries\n", count);
2927
2928 done:
2929 + ads_msgfree(ads, res);
2930 return status;
2931 }
2932
2933 --
2934 2.39.0
2935
2936
2937 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
2938 From: Andreas Schneider <asn@samba.org>
2939 Date: Mon, 17 Aug 2020 13:39:58 +0200
2940 Subject: [PATCH 031/142] s3:tests: Add test for 'valid users = DOMAIN\%U'
2941
2942 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
2943
2944 Signed-off-by: Andreas Schneider <asn@samba.org>
2945 Reviewed-by: Ralph Boehme <slow@samba.org>
2946 (cherry picked from commit 53b6dd951249052772e1ffcf651b7efd0963b931)
2947 (cherry picked from commit 20d3cf455c631c6cea6d471333779cc15d0e8d8a)
2948 ---
2949 selftest/knownfail.d/samba3.substiutions | 1 +
2950 selftest/target/Samba3.pm | 4 ++++
2951 source3/script/tests/test_substitutions.sh | 5 +++++
2952 3 files changed, 10 insertions(+)
2953 create mode 100644 selftest/knownfail.d/samba3.substiutions
2954
2955 diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
2956 new file mode 100644
2957 index 00000000000..f116d3b2fcf
2958 --- /dev/null
2959 +++ b/selftest/knownfail.d/samba3.substiutions
2960 @@ -0,0 +1 @@
2961 +^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
2962 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
2963 index 75960dbc790..9e4da0e6a08 100755
2964 --- a/selftest/target/Samba3.pm
2965 +++ b/selftest/target/Samba3.pm
2966 @@ -423,6 +423,10 @@ sub setup_ad_member
2967 path = $share_dir/D_%D/u_%u/g_%g
2968 writeable = yes
2969
2970 +[sub_valid_users]
2971 + path = $share_dir
2972 + valid users = ADDOMAIN/%U
2973 +
2974 ";
2975
2976 my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
2977 diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
2978 index 1a46f11c85d..c813a8f9def 100755
2979 --- a/source3/script/tests/test_substitutions.sh
2980 +++ b/source3/script/tests/test_substitutions.sh
2981 @@ -34,4 +34,9 @@ SMB_UNC="//$SERVER/sub_dug2"
2982 test_smbclient "Test login to share with substitution (Dug)" \
2983 "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
2984
2985 +SMB_UNC="//$SERVER/sub_valid_users"
2986 +
2987 +test_smbclient "Test login to share with substitution for valid users" \
2988 + "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
2989 +
2990 exit $failed
2991 --
2992 2.39.0
2993
2994
2995 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
2996 From: Andreas Schneider <asn@samba.org>
2997 Date: Mon, 17 Aug 2020 14:12:48 +0200
2998 Subject: [PATCH 032/142] s3:smbd: Fix %U substitutions if it contains a domain
2999 name
3000
3001 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
3002 version.
3003
3004 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
3005
3006 Signed-off-by: Andreas Schneider <asn@samba.org>
3007 Reviewed-by: Ralph Boehme <slow@samba.org>
3008 (cherry picked from commit 5de7c91e6d4e98f438157a7675c8582cabdd828d)
3009 (cherry picked from commit 60ddb7b20071b00f0cd7f1cb818022220eb0c279)
3010 ---
3011 selftest/knownfail.d/samba3.substiutions | 1 -
3012 source3/smbd/share_access.c | 18 +++++++++++++++++-
3013 2 files changed, 17 insertions(+), 2 deletions(-)
3014 delete mode 100644 selftest/knownfail.d/samba3.substiutions
3015
3016 diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
3017 deleted file mode 100644
3018 index f116d3b2fcf..00000000000
3019 --- a/selftest/knownfail.d/samba3.substiutions
3020 +++ /dev/null
3021 @@ -1 +0,0 @@
3022 -^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
3023 diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
3024 index 3cbf7f318a2..0705e197975 100644
3025 --- a/source3/smbd/share_access.c
3026 +++ b/source3/smbd/share_access.c
3027 @@ -79,7 +79,23 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
3028 enum lsa_SidType type;
3029
3030 if (username != NULL) {
3031 - name = talloc_sub_basic(mem_ctx, username, domain, name);
3032 + size_t domain_len = strlen(domain);
3033 +
3034 + /* Check if username starts with domain name */
3035 + if (domain_len > 0) {
3036 + const char *sep = lp_winbind_separator();
3037 + int cmp = strncasecmp_m(username, domain, domain_len);
3038 + if (cmp == 0 && sep[0] == username[domain_len]) {
3039 + /* Move after the winbind separator */
3040 + domain_len += 1;
3041 + } else {
3042 + domain_len = 0;
3043 + }
3044 + }
3045 + name = talloc_sub_basic(mem_ctx,
3046 + username + domain_len,
3047 + domain,
3048 + name);
3049 }
3050 if (sharename != NULL) {
3051 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
3052 --
3053 2.39.0
3054
3055
3056 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
3057 From: Andreas Schneider <asn@samba.org>
3058 Date: Thu, 9 Jul 2020 11:48:26 +0200
3059 Subject: [PATCH 033/142] docs: Fix documentation for require_membership_of of
3060 pam_winbind
3061
3062 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
3063
3064 Signed-off-by: Andreas Schneider <asn@samba.org>
3065 Reviewed-by: Alexander Bokovoy <ab@samba.org>
3066 (cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
3067 ---
3068 docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
3069 1 file changed, 5 insertions(+), 3 deletions(-)
3070
3071 diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
3072 index a9a227f1647..a61fb2d58e5 100644
3073 --- a/docs-xml/manpages/pam_winbind.8.xml
3074 +++ b/docs-xml/manpages/pam_winbind.8.xml
3075 @@ -84,9 +84,11 @@
3076 If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
3077 can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
3078 SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
3079 - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
3080 - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
3081 - user is a member of with <command>wbinfo --user-sids=SID</command>.
3082 + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
3083 + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
3084 + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
3085 + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
3086 + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
3087 </para>
3088
3089 <para>
3090 --
3091 2.39.0
3092
3093
3094 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
3095 From: Andreas Schneider <asn@samba.org>
3096 Date: Fri, 17 Jul 2020 12:14:16 +0200
3097 Subject: [PATCH 034/142] docs: Fix documentation for require_membership_of of
3098 pam_winbind.conf
3099
3100 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
3101
3102 Signed-off-by: Andreas Schneider <asn@samba.org>
3103 Reviewed-by: Isaac Boukris <iboukris@samba.org>
3104 (cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)
3105 ---
3106 docs-xml/manpages/pam_winbind.conf.5.xml | 9 ++++++---
3107 1 file changed, 6 insertions(+), 3 deletions(-)
3108
3109 diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
3110 index fcac1ee7036..d81a0bd6eba 100644
3111 --- a/docs-xml/manpages/pam_winbind.conf.5.xml
3112 +++ b/docs-xml/manpages/pam_winbind.conf.5.xml
3113 @@ -69,9 +69,12 @@
3114 If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
3115 can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
3116 SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
3117 - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
3118 - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
3119 - user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
3120 + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
3121 + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
3122 + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
3123 + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
3124 + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
3125 + This setting is empty by default.
3126 </para>
3127 <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
3128 </listitem>
3129 --
3130 2.39.0
3131
3132
3133 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
3134 From: Isaac Boukris <iboukris@gmail.com>
3135 Date: Thu, 11 Jun 2020 21:05:07 +0300
3136 Subject: [PATCH 035/142] Fix a typo in recent net man page changes
3137
3138 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3139
3140 Signed-off-by: Isaac Boukris <iboukris@samba.org>
3141 Reviewed-by: Andreas Schneider <asn@samba.org>
3142 (cherry picked from commit 4e51e832176a99f2a841c7a0d78fb0424f02956e)
3143 ---
3144 docs-xml/manpages/net.8.xml | 2 +-
3145 1 file changed, 1 insertion(+), 1 deletion(-)
3146
3147 diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
3148 index 69e18df8b6c..9b1d4458acc 100644
3149 --- a/docs-xml/manpages/net.8.xml
3150 +++ b/docs-xml/manpages/net.8.xml
3151 @@ -470,7 +470,7 @@ joining the domain.
3152 </para>
3153
3154 <para>
3155 -[FQDN] (ADS only) set the dnsHosName attribute during the join.
3156 +[FQDN] (ADS only) set the dnsHostName attribute during the join.
3157 The default format is netbiosname.dnsdomain.
3158 </para>
3159
3160 --
3161 2.39.0
3162
3163
3164 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
3165 From: Isaac Boukris <iboukris@gmail.com>
3166 Date: Tue, 16 Jun 2020 22:01:49 +0300
3167 Subject: [PATCH 036/142] selftest: add tests for binary
3168 msDS-AdditionalDnsHostName
3169
3170 Like the short names added implicitly by Windows DC.
3171
3172 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3173
3174 Signed-off-by: Isaac Boukris <iboukris@samba.org>
3175 Reviewed-by: Andreas Schneider <asn@samba.org>
3176 (cherry picked from commit 4605d7aec5caf494a23f2c9800d6689f710ffbce)
3177 ---
3178 selftest/knownfail.d/binary_addl_hostname | 3 +++
3179 testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++
3180 2 files changed, 25 insertions(+)
3181 create mode 100644 selftest/knownfail.d/binary_addl_hostname
3182
3183 diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
3184 new file mode 100644
3185 index 00000000000..559db1df507
3186 --- /dev/null
3187 +++ b/selftest/knownfail.d/binary_addl_hostname
3188 @@ -0,0 +1,3 @@
3189 +^samba4.blackbox.net_ads.dns alias1 check keytab
3190 +^samba4.blackbox.net_ads.dns alias2 check keytab
3191 +^samba4.blackbox.net_ads.addl short check keytab
3192 diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
3193 index 85257f445d8..eef4a31a6a7 100755
3194 --- a/testprogs/blackbox/test_net_ads.sh
3195 +++ b/testprogs/blackbox/test_net_ads.sh
3196 @@ -41,6 +41,11 @@ if [ -x "$BINDIR/ldbdel" ]; then
3197 ldbdel="$BINDIR/ldbdel"
3198 fi
3199
3200 +ldbmodify="ldbmodify"
3201 +if [ -x "$BINDIR/ldbmodify" ]; then
3202 + ldbmodify="$BINDIR/ldbmodify"
3203 +fi
3204 +
3205 # Load test functions
3206 . `dirname $0`/subunit.sh
3207
3208 @@ -217,12 +222,29 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
3209 testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3210 testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3211
3212 +# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
3213 +short_alias_file="$PREFIX_ABS/short_alias_file"
3214 +printf 'short_alias\0$' > $short_alias_file
3215 +cat > $PREFIX_ABS/tmpldbmodify <<EOF
3216 +dn: CN=$HOSTNAME,$computers_dn
3217 +changetype: modify
3218 +add: msDS-AdditionalDnsHostName
3219 +msDS-AdditionalDnsHostName:< file://$short_alias_file
3220 +EOF
3221 +
3222 +testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
3223 +
3224 +testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
3225 +
3226 +rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
3227 +
3228 dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
3229
3230 testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3231
3232 testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3233 testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3234 +testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
3235
3236 rm -f $dedicated_keytab_file
3237
3238 --
3239 2.39.0
3240
3241
3242 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
3243 From: Isaac Boukris <iboukris@gmail.com>
3244 Date: Thu, 11 Jun 2020 16:51:27 +0300
3245 Subject: [PATCH 037/142] Properly handle msDS-AdditionalDnsHostName returned
3246 from Windows DC
3247
3248 Windows DC adds short names for each specified msDS-AdditionalDnsHostName
3249 attribute, but these have a suffix of "\0$" and thus fail with
3250 ldap_get_values(), use ldap_get_values_len() instead.
3251
3252 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3253
3254 Signed-off-by: Isaac Boukris <iboukris@samba.org>
3255 Reviewed-by: Andreas Schneider <asn@samba.org>
3256
3257 Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
3258 Autobuild-Date(master): Thu Jun 18 16:43:47 UTC 2020 on sn-devel-184
3259
3260 (cherry picked from commit 9a447fb7e0701bf8b2fd922aed44d89f40420251)
3261 ---
3262 selftest/knownfail.d/binary_addl_hostname | 3 --
3263 source3/libads/ldap.c | 38 +++++++++++++++++++++--
3264 2 files changed, 35 insertions(+), 6 deletions(-)
3265 delete mode 100644 selftest/knownfail.d/binary_addl_hostname
3266
3267 diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
3268 deleted file mode 100644
3269 index 559db1df507..00000000000
3270 --- a/selftest/knownfail.d/binary_addl_hostname
3271 +++ /dev/null
3272 @@ -1,3 +0,0 @@
3273 -^samba4.blackbox.net_ads.dns alias1 check keytab
3274 -^samba4.blackbox.net_ads.dns alias2 check keytab
3275 -^samba4.blackbox.net_ads.addl short check keytab
3276 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
3277 index 02a628ee0e6..2684bba63ec 100644
3278 --- a/source3/libads/ldap.c
3279 +++ b/source3/libads/ldap.c
3280 @@ -3664,6 +3664,40 @@ out:
3281 /********************************************************************
3282 ********************************************************************/
3283
3284 +static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3285 + LDAPMessage *msg, size_t *num_values)
3286 +{
3287 + const char *field = "msDS-AdditionalDnsHostName";
3288 + struct berval **values = NULL;
3289 + char **ret = NULL;
3290 + size_t i, converted_size;
3291 +
3292 + values = ldap_get_values_len(ads->ldap.ld, msg, field);
3293 + if (values == NULL) {
3294 + return NULL;
3295 + }
3296 +
3297 + *num_values = ldap_count_values_len(values);
3298 +
3299 + ret = talloc_array(mem_ctx, char *, *num_values + 1);
3300 + if (ret == NULL) {
3301 + ldap_value_free_len(values);
3302 + return NULL;
3303 + }
3304 +
3305 + for (i = 0; i < *num_values; i++) {
3306 + if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
3307 + &converted_size)) {
3308 + ldap_value_free_len(values);
3309 + return NULL;
3310 + }
3311 + }
3312 + ret[i] = NULL;
3313 +
3314 + ldap_value_free_len(values);
3315 + return ret;
3316 +}
3317 +
3318 ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
3319 ADS_STRUCT *ads,
3320 const char *machine_name,
3321 @@ -3689,9 +3723,7 @@ ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
3322 goto done;
3323 }
3324
3325 - *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
3326 - "msDS-AdditionalDnsHostName",
3327 - num_hostnames);
3328 + *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
3329 if (*hostnames_array == NULL) {
3330 DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
3331 machine_name));
3332 --
3333 2.39.0
3334
3335
3336 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
3337 From: Isaac Boukris <iboukris@gmail.com>
3338 Date: Sat, 20 Jun 2020 17:17:33 +0200
3339 Subject: [PATCH 038/142] Fix usage of ldap_get_values_len for
3340 msDS-AdditionalDnsHostName
3341
3342 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
3343
3344 Signed-off-by: Isaac Boukris <iboukris@samba.org>
3345 Reviewed-by: Andreas Schneider <asn@samba.org>
3346
3347 Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
3348 Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
3349
3350 (cherry picked from commit f9dd67355ba35539d7ae1774d5135fd05d747b3f)
3351 ---
3352 source3/libads/ldap.c | 8 ++++++--
3353 1 file changed, 6 insertions(+), 2 deletions(-)
3354
3355 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
3356 index 2684bba63ec..d1ce9cee2f0 100644
3357 --- a/source3/libads/ldap.c
3358 +++ b/source3/libads/ldap.c
3359 @@ -3686,8 +3686,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3360 }
3361
3362 for (i = 0; i < *num_values; i++) {
3363 - if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
3364 - &converted_size)) {
3365 + ret[i] = NULL;
3366 + if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
3367 + values[i]->bv_val,
3368 + strnlen(values[i]->bv_val,
3369 + values[i]->bv_len),
3370 + &ret[i], &converted_size)) {
3371 ldap_value_free_len(values);
3372 return NULL;
3373 }
3374 --
3375 2.39.0
3376
3377
3378 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001
3379 From: Isaac Boukris <iboukris@gmail.com>
3380 Date: Tue, 15 Dec 2020 15:17:04 +0100
3381 Subject: [PATCH 039/142] HACK:s3:winbind: Rely on the domain child for online
3382 check
3383
3384 ---
3385 source3/winbindd/winbindd_cm.c | 9 +++++++++
3386 source3/winbindd/winbindd_dual.c | 3 +++
3387 2 files changed, 12 insertions(+)
3388
3389 diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
3390 index 4bd03ed8b7a..502331f7260 100644
3391 --- a/source3/winbindd/winbindd_cm.c
3392 +++ b/source3/winbindd/winbindd_cm.c
3393 @@ -89,6 +89,8 @@
3394 #undef DBGC_CLASS
3395 #define DBGC_CLASS DBGC_WINBIND
3396
3397 +extern bool wb_idmap_child;
3398 +
3399 struct dc_name_ip {
3400 fstring name;
3401 struct sockaddr_storage ss;
3402 @@ -176,6 +178,13 @@ static void msg_try_to_go_online(struct messaging_context *msg,
3403 continue;
3404 }
3405
3406 + if (wb_child_domain() == NULL && !wb_idmap_child) {
3407 + DEBUG(5,("msg_try_to_go_online: domain %s "
3408 + "NOT CONNECTING IN MAIN PROCESS.\n", domainname));
3409 + domain->online = true;
3410 + continue;
3411 + }
3412 +
3413 /* This call takes care of setting the online
3414 flag to true if we connected, or re-adding
3415 the offline handler if false. Bypasses online
3416 diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
3417 index 6e3277e5529..35b76a367aa 100644
3418 --- a/source3/winbindd/winbindd_dual.c
3419 +++ b/source3/winbindd/winbindd_dual.c
3420 @@ -1612,6 +1612,8 @@ static void child_handler(struct tevent_context *ev, struct tevent_fd *fde,
3421 }
3422 }
3423
3424 +bool wb_idmap_child;
3425 +
3426 static bool fork_domain_child(struct winbindd_child *child)
3427 {
3428 int fdpair[2];
3429 @@ -1715,6 +1717,7 @@ static bool fork_domain_child(struct winbindd_child *child)
3430 setproctitle("domain child [%s]", child_domain->name);
3431 } else if (child == idmap_child()) {
3432 setproctitle("idmap child");
3433 + wb_idmap_child = true;
3434 }
3435
3436 /* Handle online/offline messages. */
3437 --
3438 2.39.0
3439
3440
3441 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001
3442 From: Andreas Schneider <asn@samba.org>
3443 Date: Wed, 9 Sep 2020 16:00:52 +0200
3444 Subject: [PATCH 040/142] s3:smbd: Use fsp al the talloc memory context
3445
3446 Somehow the lck pointer gets freed before we call TALLOC_FREE().
3447
3448 Signed-off-by: Andreas Schneider <asn@samba.org>
3449 Reviewed-by: Guenther Deschner <gd@samba.org>
3450 Reviewed-by: Alexander Bokovoy <ab@samba.org>
3451 ---
3452 source3/smbd/open.c | 2 +-
3453 1 file changed, 1 insertion(+), 1 deletion(-)
3454
3455 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
3456 index de557f53a20..9a24e331ab1 100644
3457 --- a/source3/smbd/open.c
3458 +++ b/source3/smbd/open.c
3459 @@ -4239,7 +4239,7 @@ static NTSTATUS open_directory(connection_struct *conn,
3460 return NT_STATUS_ACCESS_DENIED;
3461 }
3462
3463 - lck = get_share_mode_lock(talloc_tos(), fsp->file_id,
3464 + lck = get_share_mode_lock(fsp, fsp->file_id,
3465 conn->connectpath, smb_dname,
3466 &mtimespec);
3467
3468 --
3469 2.39.0
3470
3471
3472 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001
3473 From: Andreas Schneider <asn@samba.org>
3474 Date: Wed, 3 Feb 2021 12:58:31 +0100
3475 Subject: [PATCH 041/142] Revert "s3:smbd: Use fsp al the talloc memory
3476 context"
3477
3478 This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
3479 ---
3480 source3/smbd/open.c | 2 +-
3481 1 file changed, 1 insertion(+), 1 deletion(-)
3482
3483 diff --git a/source3/smbd/open.c b/source3/smbd/open.c
3484 index 9a24e331ab1..de557f53a20 100644
3485 --- a/source3/smbd/open.c
3486 +++ b/source3/smbd/open.c
3487 @@ -4239,7 +4239,7 @@ static NTSTATUS open_directory(connection_struct *conn,
3488 return NT_STATUS_ACCESS_DENIED;
3489 }
3490
3491 - lck = get_share_mode_lock(fsp, fsp->file_id,
3492 + lck = get_share_mode_lock(talloc_tos(), fsp->file_id,
3493 conn->connectpath, smb_dname,
3494 &mtimespec);
3495
3496 --
3497 2.39.0
3498
3499
3500 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001
3501 From: Khem Raj <raj.khem@gmail.com>
3502 Date: Wed, 22 Jul 2020 22:42:09 -0700
3503 Subject: [PATCH 042/142] nsswitch/nsstest.c: Avoid nss function conflicts with
3504 glibc nss.h
3505
3506 glibc 2.32 will define these varibles [1] which results in conflicts
3507 with these static function names, therefore prefix these function names
3508 with samba_ to avoid it
3509
3510 [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=499a92df8b9fc64a054cf3b7f728f8967fc1da7d
3511
3512 Signed-off-by: Khem Raj <raj.khem@gmail.com>
3513 Reviewed-by: Volker Lendecke <vl@samba.org>
3514 Reviewed-by: Noel Power <npower@samba.org>
3515
3516 Autobuild-User(master): Noel Power <npower@samba.org>
3517 Autobuild-Date(master): Tue Jul 28 10:52:00 UTC 2020 on sn-devel-184
3518
3519 (cherry picked from commit 6e496aa3635557b59792e469f7c7f8eccd822322)
3520 ---
3521 nsswitch/nsstest.c | 16 ++++++++--------
3522 1 file changed, 8 insertions(+), 8 deletions(-)
3523
3524 diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
3525 index 6d92806cffc..46f96795f39 100644
3526 --- a/nsswitch/nsstest.c
3527 +++ b/nsswitch/nsstest.c
3528 @@ -137,7 +137,7 @@ static struct passwd *nss_getpwuid(uid_t uid)
3529 return &pwd;
3530 }
3531
3532 -static void nss_setpwent(void)
3533 +static void samba_nss_setpwent(void)
3534 {
3535 NSS_STATUS (*_nss_setpwent)(void) =
3536 (NSS_STATUS(*)(void))find_fn("setpwent");
3537 @@ -152,7 +152,7 @@ static void nss_setpwent(void)
3538 }
3539 }
3540
3541 -static void nss_endpwent(void)
3542 +static void samba_nss_endpwent(void)
3543 {
3544 NSS_STATUS (*_nss_endpwent)(void) =
3545 (NSS_STATUS (*)(void))find_fn("endpwent");
3546 @@ -284,7 +284,7 @@ again:
3547 return &grp;
3548 }
3549
3550 -static void nss_setgrent(void)
3551 +static void samba_nss_setgrent(void)
3552 {
3553 NSS_STATUS (*_nss_setgrent)(void) =
3554 (NSS_STATUS (*)(void))find_fn("setgrent");
3555 @@ -299,7 +299,7 @@ static void nss_setgrent(void)
3556 }
3557 }
3558
3559 -static void nss_endgrent(void)
3560 +static void samba_nss_endgrent(void)
3561 {
3562 NSS_STATUS (*_nss_endgrent)(void) =
3563 (NSS_STATUS (*)(void))find_fn("endgrent");
3564 @@ -396,7 +396,7 @@ static void nss_test_users(void)
3565 {
3566 struct passwd *pwd;
3567
3568 - nss_setpwent();
3569 + samba_nss_setpwent();
3570 /* loop over all users */
3571 while ((pwd = nss_getpwent())) {
3572 printf("Testing user %s\n", pwd->pw_name);
3573 @@ -418,14 +418,14 @@ static void nss_test_users(void)
3574 printf("initgroups: "); nss_test_initgroups(pwd->pw_name, pwd->pw_gid);
3575 printf("\n");
3576 }
3577 - nss_endpwent();
3578 + samba_nss_endpwent();
3579 }
3580
3581 static void nss_test_groups(void)
3582 {
3583 struct group *grp;
3584
3585 - nss_setgrent();
3586 + samba_nss_setgrent();
3587 /* loop over all groups */
3588 while ((grp = nss_getgrent())) {
3589 printf("Testing group %s\n", grp->gr_name);
3590 @@ -446,7 +446,7 @@ static void nss_test_groups(void)
3591 printf("getgrgid: "); print_group(grp);
3592 printf("\n");
3593 }
3594 - nss_endgrent();
3595 + samba_nss_endgrent();
3596 }
3597
3598 static void nss_test_errors(void)
3599 --
3600 2.39.0
3601
3602
3603 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001
3604 From: Andreas Schneider <asn@samba.org>
3605 Date: Wed, 3 Feb 2021 10:30:08 +0100
3606 Subject: [PATCH 043/142] lib:util: Add basic memcache unit test
3607
3608 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3609
3610 Signed-off-by: Andreas Schneider <asn@samba.org>
3611 Reviewed-by: Ralph Boehme <slow@samba.org>
3612 (cherry picked from commit bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)
3613 ---
3614 lib/util/tests/test_memcache.c | 122 +++++++++++++++++++++++++++++++++
3615 lib/util/wscript_build | 6 ++
3616 selftest/tests.py | 2 +
3617 3 files changed, 130 insertions(+)
3618 create mode 100644 lib/util/tests/test_memcache.c
3619
3620 diff --git a/lib/util/tests/test_memcache.c b/lib/util/tests/test_memcache.c
3621 new file mode 100644
3622 index 00000000000..8ea5e5b042e
3623 --- /dev/null
3624 +++ b/lib/util/tests/test_memcache.c
3625 @@ -0,0 +1,122 @@
3626 +/*
3627 + * Unix SMB/CIFS implementation.
3628 + *
3629 + * Copyright (C) 2021 Andreas Schneider <asn@samba.org>
3630 + *
3631 + * This program is free software; you can redistribute it and/or modify
3632 + * it under the terms of the GNU General Public License as published by
3633 + * the Free Software Foundation; either version 3 of the License, or
3634 + * (at your option) any later version.
3635 + *
3636 + * This program is distributed in the hope that it will be useful,
3637 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
3638 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3639 + * GNU General Public License for more details.
3640 + *
3641 + * You should have received a copy of the GNU General Public License
3642 + * along with this program. If not, see <http://www.gnu.org/licenses/>.
3643 + */
3644 +
3645 +#include <stdarg.h>
3646 +#include <stddef.h>
3647 +#include <stdint.h>
3648 +#include <setjmp.h>
3649 +#include <cmocka.h>
3650 +
3651 +#include "lib/replace/replace.h"
3652 +#include "lib/util/talloc_stack.h"
3653 +#include "lib/util/memcache.h"
3654 +
3655 +static int setup_talloc_context(void **state)
3656 +{
3657 + TALLOC_CTX *frame = talloc_stackframe();
3658 +
3659 + *state = frame;
3660 + return 0;
3661 +}
3662 +
3663 +static int teardown_talloc_context(void **state)
3664 +{
3665 + TALLOC_CTX *frame = *state;
3666 + TALLOC_FREE(frame);
3667 + return 0;
3668 +}
3669 +
3670 +static void torture_memcache_init(void **state)
3671 +{
3672 + TALLOC_CTX *mem_ctx = *state;
3673 + struct memcache *cache = NULL;
3674 +
3675 + cache = memcache_init(mem_ctx, 0);
3676 + assert_non_null(cache);
3677 +
3678 + TALLOC_FREE(cache);
3679 +
3680 + cache = memcache_init(mem_ctx, 10);
3681 + assert_non_null(cache);
3682 +
3683 + TALLOC_FREE(cache);
3684 +}
3685 +
3686 +static void torture_memcache_add_lookup_delete(void **state)
3687 +{
3688 + TALLOC_CTX *mem_ctx = *state;
3689 + struct memcache *cache = NULL;
3690 + DATA_BLOB key1, key2;
3691 + char *path1 = NULL, *path2 = NULL;
3692 +
3693 + cache = memcache_init(mem_ctx, 0);
3694 + assert_non_null(cache);
3695 +
3696 + key1 = data_blob_const("key1", 4);
3697 + path1 = talloc_strdup(mem_ctx, "/tmp/one");
3698 + assert_non_null(path1);
3699 +
3700 + key2 = data_blob_const("key2", 4);
3701 + path2 = talloc_strdup(mem_ctx, "/tmp/two");
3702 + assert_non_null(path1);
3703 +
3704 + memcache_add_talloc(cache, GETWD_CACHE, key1, &path1);
3705 + assert_null(path1);
3706 +
3707 + memcache_add_talloc(cache, GETWD_CACHE, key2, &path2);
3708 + assert_null(path2);
3709 +
3710 + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3711 + assert_non_null(path1);
3712 + assert_string_equal(path1, "/tmp/one");
3713 +
3714 + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3715 + assert_non_null(path2);
3716 + assert_string_equal(path2, "/tmp/two");
3717 +
3718 + memcache_delete(cache, GETWD_CACHE, key1);
3719 + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3720 + assert_null(path1);
3721 +
3722 + memcache_flush(cache, GETWD_CACHE);
3723 + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3724 + assert_null(path2);
3725 +
3726 + TALLOC_FREE(cache);
3727 +}
3728 +
3729 +int main(int argc, char *argv[])
3730 +{
3731 + int rc;
3732 + const struct CMUnitTest tests[] = {
3733 + cmocka_unit_test(torture_memcache_init),
3734 + cmocka_unit_test(torture_memcache_add_lookup_delete),
3735 + };
3736 +
3737 + if (argc == 2) {
3738 + cmocka_set_test_filter(argv[1]);
3739 + }
3740 + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
3741 +
3742 + rc = cmocka_run_group_tests(tests,
3743 + setup_talloc_context,
3744 + teardown_talloc_context);
3745 +
3746 + return rc;
3747 +}
3748 diff --git a/lib/util/wscript_build b/lib/util/wscript_build
3749 index fd3027eff77..229dbd5ef6a 100644
3750 --- a/lib/util/wscript_build
3751 +++ b/lib/util/wscript_build
3752 @@ -256,3 +256,9 @@ else:
3753 deps='cmocka replace talloc samba-util',
3754 local_include=False,
3755 install=False)
3756 +
3757 + bld.SAMBA_BINARY('test_memcache',
3758 + source='tests/test_memcache.c',
3759 + deps='cmocka replace talloc samba-util',
3760 + local_include=False,
3761 + install=False)
3762 diff --git a/selftest/tests.py b/selftest/tests.py
3763 index e7639c4da27..e3f7d9acb4a 100644
3764 --- a/selftest/tests.py
3765 +++ b/selftest/tests.py
3766 @@ -254,6 +254,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none",
3767 [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
3768 plantestsuite("samba.unittests.util_paths", "none",
3769 [os.path.join(bindir(), "default/lib/util/test_util_paths")])
3770 +plantestsuite("samba.unittests.memcache", "none",
3771 + [os.path.join(bindir(), "default/lib/util/test_memcache")])
3772 plantestsuite("samba.unittests.ntlm_check", "none",
3773 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
3774 plantestsuite("samba.unittests.test_registry_regfio", "none",
3775 --
3776 2.39.0
3777
3778
3779 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001
3780 From: Andreas Schneider <asn@samba.org>
3781 Date: Wed, 3 Feb 2021 10:37:12 +0100
3782 Subject: [PATCH 044/142] lib:util: Add cache oversize test for memcache
3783
3784 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3785
3786 Signed-off-by: Andreas Schneider <asn@samba.org>
3787 Reviewed-by: Ralph Boehme <slow@samba.org>
3788 (cherry picked from commit 00543ab3b29e3fbfe8314e51919629803e14ede6)
3789 ---
3790 lib/util/tests/test_memcache.c | 39 ++++++++++++++++++++++++++++++++++
3791 selftest/knownfail.d/memcache | 1 +
3792 2 files changed, 40 insertions(+)
3793 create mode 100644 selftest/knownfail.d/memcache
3794
3795 diff --git a/lib/util/tests/test_memcache.c b/lib/util/tests/test_memcache.c
3796 index 8ea5e5b042e..8a3997817c1 100644
3797 --- a/lib/util/tests/test_memcache.c
3798 +++ b/lib/util/tests/test_memcache.c
3799 @@ -98,6 +98,44 @@ static void torture_memcache_add_lookup_delete(void **state)
3800 path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3801 assert_null(path2);
3802
3803 + TALLOC_FREE(path1);
3804 + TALLOC_FREE(path2);
3805 + TALLOC_FREE(cache);
3806 +}
3807 +
3808 +static void torture_memcache_add_oversize(void **state)
3809 +{
3810 + TALLOC_CTX *mem_ctx = *state;
3811 + struct memcache *cache = NULL;
3812 + DATA_BLOB key1, key2;
3813 + char *path1 = NULL, *path2 = NULL;
3814 +
3815 + cache = memcache_init(mem_ctx, 10);
3816 + assert_non_null(cache);
3817 +
3818 + key1 = data_blob_const("key1", 4);
3819 + path1 = talloc_strdup(mem_ctx, "/tmp/one");
3820 + assert_non_null(path1);
3821 +
3822 + key2 = data_blob_const("key2", 4);
3823 + path2 = talloc_strdup(mem_ctx, "/tmp/two");
3824 + assert_non_null(path1);
3825 +
3826 + memcache_add_talloc(cache, GETWD_CACHE, key1, &path1);
3827 + assert_null(path1);
3828 +
3829 + memcache_add_talloc(cache, GETWD_CACHE, key2, &path2);
3830 + assert_null(path2);
3831 +
3832 + path1 = memcache_lookup_talloc(cache, GETWD_CACHE, key1);
3833 + assert_null(path1);
3834 +
3835 + path2 = memcache_lookup_talloc(cache, GETWD_CACHE, key2);
3836 + assert_non_null(path2);
3837 + assert_string_equal(path2, "/tmp/two");
3838 +
3839 + TALLOC_FREE(path1);
3840 + TALLOC_FREE(path2);
3841 TALLOC_FREE(cache);
3842 }
3843
3844 @@ -107,6 +145,7 @@ int main(int argc, char *argv[])
3845 const struct CMUnitTest tests[] = {
3846 cmocka_unit_test(torture_memcache_init),
3847 cmocka_unit_test(torture_memcache_add_lookup_delete),
3848 + cmocka_unit_test(torture_memcache_add_oversize),
3849 };
3850
3851 if (argc == 2) {
3852 diff --git a/selftest/knownfail.d/memcache b/selftest/knownfail.d/memcache
3853 new file mode 100644
3854 index 00000000000..0a74ace3003
3855 --- /dev/null
3856 +++ b/selftest/knownfail.d/memcache
3857 @@ -0,0 +1 @@
3858 +^samba.unittests.memcache.torture_memcache_add_oversize
3859 --
3860 2.39.0
3861
3862
3863 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001
3864 From: Andreas Schneider <asn@samba.org>
3865 Date: Tue, 2 Feb 2021 18:10:38 +0100
3866 Subject: [PATCH 045/142] lib:util: Avoid free'ing our own pointer
3867 MIME-Version: 1.0
3868 Content-Type: text/plain; charset=UTF-8
3869 Content-Transfer-Encoding: 8bit
3870
3871 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
3872
3873 Signed-off-by: Andreas Schneider <asn@samba.org>
3874 Reviewed-by: Ralph Boehme <slow@samba.org>
3875
3876 Autobuild-User(master): Ralph Böhme <slow@samba.org>
3877 Autobuild-Date(master): Wed Feb 3 10:57:01 UTC 2021 on sn-devel-184
3878
3879 (cherry picked from commit 0bdbe50fac680be3fe21043246b8c75005611351)
3880 ---
3881 lib/util/memcache.c | 19 +++++++++++++++----
3882 selftest/knownfail.d/memcache | 1 -
3883 2 files changed, 15 insertions(+), 5 deletions(-)
3884 delete mode 100644 selftest/knownfail.d/memcache
3885
3886 diff --git a/lib/util/memcache.c b/lib/util/memcache.c
3887 index 1e616bd0e9a..7b0b27eaddb 100644
3888 --- a/lib/util/memcache.c
3889 +++ b/lib/util/memcache.c
3890 @@ -223,14 +223,25 @@ static void memcache_delete_element(struct memcache *cache,
3891 TALLOC_FREE(e);
3892 }
3893
3894 -static void memcache_trim(struct memcache *cache)
3895 +static void memcache_trim(struct memcache *cache, struct memcache_element *e)
3896 {
3897 + struct memcache_element *tail = NULL;
3898 +
3899 if (cache->max_size == 0) {
3900 return;
3901 }
3902
3903 - while ((cache->size > cache->max_size) && DLIST_TAIL(cache->mru)) {
3904 - memcache_delete_element(cache, DLIST_TAIL(cache->mru));
3905 + for (tail = DLIST_TAIL(cache->mru);
3906 + (cache->size > cache->max_size) && (tail != NULL);
3907 + tail = DLIST_TAIL(cache->mru))
3908 + {
3909 + if (tail == e) {
3910 + tail = DLIST_PREV(tail);
3911 + if (tail == NULL) {
3912 + break;
3913 + }
3914 + }
3915 + memcache_delete_element(cache, tail);
3916 }
3917 }
3918
3919 @@ -351,7 +362,7 @@ void memcache_add(struct memcache *cache, enum memcache_number n,
3920 memcpy(&mtv, cache_value.data, sizeof(mtv));
3921 cache->size += mtv.len;
3922 }
3923 - memcache_trim(cache);
3924 + memcache_trim(cache, e);
3925 }
3926
3927 void memcache_add_talloc(struct memcache *cache, enum memcache_number n,
3928 diff --git a/selftest/knownfail.d/memcache b/selftest/knownfail.d/memcache
3929 deleted file mode 100644
3930 index 0a74ace3003..00000000000
3931 --- a/selftest/knownfail.d/memcache
3932 +++ /dev/null
3933 @@ -1 +0,0 @@
3934 -^samba.unittests.memcache.torture_memcache_add_oversize
3935 --
3936 2.39.0
3937
3938
3939 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001
3940 From: Jeremy Allison <jra@samba.org>
3941 Date: Thu, 5 Nov 2020 15:48:08 -0800
3942 Subject: [PATCH 046/142] s3: spoolss: Make parameters in call to
3943 user_ok_token() match all other uses.
3944
3945 We already have p->session_info->unix_info->unix_name, we don't
3946 need to go through a legacy call to uidtoname(p->session_info->unix_token->uid).
3947
3948 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
3949
3950 Signed-off-by: Jeremy Allison <jra@samba.org>
3951 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3952
3953 Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
3954 Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
3955
3956 (cherry picked from commit e5e1759057a767f517bf480a2172a36623df2799)
3957 ---
3958 source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 ++-
3959 1 file changed, 2 insertions(+), 1 deletion(-)
3960
3961 diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
3962 index f32b465afb6..c0f1803c2fa 100644
3963 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
3964 +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
3965 @@ -1869,7 +1869,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
3966 return WERR_ACCESS_DENIED;
3967 }
3968
3969 - if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL,
3970 + if (!user_ok_token(p->session_info->unix_info->unix_name,
3971 + p->session_info->info->domain_name,
3972 p->session_info->security_token, snum) ||
3973 !W_ERROR_IS_OK(print_access_check(p->session_info,
3974 p->msg_ctx,
3975 --
3976 2.39.0
3977
3978
3979 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001
3980 From: Andreas Schneider <asn@samba.org>
3981 Date: Wed, 11 Nov 2020 13:42:06 +0100
3982 Subject: [PATCH 047/142] s3:smbd: Fix possible null pointer dereference in
3983 token_contains_name()
3984
3985 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
3986
3987 Signed-off-by: Andreas Schneider <asn@samba.org>
3988 Reviewed-by: Alexander Bokovoy <ab@samba.org>
3989
3990 Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
3991 Autobuild-Date(master): Thu Nov 12 15:13:47 UTC 2020 on sn-devel-184
3992
3993 (cherry picked from commit 8036bf9717f83e83c3e4a9cf00fded42e9a5de15)
3994 ---
3995 source3/smbd/share_access.c | 2 +-
3996 1 file changed, 1 insertion(+), 1 deletion(-)
3997
3998 diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
3999 index 0705e197975..64276c79fbe 100644
4000 --- a/source3/smbd/share_access.c
4001 +++ b/source3/smbd/share_access.c
4002 @@ -79,7 +79,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
4003 enum lsa_SidType type;
4004
4005 if (username != NULL) {
4006 - size_t domain_len = strlen(domain);
4007 + size_t domain_len = domain != NULL ? strlen(domain) : 0;
4008
4009 /* Check if username starts with domain name */
4010 if (domain_len > 0) {
4011 --
4012 2.39.0
4013
4014
4015 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001
4016 From: Volker Lendecke <vl@samba.org>
4017 Date: Sat, 20 Feb 2021 15:50:12 +0100
4018 Subject: [PATCH 048/142] passdb: Simplify sids_to_unixids()
4019
4020 Best reviewed with "git show -b", there's a "continue" statement that
4021 changes subsequent indentation.
4022
4023 Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED
4024
4025 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571
4026
4027 Signed-off-by: Volker Lendecke <vl@samba.org>
4028 Reviewed-by: Jeremy Allison <jra@samba.org>
4029 ---
4030 source3/passdb/lookup_sid.c | 123 +++++++++++++++++++++++++++++-------
4031 1 file changed, 101 insertions(+), 22 deletions(-)
4032
4033 diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
4034 index 1bb15ccb8b4..186ba17fda6 100644
4035 --- a/source3/passdb/lookup_sid.c
4036 +++ b/source3/passdb/lookup_sid.c
4037 @@ -29,6 +29,7 @@
4038 #include "../libcli/security/security.h"
4039 #include "lib/winbind_util.h"
4040 #include "../librpc/gen_ndr/idmap.h"
4041 +#include "lib/util/bitmap.h"
4042
4043 static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
4044 {
4045 @@ -1247,7 +1248,9 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4046 {
4047 struct wbcDomainSid *wbc_sids = NULL;
4048 struct wbcUnixId *wbc_ids = NULL;
4049 + struct bitmap *found = NULL;
4050 uint32_t i, num_not_cached;
4051 + uint32_t wbc_ids_size = 0;
4052 wbcErr err;
4053 bool ret = false;
4054
4055 @@ -1255,6 +1258,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4056 if (wbc_sids == NULL) {
4057 return false;
4058 }
4059 + found = bitmap_talloc(wbc_sids, num_sids);
4060 + if (found == NULL) {
4061 + goto fail;
4062 + }
4063 +
4064 + /*
4065 + * We go through the requested SID array three times.
4066 + * First time to look for global_sid_Unix_Users
4067 + * and global_sid_Unix_Groups SIDS, and to look
4068 + * for mappings cached in the idmap_cache.
4069 + *
4070 + * Use bitmap_set() to mark an ids[] array entry as
4071 + * being mapped.
4072 + */
4073
4074 num_not_cached = 0;
4075
4076 @@ -1266,17 +1283,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4077 &sids[i], &rid)) {
4078 ids[i].type = ID_TYPE_UID;
4079 ids[i].id = rid;
4080 + bitmap_set(found, i);
4081 continue;
4082 }
4083 if (sid_peek_check_rid(&global_sid_Unix_Groups,
4084 &sids[i], &rid)) {
4085 ids[i].type = ID_TYPE_GID;
4086 ids[i].id = rid;
4087 + bitmap_set(found, i);
4088 continue;
4089 }
4090 if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired)
4091 && !expired)
4092 {
4093 + bitmap_set(found, i);
4094 continue;
4095 }
4096 ids[i].type = ID_TYPE_NOT_SPECIFIED;
4097 @@ -1287,62 +1307,121 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
4098 if (num_not_cached == 0) {
4099 goto done;
4100 }
4101 - wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, num_not_cached);
4102 +
4103 + /*
4104 + * For the ones that we couldn't map in the loop above, query winbindd
4105 + * via wbcSidsToUnixIds().
4106 + */
4107 +
4108 + wbc_ids_size = num_not_cached;
4109 + wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, wbc_ids_size);
4110 if (wbc_ids == NULL) {
4111 goto fail;
4112 }
4113 - for (i=0; i<num_not_cached; i++) {
4114 + for (i=0; i<wbc_ids_size; i++) {
4115 wbc_ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
4116 + wbc_ids[i].id.gid = (uint32_t)-1;
4117 }
4118 - err = wbcSidsToUnixIds(wbc_sids, num_not_cached, wbc_ids);
4119 + err = wbcSidsToUnixIds(wbc_sids, wbc_ids_size, wbc_ids);
4120 if (!WBC_ERROR_IS_OK(err)) {
4121 DEBUG(10, ("wbcSidsToUnixIds returned %s\n",
4122 wbcErrorString(err)));
4123 }
4124
4125 + /*
4126 + * Second time through the SID array, replace
4127 + * the ids[] entries that wbcSidsToUnixIds() was able to
4128 + * map.
4129 + *
4130 + * Use bitmap_set() to mark an ids[] array entry as
4131 + * being mapped.
4132 + */
4133 +
4134 num_not_cached = 0;
4135
4136 for (i=0; i<num_sids; i++) {
4137 - if (ids[i].type == ID_TYPE_NOT_SPECIFIED) {
4138 - switch (wbc_ids[num_not_cached].type) {
4139 - case WBC_ID_TYPE_UID:
4140 - ids[i].type = ID_TYPE_UID;
4141 - ids[i].id = wbc_ids[num_not_cached].id.uid;
4142 - break;
4143 - case WBC_ID_TYPE_GID:
4144 - ids[i].type = ID_TYPE_GID;
4145 - ids[i].id = wbc_ids[num_not_cached].id.gid;
4146 - break;
4147 - default:
4148 - /* The types match, and wbcUnixId -> id is a union anyway */
4149 - ids[i].type = (enum id_type)wbc_ids[num_not_cached].type;
4150 - ids[i].id = wbc_ids[num_not_cached].id.gid;
4151 - break;
4152 - }
4153 - num_not_cached += 1;
4154 + if (bitmap_query(found, i)) {
4155 + continue;
4156 }
4157 +
4158 + SMB_ASSERT(num_not_cached < wbc_ids_size);
4159 +
4160 + switch (wbc_ids[num_not_cached].type) {
4161 + case WBC_ID_TYPE_UID:
4162 + ids[i].type = ID_TYPE_UID;
4163 + ids[i].id = wbc_ids[num_not_cached].id.uid;
4164 + bitmap_set(found, i);
4165 + break;
4166 + case WBC_ID_TYPE_GID:
4167 + ids[i].type = ID_TYPE_GID;
4168 + ids[i].id = wbc_ids[num_not_cached].id.gid;
4169 + bitmap_set(found, i);
4170 + break;
4171 + case WBC_ID_TYPE_BOTH:
4172 + ids[i].type = ID_TYPE_BOTH;
4173 + ids[i].id = wbc_ids[num_not_cached].id.uid;
4174 + bitmap_set(found, i);
4175 + break;
4176 + case WBC_ID_TYPE_NOT_SPECIFIED:
4177 + /*
4178 + * wbcSidsToUnixIds() wasn't able to map this
4179 + * so we still need to check legacy_sid_to_XXX()
4180 + * below. Don't mark the bitmap entry
4181 + * as being found so the final loop knows
4182 + * to try and map this entry.
4183 + */
4184 + ids[i].type = ID_TYPE_NOT_SPECIFIED;
4185 + ids[i].id = (uint32_t)-1;
4186 + break;
4187 + default:
4188 + /*
4189 + * A successful return from wbcSidsToUnixIds()
4190 + * cannot return anything other than the values
4191 + * checked for above. Ensure this is so.
4192 + */
4193 + smb_panic(__location__);
4194 + break;
4195 + }
4196 + num_not_cached += 1;
4197 }
4198
4199 + /*
4200 + * Third and final time through the SID array,
4201 + * try legacy_sid_to_gid()/legacy_sid_to_uid()
4202 + * for entries we haven't already been able to
4203 + * map.
4204 + *
4205 + * Use bitmap_set() to mark an ids[] array entry as
4206 + * being mapped.
4207 + */
4208 +
4209 for (i=0; i<num_sids; i++) {
4210 - if (ids[i].type != ID_TYPE_NOT_SPECIFIED) {
4211 + if (bitmap_query(found, i)) {
4212 continue;
4213 }
4214 if (legacy_sid_to_gid(&sids[i], &ids[i].id)) {
4215 ids[i].type = ID_TYPE_GID;
4216 + bitmap_set(found, i);
4217 continue;
4218 }
4219 if (legacy_sid_to_uid(&sids[i], &ids[i].id)) {
4220 ids[i].type = ID_TYPE_UID;
4221 + bitmap_set(found, i);
4222 continue;
4223 }
4224 }
4225 done:
4226 + /*
4227 + * Pass through the return array for consistency.
4228 + * Any ids[].id mapped to (uint32_t)-1 must be returned
4229 + * as ID_TYPE_NOT_SPECIFIED.
4230 + */
4231 for (i=0; i<num_sids; i++) {
4232 switch(ids[i].type) {
4233 case WBC_ID_TYPE_GID:
4234 case WBC_ID_TYPE_UID:
4235 case WBC_ID_TYPE_BOTH:
4236 - if (ids[i].id == -1) {
4237 + if (ids[i].id == (uint32_t)-1) {
4238 ids[i].type = ID_TYPE_NOT_SPECIFIED;
4239 }
4240 break;
4241 --
4242 2.39.0
4243
4244
4245 From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001
4246 From: Stefan Metzmacher <metze@samba.org>
4247 Date: Thu, 24 Nov 2016 09:12:59 +0100
4248 Subject: [PATCH 049/142] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
4249 non spnego authentication if we require kerberos
4250
4251 We should not send NTLM[v2] data on the wire if the user asked for kerberos
4252 only.
4253
4254 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
4255
4256 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4257 ---
4258 source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
4259 1 file changed, 14 insertions(+)
4260
4261 diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
4262 index 6ee4929e8d7..a0a1f4baa56 100644
4263 --- a/source4/libcli/smb_composite/sesssetup.c
4264 +++ b/source4/libcli/smb_composite/sesssetup.c
4265 @@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4266 struct composite_context *c;
4267 struct sesssetup_state *state;
4268 NTSTATUS status;
4269 + enum credentials_use_kerberos krb5_state =
4270 + cli_credentials_get_kerberos_state(io->in.credentials);
4271
4272 c = composite_create(session, session->transport->ev);
4273 if (c == NULL) return NULL;
4274 @@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4275
4276 /* no session setup at all in earliest protocol varients */
4277 if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
4278 + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4279 + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4280 + return c;
4281 + }
4282 ZERO_STRUCT(io->out);
4283 composite_done(c);
4284 return c;
4285 @@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
4286
4287 /* see what session setup interface we will use */
4288 if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
4289 + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4290 + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4291 + return c;
4292 + }
4293 status = session_setup_old(c, session, io, &state->req);
4294 } else if (!session->transport->options.use_spnego ||
4295 !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
4296 + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4297 + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4298 + return c;
4299 + }
4300 status = session_setup_nt1(c, session, io, &state->req);
4301 } else {
4302 struct tevent_req *subreq = NULL;
4303 --
4304 2.39.0
4305
4306
4307 From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001
4308 From: Stefan Metzmacher <metze@samba.org>
4309 Date: Thu, 27 Oct 2016 10:40:28 +0200
4310 Subject: [PATCH 050/142] CVE-2016-2124: s3:libsmb: don't fallback to non
4311 spnego authentication if we require kerberos
4312
4313 We should not send NTLM[v2] nor plaintext data on the wire if the user
4314 asked for kerberos only.
4315
4316 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
4317
4318 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4319 ---
4320 source3/libsmb/cliconnect.c | 7 +++++++
4321 1 file changed, 7 insertions(+)
4322
4323 diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
4324 index 9bba2665663..9a69d4b7217 100644
4325 --- a/source3/libsmb/cliconnect.c
4326 +++ b/source3/libsmb/cliconnect.c
4327 @@ -1455,6 +1455,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
4328 return req;
4329 }
4330
4331 + if (krb5_state == CRED_MUST_USE_KERBEROS) {
4332 + DBG_WARNING("Kerberos authentication requested, but "
4333 + "the server does not support SPNEGO authentication\n");
4334 + tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
4335 + return tevent_req_post(req, ev);
4336 + }
4337 +
4338 if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
4339 /*
4340 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
4341 --
4342 2.39.0
4343
4344
4345 From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001
4346 From: Ralph Boehme <slow@samba.org>
4347 Date: Sat, 18 Jan 2020 08:06:45 +0100
4348 Subject: [PATCH 051/142] s3/auth: use set_current_user_info() in
4349 auth3_generate_session_info_pac()
4350
4351 This delays reloading config slightly, but I don't see how could affect
4352 observable behaviour other then log messages coming from the functions in
4353 between the different locations for lp_load_with_shares() like
4354 make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
4355
4356 Signed-off-by: Ralph Boehme <slow@samba.org>
4357 Reviewed-by: Andreas Schneider <asn@samba.org>
4358 (cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)
4359
4360 [scabrero@samba.org Prerequisite for CVE-2020-25717 backport]
4361 ---
4362 source3/auth/auth_generic.c | 14 ++++++++------
4363 1 file changed, 8 insertions(+), 6 deletions(-)
4364
4365 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
4366 index 167d4e00367..0e9c423efef 100644
4367 --- a/source3/auth/auth_generic.c
4368 +++ b/source3/auth/auth_generic.c
4369 @@ -159,12 +159,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
4370 }
4371 }
4372
4373 - /* setup the string used by %U */
4374 - sub_set_smb_name(username);
4375 -
4376 - /* reload services so that the new %U is taken into account */
4377 - lp_load_with_shares(get_dyn_CONFIGFILE());
4378 -
4379 status = make_session_info_krb5(mem_ctx,
4380 ntuser, ntdomain, username, pw,
4381 info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
4382 @@ -176,6 +170,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
4383 goto done;
4384 }
4385
4386 + /* setup the string used by %U */
4387 + set_current_user_info((*session_info)->unix_info->sanitized_username,
4388 + (*session_info)->unix_info->unix_name,
4389 + (*session_info)->info->domain_name);
4390 +
4391 + /* reload services so that the new %U is taken into account */
4392 + lp_load_with_shares(get_dyn_CONFIGFILE());
4393 +
4394 DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
4395 ntuser, ntdomain, rhost));
4396
4397 --
4398 2.39.0
4399
4400
4401 From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001
4402 From: Samuel Cabrero <scabrero@suse.de>
4403 Date: Thu, 4 Nov 2021 11:51:08 +0100
4404 Subject: [PATCH 052/142] selftest: Fix ktest usermap file
4405
4406 The user was not mapped:
4407
4408 user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
4409 The user 'KTEST/administrator' has no mapping. Skip it next time.
4410
4411 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
4412
4413 [scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user
4414 has to be mapped]
4415 ---
4416 selftest/target/Samba3.pm | 2 +-
4417 1 file changed, 1 insertion(+), 1 deletion(-)
4418
4419 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
4420 index 9e4da0e6a08..2eb5003112e 100755
4421 --- a/selftest/target/Samba3.pm
4422 +++ b/selftest/target/Samba3.pm
4423 @@ -1124,7 +1124,7 @@ sub setup_ktest
4424
4425 open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
4426 print USERMAP "
4427 -$ret->{USERNAME} = KTEST\\Administrator
4428 +$ret->{USERNAME} = KTEST/Administrator
4429 ";
4430 close(USERMAP);
4431
4432 --
4433 2.39.0
4434
4435
4436 From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001
4437 From: Stefan Metzmacher <metze@samba.org>
4438 Date: Tue, 5 Oct 2021 16:42:00 +0200
4439 Subject: [PATCH 053/142] selftest/Samba3: replace (winbindd => "yes",
4440 skip_wait => 1) with (winbindd => "offline")
4441
4442 This is much more flexible and concentrates the logic in a single place.
4443
4444 We'll use winbindd => "offline" in other places soon.
4445
4446 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
4447 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
4448
4449 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4450 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4451 (cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
4452 (cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d)
4453
4454 [scabrero@samba.org Backported to 4.10]
4455 ---
4456 selftest/target/Samba3.pm | 10 +++++++---
4457 1 file changed, 7 insertions(+), 3 deletions(-)
4458
4459 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
4460 index 2eb5003112e..bbbefea44b7 100755
4461 --- a/selftest/target/Samba3.pm
4462 +++ b/selftest/target/Samba3.pm
4463 @@ -1333,7 +1333,7 @@ sub check_or_start($$$$$) {
4464
4465 $ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd";
4466
4467 - if ($winbindd ne "yes") {
4468 + if ($winbindd ne "yes" and $winbindd ne "offline") {
4469 $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
4470 my $signame = shift;
4471 print("Skip winbindd received signal $signame");
4472 @@ -2564,13 +2564,17 @@ sub wait_for_start($$$$$)
4473 }
4474 }
4475
4476 - if ($winbindd eq "yes") {
4477 + if ($winbindd eq "yes" or $winbindd eq "offline") {
4478 print "checking for winbindd\n";
4479 my $count = 0;
4480 $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
4481 $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
4482 $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
4483 - $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
4484 + if ($winbindd eq "yes") {
4485 + $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
4486 + } elsif ($winbindd eq "offline") {
4487 + $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping";
4488 + }
4489
4490 do {
4491 if ($ret != 0) {
4492 --
4493 2.39.0
4494
4495
4496 From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001
4497 From: Stefan Metzmacher <metze@samba.org>
4498 Date: Fri, 22 Oct 2021 16:20:36 +0200
4499 Subject: [PATCH 054/142] CVE-2020-25719 CVE-2020-25717: selftest: remove
4500 "gensec:require_pac" settings
4501
4502 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
4503 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4504
4505 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4506 ---
4507 selftest/selftest.pl | 2 --
4508 selftest/target/Samba4.pm | 2 --
4509 2 files changed, 4 deletions(-)
4510
4511 diff --git a/selftest/selftest.pl b/selftest/selftest.pl
4512 index f2968139cfd..8c273951ab3 100755
4513 --- a/selftest/selftest.pl
4514 +++ b/selftest/selftest.pl
4515 @@ -637,8 +637,6 @@ sub write_clientconf($$$)
4516 client lanman auth = Yes
4517 log level = 1
4518 torture:basedir = $clientdir
4519 -#We don't want to pass our self-tests if the PAC code is wrong
4520 - gensec:require_pac = true
4521 #We don't want to run 'speed' tests for very long
4522 torture:timelimit = 1
4523 winbind separator = /
4524 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
4525 index a7a6c4c9587..0f644661176 100755
4526 --- a/selftest/target/Samba4.pm
4527 +++ b/selftest/target/Samba4.pm
4528 @@ -777,8 +777,6 @@ sub provision_raw_step1($$)
4529 notify:inotify = false
4530 ldb:nosync = true
4531 ldap server require strong auth = yes
4532 -#We don't want to pass our self-tests if the PAC code is wrong
4533 - gensec:require_pac = true
4534 log file = $ctx->{logdir}/log.\%m
4535 log level = $ctx->{server_loglevel}
4536 lanman auth = Yes
4537 --
4538 2.39.0
4539
4540
4541 From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001
4542 From: Stefan Metzmacher <metze@samba.org>
4543 Date: Mon, 4 Oct 2021 17:29:34 +0200
4544 Subject: [PATCH 055/142] CVE-2020-25717: s3:winbindd: make sure we default to
4545 r->out.authoritative = true
4546
4547 We need to make sure that temporary failures don't trigger a fallback
4548 to the local SAM that silently ignores the domain name part for users.
4549
4550 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4551
4552 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4553
4554 [scabrero@samba.org Backported for 4.10 due to no logon_id for
4555 log_authentication() neither is_allowed_domain()]
4556 ---
4557 source3/winbindd/winbindd_dual_srv.c | 7 +++++++
4558 source3/winbindd/winbindd_irpc.c | 7 +++++++
4559 source3/winbindd/winbindd_pam.c | 13 ++++++++++---
4560 source3/winbindd/winbindd_pam_auth_crap.c | 9 ++++++++-
4561 source3/winbindd/winbindd_util.c | 7 +++++++
4562 5 files changed, 39 insertions(+), 4 deletions(-)
4563
4564 diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
4565 index ab14f5d51a0..0842241e02e 100644
4566 --- a/source3/winbindd/winbindd_dual_srv.c
4567 +++ b/source3/winbindd/winbindd_dual_srv.c
4568 @@ -928,6 +928,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
4569 union netr_Validation *validation = NULL;
4570 bool interactive = false;
4571
4572 + /*
4573 + * Make sure we start with authoritative=true,
4574 + * it will only set to false if we don't know the
4575 + * domain.
4576 + */
4577 + r->out.authoritative = true;
4578 +
4579 domain = wb_child_domain();
4580 if (domain == NULL) {
4581 return NT_STATUS_REQUEST_NOT_ACCEPTED;
4582 diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
4583 index 8cbb0b93086..45615c2dc47 100644
4584 --- a/source3/winbindd/winbindd_irpc.c
4585 +++ b/source3/winbindd/winbindd_irpc.c
4586 @@ -143,6 +143,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
4587 const char *target_domain_name = NULL;
4588 const char *account_name = NULL;
4589
4590 + /*
4591 + * Make sure we start with authoritative=true,
4592 + * it will only set to false if we don't know the
4593 + * domain.
4594 + */
4595 + req->out.authoritative = true;
4596 +
4597 switch (req->in.logon_level) {
4598 case NetlogonInteractiveInformation:
4599 case NetlogonServiceInformation:
4600 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
4601 index 35018fbe284..deed81d0a79 100644
4602 --- a/source3/winbindd/winbindd_pam.c
4603 +++ b/source3/winbindd/winbindd_pam.c
4604 @@ -1703,7 +1703,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
4605 unsigned char local_nt_response[24];
4606 fstring name_namespace, name_domain, name_user;
4607 NTSTATUS result;
4608 - uint8_t authoritative = 0;
4609 + uint8_t authoritative = 1;
4610 uint32_t flags = 0;
4611 uint16_t validation_level;
4612 union netr_Validation *validation = NULL;
4613 @@ -2238,6 +2238,13 @@ done:
4614 result = NT_STATUS_NO_LOGON_SERVERS;
4615 }
4616
4617 + /*
4618 + * Here we don't alter
4619 + * state->response->data.auth.authoritative based
4620 + * on the servers response
4621 + * as we don't want a fallback to the local sam
4622 + * for interactive PAM logons
4623 + */
4624 set_auth_errors(state->response, result);
4625
4626 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
4627 @@ -2420,7 +2427,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
4628 const char *name_user = NULL;
4629 const char *name_domain = NULL;
4630 const char *workstation;
4631 - uint8_t authoritative = 0;
4632 + uint8_t authoritative = 1;
4633 uint32_t flags = 0;
4634 uint16_t validation_level;
4635 union netr_Validation *validation = NULL;
4636 @@ -2482,7 +2489,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
4637 &validation_level,
4638 &validation);
4639 if (!NT_STATUS_IS_OK(result)) {
4640 - state->response->data.auth.authoritative = authoritative;
4641 goto done;
4642 }
4643
4644 @@ -2526,6 +2532,7 @@ done:
4645 }
4646
4647 set_auth_errors(state->response, result);
4648 + state->response->data.auth.authoritative = authoritative;
4649
4650 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
4651 }
4652 diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
4653 index b7912db43df..40cab81b5ea 100644
4654 --- a/source3/winbindd/winbindd_pam_auth_crap.c
4655 +++ b/source3/winbindd/winbindd_pam_auth_crap.c
4656 @@ -24,6 +24,7 @@
4657
4658 struct winbindd_pam_auth_crap_state {
4659 struct winbindd_response *response;
4660 + bool authoritative;
4661 uint32_t flags;
4662 };
4663
4664 @@ -45,7 +46,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
4665 if (req == NULL) {
4666 return NULL;
4667 }
4668 -
4669 + state->authoritative = true;
4670 state->flags = request->flags;
4671
4672 if (state->flags & WBFLAG_PAM_AUTH_PAC) {
4673 @@ -124,6 +125,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
4674
4675 domain = find_auth_domain(request->flags, auth_domain);
4676 if (domain == NULL) {
4677 + /*
4678 + * We don't know the domain so
4679 + * we're not authoritative
4680 + */
4681 + state->authoritative = false;
4682 tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
4683 return tevent_req_post(req, ev);
4684 }
4685 @@ -184,6 +190,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
4686
4687 if (tevent_req_is_nterror(req, &status)) {
4688 set_auth_errors(response, status);
4689 + response->data.auth.authoritative = state->authoritative;
4690 return status;
4691 }
4692
4693 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
4694 index 3245c70bb8e..315eb366a52 100644
4695 --- a/source3/winbindd/winbindd_util.c
4696 +++ b/source3/winbindd/winbindd_util.c
4697 @@ -2062,6 +2062,13 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
4698
4699 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
4700 {
4701 + /*
4702 + * Make sure we start with authoritative=true,
4703 + * it will only set to false if we don't know the
4704 + * domain.
4705 + */
4706 + resp->data.auth.authoritative = true;
4707 +
4708 resp->data.auth.nt_status = NT_STATUS_V(result);
4709 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
4710
4711 --
4712 2.39.0
4713
4714
4715 From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001
4716 From: Stefan Metzmacher <metze@samba.org>
4717 Date: Mon, 4 Oct 2021 17:29:34 +0200
4718 Subject: [PATCH 056/142] CVE-2020-25717: s4:auth/ntlm: make sure
4719 auth_check_password() defaults to r->out.authoritative = true
4720
4721 We need to make sure that temporary failures don't trigger a fallback
4722 to the local SAM that silently ignores the domain name part for users.
4723
4724 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4725
4726 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4727 ---
4728 source4/auth/ntlm/auth.c | 5 +++++
4729 1 file changed, 5 insertions(+)
4730
4731 diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
4732 index 3a3fa7eaa59..f754bd5cd44 100644
4733 --- a/source4/auth/ntlm/auth.c
4734 +++ b/source4/auth/ntlm/auth.c
4735 @@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
4736 /*TODO: create a new event context here! */
4737 ev = auth_ctx->event_ctx;
4738
4739 + /*
4740 + * We are authoritative by default
4741 + */
4742 + *pauthoritative = 1;
4743 +
4744 subreq = auth_check_password_send(mem_ctx,
4745 ev,
4746 auth_ctx,
4747 --
4748 2.39.0
4749
4750
4751 From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001
4752 From: Stefan Metzmacher <metze@samba.org>
4753 Date: Tue, 26 Oct 2021 17:42:41 +0200
4754 Subject: [PATCH 057/142] CVE-2020-25717: s4:torture: start with authoritative
4755 = 1
4756
4757 This is not strictly needed, but makes it easier to audit
4758 that we don't miss important places.
4759
4760 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4761
4762 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4763 ---
4764 source4/torture/rpc/samlogon.c | 4 ++--
4765 source4/torture/rpc/schannel.c | 2 +-
4766 2 files changed, 3 insertions(+), 3 deletions(-)
4767
4768 diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
4769 index e689dfd5e98..957cb410712 100644
4770 --- a/source4/torture/rpc/samlogon.c
4771 +++ b/source4/torture/rpc/samlogon.c
4772 @@ -1385,7 +1385,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
4773
4774 union netr_LogonLevel logon;
4775 union netr_Validation validation;
4776 - uint8_t authoritative = 0;
4777 + uint8_t authoritative = 1;
4778 uint32_t flags = 0;
4779
4780 ZERO_STRUCT(logon);
4781 @@ -1498,7 +1498,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
4782
4783 union netr_LogonLevel logon;
4784 union netr_Validation validation;
4785 - uint8_t authoritative = 0;
4786 + uint8_t authoritative = 1;
4787 struct dcerpc_binding_handle *b = p->binding_handle;
4788
4789 ZERO_STRUCT(a);
4790 diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
4791 index c237c82bbe7..72d0bf28fdd 100644
4792 --- a/source4/torture/rpc/schannel.c
4793 +++ b/source4/torture/rpc/schannel.c
4794 @@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
4795 struct netr_NetworkInfo ninfo;
4796 union netr_LogonLevel logon;
4797 union netr_Validation validation;
4798 - uint8_t authoritative = 0;
4799 + uint8_t authoritative = 1;
4800 uint32_t _flags = 0;
4801 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
4802 int i;
4803 --
4804 2.39.0
4805
4806
4807 From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001
4808 From: Stefan Metzmacher <metze@samba.org>
4809 Date: Tue, 26 Oct 2021 17:42:41 +0200
4810 Subject: [PATCH 058/142] CVE-2020-25717: s4:smb_server: start with
4811 authoritative = 1
4812
4813 This is not strictly needed, but makes it easier to audit
4814 that we don't miss important places.
4815
4816 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4817
4818 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4819 ---
4820 source4/smb_server/smb/sesssetup.c | 4 ++--
4821 1 file changed, 2 insertions(+), 2 deletions(-)
4822
4823 diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
4824 index 13f13934412..5e817eecd4b 100644
4825 --- a/source4/smb_server/smb/sesssetup.c
4826 +++ b/source4/smb_server/smb/sesssetup.c
4827 @@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
4828 struct auth_session_info *session_info;
4829 struct smbsrv_session *smb_sess;
4830 NTSTATUS status;
4831 - uint8_t authoritative = 0;
4832 + uint8_t authoritative = 1;
4833 uint32_t flags;
4834
4835 status = auth_check_password_recv(subreq, req, &user_info_dc,
4836 @@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
4837 struct auth_user_info_dc *user_info_dc = NULL;
4838 struct auth_session_info *session_info;
4839 struct smbsrv_session *smb_sess;
4840 - uint8_t authoritative = 0;
4841 + uint8_t authoritative = 1;
4842 uint32_t flags;
4843 NTSTATUS status;
4844
4845 --
4846 2.39.0
4847
4848
4849 From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001
4850 From: Stefan Metzmacher <metze@samba.org>
4851 Date: Tue, 26 Oct 2021 17:42:41 +0200
4852 Subject: [PATCH 059/142] CVE-2020-25717: s4:auth_simple: start with
4853 authoritative = 1
4854
4855 This is not strictly needed, but makes it easier to audit
4856 that we don't miss important places.
4857
4858 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4859
4860 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4861 ---
4862 source4/auth/ntlm/auth_simple.c | 2 +-
4863 1 file changed, 1 insertion(+), 1 deletion(-)
4864
4865 diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
4866 index fcd9050979d..da8f094a838 100644
4867 --- a/source4/auth/ntlm/auth_simple.c
4868 +++ b/source4/auth/ntlm/auth_simple.c
4869 @@ -150,7 +150,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
4870 const struct tsocket_address *local_address = user_info->local_host;
4871 const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
4872 struct auth_user_info_dc *user_info_dc = NULL;
4873 - uint8_t authoritative = 0;
4874 + uint8_t authoritative = 1;
4875 uint32_t flags = 0;
4876 NTSTATUS nt_status;
4877
4878 --
4879 2.39.0
4880
4881
4882 From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001
4883 From: Stefan Metzmacher <metze@samba.org>
4884 Date: Tue, 26 Oct 2021 17:42:41 +0200
4885 Subject: [PATCH 060/142] CVE-2020-25717: s3:ntlm_auth: start with
4886 authoritative = 1
4887
4888 This is not strictly needed, but makes it easier to audit
4889 that we don't miss important places.
4890
4891 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4892
4893 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4894 ---
4895 source3/utils/ntlm_auth.c | 4 ++--
4896 source3/utils/ntlm_auth_diagnostics.c | 10 +++++-----
4897 2 files changed, 7 insertions(+), 7 deletions(-)
4898
4899 diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
4900 index 36c32e4a3dc..3f70732a837 100644
4901 --- a/source3/utils/ntlm_auth.c
4902 +++ b/source3/utils/ntlm_auth.c
4903 @@ -1766,7 +1766,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
4904 TALLOC_FREE(mem_ctx);
4905
4906 } else {
4907 - uint8_t authoritative = 0;
4908 + uint8_t authoritative = 1;
4909
4910 if (!domain) {
4911 domain = smb_xstrdup(get_winbind_domain());
4912 @@ -2235,7 +2235,7 @@ static bool check_auth_crap(void)
4913 char *hex_lm_key;
4914 char *hex_user_session_key;
4915 char *error_string;
4916 - uint8_t authoritative = 0;
4917 + uint8_t authoritative = 1;
4918
4919 setbuf(stdout, NULL);
4920
4921 diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
4922 index 41591a8de33..fc0fc19bacb 100644
4923 --- a/source3/utils/ntlm_auth_diagnostics.c
4924 +++ b/source3/utils/ntlm_auth_diagnostics.c
4925 @@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
4926 DATA_BLOB lm_response = data_blob(NULL, 24);
4927 DATA_BLOB nt_response = data_blob(NULL, 24);
4928 DATA_BLOB session_key = data_blob(NULL, 16);
4929 - uint8_t authoritative = 0;
4930 + uint8_t authoritative = 1;
4931 uchar lm_key[8];
4932 uchar user_session_key[16];
4933 uchar lm_hash[16];
4934 @@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void)
4935 NTSTATUS nt_status;
4936 uint32_t flags = 0;
4937 DATA_BLOB nt_response = data_blob(NULL, 24);
4938 - uint8_t authoritative = 0;
4939 + uint8_t authoritative = 1;
4940 uchar lm_key[8];
4941 uchar lm_hash[16];
4942 uchar user_session_key[16];
4943 @@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void)
4944 uint32_t flags = 0;
4945 DATA_BLOB nt_response = data_blob(NULL, 24);
4946 DATA_BLOB session_key = data_blob(NULL, 16);
4947 - uint8_t authoritative = 0;
4948 + uint8_t authoritative = 1;
4949 uint8_t lm_key[8];
4950 uint8_t lm_hash[16];
4951 uint8_t user_session_key[16];
4952 @@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
4953 DATA_BLOB lmv2_response = data_blob_null;
4954 DATA_BLOB ntlmv2_session_key = data_blob_null;
4955 DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
4956 - uint8_t authoritative = 0;
4957 + uint8_t authoritative = 1;
4958 uchar user_session_key[16];
4959 DATA_BLOB chall = get_challenge();
4960 char *error_string;
4961 @@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which)
4962 char *password;
4963 smb_ucs2_t *nt_response_ucs2;
4964 size_t converted_size;
4965 - uint8_t authoritative = 0;
4966 + uint8_t authoritative = 1;
4967 uchar user_session_key[16];
4968 uchar lm_key[16];
4969 static const uchar zeros[8] = { 0, };
4970 --
4971 2.39.0
4972
4973
4974 From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001
4975 From: Stefan Metzmacher <metze@samba.org>
4976 Date: Tue, 26 Oct 2021 17:42:41 +0200
4977 Subject: [PATCH 061/142] CVE-2020-25717: s3:torture: start with authoritative
4978 = 1
4979
4980 This is not strictly needed, but makes it easier to audit
4981 that we don't miss important places.
4982
4983 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
4984
4985 Signed-off-by: Stefan Metzmacher <metze@samba.org>
4986
4987 [scabrero@samba.org Backported to 4.10 due to missing commit
4988 a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
4989 of SMBOWFencrypt()]
4990 ---
4991 source3/torture/pdbtest.c | 2 +-
4992 1 file changed, 1 insertion(+), 1 deletion(-)
4993
4994 diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
4995 index 64bc45e6a7c..48190e78bf8 100644
4996 --- a/source3/torture/pdbtest.c
4997 +++ b/source3/torture/pdbtest.c
4998 @@ -277,7 +277,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
4999 struct netr_SamInfo6 *info6_wbc = NULL;
5000 NTSTATUS status;
5001 bool ok;
5002 - uint8_t authoritative = 0;
5003 + uint8_t authoritative = 1;
5004
5005 SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
5006 local_nt_response);
5007 --
5008 2.39.0
5009
5010
5011 From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001
5012 From: Stefan Metzmacher <metze@samba.org>
5013 Date: Tue, 26 Oct 2021 17:42:41 +0200
5014 Subject: [PATCH 062/142] CVE-2020-25717: s3:rpcclient: start with
5015 authoritative = 1
5016
5017 This is not strictly needed, but makes it easier to audit
5018 that we don't miss important places.
5019
5020 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5021
5022 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5023 ---
5024 source3/rpcclient/cmd_netlogon.c | 2 +-
5025 1 file changed, 1 insertion(+), 1 deletion(-)
5026
5027 diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
5028 index 631740562c6..30fa1ed7816 100644
5029 --- a/source3/rpcclient/cmd_netlogon.c
5030 +++ b/source3/rpcclient/cmd_netlogon.c
5031 @@ -496,7 +496,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
5032 uint32_t logon_param = 0;
5033 const char *workstation = NULL;
5034 struct netr_SamInfo3 *info3 = NULL;
5035 - uint8_t authoritative = 0;
5036 + uint8_t authoritative = 1;
5037 uint32_t flags = 0;
5038 uint16_t validation_level;
5039 union netr_Validation *validation = NULL;
5040 --
5041 2.39.0
5042
5043
5044 From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001
5045 From: Stefan Metzmacher <metze@samba.org>
5046 Date: Tue, 26 Oct 2021 17:42:41 +0200
5047 Subject: [PATCH 063/142] CVE-2020-25717: s3:auth: start with authoritative = 1
5048
5049 This is not strictly needed, but makes it easier to audit
5050 that we don't miss important places.
5051
5052 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5053
5054 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5055
5056 [scabrero@samba.org Backported to 4.10 due to missing commits
5057 7f75dec865256049e99f7fcf46317cd2d53e95d1 and
5058 434030ba711e677fdd167a255d05c1cd4db943b7]
5059 ---
5060 source3/auth/auth_generic.c | 2 +-
5061 source3/auth/auth_samba4.c | 2 +-
5062 2 files changed, 2 insertions(+), 2 deletions(-)
5063
5064 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
5065 index 0e9c423efef..4ef2270cb34 100644
5066 --- a/source3/auth/auth_generic.c
5067 +++ b/source3/auth/auth_generic.c
5068 @@ -415,7 +415,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
5069 {
5070 NTSTATUS nt_status;
5071 void *server_info;
5072 - uint8_t authoritative = 0;
5073 + uint8_t authoritative = 1;
5074
5075 if (auth_context->check_ntlm_password_send != NULL) {
5076 struct tevent_context *ev = NULL;
5077 diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
5078 index a71c75631d7..bf7ccb4348c 100644
5079 --- a/source3/auth/auth_samba4.c
5080 +++ b/source3/auth/auth_samba4.c
5081 @@ -118,7 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
5082 NTSTATUS nt_status;
5083 struct auth_user_info_dc *user_info_dc;
5084 struct auth4_context *auth4_context;
5085 - uint8_t authoritative = 0;
5086 + uint8_t authoritative = 1;
5087
5088 nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
5089 if (!NT_STATUS_IS_OK(nt_status)) {
5090 --
5091 2.39.0
5092
5093
5094 From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001
5095 From: Stefan Metzmacher <metze@samba.org>
5096 Date: Tue, 26 Oct 2021 17:42:41 +0200
5097 Subject: [PATCH 064/142] CVE-2020-25717: auth/ntlmssp: start with
5098 authoritative = 1
5099
5100 This is not strictly needed, but makes it easier to audit
5101 that we don't miss important places.
5102
5103 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5104
5105 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5106 ---
5107 auth/ntlmssp/ntlmssp_server.c | 2 +-
5108 1 file changed, 1 insertion(+), 1 deletion(-)
5109
5110 diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
5111 index 140e89daeb1..eebada670be 100644
5112 --- a/auth/ntlmssp/ntlmssp_server.c
5113 +++ b/auth/ntlmssp/ntlmssp_server.c
5114 @@ -830,7 +830,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
5115 struct gensec_security *gensec_security = state->gensec_security;
5116 struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
5117 struct auth4_context *auth_context = gensec_security->auth_context;
5118 - uint8_t authoritative = 0;
5119 + uint8_t authoritative = 1;
5120 NTSTATUS status;
5121
5122 status = auth_context->check_ntlm_password_recv(subreq,
5123 --
5124 2.39.0
5125
5126
5127 From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001
5128 From: Samuel Cabrero <scabrero@samba.org>
5129 Date: Tue, 28 Sep 2021 10:43:40 +0200
5130 Subject: [PATCH 065/142] CVE-2020-25717: loadparm: Add new parameter "min
5131 domain uid"
5132
5133 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5134 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5135
5136 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5137
5138 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
5139 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5140
5141 [abartlet@samba.org Backported from master/4.15 due to
5142 conflicts with other new parameters]
5143 ---
5144 docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++
5145 docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++
5146 lib/param/loadparm.c | 4 ++++
5147 source3/param/loadparm.c | 2 ++
5148 4 files changed, 27 insertions(+)
5149 create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
5150
5151 diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
5152 new file mode 100644
5153 index 00000000000..46ae795d730
5154 --- /dev/null
5155 +++ b/docs-xml/smbdotconf/security/mindomainuid.xml
5156 @@ -0,0 +1,17 @@
5157 +<samba:parameter name="min domain uid"
5158 + type="integer"
5159 + context="G"
5160 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
5161 +<description>
5162 + <para>
5163 + The integer parameter specifies the minimum uid allowed when mapping a
5164 + local account to a domain account.
5165 + </para>
5166 +
5167 + <para>
5168 + Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
5169 + </para>
5170 +</description>
5171 +
5172 +<value type="default">1000</value>
5173 +</samba:parameter>
5174 diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
5175 index 1374040fb29..f70f11df757 100644
5176 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
5177 +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
5178 @@ -80,6 +80,9 @@
5179 authoritative for a unix ID to SID mapping, so it must be set
5180 for each individually configured domain and for the default
5181 configuration. The configured ranges must be mutually disjoint.
5182 + </para>
5183 + <para>
5184 + Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
5185 </para></listitem>
5186 </varlistentry>
5187
5188 @@ -115,4 +118,5 @@
5189 </programlisting>
5190
5191 </description>
5192 +<related>min domain uid</related>
5193 </samba:parameter>
5194 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
5195 index 4c3dfff24f3..4aa91f4d404 100644
5196 --- a/lib/param/loadparm.c
5197 +++ b/lib/param/loadparm.c
5198 @@ -3015,6 +3015,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
5199 lpcfg_do_global_parameter(
5200 lp_ctx, "ldap max search request size", "256000");
5201
5202 + lpcfg_do_global_parameter(lp_ctx,
5203 + "min domain uid",
5204 + "1000");
5205 +
5206 for (i = 0; parm_table[i].label; i++) {
5207 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
5208 lp_ctx->flags[i] |= FLAG_DEFAULT;
5209 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
5210 index 0db44e92d19..57d1d909099 100644
5211 --- a/source3/param/loadparm.c
5212 +++ b/source3/param/loadparm.c
5213 @@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
5214 Globals.ldap_max_authenticated_request_size = 16777216;
5215 Globals.ldap_max_search_request_size = 256000;
5216
5217 + Globals.min_domain_uid = 1000;
5218 +
5219 /* Now put back the settings that were set with lp_set_cmdline() */
5220 apply_lp_set_cmdline();
5221 }
5222 --
5223 2.39.0
5224
5225
5226 From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001
5227 From: Stefan Metzmacher <metze@samba.org>
5228 Date: Fri, 8 Oct 2021 19:57:18 +0200
5229 Subject: [PATCH 066/142] CVE-2020-25717: s3:auth: let
5230 auth3_generate_session_info_pac() forward the low level errors
5231
5232 Mapping everything to ACCESS_DENIED makes it hard to debug problems,
5233 which may happen because of our more restrictive behaviour in future.
5234
5235 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5236 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5237
5238 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5239 ---
5240 source3/auth/auth_generic.c | 2 +-
5241 1 file changed, 1 insertion(+), 1 deletion(-)
5242
5243 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
5244 index 4ef2270cb34..26a38f92b30 100644
5245 --- a/source3/auth/auth_generic.c
5246 +++ b/source3/auth/auth_generic.c
5247 @@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
5248 if (!NT_STATUS_IS_OK(status)) {
5249 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
5250 nt_errstr(status)));
5251 - status = NT_STATUS_ACCESS_DENIED;
5252 + status = nt_status_squash(status);
5253 goto done;
5254 }
5255
5256 --
5257 2.39.0
5258
5259
5260 From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001
5261 From: Samuel Cabrero <scabrero@samba.org>
5262 Date: Tue, 28 Sep 2021 10:45:11 +0200
5263 Subject: [PATCH 067/142] CVE-2020-25717: s3:auth: Check minimum domain uid
5264
5265 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5266 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5267
5268 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5269
5270 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
5271 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5272 ---
5273 source3/auth/auth_util.c | 16 ++++++++++++++++
5274 1 file changed, 16 insertions(+)
5275
5276 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5277 index 8ff20c33759..8801d3f0f0b 100644
5278 --- a/source3/auth/auth_util.c
5279 +++ b/source3/auth/auth_util.c
5280 @@ -2078,6 +2078,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
5281 }
5282 }
5283 goto out;
5284 + } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
5285 + !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
5286 + /*
5287 + * !is_myname(domain) because when smbd starts tries to setup
5288 + * the guest user info, calling this function with nobody
5289 + * username. Nobody is usually uid 65535 but it can be changed
5290 + * to a regular user with 'guest account' parameter
5291 + */
5292 + nt_status = NT_STATUS_INVALID_TOKEN;
5293 + DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
5294 + "it does not meet 'min domain uid' "
5295 + "restriction (%u < %u): %s\n",
5296 + nt_domain, lp_winbind_separator(), nt_username,
5297 + pwd->pw_uid, lp_min_domain_uid(),
5298 + nt_errstr(nt_status));
5299 + goto out;
5300 }
5301
5302 result = make_server_info(tmp_ctx);
5303 --
5304 2.39.0
5305
5306
5307 From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001
5308 From: Stefan Metzmacher <metze@samba.org>
5309 Date: Fri, 8 Oct 2021 17:40:30 +0200
5310 Subject: [PATCH 068/142] CVE-2020-25717: s3:auth: we should not try to
5311 autocreate the guest account
5312
5313 We should avoid autocreation of users as much as possible.
5314
5315 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5316 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5317
5318 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5319 ---
5320 source3/auth/user_krb5.c | 2 +-
5321 1 file changed, 1 insertion(+), 1 deletion(-)
5322
5323 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
5324 index 8998f9c8f8a..074e8c7eb71 100644
5325 --- a/source3/auth/user_krb5.c
5326 +++ b/source3/auth/user_krb5.c
5327 @@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
5328 if (!fuser) {
5329 return NT_STATUS_NO_MEMORY;
5330 }
5331 - pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
5332 + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false);
5333 }
5334
5335 /* extra sanity check that the guest account is valid */
5336 --
5337 2.39.0
5338
5339
5340 From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001
5341 From: Stefan Metzmacher <metze@samba.org>
5342 Date: Fri, 8 Oct 2021 18:08:20 +0200
5343 Subject: [PATCH 069/142] CVE-2020-25717: s3:auth: no longer let
5344 check_account() autocreate local users
5345
5346 So far we autocreated local user accounts based on just the
5347 account_name (just ignoring any domain part).
5348
5349 This only happens via a possible 'add user script',
5350 which is not typically defined on domain members
5351 and on NT4 DCs local users already exist in the
5352 local passdb anyway.
5353
5354 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5355 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5356
5357 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5358 ---
5359 source3/auth/auth_util.c | 2 +-
5360 1 file changed, 1 insertion(+), 1 deletion(-)
5361
5362 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5363 index 8801d3f0f0b..6ee500493e6 100644
5364 --- a/source3/auth/auth_util.c
5365 +++ b/source3/auth/auth_util.c
5366 @@ -1873,7 +1873,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
5367 return NT_STATUS_NO_MEMORY;
5368 }
5369
5370 - passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
5371 + passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
5372 if (!passwd) {
5373 DEBUG(3, ("Failed to find authenticated user %s via "
5374 "getpwnam(), denying access.\n", dom_user));
5375 --
5376 2.39.0
5377
5378
5379 From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001
5380 From: Ralph Boehme <slow@samba.org>
5381 Date: Fri, 8 Oct 2021 12:33:16 +0200
5382 Subject: [PATCH 070/142] CVE-2020-25717: s3:auth: remove fallbacks in
5383 smb_getpwnam()
5384
5385 So far we tried getpwnam("DOMAIN\account") first and
5386 always did a fallback to getpwnam("account") completely
5387 ignoring the domain part, this just causes problems
5388 as we mix "DOMAIN1\account", "DOMAIN2\account",
5389 and "account"!
5390
5391 As we require a running winbindd for domain member setups
5392 we should no longer do a fallback to just "account" for
5393 users served by winbindd!
5394
5395 For users of the local SAM don't use this code path,
5396 as check_sam_security() doesn't call check_account().
5397
5398 The only case where smb_getpwnam("account") happens is
5399 when map_username() via ("username map [script]") mapped
5400 "DOMAIN\account" to something without '\', but that is
5401 explicitly desired by the admin.
5402
5403 Note: use 'git show -w'
5404
5405 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5406 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5407
5408 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5409
5410 Signed-off-by: Ralph Boehme <slow@samba.org>
5411 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5412 ---
5413 source3/auth/auth_util.c | 77 ++++++++++++++++++++++------------------
5414 1 file changed, 42 insertions(+), 35 deletions(-)
5415
5416 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5417 index 6ee500493e6..161e05c2106 100644
5418 --- a/source3/auth/auth_util.c
5419 +++ b/source3/auth/auth_util.c
5420 @@ -1908,7 +1908,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
5421 {
5422 struct passwd *pw = NULL;
5423 char *p = NULL;
5424 - char *username = NULL;
5425 + const char *username = NULL;
5426
5427 /* we only save a copy of the username it has been mangled
5428 by winbindd use default domain */
5429 @@ -1927,48 +1927,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
5430 /* code for a DOMAIN\user string */
5431
5432 if ( p ) {
5433 - pw = Get_Pwnam_alloc( mem_ctx, domuser );
5434 - if ( pw ) {
5435 - /* make sure we get the case of the username correct */
5436 - /* work around 'winbind use default domain = yes' */
5437 -
5438 - if ( lp_winbind_use_default_domain() &&
5439 - !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
5440 - char *domain;
5441 -
5442 - /* split the domain and username into 2 strings */
5443 - *p = '\0';
5444 - domain = username;
5445 -
5446 - *p_save_username = talloc_asprintf(mem_ctx,
5447 - "%s%c%s",
5448 - domain,
5449 - *lp_winbind_separator(),
5450 - pw->pw_name);
5451 - if (!*p_save_username) {
5452 - TALLOC_FREE(pw);
5453 - return NULL;
5454 - }
5455 - } else {
5456 - *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
5457 - }
5458 + const char *domain = NULL;
5459
5460 - /* whew -- done! */
5461 - return pw;
5462 + /* split the domain and username into 2 strings */
5463 + *p = '\0';
5464 + domain = username;
5465 + p++;
5466 + username = p;
5467 +
5468 + if (strequal(domain, get_global_sam_name())) {
5469 + /*
5470 + * This typically don't happen
5471 + * as check_sam_Security()
5472 + * don't call make_server_info_info3()
5473 + * and thus check_account().
5474 + *
5475 + * But we better keep this.
5476 + */
5477 + goto username_only;
5478 }
5479
5480 - /* setup for lookup of just the username */
5481 - /* remember that p and username are overlapping memory */
5482 -
5483 - p++;
5484 - username = talloc_strdup(mem_ctx, p);
5485 - if (!username) {
5486 + pw = Get_Pwnam_alloc( mem_ctx, domuser );
5487 + if (pw == NULL) {
5488 return NULL;
5489 }
5490 + /* make sure we get the case of the username correct */
5491 + /* work around 'winbind use default domain = yes' */
5492 +
5493 + if ( lp_winbind_use_default_domain() &&
5494 + !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
5495 + *p_save_username = talloc_asprintf(mem_ctx,
5496 + "%s%c%s",
5497 + domain,
5498 + *lp_winbind_separator(),
5499 + pw->pw_name);
5500 + if (!*p_save_username) {
5501 + TALLOC_FREE(pw);
5502 + return NULL;
5503 + }
5504 + } else {
5505 + *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
5506 + }
5507 +
5508 + /* whew -- done! */
5509 + return pw;
5510 +
5511 }
5512
5513 /* just lookup a plain username */
5514 -
5515 +username_only:
5516 pw = Get_Pwnam_alloc(mem_ctx, username);
5517
5518 /* Create local user if requested but only if winbindd
5519 --
5520 2.39.0
5521
5522
5523 From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001
5524 From: Stefan Metzmacher <metze@samba.org>
5525 Date: Mon, 4 Oct 2021 18:03:55 +0200
5526 Subject: [PATCH 071/142] CVE-2020-25717: s3:auth: don't let create_local_token
5527 depend on !winbind_ping()
5528
5529 We always require a running winbindd on a domain member, so
5530 we should better fail a request instead of silently alter
5531 the behaviour, which results in a different unix token, just
5532 because winbindd might be restarted.
5533
5534 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5535 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5536
5537 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5538 ---
5539 source3/auth/auth_util.c | 10 ++++------
5540 1 file changed, 4 insertions(+), 6 deletions(-)
5541
5542 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
5543 index 161e05c2106..c0e5cfd7fa8 100644
5544 --- a/source3/auth/auth_util.c
5545 +++ b/source3/auth/auth_util.c
5546 @@ -551,13 +551,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
5547 }
5548
5549 /*
5550 - * If winbind is not around, we can not make much use of the SIDs the
5551 - * domain controller provided us with. Likewise if the user name was
5552 - * mapped to some local unix user.
5553 + * If the user name was mapped to some local unix user,
5554 + * we can not make much use of the SIDs the
5555 + * domain controller provided us with.
5556 */
5557 -
5558 - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
5559 - (server_info->nss_token)) {
5560 + if (server_info->nss_token) {
5561 char *found_username = NULL;
5562 status = create_token_from_username(session_info,
5563 server_info->unix_name,
5564 --
5565 2.39.0
5566
5567
5568 From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001
5569 From: Alexander Bokovoy <ab@samba.org>
5570 Date: Wed, 11 Nov 2020 18:50:45 +0200
5571 Subject: [PATCH 072/142] CVE-2020-25717: Add FreeIPA domain controller role
5572
5573 As we want to reduce use of 'classic domain controller' role but FreeIPA
5574 relies on it internally, add a separate role to mark FreeIPA domain
5575 controller role.
5576
5577 It means that role won't result in ROLE_STANDALONE.
5578
5579 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5580 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5581
5582 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
5583
5584 Signed-off-by: Alexander Bokovoy <ab@samba.org>
5585 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5586
5587 [abartlet@samba.org Backported due to conflict with DEBUG
5588 statements and IPA branding changes in comments]
5589 ---
5590 docs-xml/smbdotconf/security/serverrole.xml | 7 ++++
5591 lib/param/loadparm_server_role.c | 2 ++
5592 lib/param/param_table.c | 1 +
5593 lib/param/util.c | 1 +
5594 libcli/netlogon/netlogon.c | 2 +-
5595 libds/common/roles.h | 1 +
5596 source3/auth/auth.c | 3 ++
5597 source3/auth/auth_sam.c | 2 ++
5598 source3/include/smb_macros.h | 2 +-
5599 source3/lib/netapi/joindomain.c | 1 +
5600 source3/param/loadparm.c | 4 ++-
5601 source3/passdb/lookup_sid.c | 1 -
5602 source3/passdb/machine_account_secrets.c | 7 ++--
5603 source3/registry/reg_backend_prod_options.c | 1 +
5604 source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 +
5605 source3/smbd/server.c | 2 +-
5606 source3/winbindd/winbindd_misc.c | 2 +-
5607 source3/winbindd/winbindd_util.c | 40 ++++++++++++++++-----
5608 source4/auth/ntlm/auth.c | 1 +
5609 source4/kdc/kdc-heimdal.c | 1 +
5610 source4/rpc_server/samr/dcesrv_samr.c | 2 ++
5611 21 files changed, 65 insertions(+), 19 deletions(-)
5612
5613 diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
5614 index 9511c61c96d..b8b83a127b5 100644
5615 --- a/docs-xml/smbdotconf/security/serverrole.xml
5616 +++ b/docs-xml/smbdotconf/security/serverrole.xml
5617 @@ -78,6 +78,13 @@
5618 url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
5619 HOWTO</ulink></para>
5620
5621 + <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
5622 +
5623 + <para>This mode of operation runs Samba in a hybrid mode for IPA
5624 + domain controller, providing forest trust to Active Directory.
5625 + This role requires special configuration performed by IPA installers
5626 + and should not be used manually by any administrator.
5627 + </para>
5628 </description>
5629
5630 <related>security</related>
5631 diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
5632 index 7a6bc770723..a78d1ab9cf3 100644
5633 --- a/lib/param/loadparm_server_role.c
5634 +++ b/lib/param/loadparm_server_role.c
5635 @@ -42,6 +42,7 @@ static const struct srv_role_tab {
5636 { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
5637 { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
5638 { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
5639 + { ROLE_IPA_DC, "ROLE_IPA_DC"},
5640 { 0, NULL }
5641 };
5642
5643 @@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
5644 case ROLE_DOMAIN_PDC:
5645 case ROLE_DOMAIN_BDC:
5646 case ROLE_ACTIVE_DIRECTORY_DC:
5647 + case ROLE_IPA_DC:
5648 if (security == SEC_USER) {
5649 valid = true;
5650 }
5651 diff --git a/lib/param/param_table.c b/lib/param/param_table.c
5652 index f9d3b55adf2..aed205d1944 100644
5653 --- a/lib/param/param_table.c
5654 +++ b/lib/param/param_table.c
5655 @@ -100,6 +100,7 @@ static const struct enum_list enum_server_role[] = {
5656 {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
5657 {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
5658 {ROLE_ACTIVE_DIRECTORY_DC, "dc"},
5659 + {ROLE_IPA_DC, "IPA primary domain controller"},
5660 {-1, NULL}
5661 };
5662
5663 diff --git a/lib/param/util.c b/lib/param/util.c
5664 index cd8e74b9d8f..9a0fc102de8 100644
5665 --- a/lib/param/util.c
5666 +++ b/lib/param/util.c
5667 @@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
5668 case ROLE_DOMAIN_BDC:
5669 case ROLE_DOMAIN_PDC:
5670 case ROLE_ACTIVE_DIRECTORY_DC:
5671 + case ROLE_IPA_DC:
5672 return lpcfg_workgroup(lp_ctx);
5673 default:
5674 return lpcfg_netbios_name(lp_ctx);
5675 diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
5676 index 58a331d70ad..838bdf84c87 100644
5677 --- a/libcli/netlogon/netlogon.c
5678 +++ b/libcli/netlogon/netlogon.c
5679 @@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
5680 if (ndr->offset < ndr->data_size) {
5681 TALLOC_FREE(ndr);
5682 /*
5683 - * We need to handle a bug in FreeIPA (at least <= 4.1.2).
5684 + * We need to handle a bug in IPA (at least <= 4.1.2).
5685 *
5686 * They include the ip address information without setting
5687 * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
5688 diff --git a/libds/common/roles.h b/libds/common/roles.h
5689 index 4772c8d7d3f..03ba1915b21 100644
5690 --- a/libds/common/roles.h
5691 +++ b/libds/common/roles.h
5692 @@ -33,6 +33,7 @@ enum server_role {
5693
5694 /* not in samr.idl */
5695 ROLE_ACTIVE_DIRECTORY_DC = 4,
5696 + ROLE_IPA_DC = 5,
5697
5698 /* To determine the role automatically, this is not a valid role */
5699 ROLE_AUTO = 100
5700 diff --git a/source3/auth/auth.c b/source3/auth/auth.c
5701 index 0a96d591808..c5bfe9ac626 100644
5702 --- a/source3/auth/auth.c
5703 +++ b/source3/auth/auth.c
5704 @@ -529,6 +529,7 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
5705 break;
5706 case ROLE_DOMAIN_BDC:
5707 case ROLE_DOMAIN_PDC:
5708 + case ROLE_IPA_DC:
5709 DEBUG(5,("Making default auth method list for DC\n"));
5710 methods = "anonymous sam winbind sam_ignoredomain";
5711 break;
5712 @@ -557,6 +558,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
5713 switch (lp_server_role()) {
5714 case ROLE_DOMAIN_BDC:
5715 case ROLE_DOMAIN_PDC:
5716 + case ROLE_IPA_DC:
5717 methods = "sam_netlogon3 winbind";
5718 break;
5719
5720 @@ -578,6 +580,7 @@ NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
5721 case ROLE_DOMAIN_MEMBER:
5722 case ROLE_DOMAIN_BDC:
5723 case ROLE_DOMAIN_PDC:
5724 + case ROLE_IPA_DC:
5725 methods = "sam";
5726 break;
5727 case ROLE_ACTIVE_DIRECTORY_DC:
5728 diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
5729 index f9764d87e3c..d0b29083d46 100644
5730 --- a/source3/auth/auth_sam.c
5731 +++ b/source3/auth/auth_sam.c
5732 @@ -139,6 +139,7 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
5733 break;
5734 case ROLE_DOMAIN_PDC:
5735 case ROLE_DOMAIN_BDC:
5736 + case ROLE_IPA_DC:
5737 if ( !is_local_name && !is_my_domain ) {
5738 DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
5739 effective_domain));
5740 @@ -209,6 +210,7 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
5741 switch (lp_server_role()) {
5742 case ROLE_DOMAIN_PDC:
5743 case ROLE_DOMAIN_BDC:
5744 + case ROLE_IPA_DC:
5745 break;
5746 default:
5747 DBG_ERR("Invalid server role\n");
5748 diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
5749 index 06d24744960..346401510c2 100644
5750 --- a/source3/include/smb_macros.h
5751 +++ b/source3/include/smb_macros.h
5752 @@ -213,7 +213,7 @@ copy an IP address from one buffer to another
5753 Check to see if we are a DC for this domain
5754 *****************************************************************************/
5755
5756 -#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
5757 +#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC)
5758 #define IS_AD_DC (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
5759
5760 /*
5761 diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
5762 index 8d0752f4531..0344c0e0416 100644
5763 --- a/source3/lib/netapi/joindomain.c
5764 +++ b/source3/lib/netapi/joindomain.c
5765 @@ -369,6 +369,7 @@ WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx,
5766 case ROLE_DOMAIN_MEMBER:
5767 case ROLE_DOMAIN_PDC:
5768 case ROLE_DOMAIN_BDC:
5769 + case ROLE_IPA_DC:
5770 *r->out.name_type = NetSetupDomainName;
5771 break;
5772 case ROLE_STANDALONE:
5773 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
5774 index 57d1d909099..98e05d13d59 100644
5775 --- a/source3/param/loadparm.c
5776 +++ b/source3/param/loadparm.c
5777 @@ -4321,6 +4321,7 @@ int lp_default_server_announce(void)
5778 default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
5779 break;
5780 case ROLE_DOMAIN_PDC:
5781 + case ROLE_IPA_DC:
5782 default_server_announce |= SV_TYPE_DOMAIN_CTRL;
5783 break;
5784 case ROLE_DOMAIN_BDC:
5785 @@ -4346,7 +4347,8 @@ int lp_default_server_announce(void)
5786 bool lp_domain_master(void)
5787 {
5788 if (Globals._domain_master == Auto)
5789 - return (lp_server_role() == ROLE_DOMAIN_PDC);
5790 + return (lp_server_role() == ROLE_DOMAIN_PDC ||
5791 + lp_server_role() == ROLE_IPA_DC);
5792
5793 return (bool)Globals._domain_master;
5794 }
5795 diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
5796 index 186ba17fda6..839da5cfbf4 100644
5797 --- a/source3/passdb/lookup_sid.c
5798 +++ b/source3/passdb/lookup_sid.c
5799 @@ -117,7 +117,6 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
5800 if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
5801 strequal(domain, get_global_sam_name()))
5802 {
5803 -
5804 /* It's our own domain, lookup the name in passdb */
5805 if (lookup_global_sam_name(name, flags, &rid, &type)) {
5806 sid_compose(&sid, get_global_sam_sid(), rid);
5807 diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
5808 index dfc21f295a1..b60cf56c490 100644
5809 --- a/source3/passdb/machine_account_secrets.c
5810 +++ b/source3/passdb/machine_account_secrets.c
5811 @@ -198,7 +198,8 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
5812 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
5813
5814 if (!dyn_guid) {
5815 - if (lp_server_role() == ROLE_DOMAIN_PDC) {
5816 + if (lp_server_role() == ROLE_DOMAIN_PDC ||
5817 + lp_server_role() == ROLE_IPA_DC) {
5818 new_guid = GUID_random();
5819 if (!secrets_store_domain_guid(domain, &new_guid))
5820 return False;
5821 @@ -314,9 +315,7 @@ static const char *trust_keystr(const char *domain)
5822
5823 enum netr_SchannelType get_default_sec_channel(void)
5824 {
5825 - if (lp_server_role() == ROLE_DOMAIN_BDC ||
5826 - lp_server_role() == ROLE_DOMAIN_PDC ||
5827 - lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
5828 + if (IS_DC) {
5829 return SEC_CHAN_BDC;
5830 } else {
5831 return SEC_CHAN_WKSTA;
5832 diff --git a/source3/registry/reg_backend_prod_options.c b/source3/registry/reg_backend_prod_options.c
5833 index 655c587ac40..7bd3f324c37 100644
5834 --- a/source3/registry/reg_backend_prod_options.c
5835 +++ b/source3/registry/reg_backend_prod_options.c
5836 @@ -40,6 +40,7 @@ static int prod_options_fetch_values(const char *key, struct regval_ctr *regvals
5837 switch (lp_server_role()) {
5838 case ROLE_DOMAIN_PDC:
5839 case ROLE_DOMAIN_BDC:
5840 + case ROLE_IPA_DC:
5841 value_ascii = "LanmanNT";
5842 break;
5843 case ROLE_STANDALONE:
5844 diff --git a/source3/rpc_server/dssetup/srv_dssetup_nt.c b/source3/rpc_server/dssetup/srv_dssetup_nt.c
5845 index 7e3efa8504e..aa896e15ac4 100644
5846 --- a/source3/rpc_server/dssetup/srv_dssetup_nt.c
5847 +++ b/source3/rpc_server/dssetup/srv_dssetup_nt.c
5848 @@ -62,6 +62,7 @@ static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx,
5849 basic->domain = get_global_sam_name();
5850 break;
5851 case ROLE_DOMAIN_PDC:
5852 + case ROLE_IPA_DC:
5853 basic->role = DS_ROLE_PRIMARY_DC;
5854 basic->domain = get_global_sam_name();
5855 break;
5856 diff --git a/source3/smbd/server.c b/source3/smbd/server.c
5857 index 7d96a5762ec..d263507b22f 100644
5858 --- a/source3/smbd/server.c
5859 +++ b/source3/smbd/server.c
5860 @@ -1969,7 +1969,7 @@ extern void build_options(bool screen);
5861 exit_daemon("smbd can not open secrets.tdb", EACCES);
5862 }
5863
5864 - if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
5865 + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_IPA_DC) {
5866 struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
5867 if (!open_schannel_session_store(NULL, lp_ctx)) {
5868 exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES);
5869 diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
5870 index cc0701e597a..f09b029fd13 100644
5871 --- a/source3/winbindd/winbindd_misc.c
5872 +++ b/source3/winbindd/winbindd_misc.c
5873 @@ -75,7 +75,7 @@ static char *get_trust_type_string(TALLOC_CTX *mem_ctx,
5874 case SEC_CHAN_BDC: {
5875 int role = lp_server_role();
5876
5877 - if (role == ROLE_DOMAIN_PDC) {
5878 + if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) {
5879 s = talloc_strdup(mem_ctx, "PDC");
5880 if (s == NULL) {
5881 return NULL;
5882 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
5883 index 315eb366a52..04e79e70f6b 100644
5884 --- a/source3/winbindd/winbindd_util.c
5885 +++ b/source3/winbindd/winbindd_util.c
5886 @@ -1225,15 +1225,37 @@ bool init_domain_list(void)
5887 secure_channel_type = SEC_CHAN_LOCAL;
5888 }
5889
5890 - status = add_trusted_domain(get_global_sam_name(),
5891 - NULL,
5892 - get_global_sam_sid(),
5893 - LSA_TRUST_TYPE_DOWNLEVEL,
5894 - trust_flags,
5895 - 0, /* trust_attribs */
5896 - secure_channel_type,
5897 - NULL,
5898 - &domain);
5899 + if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
5900 + /* This is IPA DC that presents itself as
5901 + * an Active Directory domain controller to trusted AD
5902 + * forests but in fact is a classic domain controller.
5903 + */
5904 + trust_flags = NETR_TRUST_FLAG_PRIMARY;
5905 + trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
5906 + trust_flags |= NETR_TRUST_FLAG_NATIVE;
5907 + trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
5908 + trust_flags |= NETR_TRUST_FLAG_TREEROOT;
5909 + status = add_trusted_domain(pdb_domain_info->name,
5910 + pdb_domain_info->dns_domain,
5911 + &pdb_domain_info->sid,
5912 + LSA_TRUST_TYPE_UPLEVEL,
5913 + trust_flags,
5914 + LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
5915 + secure_channel_type,
5916 + NULL,
5917 + &domain);
5918 + TALLOC_FREE(pdb_domain_info);
5919 + } else {
5920 + status = add_trusted_domain(get_global_sam_name(),
5921 + NULL,
5922 + get_global_sam_sid(),
5923 + LSA_TRUST_TYPE_DOWNLEVEL,
5924 + trust_flags,
5925 + 0, /* trust_attribs */
5926 + secure_channel_type,
5927 + NULL,
5928 + &domain);
5929 + }
5930 if (!NT_STATUS_IS_OK(status)) {
5931 DBG_ERR("Failed to add local SAM to "
5932 "domain to winbindd's internal list\n");
5933 diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
5934 index f754bd5cd44..7dab02b5c4d 100644
5935 --- a/source4/auth/ntlm/auth.c
5936 +++ b/source4/auth/ntlm/auth.c
5937 @@ -773,6 +773,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
5938 case ROLE_DOMAIN_BDC:
5939 case ROLE_DOMAIN_PDC:
5940 case ROLE_ACTIVE_DIRECTORY_DC:
5941 + case ROLE_IPA_DC:
5942 auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
5943 break;
5944 }
5945 diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
5946 index b5de5a790d4..49aa560470c 100644
5947 --- a/source4/kdc/kdc-heimdal.c
5948 +++ b/source4/kdc/kdc-heimdal.c
5949 @@ -276,6 +276,7 @@ static NTSTATUS kdc_task_init(struct task_server *task)
5950 return NT_STATUS_INVALID_DOMAIN_ROLE;
5951 case ROLE_DOMAIN_PDC:
5952 case ROLE_DOMAIN_BDC:
5953 + case ROLE_IPA_DC:
5954 task_server_terminate(
5955 task, "Cannot start KDC as a 'classic Samba' DC", false);
5956 return NT_STATUS_INVALID_DOMAIN_ROLE;
5957 diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
5958 index 51fed4da62b..1f09b721408 100644
5959 --- a/source4/rpc_server/samr/dcesrv_samr.c
5960 +++ b/source4/rpc_server/samr/dcesrv_samr.c
5961 @@ -568,6 +568,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
5962 break;
5963 case ROLE_DOMAIN_PDC:
5964 case ROLE_DOMAIN_BDC:
5965 + case ROLE_IPA_DC:
5966 case ROLE_AUTO:
5967 return NT_STATUS_INTERNAL_ERROR;
5968 case ROLE_DOMAIN_MEMBER:
5969 @@ -675,6 +676,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
5970 break;
5971 case ROLE_DOMAIN_PDC:
5972 case ROLE_DOMAIN_BDC:
5973 + case ROLE_IPA_DC:
5974 case ROLE_AUTO:
5975 return NT_STATUS_INTERNAL_ERROR;
5976 case ROLE_DOMAIN_MEMBER:
5977 --
5978 2.39.0
5979
5980
5981 From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001
5982 From: Stefan Metzmacher <metze@samba.org>
5983 Date: Tue, 5 Oct 2021 18:11:57 +0200
5984 Subject: [PATCH 073/142] CVE-2020-25717: auth/gensec: always require a PAC in
5985 domain mode (DC or member)
5986
5987 AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
5988 on the service account, which can only be explicitly configured,
5989 but that's an invalid configuration!
5990
5991 We still try to support standalone servers in an MIT realm,
5992 as legacy setup.
5993
5994 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
5995 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
5996
5997 Signed-off-by: Stefan Metzmacher <metze@samba.org>
5998 ---
5999 auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++----
6000 1 file changed, 23 insertions(+), 4 deletions(-)
6001
6002 diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
6003 index e185acc0c20..694661b53b5 100644
6004 --- a/auth/gensec/gensec_util.c
6005 +++ b/auth/gensec/gensec_util.c
6006 @@ -25,6 +25,8 @@
6007 #include "auth/gensec/gensec_internal.h"
6008 #include "auth/common_auth.h"
6009 #include "../lib/util/asn1.h"
6010 +#include "param/param.h"
6011 +#include "libds/common/roles.h"
6012
6013 #undef DBGC_CLASS
6014 #define DBGC_CLASS DBGC_AUTH
6015 @@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
6016 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
6017
6018 if (!pac_blob) {
6019 - if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
6020 - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
6021 - principal_string));
6022 - return NT_STATUS_ACCESS_DENIED;
6023 + enum server_role server_role =
6024 + lpcfg_server_role(gensec_security->settings->lp_ctx);
6025 +
6026 + /*
6027 + * For any domain setup (DC or member) we require having
6028 + * a PAC, as the service ticket comes from an AD DC,
6029 + * which will always provide a PAC, unless
6030 + * UF_NO_AUTH_DATA_REQUIRED is configured for our
6031 + * account, but that's just an invalid configuration,
6032 + * the admin configured for us!
6033 + *
6034 + * As a legacy case, we still allow kerberos tickets from an MIT
6035 + * realm, but only in standalone mode. In that mode we'll only
6036 + * ever accept a kerberos authentication with a keytab file
6037 + * being explicitly configured via the 'keytab method' option.
6038 + */
6039 + if (server_role != ROLE_STANDALONE) {
6040 + DBG_WARNING("Unable to find PAC in ticket from %s, "
6041 + "failing to allow access\n",
6042 + principal_string);
6043 + return NT_STATUS_NO_IMPERSONATION_TOKEN;
6044 }
6045 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
6046 "user lookup\n", principal_string);
6047 --
6048 2.39.0
6049
6050
6051 From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001
6052 From: Stefan Metzmacher <metze@samba.org>
6053 Date: Mon, 11 Oct 2021 23:17:19 +0200
6054 Subject: [PATCH 074/142] CVE-2020-25717: s4:auth: remove unused
6055 auth_generate_session_info_principal()
6056
6057 We'll require a PAC at the main gensec layer already.
6058
6059 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6060 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6061
6062 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6063
6064 [abartlet@samba.org Backported from master/4.15 as
6065 check_password is sync in 4.14]
6066 ---
6067 source4/auth/auth.h | 8 ------
6068 source4/auth/ntlm/auth.c | 49 ++++--------------------------------
6069 source4/auth/ntlm/auth_sam.c | 12 ---------
6070 3 files changed, 5 insertions(+), 64 deletions(-)
6071
6072 diff --git a/source4/auth/auth.h b/source4/auth/auth.h
6073 index 51895c9259f..f16d0649de2 100644
6074 --- a/source4/auth/auth.h
6075 +++ b/source4/auth/auth.h
6076 @@ -73,14 +73,6 @@ struct auth_operations {
6077 TALLOC_CTX *mem_ctx,
6078 struct auth_user_info_dc **interim_info,
6079 bool *authoritative);
6080 -
6081 - /* Lookup a 'session info interim' return based only on the principal or DN */
6082 - NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
6083 - struct auth4_context *auth_context,
6084 - const char *principal,
6085 - struct ldb_dn *user_dn,
6086 - struct auth_user_info_dc **interim_info);
6087 - uint32_t flags;
6088 };
6089
6090 struct auth_method_context {
6091 diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
6092 index 7dab02b5c4d..2765fd1b13c 100644
6093 --- a/source4/auth/ntlm/auth.c
6094 +++ b/source4/auth/ntlm/auth.c
6095 @@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
6096 return NT_STATUS_OK;
6097 }
6098
6099 -/****************************************************************************
6100 -Used in the gensec_gssapi and gensec_krb5 server-side code, where the
6101 -PAC isn't available, and for tokenGroups in the DSDB stack.
6102 -
6103 - Supply either a principal or a DN
6104 -****************************************************************************/
6105 -static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
6106 - TALLOC_CTX *mem_ctx,
6107 - const char *principal,
6108 - struct ldb_dn *user_dn,
6109 - uint32_t session_info_flags,
6110 - struct auth_session_info **session_info)
6111 -{
6112 - NTSTATUS nt_status;
6113 - struct auth_method_context *method;
6114 - struct auth_user_info_dc *user_info_dc;
6115 -
6116 - for (method = auth_ctx->methods; method; method = method->next) {
6117 - if (!method->ops->get_user_info_dc_principal) {
6118 - continue;
6119 - }
6120 -
6121 - nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
6122 - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
6123 - continue;
6124 - }
6125 - if (!NT_STATUS_IS_OK(nt_status)) {
6126 - return nt_status;
6127 - }
6128 -
6129 - nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx,
6130 - user_info_dc,
6131 - user_info_dc->info->account_name,
6132 - session_info_flags, session_info);
6133 - talloc_free(user_info_dc);
6134 -
6135 - return nt_status;
6136 - }
6137 -
6138 - return NT_STATUS_NOT_IMPLEMENTED;
6139 -}
6140 -
6141 /**
6142 * Check a user's Plaintext, LM or NTLM password.
6143 * (sync version)
6144 @@ -663,8 +621,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
6145 TALLOC_CTX *tmp_ctx;
6146
6147 if (!pac_blob) {
6148 - return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
6149 - NULL, session_info_flags, session_info);
6150 + /*
6151 + * This should already be catched at the main
6152 + * gensec layer, but better check twice
6153 + */
6154 + return NT_STATUS_INTERNAL_ERROR;
6155 }
6156
6157 tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
6158 diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
6159 index fb88cb87f66..a8c7d8b4b85 100644
6160 --- a/source4/auth/ntlm/auth_sam.c
6161 +++ b/source4/auth/ntlm/auth_sam.c
6162 @@ -854,28 +854,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
6163 return NT_STATUS_OK;
6164 }
6165
6166 -/* Wrapper for the auth subsystem pointer */
6167 -static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
6168 - struct auth4_context *auth_context,
6169 - const char *principal,
6170 - struct ldb_dn *user_dn,
6171 - struct auth_user_info_dc **user_info_dc)
6172 -{
6173 - return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
6174 - principal, user_dn, user_info_dc);
6175 -}
6176 static const struct auth_operations sam_ignoredomain_ops = {
6177 .name = "sam_ignoredomain",
6178 .want_check = authsam_ignoredomain_want_check,
6179 .check_password = authsam_check_password_internals,
6180 - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
6181 };
6182
6183 static const struct auth_operations sam_ops = {
6184 .name = "sam",
6185 .want_check = authsam_want_check,
6186 .check_password = authsam_check_password_internals,
6187 - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
6188 };
6189
6190 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
6191 --
6192 2.39.0
6193
6194
6195 From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001
6196 From: Stefan Metzmacher <metze@samba.org>
6197 Date: Tue, 21 Sep 2021 12:27:28 +0200
6198 Subject: [PATCH 075/142] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
6199 ntlm_auth_generate_session_info_pac()
6200
6201 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6202 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6203
6204 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6205 ---
6206 source3/utils/ntlm_auth.c | 18 ++++++++++++------
6207 1 file changed, 12 insertions(+), 6 deletions(-)
6208
6209 diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
6210 index 3f70732a837..fefdd32bf11 100644
6211 --- a/source3/utils/ntlm_auth.c
6212 +++ b/source3/utils/ntlm_auth.c
6213 @@ -827,23 +827,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6214 if (!p) {
6215 DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6216 princ_name));
6217 - return NT_STATUS_LOGON_FAILURE;
6218 + status = NT_STATUS_LOGON_FAILURE;
6219 + goto done;
6220 }
6221
6222 user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
6223 if (!user) {
6224 - return NT_STATUS_NO_MEMORY;
6225 + status = NT_STATUS_NO_MEMORY;
6226 + goto done;
6227 }
6228
6229 realm = talloc_strdup(talloc_tos(), p + 1);
6230 if (!realm) {
6231 - return NT_STATUS_NO_MEMORY;
6232 + status = NT_STATUS_NO_MEMORY;
6233 + goto done;
6234 }
6235
6236 if (!strequal(realm, lp_realm())) {
6237 DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6238 if (!lp_allow_trusted_domains()) {
6239 - return NT_STATUS_LOGON_FAILURE;
6240 + status = NT_STATUS_LOGON_FAILURE;
6241 + goto done;
6242 }
6243 }
6244
6245 @@ -851,7 +855,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6246 domain = talloc_strdup(mem_ctx,
6247 logon_info->info3.base.logon_domain.string);
6248 if (!domain) {
6249 - return NT_STATUS_NO_MEMORY;
6250 + status = NT_STATUS_NO_MEMORY;
6251 + goto done;
6252 }
6253 DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6254 } else {
6255 @@ -881,7 +886,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6256 domain = talloc_strdup(mem_ctx, realm);
6257 }
6258 if (!domain) {
6259 - return NT_STATUS_NO_MEMORY;
6260 + status = NT_STATUS_NO_MEMORY;
6261 + goto done;
6262 }
6263 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6264 }
6265 --
6266 2.39.0
6267
6268
6269 From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001
6270 From: Stefan Metzmacher <metze@samba.org>
6271 Date: Tue, 21 Sep 2021 12:44:01 +0200
6272 Subject: [PATCH 076/142] CVE-2020-25717: s3:ntlm_auth: let
6273 ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO
6274 only
6275
6276 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
6277 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6278
6279 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6280 ---
6281 source3/utils/ntlm_auth.c | 91 ++++++++++++---------------------------
6282 1 file changed, 28 insertions(+), 63 deletions(-)
6283
6284 diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
6285 index fefdd32bf11..ff2fd30a9ae 100644
6286 --- a/source3/utils/ntlm_auth.c
6287 +++ b/source3/utils/ntlm_auth.c
6288 @@ -799,10 +799,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6289 struct PAC_LOGON_INFO *logon_info = NULL;
6290 char *unixuser;
6291 NTSTATUS status;
6292 - char *domain = NULL;
6293 - char *realm = NULL;
6294 - char *user = NULL;
6295 - char *p;
6296 + const char *domain = "";
6297 + const char *user = "";
6298
6299 tmp_ctx = talloc_new(mem_ctx);
6300 if (!tmp_ctx) {
6301 @@ -819,79 +817,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
6302 if (!NT_STATUS_IS_OK(status)) {
6303 goto done;
6304 }
6305 - }
6306 -
6307 - DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
6308 -
6309 - p = strchr_m(princ_name, '@');
6310 - if (!p) {
6311 - DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6312 - princ_name));
6313 - status = NT_STATUS_LOGON_FAILURE;
6314 + } else {
6315 + status = NT_STATUS_ACCESS_DENIED;
6316 + DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n",
6317 + princ_name, nt_errstr(status));
6318 goto done;
6319 }
6320
6321 - user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
6322 - if (!user) {
6323 - status = NT_STATUS_NO_MEMORY;
6324 - goto done;
6325 + if (logon_info->info3.base.account_name.string != NULL) {
6326 + user = logon_info->info3.base.account_name.string;
6327 + } else {
6328 + user = "";
6329 + }
6330 + if (logon_info->info3.base.logon_domain.string != NULL) {
6331 + domain = logon_info->info3.base.logon_domain.string;
6332 + } else {
6333 + domain = "";
6334 }
6335
6336 - realm = talloc_strdup(talloc_tos(), p + 1);
6337 - if (!realm) {
6338 - status = NT_STATUS_NO_MEMORY;
6339 + if (strlen(user) == 0 || strlen(domain) == 0) {
6340 + status = NT_STATUS_ACCESS_DENIED;
6341 + DBG_WARNING("Kerberos ticket for[%s] has invalid "
6342 + "account_name[%s]/logon_domain[%s]: %s\n",
6343 + princ_name,
6344 + logon_info->info3.base.account_name.string,
6345 + logon_info->info3.base.logon_domain.string,
6346 + nt_errstr(status));
6347 goto done;
6348 }
6349
6350 - if (!strequal(realm, lp_realm())) {
6351 - DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6352 + DBG_NOTICE("Kerberos ticket principal name is [%s] "
6353 + "account_name[%s]/logon_domain[%s]\n",
6354 + princ_name, user, domain);
6355 +
6356 + if (!strequal(domain, lp_workgroup())) {
6357 if (!lp_allow_trusted_domains()) {
6358 status = NT_STATUS_LOGON_FAILURE;
6359 goto done;
6360 }
6361 }
6362
6363 - if (logon_info && logon_info->info3.base.logon_domain.string) {
6364 - domain = talloc_strdup(mem_ctx,
6365 - logon_info->info3.base.logon_domain.string);
6366 - if (!domain) {
6367 - status = NT_STATUS_NO_MEMORY;
6368 - goto done;
6369 - }
6370 - DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6371 - } else {
6372 -
6373 - /* If we have winbind running, we can (and must) shorten the
6374 - username by using the short netbios name. Otherwise we will
6375 - have inconsistent user names. With Kerberos, we get the
6376 - fully qualified realm, with ntlmssp we get the short
6377 - name. And even w2k3 does use ntlmssp if you for example
6378 - connect to an ip address. */
6379 -
6380 - wbcErr wbc_status;
6381 - struct wbcDomainInfo *info = NULL;
6382 -
6383 - DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
6384 - realm));
6385 -
6386 - wbc_status = wbcDomainInfo(realm, &info);
6387 -
6388 - if (WBC_ERROR_IS_OK(wbc_status)) {
6389 - domain = talloc_strdup(mem_ctx,
6390 - info->short_name);
6391 - wbcFreeMemory(info);
6392 - } else {
6393 - DEBUG(3, ("Could not find short name: %s\n",
6394 - wbcErrorString(wbc_status)));
6395 - domain = talloc_strdup(mem_ctx, realm);
6396 - }
6397 - if (!domain) {
6398 - status = NT_STATUS_NO_MEMORY;
6399 - goto done;
6400 - }
6401 - DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6402 - }
6403 -
6404 unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user);
6405 if (!unixuser) {
6406 status = NT_STATUS_NO_MEMORY;
6407 --
6408 2.39.0
6409
6410
6411 From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001
6412 From: Stefan Metzmacher <metze@samba.org>
6413 Date: Mon, 4 Oct 2021 19:42:20 +0200
6414 Subject: [PATCH 077/142] CVE-2020-25717: s3:auth: let
6415 auth3_generate_session_info_pac() delegate everything to
6416 make_server_info_wbcAuthUserInfo()
6417
6418 This consolidates the code paths used for NTLMSSP and Kerberos!
6419
6420 I checked what we were already doing for NTLMSSP, which is this:
6421
6422 a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
6423 b) as a domain member we require a valid response from winbindd,
6424 otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
6425 c) we call make_server_info_wbcAuthUserInfo(), which internally
6426 calls make_server_info_info3()
6427 d) auth_check_ntlm_password() calls
6428 smb_pam_accountcheck(unix_username, rhost), where rhost
6429 is only an ipv4 or ipv6 address (without reverse dns lookup)
6430 e) from auth3_check_password_send/auth3_check_password_recv()
6431 server_returned_info will be passed to auth3_generate_session_info(),
6432 triggered by gensec_session_info(), which means we'll call into
6433 create_local_token() in order to transform auth_serversupplied_info
6434 into auth_session_info.
6435
6436 For Kerberos gensec_session_info() will call
6437 auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
6438 helper function. The current logic is this:
6439
6440 a) gensec_generate_session_info_pac() is the function that
6441 evaluates the 'gensec:require_pac', which defaulted to 'no'
6442 before.
6443 b) auth3_generate_session_info_pac() called
6444 wbcAuthenticateUserEx() in order to pass the PAC blob
6445 to winbindd, but only to prime its cache, e.g. netsamlogon cache
6446 and others. Most failures were just ignored.
6447 c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
6448 from it.
6449 d) Then we called the horrible get_user_from_kerberos_info() function:
6450 - It uses a first part of the tickets principal name (before the @)
6451 as username and combines that with the 'logon_info->base.logon_domain'
6452 if the logon_info (PAC) is present.
6453 - As a fallback without a PAC it's tries to ask winbindd for a mapping
6454 from realm to netbios domain name.
6455 - Finally is falls back to using the realm as netbios domain name
6456 With this information is builds 'userdomain+winbind_separator+useraccount'
6457 and calls map_username() followed by smb_getpwnam() with create=true,
6458 Note this is similar to the make_server_info_info3() => check_account()
6459 => smb_getpwnam() logic under 3.
6460 - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
6461 instead of the ip address as rhost.
6462 - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
6463 guest account.
6464 e) We called create_info3_from_pac_logon_info()
6465 f) make_session_info_krb5() calls gets called and triggers this:
6466 - If get_user_from_kerberos_info() mapped to guest, it calls
6467 make_server_info_guest()
6468 - If create_info3_from_pac_logon_info() created a info3 from logon_info,
6469 it calls make_server_info_info3()
6470 - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
6471 a fallback to make_server_info_pw()
6472 From there it calls create_local_token()
6473
6474 I tried to change auth3_generate_session_info_pac() to behave similar
6475 to auth_winbind.c together with auth3_generate_session_info() as
6476 a domain member, as we now rely on a PAC:
6477
6478 a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
6479 and require a valid response!
6480 b) we call make_server_info_wbcAuthUserInfo(), which internally
6481 calls make_server_info_info3(). Note make_server_info_info3()
6482 handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
6483 internally.
6484 c) Similar to auth_check_ntlm_password() we now call
6485 smb_pam_accountcheck(unix_username, rhost), where rhost
6486 is only an ipv4 or ipv6 address (without reverse dns lookup)
6487 d) From there it calls create_local_token()
6488
6489 As standalone server (in an MIT realm) we continue
6490 with the already existing code logic, which works without a PAC:
6491 a) we keep smb_getpwnam() with create=true logic as it
6492 also requires an explicit 'add user script' option.
6493 b) In the following commits we assert that there's
6494 actually no PAC in this mode, which means we can
6495 remove unused and confusing code.
6496
6497 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
6498 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6499
6500 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6501
6502 [abartlet@samba.org Backported due to change in structure
6503 initialization with { 0 } to zero ]
6504 [abartlet@samba.org backported to 4.12 due to conflict
6505 with code not present to reload shared on krb5 login]
6506 ---
6507 source3/auth/auth_generic.c | 139 ++++++++++++++++++++++++++++--------
6508 1 file changed, 110 insertions(+), 29 deletions(-)
6509
6510 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6511 index 26a38f92b30..3099e8f9057 100644
6512 --- a/source3/auth/auth_generic.c
6513 +++ b/source3/auth/auth_generic.c
6514 @@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6515 uint32_t session_info_flags,
6516 struct auth_session_info **session_info)
6517 {
6518 + enum server_role server_role = lp_server_role();
6519 TALLOC_CTX *tmp_ctx;
6520 struct PAC_LOGON_INFO *logon_info = NULL;
6521 struct netr_SamInfo3 *info3_copy = NULL;
6522 @@ -54,39 +55,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6523 char *ntuser;
6524 char *ntdomain;
6525 char *username;
6526 - char *rhost;
6527 + const char *rhost;
6528 struct passwd *pw;
6529 NTSTATUS status;
6530 - int rc;
6531
6532 tmp_ctx = talloc_new(mem_ctx);
6533 if (!tmp_ctx) {
6534 return NT_STATUS_NO_MEMORY;
6535 }
6536
6537 - if (pac_blob) {
6538 -#ifdef HAVE_KRB5
6539 - struct wbcAuthUserParams params = {};
6540 + if (tsocket_address_is_inet(remote_address, "ip")) {
6541 + rhost = tsocket_address_inet_addr_string(
6542 + remote_address, tmp_ctx);
6543 + if (rhost == NULL) {
6544 + status = NT_STATUS_NO_MEMORY;
6545 + goto done;
6546 + }
6547 + } else {
6548 + rhost = "127.0.0.1";
6549 + }
6550 +
6551 + if (server_role != ROLE_STANDALONE) {
6552 + struct wbcAuthUserParams params = { 0 };
6553 struct wbcAuthUserInfo *info = NULL;
6554 struct wbcAuthErrorInfo *err = NULL;
6555 + struct auth_serversupplied_info *server_info = NULL;
6556 + char *original_user_name = NULL;
6557 + char *p = NULL;
6558 wbcErr wbc_err;
6559
6560 + if (pac_blob == NULL) {
6561 + /*
6562 + * This should already be catched at the main
6563 + * gensec layer, but better check twice
6564 + */
6565 + status = NT_STATUS_INTERNAL_ERROR;
6566 + goto done;
6567 + }
6568 +
6569 /*
6570 * Let winbind decode the PAC.
6571 * This will also store the user
6572 * data in the netsamlogon cache.
6573 *
6574 - * We need to do this *before* we
6575 - * call get_user_from_kerberos_info()
6576 - * as that does a user lookup that
6577 - * expects info in the netsamlogon cache.
6578 - *
6579 - * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
6580 + * This used to be a cache prime
6581 + * optimization, but now we delegate
6582 + * all logic to winbindd, as we require
6583 + * winbindd as domain member anyway.
6584 */
6585 params.level = WBC_AUTH_USER_LEVEL_PAC;
6586 params.password.pac.data = pac_blob->data;
6587 params.password.pac.length = pac_blob->length;
6588
6589 + /* we are contacting the privileged pipe */
6590 become_root();
6591 wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
6592 unbecome_root();
6593 @@ -99,18 +120,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6594 */
6595
6596 switch (wbc_err) {
6597 - case WBC_ERR_WINBIND_NOT_AVAILABLE:
6598 case WBC_ERR_SUCCESS:
6599 break;
6600 + case WBC_ERR_WINBIND_NOT_AVAILABLE:
6601 + status = NT_STATUS_NO_LOGON_SERVERS;
6602 + DBG_ERR("winbindd not running - "
6603 + "but required as domain member: %s\n",
6604 + nt_errstr(status));
6605 + goto done;
6606 case WBC_ERR_AUTH_ERROR:
6607 status = NT_STATUS(err->nt_status);
6608 wbcFreeMemory(err);
6609 goto done;
6610 + case WBC_ERR_NO_MEMORY:
6611 + status = NT_STATUS_NO_MEMORY;
6612 + goto done;
6613 default:
6614 status = NT_STATUS_LOGON_FAILURE;
6615 goto done;
6616 }
6617
6618 + status = make_server_info_wbcAuthUserInfo(tmp_ctx,
6619 + info->account_name,
6620 + info->domain_name,
6621 + info, &server_info);
6622 + if (!NT_STATUS_IS_OK(status)) {
6623 + DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n",
6624 + nt_errstr(status)));
6625 + goto done;
6626 + }
6627 +
6628 + /* We skip doing this step if the caller asked us not to */
6629 + if (!(server_info->guest)) {
6630 + const char *unix_username = server_info->unix_name;
6631 +
6632 + /* We might not be root if we are an RPC call */
6633 + become_root();
6634 + status = smb_pam_accountcheck(unix_username, rhost);
6635 + unbecome_root();
6636 +
6637 + if (!NT_STATUS_IS_OK(status)) {
6638 + DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
6639 + "FAILED with error %s\n",
6640 + unix_username, nt_errstr(status)));
6641 + goto done;
6642 + }
6643 +
6644 + DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
6645 + "succeeded\n", unix_username));
6646 + }
6647 +
6648 + DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
6649 +
6650 + p = strchr_m(princ_name, '@');
6651 + if (!p) {
6652 + DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
6653 + princ_name));
6654 + status = NT_STATUS_LOGON_FAILURE;
6655 + goto done;
6656 + }
6657 +
6658 + original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name);
6659 + if (original_user_name == NULL) {
6660 + status = NT_STATUS_NO_MEMORY;
6661 + goto done;
6662 + }
6663 +
6664 + status = create_local_token(mem_ctx,
6665 + server_info,
6666 + NULL,
6667 + original_user_name,
6668 + session_info);
6669 + if (!NT_STATUS_IS_OK(status)) {
6670 + DEBUG(10, ("create_local_token failed: %s\n",
6671 + nt_errstr(status)));
6672 + goto done;
6673 + }
6674 +
6675 + goto session_info_ready;
6676 + }
6677 +
6678 + /* This is the standalone legacy code path */
6679 +
6680 + if (pac_blob != NULL) {
6681 +#ifdef HAVE_KRB5
6682 status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
6683 NULL, NULL, 0, &logon_info);
6684 #else
6685 @@ -121,22 +214,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6686 }
6687 }
6688
6689 - rc = get_remote_hostname(remote_address,
6690 - &rhost,
6691 - tmp_ctx);
6692 - if (rc < 0) {
6693 - status = NT_STATUS_NO_MEMORY;
6694 - goto done;
6695 - }
6696 - if (strequal(rhost, "UNKNOWN")) {
6697 - rhost = tsocket_address_inet_addr_string(remote_address,
6698 - tmp_ctx);
6699 - if (rhost == NULL) {
6700 - status = NT_STATUS_NO_MEMORY;
6701 - goto done;
6702 - }
6703 - }
6704 -
6705 status = get_user_from_kerberos_info(tmp_ctx, rhost,
6706 princ_name, logon_info,
6707 &is_mapped, &is_guest,
6708 @@ -170,6 +247,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6709 goto done;
6710 }
6711
6712 +session_info_ready:
6713 +
6714 /* setup the string used by %U */
6715 set_current_user_info((*session_info)->unix_info->sanitized_username,
6716 (*session_info)->unix_info->unix_name,
6717 @@ -179,7 +258,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6718 lp_load_with_shares(get_dyn_CONFIGFILE());
6719
6720 DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
6721 - ntuser, ntdomain, rhost));
6722 + (*session_info)->info->account_name,
6723 + (*session_info)->info->domain_name,
6724 + rhost));
6725
6726 status = NT_STATUS_OK;
6727
6728 --
6729 2.39.0
6730
6731
6732 From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001
6733 From: Stefan Metzmacher <metze@samba.org>
6734 Date: Tue, 5 Oct 2021 17:14:01 +0200
6735 Subject: [PATCH 078/142] CVE-2020-25717: selftest: configure 'ktest' env with
6736 winbindd and idmap_autorid
6737
6738 The 'ktest' environment was/is designed to test kerberos in an active
6739 directory member setup. It was created at a time we wanted to test
6740 smbd/winbindd with kerberos without having the source4 ad dc available.
6741
6742 This still applies to testing the build with system krb5 libraries
6743 but without relying on a running ad dc.
6744
6745 As a domain member setup requires a running winbindd, we should test it
6746 that way, in order to reflect a valid setup.
6747
6748 As a side effect it provides a way to demonstrate that we can accept
6749 smb connections authenticated via kerberos, but no connection to
6750 a domain controller! In order get this working offline, we need an
6751 idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
6752 should be the default choice.
6753
6754 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
6755 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6756
6757 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6758
6759 [scabrero@samba.org Backported to 4.11 Run winbindd in offline mode
6760 but keep the user name mapping to avoid having to backport fixes
6761 for bso#14539]
6762 ---
6763 selftest/target/Samba3.pm | 2 +-
6764 1 file changed, 1 insertion(+), 1 deletion(-)
6765
6766 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
6767 index bbbefea44b7..7034127ef0b 100755
6768 --- a/selftest/target/Samba3.pm
6769 +++ b/selftest/target/Samba3.pm
6770 @@ -1176,7 +1176,7 @@ $ret->{USERNAME} = KTEST/Administrator
6771 # access the share for tests.
6772 chmod 0777, "$prefix/share";
6773
6774 - if (not $self->check_or_start($ret, "yes", "no", "yes")) {
6775 + if (not $self->check_or_start($ret, "yes", "offline", "yes")) {
6776 return undef;
6777 }
6778 return $ret;
6779 --
6780 2.39.0
6781
6782
6783 From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001
6784 From: Stefan Metzmacher <metze@samba.org>
6785 Date: Tue, 5 Oct 2021 18:12:49 +0200
6786 Subject: [PATCH 079/142] CVE-2020-25717: s3:auth: let
6787 auth3_generate_session_info_pac() reject a PAC in standalone mode
6788
6789 We should be strict in standalone mode, that we only support MIT realms
6790 without a PAC in order to keep the code sane.
6791
6792 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6793
6794 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6795
6796 [abartlet@samba.org Backported to Samba 4.12 has conflcits
6797 as the share reload code is in a different spot]
6798 ---
6799 source3/auth/auth_generic.c | 29 +++++++++--------------------
6800 1 file changed, 9 insertions(+), 20 deletions(-)
6801
6802 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6803 index 3099e8f9057..23f746c078e 100644
6804 --- a/source3/auth/auth_generic.c
6805 +++ b/source3/auth/auth_generic.c
6806 @@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6807 {
6808 enum server_role server_role = lp_server_role();
6809 TALLOC_CTX *tmp_ctx;
6810 - struct PAC_LOGON_INFO *logon_info = NULL;
6811 - struct netr_SamInfo3 *info3_copy = NULL;
6812 bool is_mapped;
6813 bool is_guest;
6814 char *ntuser;
6815 @@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6816 /* This is the standalone legacy code path */
6817
6818 if (pac_blob != NULL) {
6819 -#ifdef HAVE_KRB5
6820 - status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
6821 - NULL, NULL, 0, &logon_info);
6822 -#else
6823 - status = NT_STATUS_ACCESS_DENIED;
6824 -#endif
6825 + /*
6826 + * In standalone mode we don't expect a PAC!
6827 + * we only support MIT realms
6828 + */
6829 + status = NT_STATUS_BAD_TOKEN_TYPE;
6830 + DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n",
6831 + princ_name, nt_errstr(status));
6832 if (!NT_STATUS_IS_OK(status)) {
6833 goto done;
6834 }
6835 }
6836
6837 status = get_user_from_kerberos_info(tmp_ctx, rhost,
6838 - princ_name, logon_info,
6839 + princ_name, NULL,
6840 &is_mapped, &is_guest,
6841 &ntuser, &ntdomain,
6842 &username, &pw);
6843 @@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6844 goto done;
6845 }
6846
6847 - /* Get the info3 from the PAC data if we have it */
6848 - if (logon_info) {
6849 - status = create_info3_from_pac_logon_info(tmp_ctx,
6850 - logon_info,
6851 - &info3_copy);
6852 - if (!NT_STATUS_IS_OK(status)) {
6853 - goto done;
6854 - }
6855 - }
6856 -
6857 status = make_session_info_krb5(mem_ctx,
6858 ntuser, ntdomain, username, pw,
6859 - info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
6860 + NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
6861 session_info);
6862 if (!NT_STATUS_IS_OK(status)) {
6863 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
6864 --
6865 2.39.0
6866
6867
6868 From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001
6869 From: Stefan Metzmacher <metze@samba.org>
6870 Date: Fri, 8 Oct 2021 17:59:59 +0200
6871 Subject: [PATCH 080/142] CVE-2020-25717: s3:auth: simplify
6872 get_user_from_kerberos_info() by removing the unused logon_info argument
6873
6874 This code is only every called in standalone mode on a MIT realm,
6875 it means we never have a PAC and we also don't have winbindd arround.
6876
6877 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
6878
6879 Signed-off-by: Stefan Metzmacher <metze@samba.org>
6880 ---
6881 source3/auth/auth_generic.c | 2 +-
6882 source3/auth/proto.h | 1 -
6883 source3/auth/user_krb5.c | 57 +++++++------------------------------
6884 3 files changed, 11 insertions(+), 49 deletions(-)
6885
6886 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
6887 index 23f746c078e..a11aae713f5 100644
6888 --- a/source3/auth/auth_generic.c
6889 +++ b/source3/auth/auth_generic.c
6890 @@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
6891 }
6892
6893 status = get_user_from_kerberos_info(tmp_ctx, rhost,
6894 - princ_name, NULL,
6895 + princ_name,
6896 &is_mapped, &is_guest,
6897 &ntuser, &ntdomain,
6898 &username, &pw);
6899 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
6900 index fcfd1f36ca2..1ed3f4a2f77 100644
6901 --- a/source3/auth/proto.h
6902 +++ b/source3/auth/proto.h
6903 @@ -416,7 +416,6 @@ struct PAC_LOGON_INFO;
6904 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6905 const char *cli_name,
6906 const char *princ_name,
6907 - struct PAC_LOGON_INFO *logon_info,
6908 bool *is_mapped,
6909 bool *mapped_to_guest,
6910 char **ntuser,
6911 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
6912 index 074e8c7eb71..7b69ca6c222 100644
6913 --- a/source3/auth/user_krb5.c
6914 +++ b/source3/auth/user_krb5.c
6915 @@ -31,7 +31,6 @@
6916 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6917 const char *cli_name,
6918 const char *princ_name,
6919 - struct PAC_LOGON_INFO *logon_info,
6920 bool *is_mapped,
6921 bool *mapped_to_guest,
6922 char **ntuser,
6923 @@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6924 struct passwd **_pw)
6925 {
6926 NTSTATUS status;
6927 - char *domain = NULL;
6928 - char *realm = NULL;
6929 + const char *domain = NULL;
6930 + const char *realm = NULL;
6931 char *user = NULL;
6932 char *p;
6933 char *fuser = NULL;
6934 @@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6935 return NT_STATUS_NO_MEMORY;
6936 }
6937
6938 - realm = talloc_strdup(talloc_tos(), p + 1);
6939 - if (!realm) {
6940 - return NT_STATUS_NO_MEMORY;
6941 - }
6942 + realm = p + 1;
6943
6944 if (!strequal(realm, lp_realm())) {
6945 DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
6946 if (!lp_allow_trusted_domains()) {
6947 return NT_STATUS_LOGON_FAILURE;
6948 }
6949 - }
6950 -
6951 - if (logon_info && logon_info->info3.base.logon_domain.string) {
6952 - domain = talloc_strdup(mem_ctx,
6953 - logon_info->info3.base.logon_domain.string);
6954 - if (!domain) {
6955 - return NT_STATUS_NO_MEMORY;
6956 - }
6957 - DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
6958 + domain = realm;
6959 } else {
6960 -
6961 - /* If we have winbind running, we can (and must) shorten the
6962 - username by using the short netbios name. Otherwise we will
6963 - have inconsistent user names. With Kerberos, we get the
6964 - fully qualified realm, with ntlmssp we get the short
6965 - name. And even w2k3 does use ntlmssp if you for example
6966 - connect to an ip address. */
6967 -
6968 - wbcErr wbc_status;
6969 - struct wbcDomainInfo *info = NULL;
6970 -
6971 - DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
6972 - realm));
6973 -
6974 - wbc_status = wbcDomainInfo(realm, &info);
6975 -
6976 - if (WBC_ERROR_IS_OK(wbc_status)) {
6977 - domain = talloc_strdup(mem_ctx,
6978 - info->short_name);
6979 - wbcFreeMemory(info);
6980 - } else {
6981 - DEBUG(3, ("Could not find short name: %s\n",
6982 - wbcErrorString(wbc_status)));
6983 - domain = talloc_strdup(mem_ctx, realm);
6984 - }
6985 - if (!domain) {
6986 - return NT_STATUS_NO_MEMORY;
6987 - }
6988 - DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
6989 + domain = lp_workgroup();
6990 }
6991
6992 fuser = talloc_asprintf(mem_ctx,
6993 @@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
6994 return NT_STATUS_NO_MEMORY;
6995 }
6996 *ntuser = user;
6997 - *ntdomain = domain;
6998 + *ntdomain = talloc_strdup(mem_ctx, domain);
6999 + if (*ntdomain == NULL) {
7000 + return NT_STATUS_NO_MEMORY;
7001 + }
7002 +
7003 *_pw = pw;
7004
7005 return NT_STATUS_OK;
7006 @@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7007 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7008 const char *cli_name,
7009 const char *princ_name,
7010 - struct PAC_LOGON_INFO *logon_info,
7011 bool *is_mapped,
7012 bool *mapped_to_guest,
7013 char **ntuser,
7014 --
7015 2.39.0
7016
7017
7018 From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001
7019 From: Stefan Metzmacher <metze@samba.org>
7020 Date: Fri, 8 Oct 2021 18:03:04 +0200
7021 Subject: [PATCH 081/142] CVE-2020-25717: s3:auth: simplify
7022 make_session_info_krb5() by removing unused arguments
7023
7024 This is only ever be called in standalone mode with an MIT realm,
7025 so we don't have a PAC/info3 structure.
7026
7027 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
7028
7029 Signed-off-by: Stefan Metzmacher <metze@samba.org>
7030 ---
7031 source3/auth/auth_generic.c | 2 +-
7032 source3/auth/proto.h | 2 --
7033 source3/auth/user_krb5.c | 20 +-------------------
7034 3 files changed, 2 insertions(+), 22 deletions(-)
7035
7036 diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
7037 index a11aae713f5..4dd1af784bf 100644
7038 --- a/source3/auth/auth_generic.c
7039 +++ b/source3/auth/auth_generic.c
7040 @@ -227,7 +227,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
7041
7042 status = make_session_info_krb5(mem_ctx,
7043 ntuser, ntdomain, username, pw,
7044 - NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
7045 + is_guest, is_mapped,
7046 session_info);
7047 if (!NT_STATUS_IS_OK(status)) {
7048 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
7049 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
7050 index 1ed3f4a2f77..c00ac70fd3f 100644
7051 --- a/source3/auth/proto.h
7052 +++ b/source3/auth/proto.h
7053 @@ -427,9 +427,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7054 char *ntdomain,
7055 char *username,
7056 struct passwd *pw,
7057 - const struct netr_SamInfo3 *info3,
7058 bool mapped_to_guest, bool username_was_mapped,
7059 - DATA_BLOB *session_key,
7060 struct auth_session_info **session_info);
7061
7062 /* The following definitions come from auth/auth_samba4.c */
7063 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
7064 index 7b69ca6c222..b8f37cbeee0 100644
7065 --- a/source3/auth/user_krb5.c
7066 +++ b/source3/auth/user_krb5.c
7067 @@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7068 char *ntdomain,
7069 char *username,
7070 struct passwd *pw,
7071 - const struct netr_SamInfo3 *info3,
7072 bool mapped_to_guest, bool username_was_mapped,
7073 - DATA_BLOB *session_key,
7074 struct auth_session_info **session_info)
7075 {
7076 NTSTATUS status;
7077 @@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7078 return status;
7079 }
7080
7081 - } else if (info3) {
7082 - /* pass the unmapped username here since map_username()
7083 - will be called again in make_server_info_info3() */
7084 -
7085 - status = make_server_info_info3(mem_ctx,
7086 - ntuser, ntdomain,
7087 - &server_info,
7088 - info3);
7089 - if (!NT_STATUS_IS_OK(status)) {
7090 - DEBUG(1, ("make_server_info_info3 failed: %s!\n",
7091 - nt_errstr(status)));
7092 - return status;
7093 - }
7094 -
7095 } else {
7096 /*
7097 * We didn't get a PAC, we have to make up the user
7098 @@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7099
7100 server_info->nss_token |= username_was_mapped;
7101
7102 - status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
7103 + status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info);
7104 talloc_free(server_info);
7105 if (!NT_STATUS_IS_OK(status)) {
7106 DEBUG(10,("failed to create local token: %s\n",
7107 @@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
7108 char *ntdomain,
7109 char *username,
7110 struct passwd *pw,
7111 - const struct netr_SamInfo3 *info3,
7112 bool mapped_to_guest, bool username_was_mapped,
7113 - DATA_BLOB *session_key,
7114 struct auth_session_info **session_info)
7115 {
7116 return NT_STATUS_NOT_IMPLEMENTED;
7117 --
7118 2.39.0
7119
7120
7121 From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001
7122 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7123 Date: Wed, 1 Sep 2021 15:39:19 +1200
7124 Subject: [PATCH 082/142] krb5pac.idl: Add ticket checksum PAC buffer type
7125
7126 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7127 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7128 Reviewed-by: Isaac Boukris <iboukris@samba.org>
7129 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
7130 (cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
7131 ---
7132 librpc/idl/krb5pac.idl | 4 +++-
7133 1 file changed, 3 insertions(+), 1 deletion(-)
7134
7135 diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7136 index f27e7243ee4..711b7f94b6c 100644
7137 --- a/librpc/idl/krb5pac.idl
7138 +++ b/librpc/idl/krb5pac.idl
7139 @@ -112,7 +112,8 @@ interface krb5pac
7140 PAC_TYPE_KDC_CHECKSUM = 7,
7141 PAC_TYPE_LOGON_NAME = 10,
7142 PAC_TYPE_CONSTRAINED_DELEGATION = 11,
7143 - PAC_TYPE_UPN_DNS_INFO = 12
7144 + PAC_TYPE_UPN_DNS_INFO = 12,
7145 + PAC_TYPE_TICKET_CHECKSUM = 16
7146 } PAC_TYPE;
7147
7148 typedef struct {
7149 @@ -128,6 +129,7 @@ interface krb5pac
7150 [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
7151 PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
7152 [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7153 + [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7154 /* when new PAC info types are added they are supposed to be done
7155 in such a way that they are backwards compatible with existing
7156 servers. This makes it safe to just use a [default] for
7157 --
7158 2.39.0
7159
7160
7161 From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001
7162 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7163 Date: Wed, 1 Sep 2021 15:40:59 +1200
7164 Subject: [PATCH 083/142] security.idl: Add well-known SIDs for FAST
7165
7166 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7167 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7168 Reviewed-by: Isaac Boukris <iboukris@samba.org>
7169 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
7170 (cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
7171 ---
7172 librpc/idl/security.idl | 3 +++
7173 1 file changed, 3 insertions(+)
7174
7175 diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
7176 index 5930f448955..e6065a35691 100644
7177 --- a/librpc/idl/security.idl
7178 +++ b/librpc/idl/security.idl
7179 @@ -292,6 +292,9 @@ interface security
7180 const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
7181 const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
7182
7183 + const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
7184 + const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
7185 +
7186 /*
7187 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
7188 */
7189 --
7190 2.39.0
7191
7192
7193 From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001
7194 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7195 Date: Wed, 29 Sep 2021 16:15:26 +1300
7196 Subject: [PATCH 084/142] krb5pac.idl: Add missing buffer type values
7197
7198 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
7199
7200 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7201 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7202 Backported-by: Andreas Schneider <asn@samba.org>
7203 ---
7204 librpc/idl/krb5pac.idl | 3 +++
7205 1 file changed, 3 insertions(+)
7206
7207 diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7208 index 711b7f94b6c..141894ec5f1 100644
7209 --- a/librpc/idl/krb5pac.idl
7210 +++ b/librpc/idl/krb5pac.idl
7211 @@ -113,6 +113,9 @@ interface krb5pac
7212 PAC_TYPE_LOGON_NAME = 10,
7213 PAC_TYPE_CONSTRAINED_DELEGATION = 11,
7214 PAC_TYPE_UPN_DNS_INFO = 12,
7215 + PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
7216 + PAC_TYPE_DEVICE_INFO = 14,
7217 + PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7218 PAC_TYPE_TICKET_CHECKSUM = 16
7219 } PAC_TYPE;
7220
7221 --
7222 2.39.0
7223
7224
7225 From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001
7226 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7227 Date: Tue, 26 Oct 2021 20:33:38 +1300
7228 Subject: [PATCH 085/142] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO
7229 PAC buffer type
7230
7231 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
7232
7233 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7234 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7235 ---
7236 librpc/idl/krb5pac.idl | 14 +++++++++++++-
7237 1 file changed, 13 insertions(+), 1 deletion(-)
7238
7239 diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7240 index 141894ec5f1..4bfec2de5e6 100644
7241 --- a/librpc/idl/krb5pac.idl
7242 +++ b/librpc/idl/krb5pac.idl
7243 @@ -97,6 +97,16 @@ interface krb5pac
7244 PAC_UPN_DNS_FLAGS flags;
7245 } PAC_UPN_DNS_INFO;
7246
7247 + typedef [bitmap32bit] bitmap {
7248 + PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
7249 + PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
7250 + } PAC_ATTRIBUTE_INFO_FLAGS;
7251 +
7252 + typedef struct {
7253 + uint32 flags_length; /* length in bits */
7254 + PAC_ATTRIBUTE_INFO_FLAGS flags;
7255 + } PAC_ATTRIBUTES_INFO;
7256 +
7257 typedef [public] struct {
7258 PAC_LOGON_INFO *info;
7259 } PAC_LOGON_INFO_CTR;
7260 @@ -116,7 +126,8 @@ interface krb5pac
7261 PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
7262 PAC_TYPE_DEVICE_INFO = 14,
7263 PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7264 - PAC_TYPE_TICKET_CHECKSUM = 16
7265 + PAC_TYPE_TICKET_CHECKSUM = 16,
7266 + PAC_TYPE_ATTRIBUTES_INFO = 17
7267 } PAC_TYPE;
7268
7269 typedef struct {
7270 @@ -133,6 +144,7 @@ interface krb5pac
7271 PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
7272 [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7273 [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7274 + [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
7275 /* when new PAC info types are added they are supposed to be done
7276 in such a way that they are backwards compatible with existing
7277 servers. This makes it safe to just use a [default] for
7278 --
7279 2.39.0
7280
7281
7282 From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001
7283 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7284 Date: Tue, 26 Oct 2021 20:33:49 +1300
7285 Subject: [PATCH 086/142] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
7286 buffer type
7287
7288 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
7289
7290 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7291 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7292 ---
7293 librpc/idl/krb5pac.idl | 8 +++++++-
7294 1 file changed, 7 insertions(+), 1 deletion(-)
7295
7296 diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7297 index 4bfec2de5e6..f750359a069 100644
7298 --- a/librpc/idl/krb5pac.idl
7299 +++ b/librpc/idl/krb5pac.idl
7300 @@ -107,6 +107,10 @@ interface krb5pac
7301 PAC_ATTRIBUTE_INFO_FLAGS flags;
7302 } PAC_ATTRIBUTES_INFO;
7303
7304 + typedef struct {
7305 + dom_sid sid;
7306 + } PAC_REQUESTER_SID;
7307 +
7308 typedef [public] struct {
7309 PAC_LOGON_INFO *info;
7310 } PAC_LOGON_INFO_CTR;
7311 @@ -127,7 +131,8 @@ interface krb5pac
7312 PAC_TYPE_DEVICE_INFO = 14,
7313 PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
7314 PAC_TYPE_TICKET_CHECKSUM = 16,
7315 - PAC_TYPE_ATTRIBUTES_INFO = 17
7316 + PAC_TYPE_ATTRIBUTES_INFO = 17,
7317 + PAC_TYPE_REQUESTER_SID = 18
7318 } PAC_TYPE;
7319
7320 typedef struct {
7321 @@ -145,6 +150,7 @@ interface krb5pac
7322 [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
7323 [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
7324 [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
7325 + [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
7326 /* when new PAC info types are added they are supposed to be done
7327 in such a way that they are backwards compatible with existing
7328 servers. This makes it safe to just use a [default] for
7329 --
7330 2.39.0
7331
7332
7333 From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001
7334 From: Andrew Bartlett <abartlet@samba.org>
7335 Date: Mon, 27 Sep 2021 11:20:19 +1300
7336 Subject: [PATCH 087/142] CVE-2020-25721 krb5pac: Add new buffers for
7337 samAccountName and objectSID
7338
7339 These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
7340
7341 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
7342
7343 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7344 Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7345 ---
7346 librpc/idl/krb5pac.idl | 18 ++++++++++++++++--
7347 librpc/ndr/ndr_krb5pac.c | 4 ++--
7348 2 files changed, 18 insertions(+), 4 deletions(-)
7349
7350 diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
7351 index f750359a069..94b9160d6eb 100644
7352 --- a/librpc/idl/krb5pac.idl
7353 +++ b/librpc/idl/krb5pac.idl
7354 @@ -86,15 +86,29 @@ interface krb5pac
7355 } PAC_CONSTRAINED_DELEGATION;
7356
7357 typedef [bitmap32bit] bitmap {
7358 - PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
7359 + PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
7360 + PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
7361 } PAC_UPN_DNS_FLAGS;
7362
7363 + typedef struct {
7364 + [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
7365 + [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
7366 + [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
7367 + [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
7368 + } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
7369 +
7370 + typedef [nodiscriminant] union {
7371 + [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
7372 + [default];
7373 + } PAC_UPN_DNS_INFO_EX;
7374 +
7375 typedef struct {
7376 [value(2*strlen_m(upn_name))] uint16 upn_name_size;
7377 [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
7378 [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
7379 [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
7380 PAC_UPN_DNS_FLAGS flags;
7381 + [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
7382 } PAC_UPN_DNS_INFO;
7383
7384 typedef [bitmap32bit] bitmap {
7385 @@ -160,7 +174,7 @@ interface krb5pac
7386
7387 typedef [public,nopush,nopull] struct {
7388 PAC_TYPE type;
7389 - [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
7390 + [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
7391 /*
7392 * We need to have two subcontexts to get the padding right,
7393 * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
7394 diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
7395 index a9ae2c4a789..57b28df9e52 100644
7396 --- a/librpc/ndr/ndr_krb5pac.c
7397 +++ b/librpc/ndr/ndr_krb5pac.c
7398 @@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
7399 if (ndr_flags & NDR_SCALARS) {
7400 NDR_CHECK(ndr_push_align(ndr, 4));
7401 NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
7402 - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
7403 + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
7404 {
7405 uint32_t _flags_save_PAC_INFO = ndr->flags;
7406 ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
7407 @@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
7408 {
7409 struct ndr_push *_ndr_info_pad;
7410 struct ndr_push *_ndr_info;
7411 - size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
7412 + size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
7413 NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
7414 NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
7415 NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
7416 --
7417 2.39.0
7418
7419
7420 From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001
7421 From: Alexander Bokovoy <ab@samba.org>
7422 Date: Fri, 12 Nov 2021 19:06:01 +0200
7423 Subject: [PATCH 088/142] IPA DC: add missing checks
7424
7425 When introducing FreeIPA support, two places were forgotten:
7426
7427 - schannel gensec module needs to be aware of IPA DC
7428 - _lsa_QueryInfoPolicy should treat IPA DC as PDC
7429
7430 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
7431
7432 Signed-off-by: Alexander Bokovoy <ab@samba.org>
7433 Reviewed-by: Guenther Deschner <gd@samba.org>
7434
7435 Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
7436 Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
7437
7438 (cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
7439 ---
7440 auth/gensec/schannel.c | 1 +
7441 source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
7442 2 files changed, 2 insertions(+)
7443
7444 diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
7445 index 71e9afdf48e..f23c1effb23 100644
7446 --- a/auth/gensec/schannel.c
7447 +++ b/auth/gensec/schannel.c
7448 @@ -740,6 +740,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
7449 case ROLE_DOMAIN_BDC:
7450 case ROLE_DOMAIN_PDC:
7451 case ROLE_ACTIVE_DIRECTORY_DC:
7452 + case ROLE_IPA_DC:
7453 return NT_STATUS_OK;
7454 default:
7455 return NT_STATUS_NOT_IMPLEMENTED;
7456 diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
7457 index 57bfc596005..3f77856457e 100644
7458 --- a/source3/rpc_server/lsa/srv_lsa_nt.c
7459 +++ b/source3/rpc_server/lsa/srv_lsa_nt.c
7460 @@ -672,6 +672,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
7461 switch (lp_server_role()) {
7462 case ROLE_DOMAIN_PDC:
7463 case ROLE_DOMAIN_BDC:
7464 + case ROLE_IPA_DC:
7465 name = get_global_sam_name();
7466 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
7467 if (!sid) {
7468 --
7469 2.39.0
7470
7471
7472 From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001
7473 From: Stefan Metzmacher <metze@samba.org>
7474 Date: Fri, 12 Nov 2021 15:27:58 +0100
7475 Subject: [PATCH 089/142] CVE-2020-25717: idmap_nss: verify that the name of
7476 the sid belongs to the configured domain
7477
7478 We already check the sid belongs to the domain, but checking the name
7479 too feels better and make it easier to understand.
7480
7481 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7482
7483 Signed-off-by: Stefan Metzmacher <metze@samba.org>
7484 Reviewed-by: Ralph Boehme <slow@samba.org>
7485
7486 [abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5
7487 as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]
7488
7489 [abartlet@samba.org fix CVE marker]
7490 ---
7491 source3/winbindd/idmap_nss.c | 27 ++++++++++++++++++++++-----
7492 1 file changed, 22 insertions(+), 5 deletions(-)
7493
7494 diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
7495 index 3fe98cbc729..243b67ccafd 100644
7496 --- a/source3/winbindd/idmap_nss.c
7497 +++ b/source3/winbindd/idmap_nss.c
7498 @@ -25,6 +25,7 @@
7499 #include "nsswitch/winbind_client.h"
7500 #include "idmap.h"
7501 #include "lib/winbind_util.h"
7502 +#include "libcli/security/dom_sid.h"
7503
7504 #undef DBGC_CLASS
7505 #define DBGC_CLASS DBGC_IDMAP
7506 @@ -135,18 +136,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7507 for (i = 0; ids[i]; i++) {
7508 struct group *gr;
7509 enum lsa_SidType type;
7510 - const char *p = NULL;
7511 + const char *_domain = NULL;
7512 + const char *_name = NULL;
7513 + char *domain = NULL;
7514 char *name = NULL;
7515 bool ret;
7516
7517 /* by default calls to winbindd are disabled
7518 the following call will not recurse so this is safe */
7519 (void)winbind_on();
7520 - ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
7521 - &p, &type);
7522 + ret = winbind_lookup_sid(talloc_tos(),
7523 + ids[i]->sid,
7524 + &_domain,
7525 + &_name,
7526 + &type);
7527 (void)winbind_off();
7528 - name = discard_const_p(char, p);
7529 -
7530 if (!ret) {
7531 /* TODO: how do we know if the name is really not mapped,
7532 * or something just failed ? */
7533 @@ -154,6 +158,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7534 continue;
7535 }
7536
7537 + domain = discard_const_p(char, _domain);
7538 + name = discard_const_p(char, _name);
7539 +
7540 + if (!strequal(domain, dom->name)) {
7541 + struct dom_sid_buf buf;
7542 + DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
7543 + dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
7544 + sid_type_lookup(type), domain, name);
7545 + ids[i]->status = ID_UNMAPPED;
7546 + continue;
7547 + }
7548 +
7549 switch (type) {
7550 case SID_NAME_USER: {
7551 struct passwd *pw;
7552 @@ -186,6 +202,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
7553 ids[i]->status = ID_UNKNOWN;
7554 break;
7555 }
7556 + TALLOC_FREE(domain);
7557 TALLOC_FREE(name);
7558 }
7559 return NT_STATUS_OK;
7560 --
7561 2.39.0
7562
7563
7564 From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001
7565 From: Joseph Sutton <josephsutton@catalyst.net.nz>
7566 Date: Fri, 12 Nov 2021 20:53:30 +1300
7567 Subject: [PATCH 090/142] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non
7568 existent uid' to make room for new accounts
7569
7570 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7571
7572 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
7573 Reviewed-by: Stefan Metzmacher <metze@samba.org>
7574 Reviewed-by: Ralph Boehme <slow@samba.org>
7575 (cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
7576 ---
7577 nsswitch/nsstest.c | 2 +-
7578 1 file changed, 1 insertion(+), 1 deletion(-)
7579
7580 diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
7581 index 46f96795f39..8ce7493d1b6 100644
7582 --- a/nsswitch/nsstest.c
7583 +++ b/nsswitch/nsstest.c
7584 @@ -460,7 +460,7 @@ static void nss_test_errors(void)
7585 printf("ERROR Non existent user gave error %d\n", last_error);
7586 }
7587
7588 - pwd = getpwuid(0xFFF0);
7589 + pwd = getpwuid(0xFF00);
7590 if (pwd || last_error != NSS_STATUS_NOTFOUND) {
7591 total_errors++;
7592 printf("ERROR Non existent uid gave error %d\n", last_error);
7593 --
7594 2.39.0
7595
7596
7597 From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001
7598 From: Andrew Bartlett <abartlet@samba.org>
7599 Date: Fri, 12 Nov 2021 16:10:31 +1300
7600 Subject: [PATCH 091/142] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
7601 mapping if the named based lookup fails
7602 MIME-Version: 1.0
7603 Content-Type: text/plain; charset=UTF-8
7604 Content-Transfer-Encoding: 8bit
7605
7606 Before the CVE-2020-25717 fixes we had a fallback from
7607 getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
7608 unpredictable.
7609
7610 Now we do the fallback based on sid_to_uid() followed by
7611 getpwuid() on the returned uid.
7612
7613 This obsoletes 'username map [script]' based workaround adviced
7614 for CVE-2020-25717, when nss_winbindd is not used or
7615 idmap_nss is actually used.
7616
7617 In future we may decide to prefer or only do the SID/UID based
7618 lookup, but for now we want to keep this unchanged as much as possible.
7619
7620 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
7621
7622 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
7623
7624 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7625 Signed-off-by: Stefan Metzmacher <metze@samba.org>
7626
7627 [metze@samba.org moved the new logic into the fallback codepath only
7628 in order to avoid behavior changes as much as possible]
7629 Reviewed-by: Ralph Boehme <slow@samba.org>
7630
7631 Autobuild-User(master): Ralph Böhme <slow@samba.org>
7632 Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
7633
7634 [abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
7635 as usage.py is not present in Samba 4.10]
7636 ---
7637 source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++-
7638 1 file changed, 33 insertions(+), 1 deletion(-)
7639
7640 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
7641 index c0e5cfd7fa8..b463059f259 100644
7642 --- a/source3/auth/auth_util.c
7643 +++ b/source3/auth/auth_util.c
7644 @@ -1837,7 +1837,9 @@ const struct auth_session_info *get_session_info_system(void)
7645 ***************************************************************************/
7646
7647 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
7648 - const char *username, char **found_username,
7649 + const char *username,
7650 + const struct dom_sid *sid,
7651 + char **found_username,
7652 struct passwd **pwd,
7653 bool *username_was_mapped)
7654 {
7655 @@ -1872,6 +1874,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
7656 }
7657
7658 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
7659 + if (!passwd && !*username_was_mapped) {
7660 + struct dom_sid_buf buf;
7661 + uid_t uid;
7662 + bool ok;
7663 +
7664 + DBG_DEBUG("Failed to find authenticated user %s via "
7665 + "getpwnam(), fallback to sid_to_uid(%s).\n",
7666 + dom_user, dom_sid_str_buf(sid, &buf));
7667 +
7668 + ok = sid_to_uid(sid, &uid);
7669 + if (!ok) {
7670 + DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
7671 + dom_sid_str_buf(sid, &buf), dom_user);
7672 + return NT_STATUS_NO_SUCH_USER;
7673 + }
7674 + passwd = getpwuid_alloc(mem_ctx, uid);
7675 + if (!passwd) {
7676 + DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
7677 + (long long)uid,
7678 + dom_sid_str_buf(sid, &buf),
7679 + dom_user);
7680 + return NT_STATUS_NO_SUCH_USER;
7681 + }
7682 + real_username = talloc_strdup(mem_ctx, passwd->pw_name);
7683 + }
7684 if (!passwd) {
7685 DEBUG(3, ("Failed to find authenticated user %s via "
7686 "getpwnam(), denying access.\n", dom_user));
7687 @@ -2017,6 +2044,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
7688 bool username_was_mapped;
7689 struct passwd *pwd;
7690 struct auth_serversupplied_info *result;
7691 + struct dom_sid sid;
7692 TALLOC_CTX *tmp_ctx = talloc_stackframe();
7693
7694 /*
7695 @@ -2063,9 +2091,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
7696
7697 /* this call will try to create the user if necessary */
7698
7699 + sid_copy(&sid, info3->base.domain_sid);
7700 + sid_append_rid(&sid, info3->base.rid);
7701 +
7702 nt_status = check_account(tmp_ctx,
7703 nt_domain,
7704 nt_username,
7705 + &sid,
7706 &found_username,
7707 &pwd,
7708 &username_was_mapped);
7709 --
7710 2.39.0
7711
7712
7713 From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001
7714 From: Ralph Boehme <slow@samba.org>
7715 Date: Fri, 26 Nov 2021 10:57:17 +0100
7716 Subject: [PATCH 092/142] CVE-2020-25717: s3-auth: fix MIT Realm regression
7717
7718 This looks like a regression introduced by the recent security fixes. This
7719 commit should hopefully fixes it.
7720
7721 As a quick solution it might be possible to use the username map script based on
7722 the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
7723 sure this behaves identical, but it might work in the standalone server case.
7724
7725 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
7726
7727 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
7728
7729 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
7730
7731 Signed-off-by: Ralph Boehme <slow@samba.org>
7732 Signed-off-by: Stefan Metzmacher <metze@samba.org>
7733 (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
7734 ---
7735 source3/auth/user_krb5.c | 9 +++++++++
7736 1 file changed, 9 insertions(+)
7737
7738 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
7739 index b8f37cbeee0..169bf563368 100644
7740 --- a/source3/auth/user_krb5.c
7741 +++ b/source3/auth/user_krb5.c
7742 @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7743 char *fuser = NULL;
7744 char *unixuser = NULL;
7745 struct passwd *pw = NULL;
7746 + bool may_retry = false;
7747
7748 DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
7749
7750 @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7751 domain = realm;
7752 } else {
7753 domain = lp_workgroup();
7754 + may_retry = true;
7755 }
7756
7757 fuser = talloc_asprintf(mem_ctx,
7758 @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
7759 *mapped_to_guest = false;
7760
7761 pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
7762 + if (may_retry && pw == NULL && !*is_mapped) {
7763 + fuser = talloc_strdup(mem_ctx, user);
7764 + if (!fuser) {
7765 + return NT_STATUS_NO_MEMORY;
7766 + }
7767 + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
7768 + }
7769 if (pw) {
7770 if (!unixuser) {
7771 return NT_STATUS_NO_MEMORY;
7772 --
7773 2.39.0
7774
7775
7776 From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001
7777 From: Ralph Boehme <slow@samba.org>
7778 Date: Thu, 13 Jan 2022 16:48:01 +0100
7779 Subject: [PATCH 093/142] CVE-2021-44142: libadouble: add defines for icon
7780 lengths
7781
7782 From https://www.ietf.org/rfc/rfc1740.txt
7783
7784 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7785
7786 Signed-off-by: Ralph Boehme <slow@samba.org>
7787 ---
7788 source3/modules/vfs_fruit.c | 2 ++
7789 1 file changed, 2 insertions(+)
7790
7791 diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
7792 index afad70ce180..3a35620bfe4 100644
7793 --- a/source3/modules/vfs_fruit.c
7794 +++ b/source3/modules/vfs_fruit.c
7795 @@ -283,6 +283,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t;
7796 #define ADEDLEN_MACFILEI 4
7797 #define ADEDLEN_PRODOSFILEI 8
7798 #define ADEDLEN_MSDOSFILEI 2
7799 +#define ADEDLEN_ICONBW 128
7800 +#define ADEDLEN_ICONCOL 1024
7801 #define ADEDLEN_DID 4
7802 #define ADEDLEN_PRIVDEV 8
7803 #define ADEDLEN_PRIVINO 8
7804 --
7805 2.39.0
7806
7807
7808 From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001
7809 From: Ralph Boehme <slow@samba.org>
7810 Date: Sat, 20 Nov 2021 16:36:42 +0100
7811 Subject: [PATCH 094/142] CVE-2021-44142: smbd: add Netatalk xattr used by
7812 vfs_fruit to the list of private Samba xattrs
7813
7814 This is an internal xattr that should not be user visible.
7815
7816 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7817
7818 Signed-off-by: Ralph Boehme <slow@samba.org>
7819 [slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
7820 ---
7821 source3/smbd/trans2.c | 11 +++++++++++
7822 1 file changed, 11 insertions(+)
7823
7824 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
7825 index f8d987bbe63..406087c0419 100644
7826 --- a/source3/smbd/trans2.c
7827 +++ b/source3/smbd/trans2.c
7828 @@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd_server_connection *sconn)
7829 Refuse to allow clients to overwrite our private xattrs.
7830 ****************************************************************************/
7831
7832 +/*
7833 + * Taken from vfs_fruit.c
7834 + */
7835 +#define NETATALK_META_XATTR "org.netatalk.Metadata"
7836 +#if defined(HAVE_ATTROPEN)
7837 +#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
7838 +#else
7839 +#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
7840 +#endif
7841 +
7842 bool samba_private_attr_name(const char *unix_ea_name)
7843 {
7844 static const char * const prohibited_ea_names[] = {
7845 @@ -183,6 +193,7 @@ bool samba_private_attr_name(const char *unix_ea_name)
7846 SAMBA_XATTR_DOS_ATTRIB,
7847 SAMBA_XATTR_MARKER,
7848 XATTR_NTACL_NAME,
7849 + AFPINFO_EA_NETATALK,
7850 NULL
7851 };
7852
7853 --
7854 2.39.0
7855
7856
7857 From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001
7858 From: Ralph Boehme <slow@samba.org>
7859 Date: Fri, 26 Nov 2021 07:19:32 +0100
7860 Subject: [PATCH 095/142] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
7861
7862 This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
7863 which is used for parsing ._ AppleDouble sidecar files, and the buffer
7864 ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
7865 buffer out-of-bounds access checks in ad_unpack_xattrs().
7866
7867 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7868
7869 Signed-off-by: Ralph Boehme <slow@samba.org>
7870 ---
7871 source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
7872 1 file changed, 18 insertions(+), 4 deletions(-)
7873
7874 diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
7875 index 3a35620bfe4..76139e51047 100644
7876 --- a/source3/modules/vfs_fruit.c
7877 +++ b/source3/modules/vfs_fruit.c
7878 @@ -728,14 +728,27 @@ static bool ad_pack(struct adouble *ad)
7879 static bool ad_unpack_xattrs(struct adouble *ad)
7880 {
7881 struct ad_xattr_header *h = &ad->adx_header;
7882 + size_t bufsize = talloc_get_size(ad->ad_data);
7883 const char *p = ad->ad_data;
7884 uint32_t hoff;
7885 uint32_t i;
7886
7887 + if (ad->ad_type != ADOUBLE_RSRC) {
7888 + return false;
7889 + }
7890 +
7891 if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
7892 return true;
7893 }
7894
7895 + /*
7896 + * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
7897 + * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
7898 + */
7899 + if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
7900 + return false;
7901 + }
7902 +
7903 /* 2 bytes padding */
7904 hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
7905
7906 @@ -985,11 +998,12 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
7907 ad->ad_eid[eid].ade_len = len;
7908 }
7909
7910 - ok = ad_unpack_xattrs(ad);
7911 - if (!ok) {
7912 - return false;
7913 + if (ad->ad_type == ADOUBLE_RSRC) {
7914 + ok = ad_unpack_xattrs(ad);
7915 + if (!ok) {
7916 + return false;
7917 + }
7918 }
7919 -
7920 return true;
7921 }
7922
7923 --
7924 2.39.0
7925
7926
7927 From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001
7928 From: Ralph Boehme <slow@samba.org>
7929 Date: Thu, 25 Nov 2021 15:04:03 +0100
7930 Subject: [PATCH 096/142] CVE-2021-44142: libadouble: add basic cmocka tests
7931
7932 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
7933
7934 Signed-off-by: Ralph Boehme <slow@samba.org>
7935 [slow@samba.org: conflict due to missing test in selftest/tests.py]
7936 ---
7937 selftest/knownfail.d/samba.unittests.adouble | 3 +
7938 selftest/tests.py | 2 +
7939 source3/lib/test_adouble.c | 393 +++++++++++++++++++
7940 source3/wscript_build | 5 +
7941 4 files changed, 403 insertions(+)
7942 create mode 100644 selftest/knownfail.d/samba.unittests.adouble
7943 create mode 100644 source3/lib/test_adouble.c
7944
7945 diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
7946 new file mode 100644
7947 index 00000000000..8b0314f2fae
7948 --- /dev/null
7949 +++ b/selftest/knownfail.d/samba.unittests.adouble
7950 @@ -0,0 +1,3 @@
7951 +^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
7952 +^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
7953 +^samba.unittests.adouble.parse_abouble_date2\(none\)
7954 diff --git a/selftest/tests.py b/selftest/tests.py
7955 index e3f7d9acb4a..4bc4d301c4c 100644
7956 --- a/selftest/tests.py
7957 +++ b/selftest/tests.py
7958 @@ -260,3 +260,5 @@ plantestsuite("samba.unittests.ntlm_check", "none",
7959 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
7960 plantestsuite("samba.unittests.test_registry_regfio", "none",
7961 [os.path.join(bindir(), "default/source3/test_registry_regfio")])
7962 +plantestsuite("samba.unittests.adouble", "none",
7963 + [os.path.join(bindir(), "test_adouble")])
7964 diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c
7965 new file mode 100644
7966 index 00000000000..667d2a7542e
7967 --- /dev/null
7968 +++ b/source3/lib/test_adouble.c
7969 @@ -0,0 +1,393 @@
7970 +/*
7971 + * Unix SMB/CIFS implementation.
7972 + *
7973 + * Copyright (C) 2021 Ralph Boehme <slow@samba.org>
7974 + *
7975 + * This program is free software; you can redistribute it and/or modify
7976 + * it under the terms of the GNU General Public License as published by
7977 + * the Free Software Foundation; either version 3 of the License, or
7978 + * (at your option) any later version.
7979 + *
7980 + * This program is distributed in the hope that it will be useful,
7981 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
7982 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7983 + * GNU General Public License for more details.
7984 + *
7985 + * You should have received a copy of the GNU General Public License
7986 + * along with this program. If not, see <http://www.gnu.org/licenses/>.
7987 + */
7988 +
7989 +#include "includes.h"
7990 +extern NTSTATUS vfs_fruit_init(TALLOC_CTX *mem_ctx);
7991 +
7992 +#include "vfs_fruit.c"
7993 +#include <cmocka.h>
7994 +
7995 +
7996 +static int setup_talloc_context(void **state)
7997 +{
7998 + TALLOC_CTX *frame = talloc_stackframe();
7999 +
8000 + *state = frame;
8001 + return 0;
8002 +}
8003 +
8004 +static int teardown_talloc_context(void **state)
8005 +{
8006 + TALLOC_CTX *frame = *state;
8007 +
8008 + TALLOC_FREE(frame);
8009 + return 0;
8010 +}
8011 +
8012 +/*
8013 + * Basic and sane buffer.
8014 + */
8015 +static uint8_t ad_basic[] = {
8016 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8017 + 0x00, 0x02, 0x00, 0x00, /* Version */
8018 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8019 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8020 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8021 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8022 + 0x00, 0x02, /* Count */
8023 + /* adentry 1: FinderInfo */
8024 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8025 + 0x00, 0x00, 0x00, 0x32, /* offset */
8026 + 0x00, 0x00, 0x00, 0x20, /* length */
8027 + /* adentry 2: Resourcefork */
8028 + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8029 + 0x00, 0x00, 0x00, 0x52, /* offset */
8030 + 0xff, 0xff, 0xff, 0x00, /* length */
8031 + /* FinderInfo data: 32 bytes */
8032 + 0x00, 0x00, 0x00, 0x00,
8033 + 0x00, 0x00, 0x00, 0x00,
8034 + 0x00, 0x00, 0x00, 0x00,
8035 + 0x00, 0x00, 0x00, 0x00,
8036 + 0x00, 0x00, 0x00, 0x00,
8037 + 0x00, 0x00, 0x00, 0x00,
8038 + 0x00, 0x00, 0x00, 0x00,
8039 + 0x00, 0x00, 0x00, 0x00,
8040 +};
8041 +
8042 +/*
8043 + * An empty FinderInfo entry.
8044 + */
8045 +static uint8_t ad_finderinfo1[] = {
8046 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8047 + 0x00, 0x02, 0x00, 0x00, /* Version */
8048 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8049 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8050 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8051 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8052 + 0x00, 0x02, /* Count */
8053 + /* adentry 1: FinderInfo */
8054 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8055 + 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
8056 + 0x00, 0x00, 0x00, 0x00, /* len: 0, so off+len don't exceed bufferlen */
8057 + /* adentry 2: Resourcefork */
8058 + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8059 + 0x00, 0x00, 0x00, 0x52, /* offset */
8060 + 0xff, 0xff, 0xff, 0x00, /* length */
8061 + /* FinderInfo data: 32 bytes */
8062 + 0x00, 0x00, 0x00, 0x00,
8063 + 0x00, 0x00, 0x00, 0x00,
8064 + 0x00, 0x00, 0x00, 0x00,
8065 + 0x00, 0x00, 0x00, 0x00,
8066 + 0x00, 0x00, 0x00, 0x00,
8067 + 0x00, 0x00, 0x00, 0x00,
8068 + 0x00, 0x00, 0x00, 0x00,
8069 + 0x00, 0x00, 0x00, 0x00,
8070 +};
8071 +
8072 +/*
8073 + * A dangerous FinderInfo with correct length exceeding buffer by one byte.
8074 + */
8075 +static uint8_t ad_finderinfo2[] = {
8076 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8077 + 0x00, 0x02, 0x00, 0x00, /* Version */
8078 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8079 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8080 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8081 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8082 + 0x00, 0x02, /* Count */
8083 + /* adentry 1: FinderInfo */
8084 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8085 + 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
8086 + 0x00, 0x00, 0x00, 0x20, /* len: 32, so off+len exceeds bufferlen by 1 */
8087 + /* adentry 2: Resourcefork */
8088 + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8089 + 0x00, 0x00, 0x00, 0x52, /* offset */
8090 + 0xff, 0xff, 0xff, 0x00, /* length */
8091 + /* FinderInfo data: 32 bytes */
8092 + 0x00, 0x00, 0x00, 0x00,
8093 + 0x00, 0x00, 0x00, 0x00,
8094 + 0x00, 0x00, 0x00, 0x00,
8095 + 0x00, 0x00, 0x00, 0x00,
8096 + 0x00, 0x00, 0x00, 0x00,
8097 + 0x00, 0x00, 0x00, 0x00,
8098 + 0x00, 0x00, 0x00, 0x00,
8099 + 0x00, 0x00, 0x00, 0x00,
8100 +};
8101 +
8102 +static uint8_t ad_finderinfo3[] = {
8103 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8104 + 0x00, 0x02, 0x00, 0x00, /* Version */
8105 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8106 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8107 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8108 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8109 + 0x00, 0x02, /* Count */
8110 + /* adentry 1: FinderInfo */
8111 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8112 + 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
8113 + 0x00, 0x00, 0x00, 0x1f, /* len: 31, so off+len don't exceed buf */
8114 + /* adentry 2: Resourcefork */
8115 + 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
8116 + 0x00, 0x00, 0x00, 0x52, /* offset */
8117 + 0xff, 0xff, 0xff, 0x00, /* length */
8118 + /* FinderInfo data: 32 bytes */
8119 + 0x00, 0x00, 0x00, 0x00,
8120 + 0x00, 0x00, 0x00, 0x00,
8121 + 0x00, 0x00, 0x00, 0x00,
8122 + 0x00, 0x00, 0x00, 0x00,
8123 + 0x00, 0x00, 0x00, 0x00,
8124 + 0x00, 0x00, 0x00, 0x00,
8125 + 0x00, 0x00, 0x00, 0x00,
8126 + 0x00, 0x00, 0x00, 0x00,
8127 +};
8128 +
8129 +/*
8130 + * A dangerous name entry.
8131 + */
8132 +static uint8_t ad_name[] = {
8133 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8134 + 0x00, 0x02, 0x00, 0x00, /* Version */
8135 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8136 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8137 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8138 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8139 + 0x00, 0x02, /* Count */
8140 + /* adentry 1: FinderInfo */
8141 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8142 + 0x00, 0x00, 0x00, 0x32, /* offset */
8143 + 0x00, 0x00, 0x00, 0x20, /* length */
8144 + /* adentry 2: Name */
8145 + 0x00, 0x00, 0x00, 0x03, /* eid: Name */
8146 + 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
8147 + 0x00, 0x00, 0x00, 0x01, /* len: 1, so off+len exceeds bufferlen */
8148 + /* FinderInfo data: 32 bytes */
8149 + 0x00, 0x00, 0x00, 0x00,
8150 + 0x00, 0x00, 0x00, 0x00,
8151 + 0x00, 0x00, 0x00, 0x00,
8152 + 0x00, 0x00, 0x00, 0x00,
8153 + 0x00, 0x00, 0x00, 0x00,
8154 + 0x00, 0x00, 0x00, 0x00,
8155 + 0x00, 0x00, 0x00, 0x00,
8156 + 0x00, 0x00, 0x00, 0x00,
8157 +};
8158 +
8159 +/*
8160 + * A empty ADEID_FILEDATESI entry.
8161 + */
8162 +static uint8_t ad_date1[] = {
8163 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8164 + 0x00, 0x02, 0x00, 0x00, /* Version */
8165 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8166 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8167 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8168 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8169 + 0x00, 0x02, /* Count */
8170 + /* adentry 1: FinderInfo */
8171 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8172 + 0x00, 0x00, 0x00, 0x32, /* offset */
8173 + 0x00, 0x00, 0x00, 0x20, /* length */
8174 + /* adentry 2: Dates */
8175 + 0x00, 0x00, 0x00, 0x08, /* eid: dates */
8176 + 0x00, 0x00, 0x00, 0x52, /* off: end of buffer */
8177 + 0x00, 0x00, 0x00, 0x00, /* len: 0, empty entry, valid */
8178 + /* FinderInfo data: 32 bytes */
8179 + 0x00, 0x00, 0x00, 0x00,
8180 + 0x00, 0x00, 0x00, 0x00,
8181 + 0x00, 0x00, 0x00, 0x00,
8182 + 0x00, 0x00, 0x00, 0x00,
8183 + 0x00, 0x00, 0x00, 0x00,
8184 + 0x00, 0x00, 0x00, 0x00,
8185 + 0x00, 0x00, 0x00, 0x00,
8186 + 0x00, 0x00, 0x00, 0x00,
8187 +};
8188 +
8189 +/*
8190 + * A dangerous ADEID_FILEDATESI entry, invalid length.
8191 + */
8192 +static uint8_t ad_date2[] = {
8193 + 0x00, 0x05, 0x16, 0x07, /* Magic */
8194 + 0x00, 0x02, 0x00, 0x00, /* Version */
8195 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8196 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8197 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8198 + 0x00, 0x00, 0x00, 0x00, /* Filler */
8199 + 0x00, 0x02, /* Count */
8200 + /* adentry 1: FinderInfo */
8201 + 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
8202 + 0x00, 0x00, 0x00, 0x32, /* offset */
8203 + 0x00, 0x00, 0x00, 0x20, /* length */
8204 + /* adentry 2: Dates */
8205 + 0x00, 0x00, 0x00, 0x08, /* eid: dates */
8206 + 0x00, 0x00, 0x00, 0x43, /* off: FinderInfo buf but one byte short */
8207 + 0x00, 0x00, 0x00, 0x0f, /* len: 15, so off+len don't exceed bufferlen */
8208 + /* FinderInfo data: 32 bytes */
8209 + 0x00, 0x00, 0x00, 0x00,
8210 + 0x00, 0x00, 0x00, 0x00,
8211 + 0x00, 0x00, 0x00, 0x00,
8212 + 0x00, 0x00, 0x00, 0x00,
8213 + 0x00, 0x00, 0x00, 0x00,
8214 + 0x00, 0x00, 0x00, 0x00,
8215 + 0x00, 0x00, 0x00, 0x00,
8216 + 0x00, 0x00, 0x00, 0x00,
8217 +};
8218 +
8219 +static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx,
8220 + uint8_t *adbuf,
8221 + size_t adsize,
8222 + off_t filesize)
8223 +{
8224 + struct adouble *ad = NULL;
8225 + bool ok;
8226 +
8227 + ad = talloc_zero(mem_ctx, struct adouble);
8228 + ad->ad_data = talloc_zero_size(ad, adsize);
8229 + assert_non_null(ad);
8230 +
8231 + memcpy(ad->ad_data, adbuf, adsize);
8232 +
8233 + ok = ad_unpack(ad, 2, filesize);
8234 + if (!ok) {
8235 + return NULL;
8236 + }
8237 +
8238 + return ad;
8239 +}
8240 +
8241 +static void parse_abouble_basic(void **state)
8242 +{
8243 + TALLOC_CTX *frame = *state;
8244 + struct adouble *ad = NULL;
8245 + char *p = NULL;
8246 +
8247 + ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52);
8248 + assert_non_null(ad);
8249 +
8250 + p = ad_get_entry(ad, ADEID_FINDERI);
8251 + assert_non_null(p);
8252 +
8253 + return;
8254 +}
8255 +
8256 +static void parse_abouble_finderinfo1(void **state)
8257 +{
8258 + TALLOC_CTX *frame = *state;
8259 + struct adouble *ad = NULL;
8260 + char *p = NULL;
8261 +
8262 + ad = parse_adouble(frame,
8263 + ad_finderinfo1,
8264 + sizeof(ad_finderinfo1),
8265 + 0xffffff52);
8266 + assert_non_null(ad);
8267 +
8268 + p = ad_get_entry(ad, ADEID_FINDERI);
8269 + assert_null(p);
8270 +
8271 + return;
8272 +}
8273 +
8274 +static void parse_abouble_finderinfo2(void **state)
8275 +{
8276 + TALLOC_CTX *frame = *state;
8277 + struct adouble *ad = NULL;
8278 +
8279 + ad = parse_adouble(frame,
8280 + ad_finderinfo2,
8281 + sizeof(ad_finderinfo2),
8282 + 0xffffff52);
8283 + assert_null(ad);
8284 +
8285 + return;
8286 +}
8287 +
8288 +static void parse_abouble_finderinfo3(void **state)
8289 +{
8290 + TALLOC_CTX *frame = *state;
8291 + struct adouble *ad = NULL;
8292 +
8293 + ad = parse_adouble(frame,
8294 + ad_finderinfo3,
8295 + sizeof(ad_finderinfo3),
8296 + 0xffffff52);
8297 + assert_null(ad);
8298 +
8299 + return;
8300 +}
8301 +
8302 +static void parse_abouble_name(void **state)
8303 +{
8304 + TALLOC_CTX *frame = *state;
8305 + struct adouble *ad = NULL;
8306 +
8307 + ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52);
8308 + assert_null(ad);
8309 +
8310 + return;
8311 +}
8312 +
8313 +static void parse_abouble_date1(void **state)
8314 +{
8315 + TALLOC_CTX *frame = *state;
8316 + struct adouble *ad = NULL;
8317 + char *p = NULL;
8318 +
8319 + ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52);
8320 + assert_non_null(ad);
8321 +
8322 + p = ad_get_entry(ad, ADEID_FILEDATESI);
8323 + assert_null(p);
8324 +
8325 + return;
8326 +}
8327 +
8328 +static void parse_abouble_date2(void **state)
8329 +{
8330 + TALLOC_CTX *frame = *state;
8331 + struct adouble *ad = NULL;
8332 +
8333 + ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52);
8334 + assert_null(ad);
8335 +
8336 + return;
8337 +}
8338 +
8339 +int main(int argc, char *argv[])
8340 +{
8341 + int rc;
8342 + const struct CMUnitTest tests[] = {
8343 + cmocka_unit_test(parse_abouble_basic),
8344 + cmocka_unit_test(parse_abouble_finderinfo1),
8345 + cmocka_unit_test(parse_abouble_finderinfo2),
8346 + cmocka_unit_test(parse_abouble_finderinfo3),
8347 + cmocka_unit_test(parse_abouble_name),
8348 + cmocka_unit_test(parse_abouble_date1),
8349 + cmocka_unit_test(parse_abouble_date2),
8350 + };
8351 +
8352 + if (argc == 2) {
8353 + cmocka_set_test_filter(argv[1]);
8354 + }
8355 + cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
8356 +
8357 + rc = cmocka_run_group_tests(tests,
8358 + setup_talloc_context,
8359 + teardown_talloc_context);
8360 +
8361 + return rc;
8362 +}
8363 diff --git a/source3/wscript_build b/source3/wscript_build
8364 index 26e251f442a..5230ae32934 100644
8365 --- a/source3/wscript_build
8366 +++ b/source3/wscript_build
8367 @@ -1080,6 +1080,11 @@ bld.SAMBA3_SUBSYSTEM('SPOOLSSD',
8368
8369 ########################## BINARIES #################################
8370
8371 +bld.SAMBA3_BINARY('test_adouble',
8372 + source='lib/test_adouble.c',
8373 + deps='smbd_base STRING_REPLACE cmocka OFFLOAD_TOKEN',
8374 + install=False)
8375 +
8376 bld.SAMBA3_BINARY('smbd/smbd',
8377 source='smbd/server.c smbd/smbd_cleanupd.c',
8378 deps='''
8379 --
8380 2.39.0
8381
8382
8383 From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001
8384 From: Ralph Boehme <slow@samba.org>
8385 Date: Thu, 13 Jan 2022 17:03:02 +0100
8386 Subject: [PATCH 097/142] CVE-2021-44142: libadouble: harden parsing code
8387
8388 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
8389
8390 Signed-off-by: Ralph Boehme <slow@samba.org>
8391 ---
8392 selftest/knownfail.d/samba.unittests.adouble | 3 -
8393 source3/modules/vfs_fruit.c | 114 ++++++++++++++++---
8394 2 files changed, 100 insertions(+), 17 deletions(-)
8395 delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
8396
8397 diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
8398 deleted file mode 100644
8399 index 8b0314f2fae..00000000000
8400 --- a/selftest/knownfail.d/samba.unittests.adouble
8401 +++ /dev/null
8402 @@ -1,3 +0,0 @@
8403 -^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
8404 -^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
8405 -^samba.unittests.adouble.parse_abouble_date2\(none\)
8406 diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
8407 index 76139e51047..17e97d15bdb 100644
8408 --- a/source3/modules/vfs_fruit.c
8409 +++ b/source3/modules/vfs_fruit.c
8410 @@ -540,6 +540,94 @@ static AfpInfo *afpinfo_new(TALLOC_CTX *ctx);
8411 static ssize_t afpinfo_pack(const AfpInfo *ai, char *buf);
8412 static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
8413
8414 +/*
8415 + * All entries besides FinderInfo and resource fork must fit into the
8416 + * buffer. FinderInfo is special as it may be larger then the default 32 bytes
8417 + * if it contains marshalled xattrs, which we will fixup that in
8418 + * ad_convert(). The first 32 bytes however must also be part of the buffer.
8419 + *
8420 + * The resource fork is never accessed directly by the ad_data buf.
8421 + */
8422 +static bool ad_entry_check_size(uint32_t eid,
8423 + size_t bufsize,
8424 + uint32_t off,
8425 + uint32_t got_len)
8426 +{
8427 + struct {
8428 + off_t expected_len;
8429 + bool fixed_size;
8430 + bool minimum_size;
8431 + } ad_checks[] = {
8432 + [ADEID_DFORK] = {-1, false, false}, /* not applicable */
8433 + [ADEID_RFORK] = {-1, false, false}, /* no limit */
8434 + [ADEID_NAME] = {ADEDLEN_NAME, false, false},
8435 + [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
8436 + [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
8437 + [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
8438 + [ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
8439 + [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
8440 + [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
8441 + [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
8442 + [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
8443 + [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
8444 + [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
8445 + [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
8446 + [ADEID_DID] = {ADEDLEN_DID, true, false},
8447 + [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
8448 + [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
8449 + [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
8450 + [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
8451 + };
8452 +
8453 + if (eid >= ADEID_MAX) {
8454 + return false;
8455 + }
8456 + if (got_len == 0) {
8457 + /* Entry present, but empty, allow */
8458 + return true;
8459 + }
8460 + if (ad_checks[eid].expected_len == 0) {
8461 + /*
8462 + * Shouldn't happen: implicitly initialized to zero because
8463 + * explicit initializer missing.
8464 + */
8465 + return false;
8466 + }
8467 + if (ad_checks[eid].expected_len == -1) {
8468 + /* Unused or no limit */
8469 + return true;
8470 + }
8471 + if (ad_checks[eid].fixed_size) {
8472 + if (ad_checks[eid].expected_len != got_len) {
8473 + /* Wrong size fo fixed size entry. */
8474 + return false;
8475 + }
8476 + } else {
8477 + if (ad_checks[eid].minimum_size) {
8478 + if (got_len < ad_checks[eid].expected_len) {
8479 + /*
8480 + * Too small for variable sized entry with
8481 + * minimum size.
8482 + */
8483 + return false;
8484 + }
8485 + } else {
8486 + if (got_len > ad_checks[eid].expected_len) {
8487 + /* Too big for variable sized entry. */
8488 + return false;
8489 + }
8490 + }
8491 + }
8492 + if (off + got_len < off) {
8493 + /* wrap around */
8494 + return false;
8495 + }
8496 + if (off + got_len > bufsize) {
8497 + /* overflow */
8498 + return false;
8499 + }
8500 + return true;
8501 +}
8502
8503 /**
8504 * Return a pointer to an AppleDouble entry
8505 @@ -548,8 +636,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
8506 **/
8507 static char *ad_get_entry(const struct adouble *ad, int eid)
8508 {
8509 + size_t bufsize = talloc_get_size(ad->ad_data);
8510 off_t off = ad_getentryoff(ad, eid);
8511 size_t len = ad_getentrylen(ad, eid);
8512 + bool valid;
8513 +
8514 + valid = ad_entry_check_size(eid, bufsize, off, len);
8515 + if (!valid) {
8516 + return NULL;
8517 + }
8518
8519 if (off == 0 || len == 0) {
8520 return NULL;
8521 @@ -935,20 +1030,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
8522 return false;
8523 }
8524
8525 - /*
8526 - * All entries besides FinderInfo and resource fork
8527 - * must fit into the buffer. FinderInfo is special as
8528 - * it may be larger then the default 32 bytes (if it
8529 - * contains marshalled xattrs), but we will fixup that
8530 - * in ad_convert(). And the resource fork is never
8531 - * accessed directly by the ad_data buf (also see
8532 - * comment above) anyway.
8533 - */
8534 - if ((eid != ADEID_RFORK) &&
8535 - (eid != ADEID_FINDERI) &&
8536 - ((off + len) > bufsize)) {
8537 - DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
8538 - eid, off, len));
8539 + ok = ad_entry_check_size(eid, bufsize, off, len);
8540 + if (!ok) {
8541 + DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
8542 + "off [%"PRIu32"] len [%"PRIu32"]\n",
8543 + eid, bufsize, off, len);
8544 return false;
8545 }
8546
8547 --
8548 2.39.0
8549
8550
8551 From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001
8552 From: Christof Schmitt <cs@samba.org>
8553 Date: Fri, 5 Mar 2021 15:48:29 -0700
8554 Subject: [PATCH 098/142] winbind: Only use unixid2sid mapping when module
8555 reports ID_MAPPED
8556
8557 Only consider a mapping to be valid when the idmap module reports
8558 ID_MAPPED. Otherwise return the null SID.
8559
8560 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8561
8562 Signed-off-by: Christof Schmitt <cs@samba.org>
8563 Reviewed-by: Volker Lendecke <vl@samba.org>
8564 (cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23)
8565 (cherry picked from commit 3aa06edf38bc4002f031476baa50712fd1a67f4d)
8566 ---
8567 source3/winbindd/winbindd_dual_srv.c | 6 ++++--
8568 1 file changed, 4 insertions(+), 2 deletions(-)
8569
8570 diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
8571 index 0842241e02e..94331163006 100644
8572 --- a/source3/winbindd/winbindd_dual_srv.c
8573 +++ b/source3/winbindd/winbindd_dual_srv.c
8574 @@ -275,8 +275,10 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
8575 }
8576
8577 for (i=0; i<r->in.num_ids; i++) {
8578 - r->out.xids[i] = maps[i]->xid;
8579 - sid_copy(&r->out.sids[i], maps[i]->sid);
8580 + if (maps[i]->status == ID_MAPPED) {
8581 + r->out.xids[i] = maps[i]->xid;
8582 + sid_copy(&r->out.sids[i], maps[i]->sid);
8583 + }
8584 }
8585
8586 TALLOC_FREE(maps);
8587 --
8588 2.39.0
8589
8590
8591 From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001
8592 From: Christof Schmitt <cs@samba.org>
8593 Date: Fri, 5 Mar 2021 16:01:13 -0700
8594 Subject: [PATCH 099/142] idmap_rfc2307: Do not return SID from unixids_to_sids
8595 on type mismatch
8596
8597 The call to winbind_lookup_name already wrote the result in the id_map
8598 array. The later check for the type detected a mismatch, but that did
8599 not remove the SID from the result struct.
8600
8601 Change this by first assigning the SID to a temporary variable and only
8602 write it to the id_map array after the type checks.
8603
8604 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8605
8606 Signed-off-by: Christof Schmitt <cs@samba.org>
8607 (cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc)
8608 (cherry picked from commit af37d5abae924d095e7b35620d850cf1f19021c4)
8609 ---
8610 source3/winbindd/idmap_rfc2307.c | 4 +++-
8611 source3/winbindd/winbindd_dual_srv.c | 2 ++
8612 2 files changed, 5 insertions(+), 1 deletion(-)
8613
8614 diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
8615 index e3bf58d8165..2fffaec6cca 100644
8616 --- a/source3/winbindd/idmap_rfc2307.c
8617 +++ b/source3/winbindd/idmap_rfc2307.c
8618 @@ -228,6 +228,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8619
8620 for (i = 0; i < count; i++) {
8621 char *name;
8622 + struct dom_sid sid;
8623 enum lsa_SidType lsa_type;
8624 struct id_map *map;
8625 uint32_t id;
8626 @@ -276,7 +277,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8627 the following call will not recurse so this is safe */
8628 (void)winbind_on();
8629 /* Lookup name from PDC using lsa_lookup_names() */
8630 - b = winbind_lookup_name(dom_name, name, map->sid, &lsa_type);
8631 + b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
8632 (void)winbind_off();
8633
8634 if (!b) {
8635 @@ -300,6 +301,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
8636 }
8637
8638 map->status = ID_MAPPED;
8639 + sid_copy(map->sid, &sid);
8640 }
8641 }
8642
8643 diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
8644 index 94331163006..34375b3858f 100644
8645 --- a/source3/winbindd/winbindd_dual_srv.c
8646 +++ b/source3/winbindd/winbindd_dual_srv.c
8647 @@ -278,6 +278,8 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
8648 if (maps[i]->status == ID_MAPPED) {
8649 r->out.xids[i] = maps[i]->xid;
8650 sid_copy(&r->out.sids[i], maps[i]->sid);
8651 + } else {
8652 + r->out.sids[i] = (struct dom_sid) { 0 };
8653 }
8654 }
8655
8656 --
8657 2.39.0
8658
8659
8660 From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001
8661 From: Christof Schmitt <cs@samba.org>
8662 Date: Fri, 5 Mar 2021 16:07:54 -0700
8663 Subject: [PATCH 100/142] idmap_nss: Do not return SID from unixids_to_sids on
8664 type mismatch
8665
8666 The call to winbind_lookup_name already wrote the result in the id_map
8667 array. The later check for the type detected a mismatch, but that did
8668 not remove the SID from the result struct.
8669
8670 Change this by first assigning the SID to a temporary variable and only
8671 write it to the id_map array after the type checks.
8672
8673 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
8674
8675 Signed-off-by: Christof Schmitt <cs@samba.org>
8676 Reviewed-by: Volker Lendecke <vl@samba.org>
8677
8678 Autobuild-User(master): Volker Lendecke <vl@samba.org>
8679 Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184
8680
8681 (cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)
8682 (cherry picked from commit 3f366878d33cf977230137021f6376936b2a1862)
8683 ---
8684 source3/winbindd/idmap_nss.c | 5 ++++-
8685 1 file changed, 4 insertions(+), 1 deletion(-)
8686
8687 diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
8688 index 243b67ccafd..e4bf1923786 100644
8689 --- a/source3/winbindd/idmap_nss.c
8690 +++ b/source3/winbindd/idmap_nss.c
8691 @@ -56,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8692 struct passwd *pw;
8693 struct group *gr;
8694 const char *name;
8695 + struct dom_sid sid;
8696 enum lsa_SidType type;
8697 bool ret;
8698
8699 @@ -87,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8700 the following call will not recurse so this is safe */
8701 (void)winbind_on();
8702 /* Lookup name from PDC using lsa_lookup_names() */
8703 - ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type);
8704 + ret = winbind_lookup_name(dom->name, name, &sid, &type);
8705 (void)winbind_off();
8706
8707 if (!ret) {
8708 @@ -100,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8709 switch (type) {
8710 case SID_NAME_USER:
8711 if (ids[i]->xid.type == ID_TYPE_UID) {
8712 + sid_copy(ids[i]->sid, &sid);
8713 ids[i]->status = ID_MAPPED;
8714 }
8715 break;
8716 @@ -108,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
8717 case SID_NAME_ALIAS:
8718 case SID_NAME_WKN_GRP:
8719 if (ids[i]->xid.type == ID_TYPE_GID) {
8720 + sid_copy(ids[i]->sid, &sid);
8721 ids[i]->status = ID_MAPPED;
8722 }
8723 break;
8724 --
8725 2.39.0
8726
8727
8728 From 4ef3d95fb680cf278e68b6794459ff7bce1489aa Mon Sep 17 00:00:00 2001
8729 From: Andreas Schneider <asn@samba.org>
8730 Date: Tue, 23 Nov 2021 15:48:57 +0100
8731 Subject: [PATCH 101/142] s3:winbind: Fix possible NULL pointer dereference
8732
8733 BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888
8734
8735 Signed-off-by: Andreas Schneider <asn@samba.org>
8736 Rewiewed-by: Jeremy Allison <jra@samba.org>
8737
8738 Autobuild-User(master): Jeremy Allison <jra@samba.org>
8739 Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184
8740
8741 (cherry picked from commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f)
8742 ---
8743 source3/winbindd/winbindd_util.c | 3 +++
8744 1 file changed, 3 insertions(+)
8745
8746 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
8747 index 04e79e70f6b..d1bd81b2372 100644
8748 --- a/source3/winbindd/winbindd_util.c
8749 +++ b/source3/winbindd/winbindd_util.c
8750 @@ -1691,6 +1691,9 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
8751 }
8752
8753 tmp_user = talloc_strdup(mem_ctx, user);
8754 + if (tmp_user == NULL) {
8755 + return NULL;
8756 + }
8757 if (!strlower_m(tmp_user)) {
8758 TALLOC_FREE(tmp_user);
8759 return NULL;
8760 --
8761 2.39.0
8762
8763
8764 From 95c9485bb600e965f24712534850d1a7fd325c44 Mon Sep 17 00:00:00 2001
8765 From: Ralph Boehme <slow@samba.org>
8766 Date: Tue, 6 Dec 2022 16:00:36 +0100
8767 Subject: [PATCH 102/142] CVE-2022-38023 docs-xml: improve wording for several
8768 options: "takes precedence" -> "overrides"
8769
8770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8771
8772 Signed-off-by: Ralph Boehme <slow@samba.org>
8773 Reviewed-by: Stefan Metzmacher <metze@samba.org>
8774 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8775 (cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
8776 ---
8777 docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +-
8778 docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
8779 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +-
8780 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
8781 4 files changed, 4 insertions(+), 4 deletions(-)
8782
8783 diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8784 index 41684ef1080..0bb9f6f6c8e 100644
8785 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8786 +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
8787 @@ -10,7 +10,7 @@
8788 <para>You can set this to yes if all domain members support aes.
8789 This will prevent downgrade attacks.</para>
8790
8791 - <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
8792 + <para>This option overrides the 'allow nt4 crypto' option.</para>
8793 </description>
8794
8795 <value type="default">no</value>
8796 diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
8797 index b682d086f76..79e4e73a95c 100644
8798 --- a/docs-xml/smbdotconf/security/serverschannel.xml
8799 +++ b/docs-xml/smbdotconf/security/serverschannel.xml
8800 @@ -59,7 +59,7 @@
8801 See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
8802 </para>
8803
8804 - <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
8805 + <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
8806
8807 <programlisting>
8808 server require schannel:LEGACYCOMPUTER1$ = no
8809 diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8810 index 37656293aa4..151b4676c57 100644
8811 --- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8812 +++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
8813 @@ -15,7 +15,7 @@
8814 <para>The behavior can be controlled per netbios domain
8815 by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
8816
8817 - <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
8818 + <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
8819 </description>
8820
8821 <value type="default">no</value>
8822 diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8823 index 4db62bfb02d..b17620ec8f1 100644
8824 --- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8825 +++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8826 @@ -19,7 +19,7 @@
8827
8828 <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
8829
8830 - <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
8831 + <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
8832 </description>
8833
8834 <value type="default">yes</value>
8835 --
8836 2.39.0
8837
8838
8839 From d6ab8377e55e4bda76c86de9bba1ddee30361481 Mon Sep 17 00:00:00 2001
8840 From: Ralph Boehme <slow@samba.org>
8841 Date: Tue, 6 Dec 2022 16:05:26 +0100
8842 Subject: [PATCH 103/142] CVE-2022-38023 docs-xml: improve wording for several
8843 options: "yields precedence" -> "is over-riden"
8844
8845 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8846
8847 Signed-off-by: Ralph Boehme <slow@samba.org>
8848 Reviewed-by: Stefan Metzmacher <metze@samba.org>
8849 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8850 (cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
8851 ---
8852 docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +-
8853 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +-
8854 docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
8855 docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
8856 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
8857 5 files changed, 5 insertions(+), 5 deletions(-)
8858
8859 diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
8860 index 03dc8fa93f7..06afcef73b1 100644
8861 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
8862 +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
8863 @@ -18,7 +18,7 @@
8864
8865 <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
8866
8867 - <para>This option yields precedence to the 'reject md5 clients' option.</para>
8868 + <para>This option is over-ridden by the 'reject md5 clients' option.</para>
8869 </description>
8870
8871 <value type="default">no</value>
8872 diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8873 index 03531adbfb3..8bccab391cc 100644
8874 --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8875 +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
8876 @@ -15,7 +15,7 @@
8877 <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
8878 winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
8879
8880 - <para>This option yields precedence to the implementation specific restrictions.
8881 + <para>This option is over-ridden by the implementation specific restrictions.
8882 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
8883 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
8884 </para>
8885 diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
8886 index 5b07da95050..d124ad48181 100644
8887 --- a/docs-xml/smbdotconf/security/clientschannel.xml
8888 +++ b/docs-xml/smbdotconf/security/clientschannel.xml
8889 @@ -23,7 +23,7 @@
8890 <para>Note that for active directory domains this is hardcoded to
8891 <smbconfoption name="client schannel">yes</smbconfoption>.</para>
8892
8893 - <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
8894 + <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
8895 </description>
8896 <value type="default">yes</value>
8897 <value type="example">auto</value>
8898 diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
8899 index 79e4e73a95c..3e66df1c203 100644
8900 --- a/docs-xml/smbdotconf/security/serverschannel.xml
8901 +++ b/docs-xml/smbdotconf/security/serverschannel.xml
8902 @@ -23,7 +23,7 @@
8903 <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
8904 </para>
8905
8906 - <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
8907 + <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
8908
8909 </description>
8910
8911 diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8912 index b17620ec8f1..9c1c1d7af14 100644
8913 --- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8914 +++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
8915 @@ -17,7 +17,7 @@
8916
8917 <para>Note for active directory domain this option is hardcoded to 'yes'</para>
8918
8919 - <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
8920 + <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
8921
8922 <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
8923 </description>
8924 --
8925 2.39.0
8926
8927
8928 From 976080e72039b68ab66b757f1c3cb258eaca23df Mon Sep 17 00:00:00 2001
8929 From: Stefan Metzmacher <metze@samba.org>
8930 Date: Wed, 30 Nov 2022 14:46:59 +0100
8931 Subject: [PATCH 104/142] CVE-2022-38023 libcli/auth: pass lp_ctx to
8932 netlogon_creds_cli_set_global_db()
8933
8934 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
8935
8936 Signed-off-by: Stefan Metzmacher <metze@samba.org>
8937 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8938 Reviewed-by: Ralph Boehme <slow@samba.org>
8939 (cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
8940 ---
8941 libcli/auth/netlogon_creds_cli.c | 3 ++-
8942 libcli/auth/netlogon_creds_cli.h | 2 +-
8943 source3/rpc_client/cli_netlogon.c | 2 +-
8944 source3/utils/destroy_netlogon_creds_cli.c | 2 +-
8945 4 files changed, 5 insertions(+), 4 deletions(-)
8946
8947 diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
8948 index 0f6ca11ff96..c9873a5748e 100644
8949 --- a/libcli/auth/netlogon_creds_cli.c
8950 +++ b/libcli/auth/netlogon_creds_cli.c
8951 @@ -201,7 +201,8 @@ static NTSTATUS netlogon_creds_cli_context_common(
8952
8953 static struct db_context *netlogon_creds_cli_global_db;
8954
8955 -NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
8956 +NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
8957 + struct db_context **db)
8958 {
8959 if (netlogon_creds_cli_global_db != NULL) {
8960 return NT_STATUS_INVALID_PARAMETER_MIX;
8961 diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
8962 index 56a2dd9bc77..2ce5de9d305 100644
8963 --- a/libcli/auth/netlogon_creds_cli.h
8964 +++ b/libcli/auth/netlogon_creds_cli.h
8965 @@ -31,7 +31,7 @@ struct messaging_context;
8966 struct dcerpc_binding_handle;
8967 struct db_context;
8968
8969 -NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
8970 +NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db);
8971 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
8972 void netlogon_creds_cli_close_global_db(void);
8973
8974 diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
8975 index f073f0d925e..b784064f17e 100644
8976 --- a/source3/rpc_client/cli_netlogon.c
8977 +++ b/source3/rpc_client/cli_netlogon.c
8978 @@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
8979 return NT_STATUS_NO_MEMORY;
8980 }
8981
8982 - status = netlogon_creds_cli_set_global_db(&global_db);
8983 + status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
8984 TALLOC_FREE(frame);
8985 if (!NT_STATUS_IS_OK(status)) {
8986 return status;
8987 diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c
8988 index 137ac8393e7..95a650f4654 100644
8989 --- a/source3/utils/destroy_netlogon_creds_cli.c
8990 +++ b/source3/utils/destroy_netlogon_creds_cli.c
8991 @@ -83,7 +83,7 @@ int main(int argc, const char *argv[])
8992 goto done;
8993 }
8994
8995 - status = netlogon_creds_cli_set_global_db(&global_db);
8996 + status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
8997 if (!NT_STATUS_IS_OK(status)) {
8998 fprintf(stderr,
8999 "netlogon_creds_cli_set_global_db failed: %s\n",
9000 --
9001 2.39.0
9002
9003
9004 From dfe17c3453980d53445a2cc6221cb8728fc9e3cf Mon Sep 17 00:00:00 2001
9005 From: Stefan Metzmacher <metze@samba.org>
9006 Date: Wed, 30 Nov 2022 14:47:33 +0100
9007 Subject: [PATCH 105/142] CVE-2022-38023 libcli/auth: add/use
9008 netlogon_creds_cli_warn_options()
9009
9010 This warns the admin about insecure options
9011
9012 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9013
9014 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9015 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9016 Reviewed-by: Ralph Boehme <slow@samba.org>
9017
9018 (similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
9019 [jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
9020 getpid()]
9021 ---
9022 libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++
9023 libcli/auth/netlogon_creds_cli.h | 2 +
9024 2 files changed, 68 insertions(+)
9025
9026 diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
9027 index c9873a5748e..20a3da5060f 100644
9028 --- a/libcli/auth/netlogon_creds_cli.c
9029 +++ b/libcli/auth/netlogon_creds_cli.c
9030 @@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db;
9031 NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
9032 struct db_context **db)
9033 {
9034 + netlogon_creds_cli_warn_options(lp_ctx);
9035 +
9036 if (netlogon_creds_cli_global_db != NULL) {
9037 return NT_STATUS_INVALID_PARAMETER_MIX;
9038 }
9039 @@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
9040 struct db_context *global_db;
9041 int hash_size, tdb_flags;
9042
9043 + netlogon_creds_cli_warn_options(lp_ctx);
9044 +
9045 if (netlogon_creds_cli_global_db != NULL) {
9046 return NT_STATUS_OK;
9047 }
9048 @@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void)
9049 TALLOC_FREE(netlogon_creds_cli_global_db);
9050 }
9051
9052 +void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
9053 +{
9054 + bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
9055 + bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
9056 + int global_client_schannel = lpcfg_client_schannel(lp_ctx);
9057 + bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
9058 + static bool warned_global_reject_md5_servers = false;
9059 + static bool warned_global_require_strong_key = false;
9060 + static bool warned_global_client_schannel = false;
9061 + static bool warned_global_seal_secure_channel = false;
9062 + static int warned_global_pid = 0;
9063 + int current_pid = getpid();
9064 +
9065 + if (warned_global_pid != current_pid) {
9066 + warned_global_reject_md5_servers = false;
9067 + warned_global_require_strong_key = false;
9068 + warned_global_client_schannel = false;
9069 + warned_global_seal_secure_channel = false;
9070 + warned_global_pid = current_pid;
9071 + }
9072 +
9073 + if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
9074 + /*
9075 + * We want admins to notice their misconfiguration!
9076 + */
9077 + DBG_ERR("CVE-2022-38023 (and others): "
9078 + "Please configure 'reject md5 servers = yes' (the default), "
9079 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9080 + warned_global_reject_md5_servers = true;
9081 + }
9082 +
9083 + if (!global_require_strong_key && !warned_global_require_strong_key) {
9084 + /*
9085 + * We want admins to notice their misconfiguration!
9086 + */
9087 + DBG_ERR("CVE-2022-38023 (and others): "
9088 + "Please configure 'require strong key = yes' (the default), "
9089 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9090 + warned_global_require_strong_key = true;
9091 + }
9092 +
9093 + if (global_client_schannel != true && !warned_global_client_schannel) {
9094 + /*
9095 + * We want admins to notice their misconfiguration!
9096 + */
9097 + DBG_ERR("CVE-2022-38023 (and others): "
9098 + "Please configure 'client schannel = yes' (the default), "
9099 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9100 + warned_global_client_schannel = true;
9101 + }
9102 +
9103 + if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
9104 + /*
9105 + * We want admins to notice their misconfiguration!
9106 + */
9107 + DBG_ERR("CVE-2022-38023 (and others): "
9108 + "Please configure 'winbind sealed pipes = yes' (the default), "
9109 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
9110 + warned_global_seal_secure_channel = true;
9111 + }
9112 +}
9113 +
9114 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9115 struct messaging_context *msg_ctx,
9116 const char *client_account,
9117 diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
9118 index 2ce5de9d305..e4e0232e92f 100644
9119 --- a/libcli/auth/netlogon_creds_cli.h
9120 +++ b/libcli/auth/netlogon_creds_cli.h
9121 @@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
9122 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
9123 void netlogon_creds_cli_close_global_db(void);
9124
9125 +void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
9126 +
9127 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9128 struct messaging_context *msg_ctx,
9129 const char *client_account,
9130 --
9131 2.39.0
9132
9133
9134 From 75c44fdccf18bfa34530f05937e8e3305b2c927e Mon Sep 17 00:00:00 2001
9135 From: Stefan Metzmacher <metze@samba.org>
9136 Date: Wed, 30 Nov 2022 16:16:05 +0100
9137 Subject: [PATCH 106/142] CVE-2022-38023 s3:net: add and use
9138 net_warn_member_options() helper
9139
9140 This makes sure domain member related 'net' commands print warnings
9141 about unsecure smb.conf options.
9142
9143 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9144
9145 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9146 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9147 Reviewed-by: Ralph Boehme <slow@samba.org>
9148 (cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
9149 ---
9150 source3/utils/net.c | 6 ++++++
9151 source3/utils/net_ads.c | 14 ++++++++++++++
9152 source3/utils/net_dom.c | 2 ++
9153 source3/utils/net_join.c | 2 ++
9154 source3/utils/net_proto.h | 2 ++
9155 source3/utils/net_rpc.c | 10 ++++++++++
9156 source3/utils/net_util.c | 15 +++++++++++++++
9157 7 files changed, 51 insertions(+)
9158
9159 diff --git a/source3/utils/net.c b/source3/utils/net.c
9160 index 8350e8c0967..c17dd972c3f 100644
9161 --- a/source3/utils/net.c
9162 +++ b/source3/utils/net.c
9163 @@ -83,6 +83,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param)
9164
9165 static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
9166 {
9167 + net_warn_member_options();
9168 +
9169 if (net_ads_check_our_domain(c) == 0)
9170 return net_ads_changetrustpw(c, argc, argv);
9171
9172 @@ -110,6 +112,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
9173 return 1;
9174 }
9175
9176 + net_warn_member_options();
9177 +
9178 if (c->opt_stdin) {
9179 set_line_buffering(stdin);
9180 set_line_buffering(stdout);
9181 @@ -185,6 +189,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
9182 return 1;
9183 }
9184
9185 + net_warn_member_options();
9186 +
9187 if(c->opt_force) {
9188 struct secrets_domain_info1 *info = NULL;
9189 struct secrets_domain_info1_change *prev = NULL;
9190 diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
9191 index 3cf8fbbf7c8..32a7b2d7f7f 100644
9192 --- a/source3/utils/net_ads.c
9193 +++ b/source3/utils/net_ads.c
9194 @@ -1290,6 +1290,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv)
9195 return 0;
9196 }
9197
9198 + net_warn_member_options();
9199 +
9200 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9201 return -1;
9202 }
9203 @@ -1431,6 +1433,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c)
9204 return NT_STATUS_ACCESS_DENIED;
9205 }
9206
9207 + net_warn_member_options();
9208 +
9209 net_use_krb_machine_account(c);
9210
9211 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
9212 @@ -1461,6 +1465,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
9213 return 0;
9214 }
9215
9216 + net_warn_member_options();
9217 +
9218 /* Display success or failure */
9219 status = net_ads_join_ok(c);
9220 if (!NT_STATUS_IS_OK(status)) {
9221 @@ -1846,6 +1852,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
9222 if (c->display_usage)
9223 return net_ads_join_usage(c, argc, argv);
9224
9225 + net_warn_member_options();
9226 +
9227 if (!modify_config) {
9228
9229 werr = check_ads_config();
9230 @@ -2732,6 +2740,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
9231 return -1;
9232 }
9233
9234 + net_warn_member_options();
9235 +
9236 net_use_krb_machine_account(c);
9237
9238 use_in_memory_ccache();
9239 @@ -3001,6 +3011,8 @@ static int net_ads_keytab_add(struct net_context *c,
9240 return 0;
9241 }
9242
9243 + net_warn_member_options();
9244 +
9245 d_printf(_("Processing principals to add...\n"));
9246 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9247 return -1;
9248 @@ -3040,6 +3052,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
9249 return 0;
9250 }
9251
9252 + net_warn_member_options();
9253 +
9254 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
9255 return -1;
9256 }
9257 diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
9258 index 1e45c59220c..db6e34e52de 100644
9259 --- a/source3/utils/net_dom.c
9260 +++ b/source3/utils/net_dom.c
9261 @@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv)
9262 return net_dom_usage(c, argc, argv);
9263 }
9264
9265 + net_warn_member_options();
9266 +
9267 if (c->opt_host) {
9268 server_name = c->opt_host;
9269 }
9270 diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c
9271 index 1493dff74d7..f67f08f79a8 100644
9272 --- a/source3/utils/net_join.c
9273 +++ b/source3/utils/net_join.c
9274 @@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv)
9275 return 0;
9276 }
9277
9278 + net_warn_member_options();
9279 +
9280 if (net_ads_check_our_domain(c) == 0) {
9281 if (net_ads_join(c, argc, argv) == 0)
9282 return 0;
9283 diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
9284 index 22fe39e0f1c..38581a796cb 100644
9285 --- a/source3/utils/net_proto.h
9286 +++ b/source3/utils/net_proto.h
9287 @@ -423,6 +423,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv,
9288 const char *whoami, struct functable *table);
9289 void net_display_usage_from_functable(struct functable *table);
9290
9291 +void net_warn_member_options(void);
9292 +
9293 const char *net_share_type_str(int num_type);
9294
9295 NTSTATUS net_scan_dc(struct net_context *c,
9296 diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
9297 index f2d63d2af65..52c2ec37a89 100644
9298 --- a/source3/utils/net_rpc.c
9299 +++ b/source3/utils/net_rpc.c
9300 @@ -370,6 +370,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
9301 return 0;
9302 }
9303
9304 + net_warn_member_options();
9305 +
9306 mem_ctx = talloc_init("net_rpc_oldjoin");
9307 if (!mem_ctx) {
9308 return -1;
9309 @@ -489,6 +491,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
9310 return 0;
9311 }
9312
9313 + net_warn_member_options();
9314 +
9315 mem_ctx = talloc_init("net_rpc_testjoin");
9316 if (!mem_ctx) {
9317 return -1;
9318 @@ -563,6 +567,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
9319 return 0;
9320 }
9321
9322 + net_warn_member_options();
9323 +
9324 mem_ctx = talloc_init("net_rpc_join_newstyle");
9325 if (!mem_ctx) {
9326 return -1;
9327 @@ -684,6 +690,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
9328 return -1;
9329 }
9330
9331 + net_warn_member_options();
9332 +
9333 if (strlen(lp_netbios_name()) > 15) {
9334 d_printf(_("Our netbios name can be at most 15 chars long, "
9335 "\"%s\" is %u chars long\n"),
9336 @@ -814,6 +822,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv)
9337 return 0;
9338 }
9339
9340 + net_warn_member_options();
9341 +
9342 return run_rpc_command(c, NULL, &ndr_table_samr,
9343 NET_FLAGS_PDC, rpc_info_internals,
9344 argc, argv);
9345 diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
9346 index a84b4f5500e..94a8dc9defe 100644
9347 --- a/source3/utils/net_util.c
9348 +++ b/source3/utils/net_util.c
9349 @@ -29,6 +29,8 @@
9350 #include "secrets.h"
9351 #include "../libcli/security/security.h"
9352 #include "libsmb/libsmb.h"
9353 +#include "libcli/auth/netlogon_creds_cli.h"
9354 +#include "lib/param/param.h"
9355
9356 NTSTATUS net_rpc_lookup_name(struct net_context *c,
9357 TALLOC_CTX *mem_ctx, struct cli_state *cli,
9358 @@ -534,6 +536,19 @@ void net_display_usage_from_functable(struct functable *table)
9359 }
9360 }
9361
9362 +void net_warn_member_options(void)
9363 +{
9364 + TALLOC_CTX *frame = talloc_stackframe();
9365 + struct loadparm_context *lp_ctx = NULL;
9366 +
9367 + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
9368 + if (lp_ctx != NULL) {
9369 + netlogon_creds_cli_warn_options(lp_ctx);
9370 + }
9371 +
9372 + TALLOC_FREE(frame);
9373 +}
9374 +
9375 const char *net_share_type_str(int num_type)
9376 {
9377 switch(num_type) {
9378 --
9379 2.39.0
9380
9381
9382 From 9d7eba489e7f798dd3115439da1bc92a87059ce1 Mon Sep 17 00:00:00 2001
9383 From: Stefan Metzmacher <metze@samba.org>
9384 Date: Wed, 30 Nov 2022 14:59:36 +0100
9385 Subject: [PATCH 107/142] CVE-2022-38023 s3:winbindd: also allow per domain
9386 "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
9387
9388 This avoids advising insecure defaults for the global options.
9389
9390 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9391
9392 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9393 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9394 Reviewed-by: Ralph Boehme <slow@samba.org>
9395 (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
9396 ---
9397 source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++-------
9398 1 file changed, 33 insertions(+), 8 deletions(-)
9399
9400 diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
9401 index 502331f7260..1a8017cf4cc 100644
9402 --- a/source3/winbindd/winbindd_cm.c
9403 +++ b/source3/winbindd/winbindd_cm.c
9404 @@ -2734,6 +2734,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
9405 struct netlogon_creds_cli_context *p_creds;
9406 struct cli_credentials *creds = NULL;
9407 bool retry = false; /* allow one retry attempt for expired session */
9408 + bool sealed_pipes = true;
9409 + bool strong_key = true;
9410
9411 if (sid_check_is_our_sam(&domain->sid)) {
9412 if (domain->rodc == false || need_rw_dc == false) {
9413 @@ -2907,14 +2909,24 @@ retry:
9414
9415 anonymous:
9416
9417 + sealed_pipes = lp_winbind_sealed_pipes();
9418 + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
9419 + domain->name,
9420 + sealed_pipes);
9421 + strong_key = lp_require_strong_key();
9422 + strong_key = lp_parm_bool(-1, "require strong key",
9423 + domain->name,
9424 + strong_key);
9425 +
9426 /* Finally fall back to anonymous. */
9427 - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
9428 + if (sealed_pipes || strong_key) {
9429 status = NT_STATUS_DOWNGRADE_DETECTED;
9430 DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
9431 "without connection level security, "
9432 - "must set 'winbind sealed pipes = false' and "
9433 - "'require strong key = false' to proceed: %s\n",
9434 - domain->name, nt_errstr(status)));
9435 + "must set 'winbind sealed pipes:%s = false' and "
9436 + "'require strong key:%s = false' to proceed: %s\n",
9437 + domain->name, domain->name, domain->name,
9438 + nt_errstr(status)));
9439 goto done;
9440 }
9441 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
9442 @@ -3061,6 +3073,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
9443 struct netlogon_creds_cli_context *p_creds;
9444 struct cli_credentials *creds = NULL;
9445 bool retry = false; /* allow one retry attempt for expired session */
9446 + bool sealed_pipes = true;
9447 + bool strong_key = true;
9448
9449 retry:
9450 result = init_dc_connection_rpc(domain, false);
9451 @@ -3216,13 +3230,24 @@ retry:
9452 goto done;
9453 }
9454
9455 - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
9456 + sealed_pipes = lp_winbind_sealed_pipes();
9457 + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
9458 + domain->name,
9459 + sealed_pipes);
9460 + strong_key = lp_require_strong_key();
9461 + strong_key = lp_parm_bool(-1, "require strong key",
9462 + domain->name,
9463 + strong_key);
9464 +
9465 + /* Finally fall back to anonymous. */
9466 + if (sealed_pipes || strong_key) {
9467 result = NT_STATUS_DOWNGRADE_DETECTED;
9468 DEBUG(1, ("Unwilling to make LSA connection to domain %s "
9469 "without connection level security, "
9470 - "must set 'winbind sealed pipes = false' and "
9471 - "'require strong key = false' to proceed: %s\n",
9472 - domain->name, nt_errstr(result)));
9473 + "must set 'winbind sealed pipes:%s = false' and "
9474 + "'require strong key:%s = false' to proceed: %s\n",
9475 + domain->name, domain->name, domain->name,
9476 + nt_errstr(result)));
9477 goto done;
9478 }
9479
9480 --
9481 2.39.0
9482
9483
9484 From b310b2672f80a717188675b6c762d184436a190c Mon Sep 17 00:00:00 2001
9485 From: Stefan Metzmacher <metze@samba.org>
9486 Date: Thu, 24 Nov 2022 18:22:23 +0100
9487 Subject: [PATCH 108/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
9488 md5 servers' default to yes
9489
9490 AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
9491 reason to allow md5 servers by default.
9492
9493 Note the change in netlogon_creds_cli_context_global() is only cosmetic,
9494 but avoids confusion while reading the code. Check with:
9495
9496 git show -U35 libcli/auth/netlogon_creds_cli.c
9497
9498 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9499
9500 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9501 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9502 Reviewed-by: Ralph Boehme <slow@samba.org>
9503 (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
9504 ---
9505 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++--
9506 lib/param/loadparm.c | 1 +
9507 libcli/auth/netlogon_creds_cli.c | 4 ++--
9508 source3/param/loadparm.c | 1 +
9509 4 files changed, 9 insertions(+), 4 deletions(-)
9510
9511 diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9512 index 151b4676c57..3bc4eaf7b02 100644
9513 --- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9514 +++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
9515 @@ -13,10 +13,13 @@
9516 This will prevent downgrade attacks.</para>
9517
9518 <para>The behavior can be controlled per netbios domain
9519 - by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
9520 + by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
9521 +
9522 + <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
9523 + see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
9524
9525 <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
9526 </description>
9527
9528 -<value type="default">no</value>
9529 +<value type="default">yes</value>
9530 </samba:parameter>
9531 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
9532 index 4aa91f4d404..dc659a449ea 100644
9533 --- a/lib/param/loadparm.c
9534 +++ b/lib/param/loadparm.c
9535 @@ -2733,6 +2733,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
9536 lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
9537 lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
9538 lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
9539 + lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
9540 lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
9541 lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
9542 lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
9543 diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
9544 index 20a3da5060f..0558cb237a4 100644
9545 --- a/libcli/auth/netlogon_creds_cli.c
9546 +++ b/libcli/auth/netlogon_creds_cli.c
9547 @@ -340,8 +340,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
9548 const char *client_computer;
9549 uint32_t proposed_flags;
9550 uint32_t required_flags = 0;
9551 - bool reject_md5_servers = false;
9552 - bool require_strong_key = false;
9553 + bool reject_md5_servers = true;
9554 + bool require_strong_key = true;
9555 int require_sign_or_seal = true;
9556 bool seal_secure_channel = true;
9557 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
9558 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
9559 index 98e05d13d59..fbc987e119a 100644
9560 --- a/source3/param/loadparm.c
9561 +++ b/source3/param/loadparm.c
9562 @@ -657,6 +657,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
9563 Globals.client_schannel = true;
9564 Globals.winbind_sealed_pipes = true;
9565 Globals.require_strong_key = true;
9566 + Globals.reject_md5_servers = true;
9567 Globals.server_schannel = true;
9568 Globals.read_raw = true;
9569 Globals.write_raw = true;
9570 --
9571 2.39.0
9572
9573
9574 From b62fb90dd434c99131086f27cb74cf2c109fb9d2 Mon Sep 17 00:00:00 2001
9575 From: Stefan Metzmacher <metze@samba.org>
9576 Date: Tue, 6 Dec 2022 10:56:29 +0100
9577 Subject: [PATCH 109/142] CVE-2022-38023 s4:rpc_server/netlogon: 'server
9578 schannel != yes' warning to dcesrv_interface_netlogon_bind
9579
9580 This will simplify the following changes.
9581
9582 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9583
9584 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9585 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9586 Reviewed-by: Ralph Boehme <slow@samba.org>
9587 (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
9588 ---
9589 source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++--------
9590 1 file changed, 15 insertions(+), 11 deletions(-)
9591
9592 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9593 index 7668a9eb923..e7f8cd5c075 100644
9594 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9595 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9596 @@ -60,6 +60,21 @@
9597 static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
9598 const struct dcesrv_interface *iface)
9599 {
9600 + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
9601 + int schannel = lpcfg_server_schannel(lp_ctx);
9602 + bool schannel_global_required = (schannel == true);
9603 + static bool warned_global_schannel_once = false;
9604 +
9605 + if (!schannel_global_required && !warned_global_schannel_once) {
9606 + /*
9607 + * We want admins to notice their misconfiguration!
9608 + */
9609 + D_ERR("CVE-2020-1472(ZeroLogon): "
9610 + "Please configure 'server schannel = yes' (the default), "
9611 + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
9612 + warned_global_schannel_once = true;
9613 + }
9614 +
9615 return dcesrv_interface_bind_reject_connect(context, iface);
9616 }
9617
9618 @@ -629,7 +644,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9619 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
9620 uint16_t opnum = dce_call->pkt.u.request.opnum;
9621 const char *opname = "<unknown>";
9622 - static bool warned_global_once = false;
9623
9624 if (opnum < ndr_table_netlogon.num_calls) {
9625 opname = ndr_table_netlogon.calls[opnum].name;
9626 @@ -681,16 +695,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9627 return NT_STATUS_ACCESS_DENIED;
9628 }
9629
9630 - if (!schannel_global_required && !warned_global_once) {
9631 - /*
9632 - * We want admins to notice their misconfiguration!
9633 - */
9634 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9635 - "Please configure 'server schannel = yes', "
9636 - "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
9637 - warned_global_once = true;
9638 - }
9639 -
9640 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9641 DBG_ERR("CVE-2020-1472(ZeroLogon): "
9642 "%s request (opnum[%u]) WITH schannel from "
9643 --
9644 2.39.0
9645
9646
9647 From dbddee016499bddab42870226eda0b19facca936 Mon Sep 17 00:00:00 2001
9648 From: Stefan Metzmacher <metze@samba.org>
9649 Date: Mon, 12 Dec 2022 14:03:50 +0100
9650 Subject: [PATCH 110/142] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
9651 variable to dcesrv_netr_creds_server_step_check()
9652
9653 This will simplify the following changes.
9654
9655 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9656
9657 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9658 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9659 Reviewed-by: Ralph Boehme <slow@samba.org>
9660 (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
9661 ---
9662 source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++---
9663 1 file changed, 4 insertions(+), 3 deletions(-)
9664
9665 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9666 index e7f8cd5c075..bd3a36e60cc 100644
9667 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9668 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9669 @@ -635,8 +635,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9670 struct netr_Authenticator *return_authenticator,
9671 struct netlogon_creds_CredentialState **creds_out)
9672 {
9673 + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
9674 NTSTATUS nt_status;
9675 - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
9676 + int schannel = lpcfg_server_schannel(lp_ctx);
9677 bool schannel_global_required = (schannel == true);
9678 bool schannel_required = schannel_global_required;
9679 const char *explicit_opt = NULL;
9680 @@ -652,7 +653,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9681 dcesrv_call_auth_info(dce_call, &auth_type, NULL);
9682
9683 nt_status = schannel_check_creds_state(mem_ctx,
9684 - dce_call->conn->dce_ctx->lp_ctx,
9685 + lp_ctx,
9686 computer_name,
9687 received_authenticator,
9688 return_authenticator,
9689 @@ -667,7 +668,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9690 * need the explicit_opt pointer in order to
9691 * adjust the debug messages.
9692 */
9693 - explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
9694 + explicit_opt = lpcfg_get_parametric(lp_ctx,
9695 NULL,
9696 "server require schannel",
9697 creds->account_name);
9698 --
9699 2.39.0
9700
9701
9702 From da1c4d9055c0b7fcb5e6952e3e63c7089b2b0432 Mon Sep 17 00:00:00 2001
9703 From: Stefan Metzmacher <metze@samba.org>
9704 Date: Mon, 12 Dec 2022 14:03:50 +0100
9705 Subject: [PATCH 111/142] CVE-2022-38023 s4:rpc_server/netlogon: add
9706 talloc_stackframe() to dcesrv_netr_creds_server_step_check()
9707
9708 This will simplify the following changes.
9709
9710 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9711
9712 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9713 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9714 Reviewed-by: Ralph Boehme <slow@samba.org>
9715 (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
9716 ---
9717 source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++--------
9718 1 file changed, 19 insertions(+), 13 deletions(-)
9719
9720 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9721 index bd3a36e60cc..b842fa6a556 100644
9722 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9723 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9724 @@ -636,6 +636,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9725 struct netlogon_creds_CredentialState **creds_out)
9726 {
9727 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
9728 + TALLOC_CTX *frame = talloc_stackframe();
9729 NTSTATUS nt_status;
9730 int schannel = lpcfg_server_schannel(lp_ctx);
9731 bool schannel_global_required = (schannel == true);
9732 @@ -679,6 +680,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9733 if (schannel_required) {
9734 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9735 *creds_out = creds;
9736 + TALLOC_FREE(frame);
9737 return NT_STATUS_OK;
9738 }
9739
9740 @@ -686,13 +688,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9741 "%s request (opnum[%u]) without schannel from "
9742 "client_account[%s] client_computer_name[%s]\n",
9743 opname, opnum,
9744 - log_escape(mem_ctx, creds->account_name),
9745 - log_escape(mem_ctx, creds->computer_name));
9746 + log_escape(frame, creds->account_name),
9747 + log_escape(frame, creds->computer_name));
9748 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
9749 - "'server require schannel:%s = no' is needed! \n",
9750 - log_escape(mem_ctx, creds->account_name));
9751 + "'server require schannel:%s = no' "
9752 + "might be needed for a legacy client.\n",
9753 + log_escape(frame, creds->account_name));
9754 TALLOC_FREE(creds);
9755 ZERO_STRUCTP(return_authenticator);
9756 + TALLOC_FREE(frame);
9757 return NT_STATUS_ACCESS_DENIED;
9758 }
9759
9760 @@ -701,13 +705,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9761 "%s request (opnum[%u]) WITH schannel from "
9762 "client_account[%s] client_computer_name[%s]\n",
9763 opname, opnum,
9764 - log_escape(mem_ctx, creds->account_name),
9765 - log_escape(mem_ctx, creds->computer_name));
9766 + log_escape(frame, creds->account_name),
9767 + log_escape(frame, creds->computer_name));
9768 DBG_ERR("CVE-2020-1472(ZeroLogon): "
9769 "Option 'server require schannel:%s = no' not needed!?\n",
9770 - log_escape(mem_ctx, creds->account_name));
9771 + log_escape(frame, creds->account_name));
9772
9773 *creds_out = creds;
9774 + TALLOC_FREE(frame);
9775 return NT_STATUS_OK;
9776 }
9777
9778 @@ -717,24 +722,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9779 "%s request (opnum[%u]) without schannel from "
9780 "client_account[%s] client_computer_name[%s]\n",
9781 opname, opnum,
9782 - log_escape(mem_ctx, creds->account_name),
9783 - log_escape(mem_ctx, creds->computer_name));
9784 + log_escape(frame, creds->account_name),
9785 + log_escape(frame, creds->computer_name));
9786 DBG_INFO("CVE-2020-1472(ZeroLogon): "
9787 "Option 'server require schannel:%s = no' still needed!\n",
9788 - log_escape(mem_ctx, creds->account_name));
9789 + log_escape(frame, creds->account_name));
9790 } else {
9791 DBG_ERR("CVE-2020-1472(ZeroLogon): "
9792 "%s request (opnum[%u]) without schannel from "
9793 "client_account[%s] client_computer_name[%s]\n",
9794 opname, opnum,
9795 - log_escape(mem_ctx, creds->account_name),
9796 - log_escape(mem_ctx, creds->computer_name));
9797 + log_escape(frame, creds->account_name),
9798 + log_escape(frame, creds->computer_name));
9799 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
9800 "'server require schannel:%s = no' might be needed!\n",
9801 - log_escape(mem_ctx, creds->account_name));
9802 + log_escape(frame, creds->account_name));
9803 }
9804
9805 *creds_out = creds;
9806 + TALLOC_FREE(frame);
9807 return NT_STATUS_OK;
9808 }
9809
9810 --
9811 2.39.0
9812
9813
9814 From 01d4d64eaca505da9c542f2149c0bd362ad180d1 Mon Sep 17 00:00:00 2001
9815 From: Stefan Metzmacher <metze@samba.org>
9816 Date: Wed, 30 Nov 2022 12:37:03 +0100
9817 Subject: [PATCH 112/142] CVE-2022-38023 s4:rpc_server/netlogon: re-order
9818 checking in dcesrv_netr_creds_server_step_check()
9819
9820 This will simplify the following changes.
9821
9822 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9823
9824 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9825 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9826 Reviewed-by: Ralph Boehme <slow@samba.org>
9827 (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
9828 ---
9829 source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++----------
9830 1 file changed, 19 insertions(+), 22 deletions(-)
9831
9832 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9833 index b842fa6a556..9b3a933abca 100644
9834 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9835 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9836 @@ -677,13 +677,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9837 schannel_required = lp_bool(explicit_opt);
9838 }
9839
9840 - if (schannel_required) {
9841 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9842 - *creds_out = creds;
9843 - TALLOC_FREE(frame);
9844 - return NT_STATUS_OK;
9845 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9846 + if (!schannel_required) {
9847 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
9848 + "%s request (opnum[%u]) WITH schannel from "
9849 + "client_account[%s] client_computer_name[%s]\n",
9850 + opname, opnum,
9851 + log_escape(frame, creds->account_name),
9852 + log_escape(frame, creds->computer_name));
9853 + }
9854 + if (explicit_opt != NULL && !schannel_required) {
9855 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
9856 + "Option 'server require schannel:%s = no' not needed!?\n",
9857 + log_escape(frame, creds->account_name));
9858 }
9859
9860 + *creds_out = creds;
9861 + TALLOC_FREE(frame);
9862 + return NT_STATUS_OK;
9863 + }
9864 +
9865 + if (schannel_required) {
9866 DBG_ERR("CVE-2020-1472(ZeroLogon): "
9867 "%s request (opnum[%u]) without schannel from "
9868 "client_account[%s] client_computer_name[%s]\n",
9869 @@ -700,23 +714,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9870 return NT_STATUS_ACCESS_DENIED;
9871 }
9872
9873 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9874 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9875 - "%s request (opnum[%u]) WITH schannel from "
9876 - "client_account[%s] client_computer_name[%s]\n",
9877 - opname, opnum,
9878 - log_escape(frame, creds->account_name),
9879 - log_escape(frame, creds->computer_name));
9880 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9881 - "Option 'server require schannel:%s = no' not needed!?\n",
9882 - log_escape(frame, creds->account_name));
9883 -
9884 - *creds_out = creds;
9885 - TALLOC_FREE(frame);
9886 - return NT_STATUS_OK;
9887 - }
9888 -
9889 -
9890 if (explicit_opt != NULL) {
9891 DBG_INFO("CVE-2020-1472(ZeroLogon): "
9892 "%s request (opnum[%u]) without schannel from "
9893 --
9894 2.39.0
9895
9896
9897 From 90531a4cb89b0d390261de1920f17a8ea7a9cbcb Mon Sep 17 00:00:00 2001
9898 From: Stefan Metzmacher <metze@samba.org>
9899 Date: Wed, 30 Nov 2022 12:37:03 +0100
9900 Subject: [PATCH 113/142] CVE-2022-38023 s4:rpc_server/netlogon: improve
9901 CVE-2020-1472(ZeroLogon) debug messages
9902
9903 In order to avoid generating useless debug messages during make test,
9904 we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
9905 and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
9906
9907 Review with: git show -w
9908
9909 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
9910
9911 Signed-off-by: Stefan Metzmacher <metze@samba.org>
9912 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9913 Reviewed-by: Ralph Boehme <slow@samba.org>
9914 (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
9915 ---
9916 source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++-----
9917 1 file changed, 106 insertions(+), 41 deletions(-)
9918
9919 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9920 index 9b3a933abca..8084061aabc 100644
9921 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
9922 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
9923 @@ -643,15 +643,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9924 bool schannel_required = schannel_global_required;
9925 const char *explicit_opt = NULL;
9926 struct netlogon_creds_CredentialState *creds = NULL;
9927 + int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
9928 + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
9929 + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
9930 + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
9931 + unsigned int dbg_lvl = DBGLVL_DEBUG;
9932 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
9933 + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
9934 uint16_t opnum = dce_call->pkt.u.request.opnum;
9935 const char *opname = "<unknown>";
9936 + const char *reason = "<unknown>";
9937
9938 if (opnum < ndr_table_netlogon.num_calls) {
9939 opname = ndr_table_netlogon.calls[opnum].name;
9940 }
9941
9942 - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
9943 + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
9944 +
9945 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9946 + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
9947 + reason = "WITH SEALED";
9948 + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
9949 + reason = "WITH SIGNED";
9950 + } else {
9951 + smb_panic("Schannel without SIGN/SEAL");
9952 + }
9953 + } else {
9954 + reason = "WITHOUT";
9955 + }
9956
9957 nt_status = schannel_check_creds_state(mem_ctx,
9958 lp_ctx,
9959 @@ -678,62 +697,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
9960 }
9961
9962 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
9963 - if (!schannel_required) {
9964 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9965 - "%s request (opnum[%u]) WITH schannel from "
9966 - "client_account[%s] client_computer_name[%s]\n",
9967 - opname, opnum,
9968 - log_escape(frame, creds->account_name),
9969 - log_escape(frame, creds->computer_name));
9970 + nt_status = NT_STATUS_OK;
9971 +
9972 + if (explicit_opt != NULL && !schannel_required) {
9973 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
9974 + } else if (!schannel_required) {
9975 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
9976 }
9977 +
9978 + DEBUG(dbg_lvl, (
9979 + "CVE-2020-1472(ZeroLogon): "
9980 + "%s request (opnum[%u]) %s schannel from "
9981 + "client_account[%s] client_computer_name[%s] %s\n",
9982 + opname, opnum, reason,
9983 + log_escape(frame, creds->account_name),
9984 + log_escape(frame, creds->computer_name),
9985 + nt_errstr(nt_status)));
9986 +
9987 if (explicit_opt != NULL && !schannel_required) {
9988 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
9989 - "Option 'server require schannel:%s = no' not needed!?\n",
9990 - log_escape(frame, creds->account_name));
9991 + DEBUG(CVE_2020_1472_warn_level, (
9992 + "CVE-2020-1472(ZeroLogon): "
9993 + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
9994 + log_escape(frame, creds->account_name),
9995 + log_escape(frame, creds->computer_name)));
9996 }
9997
9998 *creds_out = creds;
9999 TALLOC_FREE(frame);
10000 - return NT_STATUS_OK;
10001 + return nt_status;
10002 }
10003
10004 if (schannel_required) {
10005 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
10006 - "%s request (opnum[%u]) without schannel from "
10007 - "client_account[%s] client_computer_name[%s]\n",
10008 - opname, opnum,
10009 - log_escape(frame, creds->account_name),
10010 - log_escape(frame, creds->computer_name));
10011 - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
10012 - "'server require schannel:%s = no' "
10013 - "might be needed for a legacy client.\n",
10014 - log_escape(frame, creds->account_name));
10015 + nt_status = NT_STATUS_ACCESS_DENIED;
10016 +
10017 + if (explicit_opt != NULL) {
10018 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
10019 + } else {
10020 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
10021 + }
10022 +
10023 + DEBUG(dbg_lvl, (
10024 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
10025 + "%s request (opnum[%u]) %s schannel from "
10026 + "client_account[%s] client_computer_name[%s] %s\n",
10027 + opname, opnum, reason,
10028 + log_escape(frame, creds->account_name),
10029 + log_escape(frame, creds->computer_name),
10030 + nt_errstr(nt_status)));
10031 + if (explicit_opt != NULL) {
10032 + D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
10033 + "'server require schannel:%s = yes' "
10034 + "rejects access for client.\n",
10035 + log_escape(frame, creds->account_name));
10036 + } else {
10037 + DEBUG(CVE_2020_1472_error_level, (
10038 + "CVE-2020-1472(ZeroLogon): Check if option "
10039 + "'server require schannel:%s = no' "
10040 + "might be needed for a legacy client.\n",
10041 + log_escape(frame, creds->account_name)));
10042 + }
10043 TALLOC_FREE(creds);
10044 ZERO_STRUCTP(return_authenticator);
10045 TALLOC_FREE(frame);
10046 - return NT_STATUS_ACCESS_DENIED;
10047 + return nt_status;
10048 }
10049
10050 + nt_status = NT_STATUS_OK;
10051 +
10052 if (explicit_opt != NULL) {
10053 - DBG_INFO("CVE-2020-1472(ZeroLogon): "
10054 - "%s request (opnum[%u]) without schannel from "
10055 - "client_account[%s] client_computer_name[%s]\n",
10056 - opname, opnum,
10057 - log_escape(frame, creds->account_name),
10058 - log_escape(frame, creds->computer_name));
10059 - DBG_INFO("CVE-2020-1472(ZeroLogon): "
10060 - "Option 'server require schannel:%s = no' still needed!\n",
10061 - log_escape(frame, creds->account_name));
10062 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
10063 } else {
10064 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
10065 - "%s request (opnum[%u]) without schannel from "
10066 - "client_account[%s] client_computer_name[%s]\n",
10067 - opname, opnum,
10068 - log_escape(frame, creds->account_name),
10069 - log_escape(frame, creds->computer_name));
10070 - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
10071 - "'server require schannel:%s = no' might be needed!\n",
10072 - log_escape(frame, creds->account_name));
10073 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
10074 + }
10075 +
10076 + DEBUG(dbg_lvl, (
10077 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
10078 + "%s request (opnum[%u]) %s schannel from "
10079 + "client_account[%s] client_computer_name[%s] %s\n",
10080 + opname, opnum, reason,
10081 + log_escape(frame, creds->account_name),
10082 + log_escape(frame, creds->computer_name),
10083 + nt_errstr(nt_status)));
10084 +
10085 + if (explicit_opt != NULL) {
10086 + D_INFO("CVE-2020-1472(ZeroLogon): Option "
10087 + "'server require schannel:%s = no' "
10088 + "still needed for '%s'!\n",
10089 + log_escape(frame, creds->account_name),
10090 + log_escape(frame, creds->computer_name));
10091 + } else {
10092 + /*
10093 + * admins should set
10094 + * server require schannel:COMPUTER$ = no
10095 + * in order to avoid the level 0 messages.
10096 + * Over time they can switch the global value
10097 + * to be strict.
10098 + */
10099 + DEBUG(CVE_2020_1472_error_level, (
10100 + "CVE-2020-1472(ZeroLogon): "
10101 + "Please use 'server require schannel:%s = no' "
10102 + "for '%s' to avoid this warning!\n",
10103 + log_escape(frame, creds->account_name),
10104 + log_escape(frame, creds->computer_name)));
10105 }
10106
10107 *creds_out = creds;
10108 --
10109 2.39.0
10110
10111
10112 From 2ea49737a5cac8ead895da30d40f18019103b285 Mon Sep 17 00:00:00 2001
10113 From: Stefan Metzmacher <metze@samba.org>
10114 Date: Wed, 30 Nov 2022 12:26:01 +0100
10115 Subject: [PATCH 114/142] CVE-2022-38023 selftest:Samba4: avoid global 'server
10116 schannel = auto'
10117
10118 Instead of using the generic deprecated option use the specific
10119 server require schannel:COMPUTERACCOUNT = no in order to allow
10120 legacy tests for pass.
10121
10122 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10123
10124 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10125 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10126 Reviewed-by: Ralph Boehme <slow@samba.org>
10127 (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
10128 ---
10129 selftest/target/Samba4.pm | 37 ++++++++++++++++++++++++++++++++++---
10130 1 file changed, 34 insertions(+), 3 deletions(-)
10131
10132 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
10133 index 0f644661176..8dad74cae43 100755
10134 --- a/selftest/target/Samba4.pm
10135 +++ b/selftest/target/Samba4.pm
10136 @@ -1708,7 +1708,24 @@ sub provision_ad_dc_ntvfs($$)
10137 dsdb event notification = true
10138 dsdb password event notification = true
10139 dsdb group change notification = true
10140 - server schannel = auto
10141 +
10142 + CVE_2020_1472:warn_about_unused_debug_level = 3
10143 + server require schannel:schannel0\$ = no
10144 + server require schannel:schannel1\$ = no
10145 + server require schannel:schannel2\$ = no
10146 + server require schannel:schannel3\$ = no
10147 + server require schannel:schannel4\$ = no
10148 + server require schannel:schannel5\$ = no
10149 + server require schannel:schannel6\$ = no
10150 + server require schannel:schannel7\$ = no
10151 + server require schannel:schannel8\$ = no
10152 + server require schannel:schannel9\$ = no
10153 + server require schannel:schannel10\$ = no
10154 + server require schannel:schannel11\$ = no
10155 + server require schannel:torturetest\$ = no
10156 +
10157 + # needed for 'samba.tests.auth_log' tests
10158 + server require schannel:LOCALDC\$ = no
10159 ";
10160 my $extra_provision_options = ["--use-ntvfs"];
10161 my $ret = $self->provision($prefix,
10162 @@ -2085,8 +2102,22 @@ sub provision_ad_dc($$$$$$)
10163 lpq cache time = 0
10164 print notify backchannel = yes
10165
10166 - server schannel = auto
10167 - auth event notification = true
10168 + CVE_2020_1472:warn_about_unused_debug_level = 3
10169 + server require schannel:schannel0\$ = no
10170 + server require schannel:schannel1\$ = no
10171 + server require schannel:schannel2\$ = no
10172 + server require schannel:schannel3\$ = no
10173 + server require schannel:schannel4\$ = no
10174 + server require schannel:schannel5\$ = no
10175 + server require schannel:schannel6\$ = no
10176 + server require schannel:schannel7\$ = no
10177 + server require schannel:schannel8\$ = no
10178 + server require schannel:schannel9\$ = no
10179 + server require schannel:schannel10\$ = no
10180 + server require schannel:schannel11\$ = no
10181 + server require schannel:torturetest\$ = no
10182 +
10183 + auth event notification = true
10184 dsdb event notification = true
10185 dsdb password event notification = true
10186 dsdb group change notification = true
10187 --
10188 2.39.0
10189
10190
10191 From a9ad04a6a886c4f17120fcf585bba7b979752d3c Mon Sep 17 00:00:00 2001
10192 From: Stefan Metzmacher <metze@samba.org>
10193 Date: Mon, 28 Nov 2022 15:02:13 +0100
10194 Subject: [PATCH 115/142] CVE-2022-38023 s4:torture: use
10195 NETLOGON_NEG_SUPPORTS_AES by default
10196
10197 For generic tests we should use the best available features.
10198
10199 And AES will be required by default soon.
10200
10201 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10202
10203 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10204 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10205 Reviewed-by: Ralph Boehme <slow@samba.org>
10206 (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
10207 ---
10208 source4/torture/ntp/ntp_signd.c | 2 +-
10209 source4/torture/rpc/lsa.c | 4 ++--
10210 source4/torture/rpc/netlogon.c | 18 +++++++++---------
10211 source4/torture/rpc/samba3rpc.c | 15 ++++++++++++---
10212 4 files changed, 24 insertions(+), 15 deletions(-)
10213
10214 diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
10215 index d2a41819fcf..66f2b8956a2 100644
10216 --- a/source4/torture/ntp/ntp_signd.c
10217 +++ b/source4/torture/ntp/ntp_signd.c
10218 @@ -68,7 +68,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
10219 uint32_t rid;
10220 const char *machine_name;
10221 const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
10222 - uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10223 + uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10224
10225 struct sign_request sign_req;
10226 struct signed_reply signed_reply;
10227 diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
10228 index 7bdc0cf679a..52e220ce225 100644
10229 --- a/source4/torture/rpc/lsa.c
10230 +++ b/source4/torture/rpc/lsa.c
10231 @@ -4260,7 +4260,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
10232 torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
10233
10234 ok = check_pw_with_ServerAuthenticate3(p1, tctx,
10235 - NETLOGON_NEG_AUTH2_ADS_FLAGS,
10236 + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10237 server_name,
10238 incoming_creds, &creds);
10239 torture_assert_int_equal(tctx, ok, expected_result,
10240 @@ -4357,7 +4357,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
10241 torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
10242
10243 ok = check_pw_with_ServerAuthenticate3(p2, tctx,
10244 - NETLOGON_NEG_AUTH2_ADS_FLAGS,
10245 + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10246 server_name,
10247 incoming_creds, &creds);
10248 torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
10249 diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
10250 index 97c16688bc9..1fceeae88cc 100644
10251 --- a/source4/torture/rpc/netlogon.c
10252 +++ b/source4/torture/rpc/netlogon.c
10253 @@ -189,7 +189,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
10254
10255 /* This allows the tests to continue against the more fussy windows 2008 */
10256 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
10257 - return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10258 + return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10259 credentials,
10260 cli_credentials_get_secure_channel_type(credentials),
10261 creds_out);
10262 @@ -423,7 +423,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
10263 "ServerAuthenticate3 failed");
10264 torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
10265
10266 - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10267 + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10268 creds = netlogon_creds_client_init(tctx, a.in.account_name,
10269 a.in.computer_name,
10270 a.in.secure_channel_type,
10271 @@ -490,7 +490,7 @@ static bool test_ServerReqChallenge(
10272 const char *machine_name;
10273 struct dcerpc_binding_handle *b = p->binding_handle;
10274 struct netr_ServerAuthenticate2 a;
10275 - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10276 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10277 uint32_t out_negotiate_flags = 0;
10278 const struct samr_Password *mach_password = NULL;
10279 enum netr_SchannelType sec_chan_type = 0;
10280 @@ -562,7 +562,7 @@ static bool test_ServerReqChallenge_zero_challenge(
10281 const char *machine_name;
10282 struct dcerpc_binding_handle *b = p->binding_handle;
10283 struct netr_ServerAuthenticate2 a;
10284 - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10285 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10286 uint32_t out_negotiate_flags = 0;
10287 const struct samr_Password *mach_password = NULL;
10288 enum netr_SchannelType sec_chan_type = 0;
10289 @@ -639,7 +639,7 @@ static bool test_ServerReqChallenge_5_repeats(
10290 const char *machine_name;
10291 struct dcerpc_binding_handle *b = p->binding_handle;
10292 struct netr_ServerAuthenticate2 a;
10293 - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10294 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10295 uint32_t out_negotiate_flags = 0;
10296 const struct samr_Password *mach_password = NULL;
10297 enum netr_SchannelType sec_chan_type = 0;
10298 @@ -723,7 +723,7 @@ static bool test_ServerReqChallenge_4_repeats(
10299 const char *machine_name;
10300 struct dcerpc_binding_handle *b = p->binding_handle;
10301 struct netr_ServerAuthenticate2 a;
10302 - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10303 + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10304 uint32_t out_negotiate_flags = 0;
10305 const struct samr_Password *mach_password = NULL;
10306 enum netr_SchannelType sec_chan_type = 0;
10307 @@ -3459,7 +3459,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
10308 struct dcerpc_pipe *p = NULL;
10309 struct dcerpc_binding_handle *b = NULL;
10310
10311 - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10312 + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10313 machine_credentials, &creds)) {
10314 return false;
10315 }
10316 @@ -4398,7 +4398,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
10317
10318 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
10319
10320 - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10321 + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10322 machine_credentials, &creds)) {
10323 return false;
10324 }
10325 @@ -4973,7 +4973,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
10326
10327 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
10328
10329 - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
10330 + if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
10331 machine_credentials, &creds)) {
10332 return false;
10333 }
10334 diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
10335 index 9cd479c9baf..6fc4ed326d2 100644
10336 --- a/source4/torture/rpc/samba3rpc.c
10337 +++ b/source4/torture/rpc/samba3rpc.c
10338 @@ -1074,7 +1074,7 @@ static bool auth2(struct torture_context *tctx,
10339 goto done;
10340 }
10341
10342 - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
10343 + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
10344 E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
10345
10346 a.in.server_name = talloc_asprintf(
10347 @@ -1264,10 +1264,19 @@ static bool schan(struct torture_context *tctx,
10348 E_md4hash(cli_credentials_get_password(user_creds),
10349 pinfo.ntpassword.hash);
10350
10351 - netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
10352 -
10353 logon.password = &pinfo;
10354
10355 + /*
10356 + * We don't use this here:
10357 + *
10358 + * netlogon_creds_encrypt_samlogon_logon(creds_state,
10359 + * NetlogonInteractiveInformation,
10360 + * &logon);
10361 + *
10362 + * in order to detect bugs
10363 + */
10364 + netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
10365 +
10366 r.in.logon_level = NetlogonInteractiveInformation;
10367 r.in.logon = &logon;
10368 r.out.return_authenticator = &return_authenticator;
10369 --
10370 2.39.0
10371
10372
10373 From 6088b76def86b8f56511707c69b6cdd016722715 Mon Sep 17 00:00:00 2001
10374 From: Stefan Metzmacher <metze@samba.org>
10375 Date: Fri, 25 Nov 2022 09:54:17 +0100
10376 Subject: [PATCH 116/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
10377 dcesrv_netr_ServerAuthenticate3_check_downgrade()
10378
10379 We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
10380 which means we'll need the downgrade detection in more places.
10381
10382 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10383
10384 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10385 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10386 Reviewed-by: Ralph Boehme <slow@samba.org>
10387 (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
10388 ---
10389 source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++--------
10390 1 file changed, 67 insertions(+), 47 deletions(-)
10391
10392 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10393 index 8084061aabc..6a00fe4efcf 100644
10394 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10395 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10396 @@ -128,6 +128,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
10397 return NT_STATUS_OK;
10398 }
10399
10400 +static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
10401 + struct dcesrv_call_state *dce_call,
10402 + struct netr_ServerAuthenticate3 *r,
10403 + struct netlogon_server_pipe_state *pipe_state,
10404 + uint32_t negotiate_flags,
10405 + NTSTATUS orig_status)
10406 +{
10407 + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
10408 + bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10409 + bool reject_des_client = !allow_nt4_crypto;
10410 + bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10411 +
10412 + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10413 + reject_des_client = false;
10414 + }
10415 +
10416 + if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
10417 + reject_des_client = false;
10418 + reject_md5_client = false;
10419 + }
10420 +
10421 + if (reject_des_client || reject_md5_client) {
10422 + /*
10423 + * Here we match Windows 2012 and return no flags.
10424 + */
10425 + *r->out.negotiate_flags = 0;
10426 + return NT_STATUS_DOWNGRADE_DETECTED;
10427 + }
10428 +
10429 + /*
10430 + * This talloc_free is important to prevent re-use of the
10431 + * challenge. We have to delay it this far due to NETApp
10432 + * servers per:
10433 + * https://bugzilla.samba.org/show_bug.cgi?id=11291
10434 + */
10435 + TALLOC_FREE(pipe_state);
10436 +
10437 + /*
10438 + * At this point we must also cleanup the TDB cache
10439 + * entry, if we fail the client needs to call
10440 + * netr_ServerReqChallenge again.
10441 + *
10442 + * Note: this handles a non existing record just fine,
10443 + * the r->in.computer_name might not be the one used
10444 + * in netr_ServerReqChallenge(), but we are trying to
10445 + * just tidy up the normal case to prevent re-use.
10446 + */
10447 + schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
10448 + r->in.computer_name);
10449 +
10450 + /*
10451 + * According to Microsoft (see bugid #6099)
10452 + * Windows 7 looks at the negotiate_flags
10453 + * returned in this structure *even if the
10454 + * call fails with access denied!
10455 + */
10456 + *r->out.negotiate_flags = negotiate_flags;
10457 +
10458 + return orig_status;
10459 +}
10460 +
10461 /*
10462 * Do the actual processing of a netr_ServerAuthenticate3 message.
10463 * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
10464 @@ -155,11 +216,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10465 "objectSid", "samAccountName", NULL};
10466 uint32_t server_flags = 0;
10467 uint32_t negotiate_flags = 0;
10468 - bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
10469 - bool reject_des_client = !allow_nt4_crypto;
10470 - bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
10471
10472 ZERO_STRUCTP(r->out.return_credentials);
10473 + *r->out.negotiate_flags = 0;
10474 *r->out.rid = 0;
10475
10476 pipe_state = dcesrv_iface_state_find_conn(dce_call,
10477 @@ -238,52 +297,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10478
10479 negotiate_flags = *r->in.negotiate_flags & server_flags;
10480
10481 - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10482 - reject_des_client = false;
10483 - }
10484 -
10485 - if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
10486 - reject_des_client = false;
10487 - reject_md5_client = false;
10488 - }
10489 -
10490 - if (reject_des_client || reject_md5_client) {
10491 - /*
10492 - * Here we match Windows 2012 and return no flags.
10493 - */
10494 - *r->out.negotiate_flags = 0;
10495 - return NT_STATUS_DOWNGRADE_DETECTED;
10496 + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10497 + dce_call, r, pipe_state, negotiate_flags,
10498 + NT_STATUS_OK);
10499 + if (!NT_STATUS_IS_OK(nt_status)) {
10500 + return nt_status;
10501 }
10502
10503 - /*
10504 - * This talloc_free is important to prevent re-use of the
10505 - * challenge. We have to delay it this far due to NETApp
10506 - * servers per:
10507 - * https://bugzilla.samba.org/show_bug.cgi?id=11291
10508 - */
10509 - TALLOC_FREE(pipe_state);
10510 -
10511 - /*
10512 - * At this point we must also cleanup the TDB cache
10513 - * entry, if we fail the client needs to call
10514 - * netr_ServerReqChallenge again.
10515 - *
10516 - * Note: this handles a non existing record just fine,
10517 - * the r->in.computer_name might not be the one used
10518 - * in netr_ServerReqChallenge(), but we are trying to
10519 - * just tidy up the normal case to prevent re-use.
10520 - */
10521 - schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
10522 - r->in.computer_name);
10523 -
10524 - /*
10525 - * According to Microsoft (see bugid #6099)
10526 - * Windows 7 looks at the negotiate_flags
10527 - * returned in this structure *even if the
10528 - * call fails with access denied!
10529 - */
10530 - *r->out.negotiate_flags = negotiate_flags;
10531 -
10532 switch (r->in.secure_channel_type) {
10533 case SEC_CHAN_WKSTA:
10534 case SEC_CHAN_DNS_DOMAIN:
10535 --
10536 2.39.0
10537
10538
10539 From 3e43111a1417414b545fcc46a72e701cf6e71c59 Mon Sep 17 00:00:00 2001
10540 From: Stefan Metzmacher <metze@samba.org>
10541 Date: Thu, 24 Nov 2022 18:26:18 +0100
10542 Subject: [PATCH 117/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
10543 md5 clients' default to yes
10544
10545 AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
10546 so there's no reason to allow md5 clients by default.
10547 However some third party domain members may need it.
10548
10549 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10550
10551 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10552 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10553 Reviewed-by: Ralph Boehme <slow@samba.org>
10554 (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
10555 ---
10556 docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++---
10557 lib/param/loadparm.c | 1 +
10558 selftest/target/Samba4.pm | 4 ++++
10559 source3/param/loadparm.c | 1 +
10560 4 files changed, 14 insertions(+), 3 deletions(-)
10561
10562 diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10563 index 0bb9f6f6c8e..edcbe02e99a 100644
10564 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10565 +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
10566 @@ -7,11 +7,16 @@
10567 only in 'active directory domain controller' mode), will
10568 reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
10569
10570 - <para>You can set this to yes if all domain members support aes.
10571 - This will prevent downgrade attacks.</para>
10572 + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
10573 + starting with Server 2008R2 and Windows 7, it's available in Samba
10574 + starting with 4.0, however third party domain members like NetApp ONTAP
10575 + still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
10576 +
10577 + <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
10578 + see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
10579
10580 <para>This option overrides the 'allow nt4 crypto' option.</para>
10581 </description>
10582
10583 -<value type="default">no</value>
10584 +<value type="default">yes</value>
10585 </samba:parameter>
10586 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
10587 index dc659a449ea..77a80176f7d 100644
10588 --- a/lib/param/loadparm.c
10589 +++ b/lib/param/loadparm.c
10590 @@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
10591 lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
10592
10593 lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
10594 + lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
10595
10596 lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
10597
10598 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
10599 index 8dad74cae43..7e3d7c9de8e 100755
10600 --- a/selftest/target/Samba4.pm
10601 +++ b/selftest/target/Samba4.pm
10602 @@ -1709,6 +1709,8 @@ sub provision_ad_dc_ntvfs($$)
10603 dsdb password event notification = true
10604 dsdb group change notification = true
10605
10606 + reject md5 clients = no
10607 +
10608 CVE_2020_1472:warn_about_unused_debug_level = 3
10609 server require schannel:schannel0\$ = no
10610 server require schannel:schannel1\$ = no
10611 @@ -2102,6 +2104,8 @@ sub provision_ad_dc($$$$$$)
10612 lpq cache time = 0
10613 print notify backchannel = yes
10614
10615 + reject md5 clients = no
10616 +
10617 CVE_2020_1472:warn_about_unused_debug_level = 3
10618 server require schannel:schannel0\$ = no
10619 server require schannel:schannel1\$ = no
10620 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
10621 index fbc987e119a..1cf468b1009 100644
10622 --- a/source3/param/loadparm.c
10623 +++ b/source3/param/loadparm.c
10624 @@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
10625 Globals.require_strong_key = true;
10626 Globals.reject_md5_servers = true;
10627 Globals.server_schannel = true;
10628 + Globals.reject_md5_clients = true;
10629 Globals.read_raw = true;
10630 Globals.write_raw = true;
10631 Globals.null_passwords = false;
10632 --
10633 2.39.0
10634
10635
10636 From 886878d18d22eb4a2f3b63663e0ffe284ed9788b Mon Sep 17 00:00:00 2001
10637 From: Stefan Metzmacher <metze@samba.org>
10638 Date: Fri, 25 Nov 2022 10:31:08 +0100
10639 Subject: [PATCH 118/142] CVE-2022-38023 s4:rpc_server/netlogon: defer
10640 downgrade check until we found the account in our SAM
10641
10642 We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
10643 which means we'll need use the account name from our SAM.
10644
10645 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10646
10647 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10648 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10649 Reviewed-by: Ralph Boehme <slow@samba.org>
10650 (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
10651 ---
10652 source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------
10653 1 file changed, 53 insertions(+), 23 deletions(-)
10654
10655 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10656 index 6a00fe4efcf..1c180343252 100644
10657 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10658 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10659 @@ -297,13 +297,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10660
10661 negotiate_flags = *r->in.negotiate_flags & server_flags;
10662
10663 - nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10664 - dce_call, r, pipe_state, negotiate_flags,
10665 - NT_STATUS_OK);
10666 - if (!NT_STATUS_IS_OK(nt_status)) {
10667 - return nt_status;
10668 - }
10669 -
10670 switch (r->in.secure_channel_type) {
10671 case SEC_CHAN_WKSTA:
10672 case SEC_CHAN_DNS_DOMAIN:
10673 @@ -312,11 +305,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10674 case SEC_CHAN_RODC:
10675 break;
10676 case SEC_CHAN_NULL:
10677 - return NT_STATUS_INVALID_PARAMETER;
10678 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10679 + dce_call, r, pipe_state, negotiate_flags,
10680 + NT_STATUS_INVALID_PARAMETER);
10681 default:
10682 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
10683 r->in.secure_channel_type));
10684 - return NT_STATUS_INVALID_PARAMETER;
10685 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10686 + dce_call, r, pipe_state, negotiate_flags,
10687 + NT_STATUS_INVALID_PARAMETER);
10688 }
10689
10690 sam_ctx = samdb_connect(mem_ctx,
10691 @@ -326,7 +323,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10692 dce_call->conn->remote_address,
10693 0);
10694 if (sam_ctx == NULL) {
10695 - return NT_STATUS_INVALID_SYSTEM_SERVICE;
10696 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10697 + dce_call, r, pipe_state, negotiate_flags,
10698 + NT_STATUS_INVALID_SYSTEM_SERVICE);
10699 }
10700
10701 if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
10702 @@ -355,16 +354,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10703 encoded_name = ldb_binary_encode_string(mem_ctx,
10704 r->in.account_name);
10705 if (encoded_name == NULL) {
10706 - return NT_STATUS_NO_MEMORY;
10707 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10708 + dce_call, r, pipe_state, negotiate_flags,
10709 + NT_STATUS_NO_MEMORY);
10710 }
10711
10712 len = strlen(encoded_name);
10713 if (len < 2) {
10714 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10715 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10716 + dce_call, r, pipe_state, negotiate_flags,
10717 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10718 }
10719
10720 if (require_trailer && encoded_name[len - 1] != trailer) {
10721 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10722 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10723 + dce_call, r, pipe_state, negotiate_flags,
10724 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10725 }
10726 encoded_name[len - 1] = '\0';
10727
10728 @@ -382,30 +387,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10729 "but there's no tdo for [%s] => [%s] \n",
10730 log_escape(mem_ctx, r->in.account_name),
10731 encoded_name));
10732 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10733 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10734 + dce_call, r, pipe_state, negotiate_flags,
10735 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10736 }
10737 if (!NT_STATUS_IS_OK(nt_status)) {
10738 - return nt_status;
10739 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10740 + dce_call, r, pipe_state, negotiate_flags,
10741 + nt_status);
10742 }
10743
10744 nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
10745 &curNtHash,
10746 &prevNtHash);
10747 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
10748 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10749 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10750 + dce_call, r, pipe_state, negotiate_flags,
10751 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10752 }
10753 if (!NT_STATUS_IS_OK(nt_status)) {
10754 - return nt_status;
10755 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10756 + dce_call, r, pipe_state, negotiate_flags,
10757 + nt_status);
10758 }
10759
10760 flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL);
10761 if (flatname == NULL) {
10762 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10763 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10764 + dce_call, r, pipe_state, negotiate_flags,
10765 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10766 }
10767
10768 *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname);
10769 if (*trust_account_for_search == NULL) {
10770 - return NT_STATUS_NO_MEMORY;
10771 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10772 + dce_call, r, pipe_state, negotiate_flags,
10773 + NT_STATUS_NO_MEMORY);
10774 }
10775 } else {
10776 *trust_account_for_search = r->in.account_name;
10777 @@ -420,14 +437,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10778 if (num_records == 0) {
10779 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
10780 log_escape(mem_ctx, r->in.account_name)));
10781 - return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
10782 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10783 + dce_call, r, pipe_state, negotiate_flags,
10784 + NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10785 }
10786
10787 if (num_records > 1) {
10788 DEBUG(0,("Found %d records matching user [%s]\n",
10789 num_records,
10790 log_escape(mem_ctx, r->in.account_name)));
10791 - return NT_STATUS_INTERNAL_DB_CORRUPTION;
10792 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10793 + dce_call, r, pipe_state, negotiate_flags,
10794 + NT_STATUS_INTERNAL_DB_CORRUPTION);
10795 }
10796
10797 *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
10798 @@ -436,9 +457,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10799 if (*trust_account_in_db == NULL) {
10800 DEBUG(0,("No samAccountName returned in record matching user [%s]\n",
10801 r->in.account_name));
10802 - return NT_STATUS_INTERNAL_DB_CORRUPTION;
10803 + return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10804 + dce_call, r, pipe_state, negotiate_flags,
10805 + NT_STATUS_INTERNAL_DB_CORRUPTION);
10806 }
10807 -
10808 +
10809 + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
10810 + dce_call, r, pipe_state, negotiate_flags,
10811 + NT_STATUS_OK);
10812 + if (!NT_STATUS_IS_OK(nt_status)) {
10813 + return nt_status;
10814 + }
10815 +
10816 user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
10817
10818 if (user_account_control & UF_ACCOUNTDISABLE) {
10819 --
10820 2.39.0
10821
10822
10823 From ed628f5bf355801023c1bb2ac4aabd06c5c878a6 Mon Sep 17 00:00:00 2001
10824 From: Stefan Metzmacher <metze@samba.org>
10825 Date: Fri, 25 Nov 2022 13:13:36 +0100
10826 Subject: [PATCH 119/142] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
10827 reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4
10828 crypto:COMPUTERACCOUNT = yes'
10829
10830 This makes it more flexible when we change the global default to
10831 'reject md5 servers = yes'.
10832
10833 'allow nt4 crypto = no' is already the default.
10834
10835 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
10836
10837 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10838 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10839 Reviewed-by: Ralph Boehme <slow@samba.org>
10840 (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
10841 ---
10842 source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++-
10843 1 file changed, 55 insertions(+), 3 deletions(-)
10844
10845 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10846 index 1c180343252..b605daea794 100644
10847 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
10848 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
10849 @@ -133,12 +133,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
10850 struct netr_ServerAuthenticate3 *r,
10851 struct netlogon_server_pipe_state *pipe_state,
10852 uint32_t negotiate_flags,
10853 + const char *trust_account_in_db,
10854 NTSTATUS orig_status)
10855 {
10856 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
10857 - bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10858 - bool reject_des_client = !allow_nt4_crypto;
10859 - bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10860 + bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
10861 + bool account_allow_nt4_crypto = global_allow_nt4_crypto;
10862 + const char *explicit_nt4_opt = NULL;
10863 + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
10864 + bool account_reject_md5_client = global_reject_md5_client;
10865 + const char *explicit_md5_opt = NULL;
10866 + bool reject_des_client;
10867 + bool allow_nt4_crypto;
10868 + bool reject_md5_client;
10869 +
10870 + /*
10871 + * We don't use lpcfg_parm_bool(), as we
10872 + * need the explicit_opt pointer in order to
10873 + * adjust the debug messages.
10874 + */
10875 +
10876 + if (trust_account_in_db != NULL) {
10877 + explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
10878 + NULL,
10879 + "allow nt4 crypto",
10880 + trust_account_in_db);
10881 + }
10882 + if (explicit_nt4_opt != NULL) {
10883 + account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
10884 + }
10885 + allow_nt4_crypto = account_allow_nt4_crypto;
10886 + if (trust_account_in_db != NULL) {
10887 + explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
10888 + NULL,
10889 + "server reject md5 schannel",
10890 + trust_account_in_db);
10891 + }
10892 + if (explicit_md5_opt != NULL) {
10893 + account_reject_md5_client = lp_bool(explicit_md5_opt);
10894 + }
10895 + reject_md5_client = account_reject_md5_client;
10896 +
10897 + reject_des_client = !allow_nt4_crypto;
10898
10899 if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
10900 reject_des_client = false;
10901 @@ -307,12 +343,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10902 case SEC_CHAN_NULL:
10903 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10904 dce_call, r, pipe_state, negotiate_flags,
10905 + NULL, /* trust_account_in_db */
10906 NT_STATUS_INVALID_PARAMETER);
10907 default:
10908 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
10909 r->in.secure_channel_type));
10910 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10911 dce_call, r, pipe_state, negotiate_flags,
10912 + NULL, /* trust_account_in_db */
10913 NT_STATUS_INVALID_PARAMETER);
10914 }
10915
10916 @@ -325,6 +363,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10917 if (sam_ctx == NULL) {
10918 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10919 dce_call, r, pipe_state, negotiate_flags,
10920 + NULL, /* trust_account_in_db */
10921 NT_STATUS_INVALID_SYSTEM_SERVICE);
10922 }
10923
10924 @@ -356,6 +395,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10925 if (encoded_name == NULL) {
10926 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10927 dce_call, r, pipe_state, negotiate_flags,
10928 + NULL, /* trust_account_in_db */
10929 NT_STATUS_NO_MEMORY);
10930 }
10931
10932 @@ -363,12 +403,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10933 if (len < 2) {
10934 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10935 dce_call, r, pipe_state, negotiate_flags,
10936 + NULL, /* trust_account_in_db */
10937 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10938 }
10939
10940 if (require_trailer && encoded_name[len - 1] != trailer) {
10941 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10942 dce_call, r, pipe_state, negotiate_flags,
10943 + NULL, /* trust_account_in_db */
10944 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10945 }
10946 encoded_name[len - 1] = '\0';
10947 @@ -389,11 +431,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10948 encoded_name));
10949 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10950 dce_call, r, pipe_state, negotiate_flags,
10951 + NULL, /* trust_account_in_db */
10952 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10953 }
10954 if (!NT_STATUS_IS_OK(nt_status)) {
10955 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10956 dce_call, r, pipe_state, negotiate_flags,
10957 + NULL, /* trust_account_in_db */
10958 nt_status);
10959 }
10960
10961 @@ -403,11 +447,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10962 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
10963 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10964 dce_call, r, pipe_state, negotiate_flags,
10965 + NULL, /* trust_account_in_db */
10966 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10967 }
10968 if (!NT_STATUS_IS_OK(nt_status)) {
10969 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10970 dce_call, r, pipe_state, negotiate_flags,
10971 + NULL, /* trust_account_in_db */
10972 nt_status);
10973 }
10974
10975 @@ -415,6 +461,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10976 if (flatname == NULL) {
10977 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10978 dce_call, r, pipe_state, negotiate_flags,
10979 + NULL, /* trust_account_in_db */
10980 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10981 }
10982
10983 @@ -422,6 +469,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10984 if (*trust_account_for_search == NULL) {
10985 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10986 dce_call, r, pipe_state, negotiate_flags,
10987 + NULL, /* trust_account_in_db */
10988 NT_STATUS_NO_MEMORY);
10989 }
10990 } else {
10991 @@ -439,6 +487,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
10992 log_escape(mem_ctx, r->in.account_name)));
10993 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
10994 dce_call, r, pipe_state, negotiate_flags,
10995 + NULL, /* trust_account_in_db */
10996 NT_STATUS_NO_TRUST_SAM_ACCOUNT);
10997 }
10998
10999 @@ -448,6 +497,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
11000 log_escape(mem_ctx, r->in.account_name)));
11001 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
11002 dce_call, r, pipe_state, negotiate_flags,
11003 + NULL, /* trust_account_in_db */
11004 NT_STATUS_INTERNAL_DB_CORRUPTION);
11005 }
11006
11007 @@ -459,11 +509,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
11008 r->in.account_name));
11009 return dcesrv_netr_ServerAuthenticate3_check_downgrade(
11010 dce_call, r, pipe_state, negotiate_flags,
11011 + NULL, /* trust_account_in_db */
11012 NT_STATUS_INTERNAL_DB_CORRUPTION);
11013 }
11014
11015 nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
11016 dce_call, r, pipe_state, negotiate_flags,
11017 + *trust_account_in_db,
11018 NT_STATUS_OK);
11019 if (!NT_STATUS_IS_OK(nt_status)) {
11020 return nt_status;
11021 --
11022 2.39.0
11023
11024
11025 From b15c69701d065504588671187a5cec9eea9dcf57 Mon Sep 17 00:00:00 2001
11026 From: Stefan Metzmacher <metze@samba.org>
11027 Date: Fri, 25 Nov 2022 13:31:14 +0100
11028 Subject: [PATCH 120/142] CVE-2022-38023 docs-xml/smbdotconf: document "allow
11029 nt4 crypto:COMPUTERACCOUNT = no"
11030
11031 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11032
11033 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11034 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11035 Reviewed-by: Ralph Boehme <slow@samba.org>
11036 (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
11037 ---
11038 docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++-
11039 1 file changed, 74 insertions(+), 2 deletions(-)
11040
11041 diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11042 index 06afcef73b1..bbd03a42db7 100644
11043 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
11044 +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11045 @@ -1,11 +1,18 @@
11046 <samba:parameter name="allow nt4 crypto"
11047 context="G"
11048 type="boolean"
11049 + deprecated="1"
11050 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11051 <description>
11052 + <para>
11053 + This option is deprecated and will be removed in future,
11054 + as it is a security problem if not set to "no" (which will be
11055 + the hardcoded behavior in future).
11056 + </para>
11057 +
11058 <para>This option controls whether the netlogon server (currently
11059 only in 'active directory domain controller' mode), will
11060 - reject clients which does not support NETLOGON_NEG_STRONG_KEYS
11061 + reject clients which do not support NETLOGON_NEG_STRONG_KEYS
11062 nor NETLOGON_NEG_SUPPORTS_AES.</para>
11063
11064 <para>This option was added with Samba 4.2.0. It may lock out clients
11065 @@ -18,8 +25,73 @@
11066
11067 <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
11068
11069 - <para>This option is over-ridden by the 'reject md5 clients' option.</para>
11070 + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
11071 + Which is available with the patches for
11072 + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11073 + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
11074 +
11075 + <para>
11076 + Samba will log an error in the log files at log level 0
11077 + if legacy a client is rejected or allowed without an explicit,
11078 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
11079 + for the client. The message will indicate
11080 + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
11081 + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11082 + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
11083 + in order to complain only at a higher log level).
11084 + </para>
11085 +
11086 + <para>This allows admins to use "yes" only for a short grace period,
11087 + in order to collect the explicit
11088 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
11089 +
11090 + <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11091 </description>
11092
11093 <value type="default">no</value>
11094 </samba:parameter>
11095 +
11096 +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
11097 + context="G"
11098 + type="string"
11099 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11100 +<description>
11101 +
11102 + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
11103 + it is possible to specify an explicit exception per computer account
11104 + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
11105 + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
11106 + the computer account (including the trailing '$' sign).
11107 + </para>
11108 +
11109 + <para>
11110 + Samba will log a complaint in the log files at log level 0
11111 + about the security problem if the option is set to "yes",
11112 + but the related computer does not require it.
11113 + (The log level can be adjusted with
11114 + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
11115 + in order to complain only at a higher log level).
11116 + </para>
11117 +
11118 + <para>
11119 + Samba will log a warning in the log files at log level 5,
11120 + if a setting is still needed for the specified computer account.
11121 + </para>
11122 +
11123 + <para>
11124 + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
11125 + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11126 + </para>
11127 +
11128 + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
11129 +
11130 + <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11131 +
11132 + <programlisting>
11133 + allow nt4 crypto:LEGACYCOMPUTER1$ = yes
11134 + allow nt4 crypto:NASBOX$ = yes
11135 + allow nt4 crypto:LEGACYCOMPUTER2$ = yes
11136 + </programlisting>
11137 +</description>
11138 +
11139 +</samba:parameter>
11140 --
11141 2.39.0
11142
11143
11144 From bbc9f54fdc1ebbfc0c27b61aff43a63a16aed9d9 Mon Sep 17 00:00:00 2001
11145 From: Stefan Metzmacher <metze@samba.org>
11146 Date: Fri, 25 Nov 2022 14:02:11 +0100
11147 Subject: [PATCH 121/142] CVE-2022-38023 docs-xml/smbdotconf: document "server
11148 reject md5 schannel:COMPUTERACCOUNT"
11149
11150 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11151
11152 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11153 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11154 Reviewed-by: Ralph Boehme <slow@samba.org>
11155 (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
11156 ---
11157 docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++-
11158 .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++-
11159 2 files changed, 103 insertions(+), 6 deletions(-)
11160
11161 diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11162 index bbd03a42db7..ee63e6cc245 100644
11163 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
11164 +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
11165 @@ -45,7 +45,9 @@
11166 in order to collect the explicit
11167 '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
11168
11169 - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11170 + <para>This option is over-ridden by the effective value of 'yes' from
11171 + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
11172 + and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
11173 </description>
11174
11175 <value type="default">no</value>
11176 @@ -85,12 +87,19 @@
11177
11178 <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
11179
11180 - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
11181 + <para>This option is over-ridden by the effective value of 'yes' from
11182 + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
11183 + and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
11184 + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
11185 + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
11186
11187 <programlisting>
11188 allow nt4 crypto:LEGACYCOMPUTER1$ = yes
11189 + server reject md5 schannel:LEGACYCOMPUTER1$ = no
11190 allow nt4 crypto:NASBOX$ = yes
11191 + server reject md5 schannel:NASBOX$ = no
11192 allow nt4 crypto:LEGACYCOMPUTER2$ = yes
11193 + server reject md5 schannel:LEGACYCOMPUTER2$ = no
11194 </programlisting>
11195 </description>
11196
11197 diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11198 index edcbe02e99a..fe7701d9277 100644
11199 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11200 +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
11201 @@ -1,8 +1,15 @@
11202 <samba:parameter name="reject md5 clients"
11203 context="G"
11204 type="boolean"
11205 + deprecated="1"
11206 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11207 <description>
11208 + <para>
11209 + This option is deprecated and will be removed in a future release,
11210 + as it is a security problem if not set to "yes" (which will be
11211 + the hardcoded behavior in the future).
11212 + </para>
11213 +
11214 <para>This option controls whether the netlogon server (currently
11215 only in 'active directory domain controller' mode), will
11216 reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
11217 @@ -10,13 +17,94 @@
11218 <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
11219 starting with Server 2008R2 and Windows 7, it's available in Samba
11220 starting with 4.0, however third party domain members like NetApp ONTAP
11221 - still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
11222 + still uses RC4 (HMAC-MD5), see
11223 + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
11224 + for more details.
11225 + </para>
11226 +
11227 + <para>The default changed from 'no' to 'yes', with the patches for
11228 + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11229 + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11230 + </para>
11231 +
11232 + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
11233 + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
11234 + Which is available with the patches for
11235 + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
11236 + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11237 + </para>
11238
11239 - <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
11240 - see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
11241 + <para>
11242 + Samba will log an error in the log files at log level 0
11243 + if legacy a client is rejected or allowed without an explicit,
11244 + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
11245 + for the client. The message will indicate
11246 + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
11247 + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11248 + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
11249 + in order to complain only at a higher log level).
11250 + </para>
11251
11252 - <para>This option overrides the 'allow nt4 crypto' option.</para>
11253 + <para>This allows admins to use "no" only for a short grace period,
11254 + in order to collect the explicit
11255 + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
11256 +
11257 + <para>When set to 'yes' this option overrides the
11258 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
11259 + '<smbconfoption name="allow nt4 crypto"/>' options and implies
11260 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
11261 + </para>
11262 </description>
11263
11264 <value type="default">yes</value>
11265 </samba:parameter>
11266 +
11267 +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
11268 + context="G"
11269 + type="string"
11270 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
11271 +<description>
11272 +
11273 + <para>If you still have legacy domain members or trusted domains,
11274 + which required "reject md5 clients = no" before,
11275 + it is possible to specify an explicit exception per computer account
11276 + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
11277 + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
11278 + the computer account (including the trailing '$' sign).
11279 + </para>
11280 +
11281 + <para>
11282 + Samba will log a complaint in the log files at log level 0
11283 + about the security problem if the option is set to "no",
11284 + but the related computer does not require it.
11285 + (The log level can be adjusted with
11286 + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
11287 + in order to complain only at a higher log level).
11288 + </para>
11289 +
11290 + <para>
11291 + Samba will log a warning in the log files at log level 5
11292 + if a setting is still needed for the specified computer account.
11293 + </para>
11294 +
11295 + <para>
11296 + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
11297 + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
11298 + </para>
11299 +
11300 + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
11301 +
11302 + <para>When set to 'yes' this option overrides the
11303 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
11304 + '<smbconfoption name="allow nt4 crypto"/>' options and implies
11305 + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
11306 + </para>
11307 +
11308 + <programlisting>
11309 + server reject md5 schannel:LEGACYCOMPUTER1$ = no
11310 + server reject md5 schannel:NASBOX$ = no
11311 + server reject md5 schannel:LEGACYCOMPUTER2$ = no
11312 + </programlisting>
11313 +</description>
11314 +
11315 +</samba:parameter>
11316 --
11317 2.39.0
11318
11319
11320 From 88311bae73bfdd2863ee94f421ef89266bff97f0 Mon Sep 17 00:00:00 2001
11321 From: Stefan Metzmacher <metze@samba.org>
11322 Date: Fri, 25 Nov 2022 13:13:36 +0100
11323 Subject: [PATCH 122/142] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
11324 md5 servers' and 'allow nt4 crypto' misconfigurations
11325
11326 This allows the admin to notice what's wrong in order to adjust the
11327 configuration if required.
11328
11329 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11330
11331 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11332 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11333 Reviewed-by: Ralph Boehme <slow@samba.org>
11334 (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
11335 ---
11336 source4/rpc_server/netlogon/dcerpc_netlogon.c | 121 ++++++++++++++++++
11337 1 file changed, 121 insertions(+)
11338
11339 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11340 index b605daea794..b93ff08abcd 100644
11341 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11342 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11343 @@ -61,10 +61,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
11344 const struct dcesrv_interface *iface)
11345 {
11346 struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
11347 + bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
11348 + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
11349 int schannel = lpcfg_server_schannel(lp_ctx);
11350 bool schannel_global_required = (schannel == true);
11351 + static bool warned_global_nt4_once = false;
11352 + static bool warned_global_md5_once = false;
11353 static bool warned_global_schannel_once = false;
11354
11355 + if (global_allow_nt4_crypto && !warned_global_nt4_once) {
11356 + /*
11357 + * We want admins to notice their misconfiguration!
11358 + */
11359 + D_ERR("CVE-2022-38023 (and others): "
11360 + "Please configure 'allow nt4 crypto = no' (the default), "
11361 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
11362 + warned_global_nt4_once = true;
11363 + }
11364 +
11365 + if (!global_reject_md5_client && !warned_global_md5_once) {
11366 + /*
11367 + * We want admins to notice their misconfiguration!
11368 + */
11369 + D_ERR("CVE-2022-38023: "
11370 + "Please configure 'reject md5 clients = yes' (the default), "
11371 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
11372 + warned_global_md5_once = true;
11373 + }
11374 +
11375 if (!schannel_global_required && !warned_global_schannel_once) {
11376 /*
11377 * We want admins to notice their misconfiguration!
11378 @@ -146,6 +170,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11379 bool reject_des_client;
11380 bool allow_nt4_crypto;
11381 bool reject_md5_client;
11382 + bool need_des = true;
11383 + bool need_md5 = true;
11384 + int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
11385 + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
11386 + int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
11387 + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
11388
11389 /*
11390 * We don't use lpcfg_parm_bool(), as we
11391 @@ -177,19 +207,62 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11392 reject_des_client = !allow_nt4_crypto;
11393
11394 if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
11395 + need_des = false;
11396 reject_des_client = false;
11397 }
11398
11399 if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
11400 + need_des = false;
11401 + need_md5 = false;
11402 reject_des_client = false;
11403 reject_md5_client = false;
11404 }
11405
11406 if (reject_des_client || reject_md5_client) {
11407 + TALLOC_CTX *frame = talloc_stackframe();
11408 +
11409 + DEBUG(CVE_2022_38023_error_level, (
11410 + "CVE-2022-38023: "
11411 + "client_account[%s] computer_name[%s] "
11412 + "schannel_type[%u] "
11413 + "client_negotiate_flags[0x%x] "
11414 + "%s%s%s "
11415 + "NT_STATUS_DOWNGRADE_DETECTED "
11416 + "reject_des[%u] reject_md5[%u]\n",
11417 + log_escape(frame, r->in.account_name),
11418 + log_escape(frame, r->in.computer_name),
11419 + r->in.secure_channel_type,
11420 + (unsigned)*r->in.negotiate_flags,
11421 + trust_account_in_db ? "real_account[" : "",
11422 + trust_account_in_db ? trust_account_in_db : "",
11423 + trust_account_in_db ? "]" : "",
11424 + reject_des_client,
11425 + reject_md5_client));
11426 + if (trust_account_in_db == NULL) {
11427 + goto return_downgrade;
11428 + }
11429 +
11430 + if (reject_md5_client && explicit_md5_opt == NULL) {
11431 + DEBUG(CVE_2022_38023_error_level, (
11432 + "CVE-2022-38023: Check if option "
11433 + "'server reject md5 schannel:%s = no' "
11434 + "might be needed for a legacy client.\n",
11435 + trust_account_in_db));
11436 + }
11437 + if (reject_des_client && explicit_nt4_opt == NULL) {
11438 + DEBUG(CVE_2022_38023_error_level, (
11439 + "CVE-2022-38023: Check if option "
11440 + "'allow nt4 crypto:%s = yes' "
11441 + "might be needed for a legacy client.\n",
11442 + trust_account_in_db));
11443 + }
11444 +
11445 +return_downgrade:
11446 /*
11447 * Here we match Windows 2012 and return no flags.
11448 */
11449 *r->out.negotiate_flags = 0;
11450 + TALLOC_FREE(frame);
11451 return NT_STATUS_DOWNGRADE_DETECTED;
11452 }
11453
11454 @@ -222,6 +295,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
11455 */
11456 *r->out.negotiate_flags = negotiate_flags;
11457
11458 + if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) {
11459 + return orig_status;
11460 + }
11461 +
11462 + if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) {
11463 + D_INFO("CVE-2022-38023: Check if option "
11464 + "'server reject md5 schannel:%s = yes' not needed!?\n",
11465 + trust_account_in_db);
11466 + } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) {
11467 + D_INFO("CVE-2022-38023: Check if option "
11468 + "'server reject md5 schannel:%s = no' "
11469 + "still needed for a legacy client.\n",
11470 + trust_account_in_db);
11471 + } else if (need_md5 && explicit_md5_opt == NULL) {
11472 + DEBUG(CVE_2022_38023_error_level, (
11473 + "CVE-2022-38023: Check if option "
11474 + "'server reject md5 schannel:%s = no' "
11475 + "might be needed for a legacy client.\n",
11476 + trust_account_in_db));
11477 + } else if (!account_reject_md5_client && explicit_md5_opt) {
11478 + DEBUG(CVE_2022_38023_warn_level, (
11479 + "CVE-2022-38023: Check if option "
11480 + "'server reject md5 schannel:%s = no' not needed!?\n",
11481 + trust_account_in_db));
11482 + }
11483 +
11484 + if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) {
11485 + D_INFO("CVE-2022-38023: Check if option "
11486 + "'allow nt4 crypto:%s = no' not needed!?\n",
11487 + trust_account_in_db);
11488 + } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) {
11489 + D_INFO("CVE-2022-38023: Check if option "
11490 + "'allow nt4 crypto:%s = yes' "
11491 + "still needed for a legacy client.\n",
11492 + trust_account_in_db);
11493 + } else if (need_des && explicit_nt4_opt == NULL) {
11494 + DEBUG(CVE_2022_38023_error_level, (
11495 + "CVE-2022-38023: Check if option "
11496 + "'allow nt4 crypto:%s = yes' "
11497 + "might be needed for a legacy client.\n",
11498 + trust_account_in_db));
11499 + } else if (account_allow_nt4_crypto && explicit_nt4_opt) {
11500 + DEBUG(CVE_2022_38023_warn_level, (
11501 + "CVE-2022-38023: Check if option "
11502 + "'allow nt4 crypto:%s = yes' not needed!?\n",
11503 + trust_account_in_db));
11504 + }
11505 +
11506 return orig_status;
11507 }
11508
11509 --
11510 2.39.0
11511
11512
11513 From 73230d08dd1ec2390e52b24f0398d328a55e5866 Mon Sep 17 00:00:00 2001
11514 From: Stefan Metzmacher <metze@samba.org>
11515 Date: Wed, 30 Nov 2022 14:57:20 +0100
11516 Subject: [PATCH 123/142] CVE-2022-38023 selftest:Samba4: avoid global 'allow
11517 nt4 crypto = yes' and 'reject md5 clients = no'
11518
11519 Instead of using the generic deprecated option use the specific
11520 allow nt4 crypto:COMPUTERACCOUNT = yes and
11521 server reject md5 schannel:COMPUTERACCOUNT = no
11522 in order to allow legacy tests for pass.
11523
11524 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11525
11526 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11527 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11528 Reviewed-by: Ralph Boehme <slow@samba.org>
11529 (backported from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
11530 ---
11531 selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
11532 1 file changed, 53 insertions(+), 7 deletions(-)
11533
11534 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
11535 index 7e3d7c9de8e..aafb9ee14ca 100755
11536 --- a/selftest/target/Samba4.pm
11537 +++ b/selftest/target/Samba4.pm
11538 @@ -1700,7 +1700,6 @@ sub provision_ad_dc_ntvfs($$)
11539 my $extra_conf_options = "netbios aliases = localDC1-a
11540 server services = +winbind -winbindd
11541 ldap server require strong auth = allow_sasl_over_tls
11542 - allow nt4 crypto = yes
11543 raw NTLMv2 auth = yes
11544 lsa over netlogon = yes
11545 rpc server port = 1027
11546 @@ -1709,9 +1708,19 @@ sub provision_ad_dc_ntvfs($$)
11547 dsdb password event notification = true
11548 dsdb group change notification = true
11549
11550 - reject md5 clients = no
11551 -
11552 CVE_2020_1472:warn_about_unused_debug_level = 3
11553 + CVE_2022_38023:warn_about_unused_debug_level = 3
11554 + allow nt4 crypto:torturetest\$ = yes
11555 + server reject md5 schannel:schannel2\$ = no
11556 + server reject md5 schannel:schannel3\$ = no
11557 + server reject md5 schannel:schannel8\$ = no
11558 + server reject md5 schannel:schannel9\$ = no
11559 + server reject md5 schannel:torturetest\$ = no
11560 + server reject md5 schannel:tests4u2proxywk\$ = no
11561 + server reject md5 schannel:tests4u2selfbdc\$ = no
11562 + server reject md5 schannel:tests4u2selfwk\$ = no
11563 + server reject md5 schannel:torturepacbdc\$ = no
11564 + server reject md5 schannel:torturepacwksta\$ = no
11565 server require schannel:schannel0\$ = no
11566 server require schannel:schannel1\$ = no
11567 server require schannel:schannel2\$ = no
11568 @@ -1770,6 +1779,13 @@ sub provision_fl2000dc($$)
11569 my $extra_conf_options = "
11570 spnego:simulate_w2k=yes
11571 ntlmssp_server:force_old_spnego=yes
11572 +
11573 + CVE_2022_38023:warn_about_unused_debug_level = 3
11574 + server reject md5 schannel:tests4u2proxywk\$ = no
11575 + server reject md5 schannel:tests4u2selfbdc\$ = no
11576 + server reject md5 schannel:tests4u2selfwk\$ = no
11577 + server reject md5 schannel:torturepacbdc\$ = no
11578 + server reject md5 schannel:torturepacwksta\$ = no
11579 ";
11580 my $extra_provision_options = ["--use-ntvfs"];
11581 # This environment uses plain text secrets
11582 @@ -1818,7 +1834,16 @@ sub provision_fl2003dc($$$)
11583 my $extra_conf_options = "allow dns updates = nonsecure and secure
11584 dcesrv:header signing = no
11585 dcesrv:max auth states = 0
11586 - dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2";
11587 + dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2
11588 +
11589 + CVE_2022_38023:warn_about_unused_debug_level = 3
11590 + server reject md5 schannel:tests4u2proxywk\$ = no
11591 + server reject md5 schannel:tests4u2selfbdc\$ = no
11592 + server reject md5 schannel:tests4u2selfwk\$ = no
11593 + server reject md5 schannel:torturepacbdc\$ = no
11594 + server reject md5 schannel:torturepacwksta\$ = no
11595 +";
11596 +
11597 my $extra_provision_options = ["--use-ntvfs"];
11598 my $ret = $self->provision($prefix,
11599 "domain controller",
11600 @@ -1874,8 +1899,18 @@ sub provision_fl2008r2dc($$$)
11601 my ($self, $prefix, $dcvars) = @_;
11602
11603 print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n";
11604 - my $extra_conf_options = "ldap server require strong auth = no";
11605 + my $extra_conf_options = "
11606 + ldap server require strong auth = no
11607 +
11608 + CVE_2022_38023:warn_about_unused_debug_level = 3
11609 + server reject md5 schannel:tests4u2proxywk\$ = no
11610 + server reject md5 schannel:tests4u2selfbdc\$ = no
11611 + server reject md5 schannel:tests4u2selfwk\$ = no
11612 + server reject md5 schannel:torturepacbdc\$ = no
11613 + server reject md5 schannel:torturepacwksta\$ = no
11614 +";
11615 my $extra_provision_options = ["--use-ntvfs"];
11616 +
11617 my $ret = $self->provision($prefix,
11618 "domain controller",
11619 "dc7",
11620 @@ -2104,9 +2139,20 @@ sub provision_ad_dc($$$$$$)
11621 lpq cache time = 0
11622 print notify backchannel = yes
11623
11624 - reject md5 clients = no
11625 -
11626 CVE_2020_1472:warn_about_unused_debug_level = 3
11627 + CVE_2022_38023:warn_about_unused_debug_level = 3
11628 + CVE_2022_38023:error_debug_level = 2
11629 + server reject md5 schannel:schannel2\$ = no
11630 + server reject md5 schannel:schannel3\$ = no
11631 + server reject md5 schannel:schannel8\$ = no
11632 + server reject md5 schannel:schannel9\$ = no
11633 + server reject md5 schannel:torturetest\$ = no
11634 + server reject md5 schannel:tests4u2proxywk\$ = no
11635 + server reject md5 schannel:tests4u2selfbdc\$ = no
11636 + server reject md5 schannel:tests4u2selfwk\$ = no
11637 + server reject md5 schannel:torturepacbdc\$ = no
11638 + server reject md5 schannel:torturepacwksta\$ = no
11639 + server reject md5 schannel:samlogontest\$ = no
11640 server require schannel:schannel0\$ = no
11641 server require schannel:schannel1\$ = no
11642 server require schannel:schannel2\$ = no
11643 --
11644 2.39.0
11645
11646
11647 From 2efdacb36c42985595284db6db90953feecc6e1a Mon Sep 17 00:00:00 2001
11648 From: Stefan Metzmacher <metze@samba.org>
11649 Date: Wed, 30 Nov 2022 16:57:24 +0100
11650 Subject: [PATCH 124/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
11651 dcesrv_netr_check_schannel() function
11652
11653 This will allow us to reuse the function in other places.
11654 As it will also get some additional checks soon.
11655
11656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11657
11658 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11659 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11660 Reviewed-by: Ralph Boehme <slow@samba.org>
11661 (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
11662 ---
11663 source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++--------
11664 1 file changed, 51 insertions(+), 33 deletions(-)
11665
11666 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11667 index b93ff08abcd..94adb74165f 100644
11668 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11669 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11670 @@ -845,18 +845,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
11671 return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
11672 }
11673
11674 -/*
11675 - * NOTE: The following functions are nearly identical to the ones available in
11676 - * source3/rpc_server/srv_nelog_nt.c
11677 - * The reason we keep 2 copies is that they use different structures to
11678 - * represent the auth_info and the decrpc pipes.
11679 - */
11680 -static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
11681 - TALLOC_CTX *mem_ctx,
11682 - const char *computer_name,
11683 - struct netr_Authenticator *received_authenticator,
11684 - struct netr_Authenticator *return_authenticator,
11685 - struct netlogon_creds_CredentialState **creds_out)
11686 +static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
11687 + const struct netlogon_creds_CredentialState *creds,
11688 + enum dcerpc_AuthType auth_type,
11689 + enum dcerpc_AuthLevel auth_level,
11690 + uint16_t opnum)
11691 {
11692 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
11693 TALLOC_CTX *frame = talloc_stackframe();
11694 @@ -865,15 +858,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11695 bool schannel_global_required = (schannel == true);
11696 bool schannel_required = schannel_global_required;
11697 const char *explicit_opt = NULL;
11698 - struct netlogon_creds_CredentialState *creds = NULL;
11699 int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
11700 "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
11701 int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
11702 "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
11703 unsigned int dbg_lvl = DBGLVL_DEBUG;
11704 - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11705 - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11706 - uint16_t opnum = dce_call->pkt.u.request.opnum;
11707 const char *opname = "<unknown>";
11708 const char *reason = "<unknown>";
11709
11710 @@ -881,8 +870,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11711 opname = ndr_table_netlogon.calls[opnum].name;
11712 }
11713
11714 - dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11715 -
11716 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
11717 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
11718 reason = "WITH SEALED";
11719 @@ -895,17 +882,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11720 reason = "WITHOUT";
11721 }
11722
11723 - nt_status = schannel_check_creds_state(mem_ctx,
11724 - lp_ctx,
11725 - computer_name,
11726 - received_authenticator,
11727 - return_authenticator,
11728 - &creds);
11729 - if (!NT_STATUS_IS_OK(nt_status)) {
11730 - ZERO_STRUCTP(return_authenticator);
11731 - return nt_status;
11732 - }
11733 -
11734 /*
11735 * We don't use lpcfg_parm_bool(), as we
11736 * need the explicit_opt pointer in order to
11737 @@ -945,7 +921,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11738 log_escape(frame, creds->computer_name)));
11739 }
11740
11741 - *creds_out = creds;
11742 TALLOC_FREE(frame);
11743 return nt_status;
11744 }
11745 @@ -979,8 +954,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11746 "might be needed for a legacy client.\n",
11747 log_escape(frame, creds->account_name)));
11748 }
11749 - TALLOC_FREE(creds);
11750 - ZERO_STRUCTP(return_authenticator);
11751 TALLOC_FREE(frame);
11752 return nt_status;
11753 }
11754 @@ -1024,11 +997,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
11755 log_escape(frame, creds->computer_name)));
11756 }
11757
11758 - *creds_out = creds;
11759 TALLOC_FREE(frame);
11760 return NT_STATUS_OK;
11761 }
11762
11763 +/*
11764 + * NOTE: The following functions are nearly identical to the ones available in
11765 + * source3/rpc_server/srv_nelog_nt.c
11766 + * The reason we keep 2 copies is that they use different structures to
11767 + * represent the auth_info and the decrpc pipes.
11768 + */
11769 +static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
11770 + TALLOC_CTX *mem_ctx,
11771 + const char *computer_name,
11772 + struct netr_Authenticator *received_authenticator,
11773 + struct netr_Authenticator *return_authenticator,
11774 + struct netlogon_creds_CredentialState **creds_out)
11775 +{
11776 + NTSTATUS nt_status;
11777 + struct netlogon_creds_CredentialState *creds = NULL;
11778 + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11779 + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11780 +
11781 + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11782 +
11783 + nt_status = schannel_check_creds_state(mem_ctx,
11784 + dce_call->conn->dce_ctx->lp_ctx,
11785 + computer_name,
11786 + received_authenticator,
11787 + return_authenticator,
11788 + &creds);
11789 + if (!NT_STATUS_IS_OK(nt_status)) {
11790 + ZERO_STRUCTP(return_authenticator);
11791 + return nt_status;
11792 + }
11793 +
11794 + nt_status = dcesrv_netr_check_schannel(dce_call,
11795 + creds,
11796 + auth_type,
11797 + auth_level,
11798 + dce_call->pkt.u.request.opnum);
11799 + if (!NT_STATUS_IS_OK(nt_status)) {
11800 + TALLOC_FREE(creds);
11801 + ZERO_STRUCTP(return_authenticator);
11802 + return nt_status;
11803 + }
11804 +
11805 + *creds_out = creds;
11806 + return NT_STATUS_OK;
11807 +}
11808 +
11809 /*
11810 Change the machine account password for the currently connected
11811 client. Supplies only the NT#.
11812 --
11813 2.39.0
11814
11815
11816 From b95d07ebad63544c585a43590bdeaf5247cbaf46 Mon Sep 17 00:00:00 2001
11817 From: Stefan Metzmacher <metze@samba.org>
11818 Date: Wed, 30 Nov 2022 17:15:36 +0100
11819 Subject: [PATCH 125/142] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
11820 dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
11821
11822 We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
11823 which are also required for dcesrv_netr_LogonSamLogonEx().
11824
11825 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11826
11827 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11828 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11829 Reviewed-by: Ralph Boehme <slow@samba.org>
11830 (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
11831 ---
11832 source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
11833 1 file changed, 29 insertions(+), 7 deletions(-)
11834
11835 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11836 index 94adb74165f..f4413d7a03b 100644
11837 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
11838 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
11839 @@ -1408,6 +1408,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
11840 struct auth_usersupplied_info *user_info = NULL;
11841 NTSTATUS nt_status;
11842 struct tevent_req *subreq = NULL;
11843 + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11844 + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
11845 +
11846 + dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
11847 +
11848 + switch (dce_call->pkt.u.request.opnum) {
11849 + case NDR_NETR_LOGONSAMLOGON:
11850 + case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
11851 + /*
11852 + * These already called dcesrv_netr_check_schannel()
11853 + * via dcesrv_netr_creds_server_step_check()
11854 + */
11855 + break;
11856 + case NDR_NETR_LOGONSAMLOGONEX:
11857 + default:
11858 + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
11859 + return NT_STATUS_ACCESS_DENIED;
11860 + }
11861 +
11862 + nt_status = dcesrv_netr_check_schannel(dce_call,
11863 + creds,
11864 + auth_type,
11865 + auth_level,
11866 + dce_call->pkt.u.request.opnum);
11867 + if (!NT_STATUS_IS_OK(nt_status)) {
11868 + return nt_status;
11869 + }
11870 + break;
11871 + }
11872
11873 *r->out.authoritative = 1;
11874
11875 @@ -1739,7 +1768,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
11876 static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
11877 struct netr_LogonSamLogonEx *r)
11878 {
11879 - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
11880 struct dcesrv_netr_LogonSamLogon_base_state *state;
11881 NTSTATUS nt_status;
11882
11883 @@ -1777,12 +1805,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
11884 return nt_status;
11885 }
11886
11887 - dcesrv_call_auth_info(dce_call, &auth_type, NULL);
11888 -
11889 - if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
11890 - return NT_STATUS_ACCESS_DENIED;
11891 - }
11892 -
11893 nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
11894
11895 if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
11896 --
11897 2.39.0
11898
11899
11900 From 5e5019dbdf9b49e07bd5f88bafa7275d5d076166 Mon Sep 17 00:00:00 2001
11901 From: Stefan Metzmacher <metze@samba.org>
11902 Date: Fri, 25 Nov 2022 16:53:35 +0100
11903 Subject: [PATCH 126/142] CVE-2022-38023 docs-xml/smbdotconf: add "server
11904 schannel require seal[:COMPUTERACCOUNT]" options
11905
11906 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
11907
11908 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11909 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11910 Reviewed-by: Ralph Boehme <slow@samba.org>
11911 (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
11912 ---
11913 .../smbdotconf/security/serverschannel.xml | 43 ++++++-
11914 .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++
11915 lib/param/loadparm.c | 1 +
11916 source3/param/loadparm.c | 1 +
11917 4 files changed, 157 insertions(+), 6 deletions(-)
11918 create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
11919
11920 diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
11921 index 3e66df1c203..42a657912ca 100644
11922 --- a/docs-xml/smbdotconf/security/serverschannel.xml
11923 +++ b/docs-xml/smbdotconf/security/serverschannel.xml
11924 @@ -12,19 +12,37 @@
11925 the hardcoded behavior in future).
11926 </para>
11927
11928 - <para>
11929 - Samba will complain in the log files at log level 0,
11930 - about the security problem if the option is not set to "yes".
11931 + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
11932 </para>
11933 +
11934 + <para>
11935 + Samba will log an error in the log files at log level 0
11936 + if legacy a client is rejected or allowed without an explicit,
11937 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
11938 + for the client. The message will indicate
11939 + the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
11940 + line to be added, if the legacy client software requires it. (The log level can be adjusted with
11941 + '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
11942 + in order to complain only at a higher log level).
11943 + </para>
11944 +
11945 <para>
11946 - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
11947 + This allows admins to use "auto" only for a short grace period,
11948 + in order to collect the explicit
11949 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
11950 </para>
11951
11952 - <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
11953 + <para>
11954 + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
11955 + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
11956 </para>
11957
11958 <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
11959
11960 + <para>This option is over-ridden by the effective value of 'yes' from
11961 + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
11962 + and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
11963 +
11964 </description>
11965
11966 <value type="default">yes</value>
11967 @@ -48,6 +66,9 @@
11968 about the security problem if the option is not set to "no",
11969 but the related computer is actually using the netlogon
11970 secure channel (schannel) feature.
11971 + (The log level can be adjusted with
11972 + '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
11973 + in order to complain only at a higher log level).
11974 </para>
11975
11976 <para>
11977 @@ -56,15 +77,25 @@
11978 </para>
11979
11980 <para>
11981 - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
11982 + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
11983 + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
11984 </para>
11985
11986 <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
11987
11988 + <para>This option is over-ridden by the effective value of 'yes' from
11989 + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
11990 + and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
11991 + <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
11992 + is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
11993 +
11994 <programlisting>
11995 server require schannel:LEGACYCOMPUTER1$ = no
11996 + server require schannel seal:LEGACYCOMPUTER1$ = no
11997 server require schannel:NASBOX$ = no
11998 + server require schannel seal:NASBOX$ = no
11999 server require schannel:LEGACYCOMPUTER2$ = no
12000 + server require schannel seal:LEGACYCOMPUTER2$ = no
12001 </programlisting>
12002 </description>
12003
12004 diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
12005 new file mode 100644
12006 index 00000000000..d4620d1252d
12007 --- /dev/null
12008 +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
12009 @@ -0,0 +1,118 @@
12010 +<samba:parameter name="server schannel require seal"
12011 + context="G"
12012 + type="boolean"
12013 + deprecated="1"
12014 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
12015 +<description>
12016 +
12017 + <para>
12018 + This option is deprecated and will be removed in future,
12019 + as it is a security problem if not set to "yes" (which will be
12020 + the hardcoded behavior in future).
12021 + </para>
12022 +
12023 + <para>
12024 + This option controls whether the netlogon server (currently
12025 + only in 'active directory domain controller' mode), will
12026 + reject the usage of netlogon secure channel without privacy/enryption.
12027 + </para>
12028 +
12029 + <para>
12030 + The option is modelled after the registry key available on Windows.
12031 + </para>
12032 +
12033 + <programlisting>
12034 + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
12035 + </programlisting>
12036 +
12037 + <para>
12038 + <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
12039 + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
12040 + Which is available with the patches for
12041 + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
12042 + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
12043 + </para>
12044 +
12045 + <para>
12046 + Samba will log an error in the log files at log level 0
12047 + if legacy a client is rejected or allowed without an explicit,
12048 + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
12049 + for the client. The message will indicate
12050 + the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
12051 + line to be added, if the legacy client software requires it. (The log level can be adjusted with
12052 + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
12053 + in order to complain only at a higher log level).
12054 + </para>
12055 +
12056 + <para>This allows admins to use "no" only for a short grace period,
12057 + in order to collect the explicit
12058 + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
12059 +
12060 + <para>
12061 + When set to 'yes' this option overrides the
12062 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
12063 + '<smbconfoption name="server schannel"/>' options and implies
12064 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
12065 + </para>
12066 +
12067 + <para>
12068 + This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
12069 + </para>
12070 +
12071 +</description>
12072 +
12073 +<value type="default">yes</value>
12074 +</samba:parameter>
12075 +
12076 +<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
12077 + context="G"
12078 + type="string"
12079 + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
12080 +<description>
12081 +
12082 + <para>
12083 + If you still have legacy domain members, which required "server schannel require seal = no" before,
12084 + it is possible to specify explicit exception per computer account
12085 + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
12086 + Note that COMPUTERACCOUNT has to be the sAMAccountName value of
12087 + the computer account (including the trailing '$' sign).
12088 + </para>
12089 +
12090 + <para>
12091 + Samba will log a complaint in the log files at log level 0
12092 + about the security problem if the option is set to "no",
12093 + but the related computer does not require it.
12094 + (The log level can be adjusted with
12095 + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
12096 + in order to complain only at a higher log level).
12097 + </para>
12098 +
12099 + <para>
12100 + Samba will warn in the log files at log level 5,
12101 + if a setting is still needed for the specified computer account.
12102 + </para>
12103 +
12104 + <para>
12105 + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
12106 + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
12107 + </para>
12108 +
12109 + <para>
12110 + This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
12111 + </para>
12112 +
12113 + <para>
12114 + When set to 'yes' this option overrides the
12115 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
12116 + '<smbconfoption name="server schannel"/>' options and implies
12117 + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
12118 + </para>
12119 +
12120 + <programlisting>
12121 + server require schannel seal:LEGACYCOMPUTER1$ = no
12122 + server require schannel seal:NASBOX$ = no
12123 + server require schannel seal:LEGACYCOMPUTER2$ = no
12124 + </programlisting>
12125 +</description>
12126 +
12127 +</samba:parameter>
12128 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
12129 index 77a80176f7d..4b3976ebdb6 100644
12130 --- a/lib/param/loadparm.c
12131 +++ b/lib/param/loadparm.c
12132 @@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
12133 lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
12134
12135 lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
12136 + lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
12137 lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
12138
12139 lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
12140 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
12141 index 1cf468b1009..8dab202fc17 100644
12142 --- a/source3/param/loadparm.c
12143 +++ b/source3/param/loadparm.c
12144 @@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
12145 Globals.require_strong_key = true;
12146 Globals.reject_md5_servers = true;
12147 Globals.server_schannel = true;
12148 + Globals.server_schannel_require_seal = true;
12149 Globals.reject_md5_clients = true;
12150 Globals.read_raw = true;
12151 Globals.write_raw = true;
12152 --
12153 2.39.0
12154
12155
12156 From 83be39efadc4c4fad4a873e23016e1c5a8d65380 Mon Sep 17 00:00:00 2001
12157 From: Stefan Metzmacher <metze@samba.org>
12158 Date: Fri, 2 Dec 2022 14:31:26 +0100
12159 Subject: [PATCH 127/142] CVE-2022-38023 s4:rpc_server/netlogon: add a per
12160 connection cache to dcesrv_netr_check_schannel()
12161
12162 It's enough to warn the admin once per connection.
12163
12164 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12165
12166 Signed-off-by: Stefan Metzmacher <metze@samba.org>
12167 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12168 Reviewed-by: Ralph Boehme <slow@samba.org>
12169 (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
12170 ---
12171 source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++----
12172 1 file changed, 153 insertions(+), 40 deletions(-)
12173
12174 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12175 index f4413d7a03b..474d0806e6b 100644
12176 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
12177 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12178 @@ -845,23 +845,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
12179 return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
12180 }
12181
12182 -static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12183 - const struct netlogon_creds_CredentialState *creds,
12184 - enum dcerpc_AuthType auth_type,
12185 - enum dcerpc_AuthLevel auth_level,
12186 - uint16_t opnum)
12187 +struct dcesrv_netr_check_schannel_state {
12188 + struct dom_sid account_sid;
12189 + enum dcerpc_AuthType auth_type;
12190 + enum dcerpc_AuthLevel auth_level;
12191 +
12192 + bool schannel_global_required;
12193 + bool schannel_required;
12194 + bool schannel_explicitly_set;
12195 +
12196 + NTSTATUS result;
12197 +};
12198 +
12199 +static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
12200 + const struct netlogon_creds_CredentialState *creds,
12201 + enum dcerpc_AuthType auth_type,
12202 + enum dcerpc_AuthLevel auth_level,
12203 + struct dcesrv_netr_check_schannel_state **_s)
12204 {
12205 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
12206 - TALLOC_CTX *frame = talloc_stackframe();
12207 - NTSTATUS nt_status;
12208 int schannel = lpcfg_server_schannel(lp_ctx);
12209 bool schannel_global_required = (schannel == true);
12210 bool schannel_required = schannel_global_required;
12211 const char *explicit_opt = NULL;
12212 +#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
12213 + struct dcesrv_netr_check_schannel_state *s = NULL;
12214 + NTSTATUS status;
12215 +
12216 + *_s = NULL;
12217 +
12218 + s = dcesrv_iface_state_find_conn(dce_call,
12219 + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12220 + struct dcesrv_netr_check_schannel_state);
12221 + if (s != NULL) {
12222 + if (!dom_sid_equal(&s->account_sid, creds->sid)) {
12223 + goto new_state;
12224 + }
12225 + if (s->auth_type != auth_type) {
12226 + goto new_state;
12227 + }
12228 + if (s->auth_level != auth_level) {
12229 + goto new_state;
12230 + }
12231 +
12232 + *_s = s;
12233 + return NT_STATUS_OK;
12234 + }
12235 +
12236 +new_state:
12237 + TALLOC_FREE(s);
12238 + s = talloc_zero(dce_call,
12239 + struct dcesrv_netr_check_schannel_state);
12240 + if (s == NULL) {
12241 + return NT_STATUS_NO_MEMORY;
12242 + }
12243 +
12244 + s->account_sid = *creds->sid;
12245 + s->auth_type = auth_type;
12246 + s->auth_level = auth_level;
12247 + s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
12248 +
12249 + /*
12250 + * We don't use lpcfg_parm_bool(), as we
12251 + * need the explicit_opt pointer in order to
12252 + * adjust the debug messages.
12253 + */
12254 + explicit_opt = lpcfg_get_parametric(lp_ctx,
12255 + NULL,
12256 + "server require schannel",
12257 + creds->account_name);
12258 + if (explicit_opt != NULL) {
12259 + schannel_required = lp_bool(explicit_opt);
12260 + }
12261 +
12262 + s->schannel_global_required = schannel_global_required;
12263 + s->schannel_required = schannel_required;
12264 + s->schannel_explicitly_set = explicit_opt != NULL;
12265 +
12266 + status = dcesrv_iface_state_store_conn(dce_call,
12267 + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12268 + s);
12269 + if (!NT_STATUS_IS_OK(status)) {
12270 + return status;
12271 + }
12272 +
12273 + *_s = s;
12274 + return NT_STATUS_OK;
12275 +}
12276 +
12277 +static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
12278 + struct dcesrv_netr_check_schannel_state *s,
12279 + const struct netlogon_creds_CredentialState *creds,
12280 + uint16_t opnum)
12281 +{
12282 + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
12283 int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
12284 "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
12285 int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
12286 "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
12287 + TALLOC_CTX *frame = talloc_stackframe();
12288 unsigned int dbg_lvl = DBGLVL_DEBUG;
12289 const char *opname = "<unknown>";
12290 const char *reason = "<unknown>";
12291 @@ -870,37 +952,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12292 opname = ndr_table_netlogon.calls[opnum].name;
12293 }
12294
12295 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12296 - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
12297 + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12298 + if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
12299 reason = "WITH SEALED";
12300 - } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
12301 + } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
12302 reason = "WITH SIGNED";
12303 } else {
12304 - smb_panic("Schannel without SIGN/SEAL");
12305 + reason = "WITH INVALID";
12306 + dbg_lvl = DBGLVL_ERR;
12307 + s->result = NT_STATUS_INTERNAL_ERROR;
12308 }
12309 } else {
12310 reason = "WITHOUT";
12311 }
12312
12313 - /*
12314 - * We don't use lpcfg_parm_bool(), as we
12315 - * need the explicit_opt pointer in order to
12316 - * adjust the debug messages.
12317 - */
12318 - explicit_opt = lpcfg_get_parametric(lp_ctx,
12319 - NULL,
12320 - "server require schannel",
12321 - creds->account_name);
12322 - if (explicit_opt != NULL) {
12323 - schannel_required = lp_bool(explicit_opt);
12324 + if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
12325 + if (!NT_STATUS_IS_OK(s->result)) {
12326 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12327 + }
12328 +
12329 + DEBUG(dbg_lvl, (
12330 + "CVE-2020-1472(ZeroLogon): "
12331 + "%s request (opnum[%u]) %s schannel from "
12332 + "client_account[%s] client_computer_name[%s] %s\n",
12333 + opname, opnum, reason,
12334 + log_escape(frame, creds->account_name),
12335 + log_escape(frame, creds->computer_name),
12336 + nt_errstr(s->result)));
12337 + TALLOC_FREE(frame);
12338 + return s->result;
12339 }
12340
12341 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12342 - nt_status = NT_STATUS_OK;
12343 + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12344 + s->result = NT_STATUS_OK;
12345
12346 - if (explicit_opt != NULL && !schannel_required) {
12347 + if (s->schannel_explicitly_set && !s->schannel_required) {
12348 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
12349 - } else if (!schannel_required) {
12350 + } else if (!s->schannel_required) {
12351 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12352 }
12353
12354 @@ -911,9 +999,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12355 opname, opnum, reason,
12356 log_escape(frame, creds->account_name),
12357 log_escape(frame, creds->computer_name),
12358 - nt_errstr(nt_status)));
12359 -
12360 - if (explicit_opt != NULL && !schannel_required) {
12361 + nt_errstr(s->result)));
12362 + if (s->schannel_explicitly_set && !s->schannel_required) {
12363 DEBUG(CVE_2020_1472_warn_level, (
12364 "CVE-2020-1472(ZeroLogon): "
12365 "Option 'server require schannel:%s = no' not needed for '%s'!\n",
12366 @@ -922,13 +1009,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12367 }
12368
12369 TALLOC_FREE(frame);
12370 - return nt_status;
12371 + return s->result;
12372 }
12373
12374 - if (schannel_required) {
12375 - nt_status = NT_STATUS_ACCESS_DENIED;
12376 + if (s->schannel_required) {
12377 + s->result = NT_STATUS_ACCESS_DENIED;
12378
12379 - if (explicit_opt != NULL) {
12380 + if (s->schannel_explicitly_set) {
12381 dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12382 } else {
12383 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12384 @@ -941,8 +1028,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12385 opname, opnum, reason,
12386 log_escape(frame, creds->account_name),
12387 log_escape(frame, creds->computer_name),
12388 - nt_errstr(nt_status)));
12389 - if (explicit_opt != NULL) {
12390 + nt_errstr(s->result)));
12391 + if (s->schannel_explicitly_set) {
12392 D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
12393 "'server require schannel:%s = yes' "
12394 "rejects access for client.\n",
12395 @@ -955,12 +1042,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12396 log_escape(frame, creds->account_name)));
12397 }
12398 TALLOC_FREE(frame);
12399 - return nt_status;
12400 + return s->result;
12401 }
12402
12403 - nt_status = NT_STATUS_OK;
12404 + s->result = NT_STATUS_OK;
12405
12406 - if (explicit_opt != NULL) {
12407 + if (s->schannel_explicitly_set) {
12408 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12409 } else {
12410 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12411 @@ -973,9 +1060,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12412 opname, opnum, reason,
12413 log_escape(frame, creds->account_name),
12414 log_escape(frame, creds->computer_name),
12415 - nt_errstr(nt_status)));
12416 + nt_errstr(s->result)));
12417
12418 - if (explicit_opt != NULL) {
12419 + if (s->schannel_explicitly_set) {
12420 D_INFO("CVE-2020-1472(ZeroLogon): Option "
12421 "'server require schannel:%s = no' "
12422 "still needed for '%s'!\n",
12423 @@ -998,6 +1085,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12424 }
12425
12426 TALLOC_FREE(frame);
12427 + return s->result;
12428 +}
12429 +
12430 +static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
12431 + const struct netlogon_creds_CredentialState *creds,
12432 + enum dcerpc_AuthType auth_type,
12433 + enum dcerpc_AuthLevel auth_level,
12434 + uint16_t opnum)
12435 +{
12436 + struct dcesrv_netr_check_schannel_state *s = NULL;
12437 + NTSTATUS status;
12438 +
12439 + status = dcesrv_netr_check_schannel_get_state(dce_call,
12440 + creds,
12441 + auth_type,
12442 + auth_level,
12443 + &s);
12444 + if (!NT_STATUS_IS_OK(status)) {
12445 + return status;
12446 + }
12447 +
12448 + status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum);
12449 + if (!NT_STATUS_IS_OK(status)) {
12450 + return status;
12451 + }
12452 +
12453 return NT_STATUS_OK;
12454 }
12455
12456 --
12457 2.39.0
12458
12459
12460 From ef51add9def64d75f17b394924c238fffc81168f Mon Sep 17 00:00:00 2001
12461 From: Stefan Metzmacher <metze@samba.org>
12462 Date: Fri, 25 Nov 2022 14:05:30 +0100
12463 Subject: [PATCH 128/142] CVE-2022-38023 s4:rpc_server/netlogon: implement
12464 "server schannel require seal[:COMPUTERACCOUNT]"
12465
12466 By default we'll now require schannel connections with
12467 privacy/sealing/encryption.
12468
12469 But we allow exceptions for specific computer/trust accounts.
12470
12471 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12472
12473 Signed-off-by: Stefan Metzmacher <metze@samba.org>
12474 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12475 Reviewed-by: Ralph Boehme <slow@samba.org>
12476 (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
12477 ---
12478 selftest/target/Samba4.pm | 27 ++
12479 source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++-
12480 2 files changed, 270 insertions(+), 1 deletion(-)
12481
12482 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
12483 index aafb9ee14ca..c267b81d865 100755
12484 --- a/selftest/target/Samba4.pm
12485 +++ b/selftest/target/Samba4.pm
12486 @@ -1734,9 +1734,23 @@ sub provision_ad_dc_ntvfs($$)
12487 server require schannel:schannel10\$ = no
12488 server require schannel:schannel11\$ = no
12489 server require schannel:torturetest\$ = no
12490 + server schannel require seal:schannel0\$ = no
12491 + server schannel require seal:schannel1\$ = no
12492 + server schannel require seal:schannel2\$ = no
12493 + server schannel require seal:schannel3\$ = no
12494 + server schannel require seal:schannel4\$ = no
12495 + server schannel require seal:schannel5\$ = no
12496 + server schannel require seal:schannel6\$ = no
12497 + server schannel require seal:schannel7\$ = no
12498 + server schannel require seal:schannel8\$ = no
12499 + server schannel require seal:schannel9\$ = no
12500 + server schannel require seal:schannel10\$ = no
12501 + server schannel require seal:schannel11\$ = no
12502 + server schannel require seal:torturetest\$ = no
12503
12504 # needed for 'samba.tests.auth_log' tests
12505 server require schannel:LOCALDC\$ = no
12506 + server schannel require seal:LOCALDC\$ = no
12507 ";
12508 my $extra_provision_options = ["--use-ntvfs"];
12509 my $ret = $self->provision($prefix,
12510 @@ -2166,6 +2180,19 @@ sub provision_ad_dc($$$$$$)
12511 server require schannel:schannel10\$ = no
12512 server require schannel:schannel11\$ = no
12513 server require schannel:torturetest\$ = no
12514 + server schannel require seal:schannel0\$ = no
12515 + server schannel require seal:schannel1\$ = no
12516 + server schannel require seal:schannel2\$ = no
12517 + server schannel require seal:schannel3\$ = no
12518 + server schannel require seal:schannel4\$ = no
12519 + server schannel require seal:schannel5\$ = no
12520 + server schannel require seal:schannel6\$ = no
12521 + server schannel require seal:schannel7\$ = no
12522 + server schannel require seal:schannel8\$ = no
12523 + server schannel require seal:schannel9\$ = no
12524 + server schannel require seal:schannel10\$ = no
12525 + server schannel require seal:schannel11\$ = no
12526 + server schannel require seal:torturetest\$ = no
12527
12528 auth event notification = true
12529 dsdb event notification = true
12530 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12531 index 474d0806e6b..343cd53473c 100644
12532 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
12533 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
12534 @@ -65,9 +65,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
12535 bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
12536 int schannel = lpcfg_server_schannel(lp_ctx);
12537 bool schannel_global_required = (schannel == true);
12538 + bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
12539 static bool warned_global_nt4_once = false;
12540 static bool warned_global_md5_once = false;
12541 static bool warned_global_schannel_once = false;
12542 + static bool warned_global_seal_once = false;
12543
12544 if (global_allow_nt4_crypto && !warned_global_nt4_once) {
12545 /*
12546 @@ -99,6 +101,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
12547 warned_global_schannel_once = true;
12548 }
12549
12550 + if (!global_require_seal && !warned_global_seal_once) {
12551 + /*
12552 + * We want admins to notice their misconfiguration!
12553 + */
12554 + D_ERR("CVE-2022-38023 (and others): "
12555 + "Please configure 'server schannel require seal = yes' (the default), "
12556 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
12557 + warned_global_seal_once = true;
12558 + }
12559 +
12560 return dcesrv_interface_bind_reject_connect(context, iface);
12561 }
12562
12563 @@ -854,6 +866,10 @@ struct dcesrv_netr_check_schannel_state {
12564 bool schannel_required;
12565 bool schannel_explicitly_set;
12566
12567 + bool seal_global_required;
12568 + bool seal_required;
12569 + bool seal_explicitly_set;
12570 +
12571 NTSTATUS result;
12572 };
12573
12574 @@ -868,6 +884,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
12575 bool schannel_global_required = (schannel == true);
12576 bool schannel_required = schannel_global_required;
12577 const char *explicit_opt = NULL;
12578 + bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
12579 + bool require_seal = global_require_seal;
12580 + const char *explicit_seal_opt = NULL;
12581 #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
12582 struct dcesrv_netr_check_schannel_state *s = NULL;
12583 NTSTATUS status;
12584 @@ -905,6 +924,19 @@ new_state:
12585 s->auth_level = auth_level;
12586 s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
12587
12588 + /*
12589 + * We don't use lpcfg_parm_bool(), as we
12590 + * need the explicit_opt pointer in order to
12591 + * adjust the debug messages.
12592 + */
12593 + explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
12594 + NULL,
12595 + "server schannel require seal",
12596 + creds->account_name);
12597 + if (explicit_seal_opt != NULL) {
12598 + require_seal = lp_bool(explicit_seal_opt);
12599 + }
12600 +
12601 /*
12602 * We don't use lpcfg_parm_bool(), as we
12603 * need the explicit_opt pointer in order to
12604 @@ -922,6 +954,10 @@ new_state:
12605 s->schannel_required = schannel_required;
12606 s->schannel_explicitly_set = explicit_opt != NULL;
12607
12608 + s->seal_global_required = global_require_seal;
12609 + s->seal_required = require_seal;
12610 + s->seal_explicitly_set = explicit_seal_opt != NULL;
12611 +
12612 status = dcesrv_iface_state_store_conn(dce_call,
12613 DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
12614 s);
12615 @@ -943,6 +979,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12616 "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
12617 int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
12618 "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
12619 + int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
12620 + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
12621 + int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
12622 + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
12623 TALLOC_CTX *frame = talloc_stackframe();
12624 unsigned int dbg_lvl = DBGLVL_DEBUG;
12625 const char *opname = "<unknown>";
12626 @@ -972,18 +1012,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12627 }
12628
12629 DEBUG(dbg_lvl, (
12630 - "CVE-2020-1472(ZeroLogon): "
12631 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12632 + "%s request (opnum[%u]) %s schannel from "
12633 + "client_account[%s] client_computer_name[%s] %s\n",
12634 + opname, opnum, reason,
12635 + log_escape(frame, creds->account_name),
12636 + log_escape(frame, creds->computer_name),
12637 + nt_errstr(s->result)));
12638 + TALLOC_FREE(frame);
12639 + return s->result;
12640 + }
12641 +
12642 + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
12643 + s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
12644 + {
12645 + s->result = NT_STATUS_OK;
12646 +
12647 + if (s->schannel_explicitly_set && !s->schannel_required) {
12648 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
12649 + } else if (!s->schannel_required) {
12650 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12651 + }
12652 + if (s->seal_explicitly_set && !s->seal_required) {
12653 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
12654 + } else if (!s->seal_required) {
12655 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12656 + }
12657 +
12658 + DEBUG(dbg_lvl, (
12659 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12660 "%s request (opnum[%u]) %s schannel from "
12661 "client_account[%s] client_computer_name[%s] %s\n",
12662 opname, opnum, reason,
12663 log_escape(frame, creds->account_name),
12664 log_escape(frame, creds->computer_name),
12665 nt_errstr(s->result)));
12666 +
12667 + if (s->schannel_explicitly_set && !s->schannel_required) {
12668 + DEBUG(CVE_2020_1472_warn_level, (
12669 + "CVE-2020-1472(ZeroLogon): "
12670 + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
12671 + log_escape(frame, creds->account_name),
12672 + log_escape(frame, creds->computer_name)));
12673 + }
12674 +
12675 + if (s->seal_explicitly_set && !s->seal_required) {
12676 + DEBUG(CVE_2022_38023_warn_level, (
12677 + "CVE-2022-38023: "
12678 + "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
12679 + log_escape(frame, creds->account_name),
12680 + log_escape(frame, creds->computer_name)));
12681 + }
12682 +
12683 TALLOC_FREE(frame);
12684 return s->result;
12685 }
12686
12687 if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
12688 + if (s->seal_required) {
12689 + s->result = NT_STATUS_ACCESS_DENIED;
12690 +
12691 + if (s->seal_explicitly_set) {
12692 + dbg_lvl = DBGLVL_NOTICE;
12693 + } else {
12694 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12695 + }
12696 + if (s->schannel_explicitly_set && !s->schannel_required) {
12697 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
12698 + }
12699 +
12700 + DEBUG(dbg_lvl, (
12701 + "CVE-2022-38023: "
12702 + "%s request (opnum[%u]) %s schannel from "
12703 + "from client_account[%s] client_computer_name[%s] %s\n",
12704 + opname, opnum, reason,
12705 + log_escape(frame, creds->account_name),
12706 + log_escape(frame, creds->computer_name),
12707 + nt_errstr(s->result)));
12708 + if (s->seal_explicitly_set) {
12709 + D_NOTICE("CVE-2022-38023: Option "
12710 + "'server schannel require seal:%s = yes' "
12711 + "rejects access for client.\n",
12712 + log_escape(frame, creds->account_name));
12713 + } else {
12714 + DEBUG(CVE_2020_1472_error_level, (
12715 + "CVE-2022-38023: Check if option "
12716 + "'server schannel require seal:%s = no' "
12717 + "might be needed for a legacy client.\n",
12718 + log_escape(frame, creds->account_name)));
12719 + }
12720 + if (s->schannel_explicitly_set && !s->schannel_required) {
12721 + DEBUG(CVE_2020_1472_warn_level, (
12722 + "CVE-2020-1472(ZeroLogon): Option "
12723 + "'server require schannel:%s = no' "
12724 + "not needed for '%s'!\n",
12725 + log_escape(frame, creds->account_name),
12726 + log_escape(frame, creds->computer_name)));
12727 + }
12728 + TALLOC_FREE(frame);
12729 + return s->result;
12730 + }
12731 +
12732 s->result = NT_STATUS_OK;
12733
12734 if (s->schannel_explicitly_set && !s->schannel_required) {
12735 @@ -991,6 +1120,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12736 } else if (!s->schannel_required) {
12737 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12738 }
12739 + if (s->seal_explicitly_set && !s->seal_required) {
12740 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12741 + } else if (!s->seal_required) {
12742 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12743 + }
12744
12745 DEBUG(dbg_lvl, (
12746 "CVE-2020-1472(ZeroLogon): "
12747 @@ -1007,11 +1141,81 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12748 log_escape(frame, creds->account_name),
12749 log_escape(frame, creds->computer_name)));
12750 }
12751 + if (s->seal_explicitly_set && !s->seal_required) {
12752 + D_INFO("CVE-2022-38023: "
12753 + "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
12754 + log_escape(frame, creds->account_name),
12755 + log_escape(frame, creds->computer_name));
12756 + } else if (!s->seal_required) {
12757 + /*
12758 + * admins should set
12759 + * server schannel require seal:COMPUTER$ = no
12760 + * in order to avoid the level 0 messages.
12761 + * Over time they can switch the global value
12762 + * to be strict.
12763 + */
12764 + DEBUG(CVE_2022_38023_error_level, (
12765 + "CVE-2022-38023: "
12766 + "Please use 'server schannel require seal:%s = no' "
12767 + "for '%s' to avoid this warning!\n",
12768 + log_escape(frame, creds->account_name),
12769 + log_escape(frame, creds->computer_name)));
12770 + }
12771
12772 TALLOC_FREE(frame);
12773 return s->result;
12774 }
12775
12776 + if (s->seal_required) {
12777 + s->result = NT_STATUS_ACCESS_DENIED;
12778 +
12779 + if (s->seal_explicitly_set) {
12780 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12781 + } else {
12782 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12783 + }
12784 + if (!s->schannel_explicitly_set) {
12785 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12786 + } else if (s->schannel_required) {
12787 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
12788 + }
12789 +
12790 + DEBUG(dbg_lvl, (
12791 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12792 + "%s request (opnum[%u]) %s schannel from "
12793 + "from client_account[%s] client_computer_name[%s] %s\n",
12794 + opname, opnum, reason,
12795 + log_escape(frame, creds->account_name),
12796 + log_escape(frame, creds->computer_name),
12797 + nt_errstr(s->result)));
12798 + if (s->seal_explicitly_set) {
12799 + D_NOTICE("CVE-2022-38023: Option "
12800 + "'server schannel require seal:%s = yes' "
12801 + "rejects access for client.\n",
12802 + log_escape(frame, creds->account_name));
12803 + } else {
12804 + DEBUG(CVE_2022_38023_error_level, (
12805 + "CVE-2022-38023: Check if option "
12806 + "'server schannel require seal:%s = no' "
12807 + "might be needed for a legacy client.\n",
12808 + log_escape(frame, creds->account_name)));
12809 + }
12810 + if (!s->schannel_explicitly_set) {
12811 + DEBUG(CVE_2020_1472_error_level, (
12812 + "CVE-2020-1472(ZeroLogon): Check if option "
12813 + "'server require schannel:%s = no' "
12814 + "might be needed for a legacy client.\n",
12815 + log_escape(frame, creds->account_name)));
12816 + } else if (s->schannel_required) {
12817 + D_NOTICE("CVE-2022-38023: Option "
12818 + "'server require schannel:%s = yes' "
12819 + "also rejects access for client.\n",
12820 + log_escape(frame, creds->account_name));
12821 + }
12822 + TALLOC_FREE(frame);
12823 + return s->result;
12824 + }
12825 +
12826 if (s->schannel_required) {
12827 s->result = NT_STATUS_ACCESS_DENIED;
12828
12829 @@ -1020,6 +1224,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12830 } else {
12831 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
12832 }
12833 + if (!s->seal_explicitly_set) {
12834 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12835 + }
12836
12837 DEBUG(dbg_lvl, (
12838 "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
12839 @@ -1041,12 +1248,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12840 "might be needed for a legacy client.\n",
12841 log_escape(frame, creds->account_name)));
12842 }
12843 + if (!s->seal_explicitly_set) {
12844 + DEBUG(CVE_2022_38023_error_level, (
12845 + "CVE-2022-38023: Check if option "
12846 + "'server schannel require seal:%s = no' "
12847 + "might be needed for a legacy client.\n",
12848 + log_escape(frame, creds->account_name)));
12849 + }
12850 TALLOC_FREE(frame);
12851 return s->result;
12852 }
12853
12854 s->result = NT_STATUS_OK;
12855
12856 + if (s->seal_explicitly_set) {
12857 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12858 + } else {
12859 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
12860 + }
12861 +
12862 if (s->schannel_explicitly_set) {
12863 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
12864 } else {
12865 @@ -1062,6 +1282,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
12866 log_escape(frame, creds->computer_name),
12867 nt_errstr(s->result)));
12868
12869 + if (s->seal_explicitly_set) {
12870 + D_INFO("CVE-2022-38023: Option "
12871 + "'server schannel require seal:%s = no' "
12872 + "still needed for '%s'!\n",
12873 + log_escape(frame, creds->account_name),
12874 + log_escape(frame, creds->computer_name));
12875 + } else {
12876 + /*
12877 + * admins should set
12878 + * server schannel require seal:COMPUTER$ = no
12879 + * in order to avoid the level 0 messages.
12880 + * Over time they can switch the global value
12881 + * to be strict.
12882 + */
12883 + DEBUG(CVE_2022_38023_error_level, (
12884 + "CVE-2022-38023: Please use "
12885 + "'server schannel require seal:%s = no' "
12886 + "for '%s' to avoid this warning!\n",
12887 + log_escape(frame, creds->account_name),
12888 + log_escape(frame, creds->computer_name)));
12889 + }
12890 +
12891 if (s->schannel_explicitly_set) {
12892 D_INFO("CVE-2020-1472(ZeroLogon): Option "
12893 "'server require schannel:%s = no' "
12894 --
12895 2.39.0
12896
12897
12898 From fe38dc0186d3505db4c105f78dc46c2270c43240 Mon Sep 17 00:00:00 2001
12899 From: Stefan Metzmacher <metze@samba.org>
12900 Date: Wed, 30 Nov 2022 15:13:47 +0100
12901 Subject: [PATCH 129/142] CVE-2022-38023 testparm: warn about server/client
12902 schannel != yes
12903
12904 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12905
12906 Signed-off-by: Stefan Metzmacher <metze@samba.org>
12907 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12908 Reviewed-by: Ralph Boehme <slow@samba.org>
12909 (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
12910 ---
12911 source3/utils/testparm.c | 21 +++++++++++++++++++++
12912 1 file changed, 21 insertions(+)
12913
12914 diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
12915 index c673ef71a92..aa990b729d7 100644
12916 --- a/source3/utils/testparm.c
12917 +++ b/source3/utils/testparm.c
12918 @@ -522,6 +522,27 @@ static int do_global_checks(void)
12919 ret = 1;
12920 }
12921
12922 + if (lp_server_schannel() != true) { /* can be 'auto' */
12923 + fprintf(stderr,
12924 + "WARNING: You have not configured "
12925 + "'server schannel = yes' (the default). "
12926 + "Your server is vulernable to \"ZeroLogon\" "
12927 + "(CVE-2020-1472)\n"
12928 + "If required use individual "
12929 + "'server require schannel:COMPUTERACCOUNT$ = no' "
12930 + "options\n\n");
12931 + }
12932 + if (lp_client_schannel() != true) { /* can be 'auto' */
12933 + fprintf(stderr,
12934 + "WARNING: You have not configured "
12935 + "'client schannel = yes' (the default). "
12936 + "Your server is vulernable to \"ZeroLogon\" "
12937 + "(CVE-2020-1472)\n"
12938 + "If required use individual "
12939 + "'client schannel:NETBIOSDOMAIN = no' "
12940 + "options\n\n");
12941 + }
12942 +
12943 return ret;
12944 }
12945
12946 --
12947 2.39.0
12948
12949
12950 From c870a61377d0245a3fd25f5d5c8663d965fe469a Mon Sep 17 00:00:00 2001
12951 From: Stefan Metzmacher <metze@samba.org>
12952 Date: Tue, 6 Dec 2022 13:36:17 +0100
12953 Subject: [PATCH 130/142] CVE-2022-38023 testparm: warn about unsecure schannel
12954 related options
12955
12956 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
12957
12958 Signed-off-by: Stefan Metzmacher <metze@samba.org>
12959 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
12960 Reviewed-by: Ralph Boehme <slow@samba.org>
12961 (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
12962 ---
12963 source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++
12964 1 file changed, 61 insertions(+)
12965
12966 diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
12967 index aa990b729d7..f9253d323aa 100644
12968 --- a/source3/utils/testparm.c
12969 +++ b/source3/utils/testparm.c
12970 @@ -532,6 +532,37 @@ static int do_global_checks(void)
12971 "'server require schannel:COMPUTERACCOUNT$ = no' "
12972 "options\n\n");
12973 }
12974 + if (lp_allow_nt4_crypto()) {
12975 + fprintf(stderr,
12976 + "WARNING: You have not configured "
12977 + "'allow nt4 crypto = no' (the default). "
12978 + "Your server is vulernable to "
12979 + "CVE-2022-38023 and others!\n"
12980 + "If required use individual "
12981 + "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
12982 + "options\n\n");
12983 + }
12984 + if (!lp_reject_md5_clients()) {
12985 + fprintf(stderr,
12986 + "WARNING: You have not configured "
12987 + "'reject md5 clients = yes' (the default). "
12988 + "Your server is vulernable to "
12989 + "CVE-2022-38023!\n"
12990 + "If required use individual "
12991 + "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
12992 + "options\n\n");
12993 + }
12994 + if (!lp_server_schannel_require_seal()) {
12995 + fprintf(stderr,
12996 + "WARNING: You have not configured "
12997 + "'server schannel require seal = yes' (the default). "
12998 + "Your server is vulernable to "
12999 + "CVE-2022-38023!\n"
13000 + "If required use individual "
13001 + "'server schannel require seal:COMPUTERACCOUNT$ = no' "
13002 + "options\n\n");
13003 + }
13004 +
13005 if (lp_client_schannel() != true) { /* can be 'auto' */
13006 fprintf(stderr,
13007 "WARNING: You have not configured "
13008 @@ -542,6 +573,36 @@ static int do_global_checks(void)
13009 "'client schannel:NETBIOSDOMAIN = no' "
13010 "options\n\n");
13011 }
13012 + if (!lp_reject_md5_servers()) {
13013 + fprintf(stderr,
13014 + "WARNING: You have not configured "
13015 + "'reject md5 servers = yes' (the default). "
13016 + "Your server is vulernable to "
13017 + "CVE-2022-38023\n"
13018 + "If required use individual "
13019 + "'reject md5 servers:NETBIOSDOMAIN = no' "
13020 + "options\n\n");
13021 + }
13022 + if (!lp_require_strong_key()) {
13023 + fprintf(stderr,
13024 + "WARNING: You have not configured "
13025 + "'require strong key = yes' (the default). "
13026 + "Your server is vulernable to "
13027 + "CVE-2022-38023\n"
13028 + "If required use individual "
13029 + "'require strong key:NETBIOSDOMAIN = no' "
13030 + "options\n\n");
13031 + }
13032 + if (!lp_winbind_sealed_pipes()) {
13033 + fprintf(stderr,
13034 + "WARNING: You have not configured "
13035 + "'winbind sealed pipes = yes' (the default). "
13036 + "Your server is vulernable to "
13037 + "CVE-2022-38023\n"
13038 + "If required use individual "
13039 + "'winbind sealed pipes:NETBIOSDOMAIN = no' "
13040 + "options\n\n");
13041 + }
13042
13043 return ret;
13044 }
13045 --
13046 2.39.0
13047
13048
13049 From 938168a5f7c3225562ed772bf8a9bbecc0badb62 Mon Sep 17 00:00:00 2001
13050 From: Andreas Schneider <asn@samba.org>
13051 Date: Mon, 12 Sep 2022 16:31:05 +0200
13052 Subject: [PATCH 131/142] s3:auth: Flush the GETPWSID in memory cache for NTLM
13053 auth
13054
13055 Example valgrind output:
13056
13057 ==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
13058 ==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
13059 ==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
13060 ==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
13061 ==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
13062 ==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
13063 ==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
13064 ==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
13065 ==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
13066 ==22502== by 0x14E464: ??? (in /usr/sbin/winbindd)
13067 ==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
13068 ==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
13069 ==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd)
13070 ==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
13071 ==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
13072 ==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
13073 ==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
13074 ==22502== by 0x16A243: ??? (in /usr/sbin/winbindd)
13075 ==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd)
13076 ==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
13077 ==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
13078 ==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
13079 ==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
13080 ==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
13081 ==22502== by 0x12F4C7: main (in /usr/sbin/winbindd)
13082
13083 You can find one for each string in pdb_copy_sam_account(), in total
13084 this already has 67 MB in total for this valgrind run.
13085
13086 pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
13087
13088 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
13089
13090 Signed-off-by: Andreas Schneider <asn@samba.org>
13091 Reviewed-by: Jeremy Allison <jra@samba.org>
13092
13093 Autobuild-User(master): Jeremy Allison <jra@samba.org>
13094 Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
13095
13096 (cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903)
13097 ---
13098 source3/auth/check_samsec.c | 8 ++++++--
13099 1 file changed, 6 insertions(+), 2 deletions(-)
13100
13101 diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
13102 index 53b6da53dc1..4276c3060ed 100644
13103 --- a/source3/auth/check_samsec.c
13104 +++ b/source3/auth/check_samsec.c
13105 @@ -24,6 +24,7 @@
13106 #include "auth.h"
13107 #include "../libcli/auth/libcli_auth.h"
13108 #include "passdb.h"
13109 +#include "lib/util/memcache.h"
13110
13111 #undef DBGC_CLASS
13112 #define DBGC_CLASS DBGC_AUTH
13113 @@ -487,8 +488,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
13114 nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
13115 unbecome_root();
13116
13117 - TALLOC_FREE(sampass);
13118 -
13119 if (!NT_STATUS_IS_OK(nt_status)) {
13120 DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
13121 goto done;
13122 @@ -507,6 +506,11 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
13123 (*server_info)->nss_token |= user_info->was_mapped;
13124
13125 done:
13126 + /*
13127 + * Always flush the getpwsid cache or this will grow indefinetly for
13128 + * each NTLM auththentication.
13129 + */
13130 + memcache_flush(NULL, PDB_GETPWSID_CACHE);
13131 TALLOC_FREE(sampass);
13132 data_blob_free(&user_sess_key);
13133 data_blob_free(&lm_sess_key);
13134 --
13135 2.39.0
13136
13137
13138 From 296612a8c1dda253e1f2c0618f1f8330e2e23b34 Mon Sep 17 00:00:00 2001
13139 From: Samuel Cabrero <scabrero@suse.de>
13140 Date: Thu, 22 Dec 2022 16:46:15 +0100
13141 Subject: [PATCH 132/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
13142 schannel = auto'
13143
13144 Instead of using the generic deprecated option use the specific
13145 server require schannel:COMPUTERACCOUNT = no in order to allow
13146 legacy tests for pass.
13147
13148 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13149
13150 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13151 Reviewed-by: Andreas Schneider <asn@samba.org>
13152 (cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc)
13153 ---
13154 selftest/target/Samba3.pm | 17 ++++++++++++++++-
13155 1 file changed, 16 insertions(+), 1 deletion(-)
13156
13157 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
13158 index 7034127ef0b..0c14f02be11 100755
13159 --- a/selftest/target/Samba3.pm
13160 +++ b/selftest/target/Samba3.pm
13161 @@ -199,7 +199,6 @@ sub setup_nt4_dc
13162 lanman auth = yes
13163 ntlm auth = yes
13164 raw NTLMv2 auth = yes
13165 - server schannel = auto
13166
13167 rpc_server:epmapper = external
13168 rpc_server:spoolss = external
13169 @@ -213,6 +212,22 @@ sub setup_nt4_dc
13170 rpc_daemon:spoolssd = fork
13171 rpc_daemon:lsasd = fork
13172 rpc_daemon:fssd = fork
13173 +
13174 + CVE_2020_1472:warn_about_unused_debug_level = 3
13175 + server require schannel:schannel0\$ = no
13176 + server require schannel:schannel1\$ = no
13177 + server require schannel:schannel2\$ = no
13178 + server require schannel:schannel3\$ = no
13179 + server require schannel:schannel4\$ = no
13180 + server require schannel:schannel5\$ = no
13181 + server require schannel:schannel6\$ = no
13182 + server require schannel:schannel7\$ = no
13183 + server require schannel:schannel8\$ = no
13184 + server require schannel:schannel9\$ = no
13185 + server require schannel:schannel10\$ = no
13186 + server require schannel:schannel11\$ = no
13187 + server require schannel:torturetest\$ = no
13188 +
13189 fss: sequence timeout = 1
13190 check parent directory delete on close = yes
13191 ";
13192 --
13193 2.39.0
13194
13195
13196 From 1a90fc7cbc4054f9815ffaca710b5bdba0dffd6f Mon Sep 17 00:00:00 2001
13197 From: Samuel Cabrero <scabrero@suse.de>
13198 Date: Thu, 22 Dec 2022 11:33:12 +0100
13199 Subject: [PATCH 133/142] CVE-2022-38023 s3:rpc_server/netlogon: add
13200 talloc_stackframe() to dcesrv_netr_creds_server_step_check()
13201
13202 This will simplify the following changes.
13203
13204 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13205
13206 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13207 ---
13208 source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++---------
13209 1 file changed, 22 insertions(+), 16 deletions(-)
13210
13211 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13212 index 7f6704adbda..f9b674d0052 100644
13213 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13214 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13215 @@ -1071,6 +1071,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13216 struct netr_Authenticator *return_authenticator,
13217 struct netlogon_creds_CredentialState **creds_out)
13218 {
13219 + TALLOC_CTX *frame = talloc_stackframe();
13220 NTSTATUS status;
13221 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13222 bool schannel_required = schannel_global_required;
13223 @@ -1092,19 +1093,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13224
13225 auth_type = p->auth.auth_type;
13226
13227 - lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
13228 + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13229 if (lp_ctx == NULL) {
13230 DEBUG(0, ("loadparm_init_s3 failed\n"));
13231 + TALLOC_FREE(frame);
13232 return NT_STATUS_INTERNAL_ERROR;
13233 }
13234
13235 status = schannel_check_creds_state(mem_ctx, lp_ctx,
13236 computer_name, received_authenticator,
13237 return_authenticator, &creds);
13238 - talloc_unlink(mem_ctx, lp_ctx);
13239 -
13240 if (!NT_STATUS_IS_OK(status)) {
13241 ZERO_STRUCTP(return_authenticator);
13242 + TALLOC_FREE(frame);
13243 return status;
13244 }
13245
13246 @@ -1125,6 +1126,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13247 if (schannel_required) {
13248 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13249 *creds_out = creds;
13250 + TALLOC_FREE(frame);
13251 return NT_STATUS_OK;
13252 }
13253
13254 @@ -1132,13 +1134,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13255 "%s request (opnum[%u]) without schannel from "
13256 "client_account[%s] client_computer_name[%s]\n",
13257 opname, opnum,
13258 - log_escape(mem_ctx, creds->account_name),
13259 - log_escape(mem_ctx, creds->computer_name));
13260 + log_escape(frame, creds->account_name),
13261 + log_escape(frame, creds->computer_name));
13262 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13263 - "'server require schannel:%s = no' is needed! \n",
13264 - log_escape(mem_ctx, creds->account_name));
13265 + "'server require schannel:%s = no' "
13266 + "might be needed for a legacy client.\n",
13267 + log_escape(frame, creds->account_name));
13268 TALLOC_FREE(creds);
13269 ZERO_STRUCTP(return_authenticator);
13270 + TALLOC_FREE(frame);
13271 return NT_STATUS_ACCESS_DENIED;
13272 }
13273
13274 @@ -1157,13 +1161,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13275 "%s request (opnum[%u]) WITH schannel from "
13276 "client_account[%s] client_computer_name[%s]\n",
13277 opname, opnum,
13278 - log_escape(mem_ctx, creds->account_name),
13279 - log_escape(mem_ctx, creds->computer_name));
13280 + log_escape(frame, creds->account_name),
13281 + log_escape(frame, creds->computer_name));
13282 DBG_ERR("CVE-2020-1472(ZeroLogon): "
13283 "Option 'server require schannel:%s = no' not needed!?\n",
13284 - log_escape(mem_ctx, creds->account_name));
13285 + log_escape(frame, creds->account_name));
13286
13287 *creds_out = creds;
13288 + TALLOC_FREE(frame);
13289 return NT_STATUS_OK;
13290 }
13291
13292 @@ -1172,24 +1177,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13293 "%s request (opnum[%u]) without schannel from "
13294 "client_account[%s] client_computer_name[%s]\n",
13295 opname, opnum,
13296 - log_escape(mem_ctx, creds->account_name),
13297 - log_escape(mem_ctx, creds->computer_name));
13298 + log_escape(frame, creds->account_name),
13299 + log_escape(frame, creds->computer_name));
13300 DBG_INFO("CVE-2020-1472(ZeroLogon): "
13301 "Option 'server require schannel:%s = no' still needed!\n",
13302 - log_escape(mem_ctx, creds->account_name));
13303 + log_escape(frame, creds->account_name));
13304 } else {
13305 DBG_ERR("CVE-2020-1472(ZeroLogon): "
13306 "%s request (opnum[%u]) without schannel from "
13307 "client_account[%s] client_computer_name[%s]\n",
13308 opname, opnum,
13309 - log_escape(mem_ctx, creds->account_name),
13310 - log_escape(mem_ctx, creds->computer_name));
13311 + log_escape(frame, creds->account_name),
13312 + log_escape(frame, creds->computer_name));
13313 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13314 "'server require schannel:%s = no' might be needed!\n",
13315 - log_escape(mem_ctx, creds->account_name));
13316 + log_escape(frame, creds->account_name));
13317 }
13318
13319 *creds_out = creds;
13320 + TALLOC_FREE(frame);
13321 return NT_STATUS_OK;
13322 }
13323
13324 --
13325 2.39.0
13326
13327
13328 From d3e503e670501186fcce9702b72cda3b03afc0cf Mon Sep 17 00:00:00 2001
13329 From: Samuel Cabrero <scabrero@suse.de>
13330 Date: Wed, 21 Dec 2022 18:17:57 +0100
13331 Subject: [PATCH 134/142] CVE-2022-38023 s3:rpc_server/netlogon: re-order
13332 checking in netr_creds_server_step_check()
13333
13334 This will simplify the following changes.
13335
13336 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13337
13338 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13339 ---
13340 source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++-----------
13341 1 file changed, 19 insertions(+), 21 deletions(-)
13342
13343 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13344 index f9b674d0052..b42794eea8d 100644
13345 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13346 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13347 @@ -1123,13 +1123,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13348 schannel_required = lp_bool(explicit_opt);
13349 }
13350
13351 - if (schannel_required) {
13352 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13353 - *creds_out = creds;
13354 - TALLOC_FREE(frame);
13355 - return NT_STATUS_OK;
13356 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13357 + if (!schannel_required) {
13358 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
13359 + "%s request (opnum[%u]) WITH schannel from "
13360 + "client_account[%s] client_computer_name[%s]\n",
13361 + opname, opnum,
13362 + log_escape(frame, creds->account_name),
13363 + log_escape(frame, creds->computer_name));
13364 + }
13365 + if (explicit_opt != NULL && !schannel_required) {
13366 + DBG_ERR("CVE-2020-1472(ZeroLogon): "
13367 + "Option 'server require schannel:%s = no' not needed!?\n",
13368 + log_escape(frame, creds->account_name));
13369 }
13370
13371 + *creds_out = creds;
13372 + TALLOC_FREE(frame);
13373 + return NT_STATUS_OK;
13374 + }
13375 +
13376 + if (schannel_required) {
13377 DBG_ERR("CVE-2020-1472(ZeroLogon): "
13378 "%s request (opnum[%u]) without schannel from "
13379 "client_account[%s] client_computer_name[%s]\n",
13380 @@ -1156,22 +1170,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13381 warned_global_once = true;
13382 }
13383
13384 - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13385 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13386 - "%s request (opnum[%u]) WITH schannel from "
13387 - "client_account[%s] client_computer_name[%s]\n",
13388 - opname, opnum,
13389 - log_escape(frame, creds->account_name),
13390 - log_escape(frame, creds->computer_name));
13391 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13392 - "Option 'server require schannel:%s = no' not needed!?\n",
13393 - log_escape(frame, creds->account_name));
13394 -
13395 - *creds_out = creds;
13396 - TALLOC_FREE(frame);
13397 - return NT_STATUS_OK;
13398 - }
13399 -
13400 if (explicit_opt != NULL) {
13401 DBG_INFO("CVE-2020-1472(ZeroLogon): "
13402 "%s request (opnum[%u]) without schannel from "
13403 --
13404 2.39.0
13405
13406
13407 From 44de3ae0d4b6f1a728124429dfc748c538714a05 Mon Sep 17 00:00:00 2001
13408 From: Samuel Cabrero <scabrero@suse.de>
13409 Date: Thu, 22 Dec 2022 11:35:57 +0100
13410 Subject: [PATCH 135/142] CVE-2022-38023 s3:rpc_server/netlogon: improve
13411 CVE-2020-1472(ZeroLogon) debug messages
13412
13413 In order to avoid generating useless debug messages during make test,
13414 we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
13415 and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
13416
13417 Review with: git show -w
13418
13419 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13420
13421 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13422 ---
13423 source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------
13424 1 file changed, 109 insertions(+), 40 deletions(-)
13425
13426 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13427 index b42794eea8d..1d261c9a639 100644
13428 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13429 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13430 @@ -1078,9 +1078,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13431 const char *explicit_opt = NULL;
13432 struct loadparm_context *lp_ctx;
13433 struct netlogon_creds_CredentialState *creds = NULL;
13434 + int CVE_2020_1472_warn_level = DBGLVL_ERR;
13435 + int CVE_2020_1472_error_level = DBGLVL_ERR;
13436 + unsigned int dbg_lvl = DBGLVL_DEBUG;
13437 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13438 + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13439 uint16_t opnum = p->opnum;
13440 const char *opname = "<unknown>";
13441 + const char *reason = "<unknown>";
13442 static bool warned_global_once = false;
13443
13444 if (creds_out != NULL) {
13445 @@ -1092,6 +1097,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13446 }
13447
13448 auth_type = p->auth.auth_type;
13449 + auth_level = p->auth.auth_level;
13450
13451 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13452 if (lp_ctx == NULL) {
13453 @@ -1100,6 +1106,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13454 return NT_STATUS_INTERNAL_ERROR;
13455 }
13456
13457 + CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
13458 + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13459 + CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
13460 + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13461 +
13462 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13463 + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
13464 + reason = "WITH SEALED";
13465 + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
13466 + reason = "WITH SIGNED";
13467 + } else {
13468 + smb_panic("Schannel without SIGN/SEAL");
13469 + }
13470 + } else {
13471 + reason = "WITHOUT";
13472 + }
13473 +
13474 status = schannel_check_creds_state(mem_ctx, lp_ctx,
13475 computer_name, received_authenticator,
13476 return_authenticator, &creds);
13477 @@ -1124,40 +1147,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13478 }
13479
13480 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13481 - if (!schannel_required) {
13482 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13483 - "%s request (opnum[%u]) WITH schannel from "
13484 - "client_account[%s] client_computer_name[%s]\n",
13485 - opname, opnum,
13486 - log_escape(frame, creds->account_name),
13487 - log_escape(frame, creds->computer_name));
13488 + status = NT_STATUS_OK;
13489 +
13490 + if (explicit_opt != NULL && !schannel_required) {
13491 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
13492 + } else if (!schannel_required) {
13493 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
13494 }
13495 +
13496 + DEBUG(dbg_lvl, (
13497 + "CVE-2020-1472(ZeroLogon): "
13498 + "%s request (opnum[%u]) %s schannel from "
13499 + "client_account[%s] client_computer_name[%s] %s\n",
13500 + opname, opnum, reason,
13501 + log_escape(frame, creds->account_name),
13502 + log_escape(frame, creds->computer_name),
13503 + nt_errstr(status)));
13504 +
13505 if (explicit_opt != NULL && !schannel_required) {
13506 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13507 - "Option 'server require schannel:%s = no' not needed!?\n",
13508 - log_escape(frame, creds->account_name));
13509 + DEBUG(CVE_2020_1472_warn_level, (
13510 + "CVE-2020-1472(ZeroLogon): "
13511 + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
13512 + log_escape(frame, creds->account_name),
13513 + log_escape(frame, creds->computer_name)));
13514 }
13515
13516 *creds_out = creds;
13517 TALLOC_FREE(frame);
13518 - return NT_STATUS_OK;
13519 + return status;
13520 }
13521
13522 if (schannel_required) {
13523 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13524 - "%s request (opnum[%u]) without schannel from "
13525 - "client_account[%s] client_computer_name[%s]\n",
13526 - opname, opnum,
13527 - log_escape(frame, creds->account_name),
13528 - log_escape(frame, creds->computer_name));
13529 - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13530 - "'server require schannel:%s = no' "
13531 - "might be needed for a legacy client.\n",
13532 - log_escape(frame, creds->account_name));
13533 + status = NT_STATUS_ACCESS_DENIED;
13534 +
13535 + if (explicit_opt != NULL) {
13536 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
13537 + } else {
13538 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
13539 + }
13540 +
13541 + DEBUG(dbg_lvl, (
13542 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
13543 + "%s request (opnum[%u]) %s schannel from "
13544 + "client_account[%s] client_computer_name[%s] %s\n",
13545 + opname, opnum, reason,
13546 + log_escape(frame, creds->account_name),
13547 + log_escape(frame, creds->computer_name),
13548 + nt_errstr(status)));
13549 + if (explicit_opt != NULL) {
13550 + D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
13551 + "'server require schannel:%s = yes' "
13552 + "rejects access for client.\n",
13553 + log_escape(frame, creds->account_name));
13554 + } else {
13555 + DEBUG(CVE_2020_1472_error_level, (
13556 + "CVE-2020-1472(ZeroLogon): Check if option "
13557 + "'server require schannel:%s = no' "
13558 + "might be needed for a legacy client.\n",
13559 + log_escape(frame, creds->account_name)));
13560 + }
13561 TALLOC_FREE(creds);
13562 ZERO_STRUCTP(return_authenticator);
13563 TALLOC_FREE(frame);
13564 - return NT_STATUS_ACCESS_DENIED;
13565 + return status;
13566 }
13567
13568 if (!schannel_global_required && !warned_global_once) {
13569 @@ -1170,26 +1222,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13570 warned_global_once = true;
13571 }
13572
13573 + status = NT_STATUS_OK;
13574 +
13575 if (explicit_opt != NULL) {
13576 - DBG_INFO("CVE-2020-1472(ZeroLogon): "
13577 - "%s request (opnum[%u]) without schannel from "
13578 - "client_account[%s] client_computer_name[%s]\n",
13579 - opname, opnum,
13580 - log_escape(frame, creds->account_name),
13581 - log_escape(frame, creds->computer_name));
13582 - DBG_INFO("CVE-2020-1472(ZeroLogon): "
13583 - "Option 'server require schannel:%s = no' still needed!\n",
13584 - log_escape(frame, creds->account_name));
13585 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
13586 } else {
13587 - DBG_ERR("CVE-2020-1472(ZeroLogon): "
13588 - "%s request (opnum[%u]) without schannel from "
13589 - "client_account[%s] client_computer_name[%s]\n",
13590 - opname, opnum,
13591 - log_escape(frame, creds->account_name),
13592 - log_escape(frame, creds->computer_name));
13593 - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
13594 - "'server require schannel:%s = no' might be needed!\n",
13595 - log_escape(frame, creds->account_name));
13596 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
13597 + }
13598 +
13599 + DEBUG(dbg_lvl, (
13600 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
13601 + "%s request (opnum[%u]) %s schannel from "
13602 + "client_account[%s] client_computer_name[%s] %s\n",
13603 + opname, opnum, reason,
13604 + log_escape(frame, creds->account_name),
13605 + log_escape(frame, creds->computer_name),
13606 + nt_errstr(status)));
13607 +
13608 + if (explicit_opt != NULL) {
13609 + D_INFO("CVE-2020-1472(ZeroLogon): Option "
13610 + "'server require schannel:%s = no' "
13611 + "still needed for '%s'!\n",
13612 + log_escape(frame, creds->account_name),
13613 + log_escape(frame, creds->computer_name));
13614 + } else {
13615 + /*
13616 + * admins should set
13617 + * server require schannel:COMPUTER$ = no
13618 + * in order to avoid the level 0 messages.
13619 + * Over time they can switch the global value
13620 + * to be strict.
13621 + */
13622 + DEBUG(CVE_2020_1472_error_level, (
13623 + "CVE-2020-1472(ZeroLogon): "
13624 + "Please use 'server require schannel:%s = no' "
13625 + "for '%s' to avoid this warning!\n",
13626 + log_escape(frame, creds->account_name),
13627 + log_escape(frame, creds->computer_name)));
13628 }
13629
13630 *creds_out = creds;
13631 --
13632 2.39.0
13633
13634
13635 From 7e0bfe3db2b4d274b3bf2e5f011ae8207ce6f4ab Mon Sep 17 00:00:00 2001
13636 From: Samuel Cabrero <scabrero@suse.de>
13637 Date: Wed, 21 Dec 2022 18:37:05 +0100
13638 Subject: [PATCH 136/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
13639 schannel = auto'
13640
13641 Instead of using the generic deprecated option use the specific
13642 server require schannel:COMPUTERACCOUNT = no in order to allow
13643 legacy tests for pass.
13644
13645 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13646
13647 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13648 ---
13649 selftest/target/Samba3.pm | 21 ++++++++++++++++++---
13650 1 file changed, 18 insertions(+), 3 deletions(-)
13651
13652 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
13653 index 0c14f02be11..e8a4c3bbbb6 100755
13654 --- a/selftest/target/Samba3.pm
13655 +++ b/selftest/target/Samba3.pm
13656 @@ -140,7 +140,7 @@ sub getlog_env_app($$$)
13657 close(LOG);
13658
13659 return "" if $out eq $title;
13660 -
13661 +
13662 return $out;
13663 }
13664
13665 @@ -200,6 +200,21 @@ sub setup_nt4_dc
13666 ntlm auth = yes
13667 raw NTLMv2 auth = yes
13668
13669 + CVE_2020_1472:warn_about_unused_debug_level = 3
13670 + server require schannel:schannel0\$ = no
13671 + server require schannel:schannel1\$ = no
13672 + server require schannel:schannel2\$ = no
13673 + server require schannel:schannel3\$ = no
13674 + server require schannel:schannel4\$ = no
13675 + server require schannel:schannel5\$ = no
13676 + server require schannel:schannel6\$ = no
13677 + server require schannel:schannel7\$ = no
13678 + server require schannel:schannel8\$ = no
13679 + server require schannel:schannel9\$ = no
13680 + server require schannel:schannel10\$ = no
13681 + server require schannel:schannel11\$ = no
13682 + server require schannel:torturetest\$ = no
13683 +
13684 rpc_server:epmapper = external
13685 rpc_server:spoolss = external
13686 rpc_server:lsarpc = external
13687 @@ -1588,7 +1603,7 @@ sub provision($$$$$$$$$)
13688 my $nmbdsockdir="$prefix_abs/nmbd";
13689 unlink($nmbdsockdir);
13690
13691 - ##
13692 + ##
13693 ## create the test directory layout
13694 ##
13695 die ("prefix_abs = ''") if $prefix_abs eq "";
13696 @@ -2393,7 +2408,7 @@ sub provision($$$$$$$$$)
13697 unless (open(PASSWD, ">$nss_wrapper_passwd")) {
13698 warn("Unable to open $nss_wrapper_passwd");
13699 return undef;
13700 - }
13701 + }
13702 print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
13703 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
13704 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
13705 --
13706 2.39.0
13707
13708
13709 From 340bdcc92d979eb67d67e2a2d8056f939a011f37 Mon Sep 17 00:00:00 2001
13710 From: Samuel Cabrero <scabrero@suse.de>
13711 Date: Thu, 22 Dec 2022 11:42:51 +0100
13712 Subject: [PATCH 137/142] CVE-2022-38023 s3:rpc_server/netlogon: split out
13713 netr_check_schannel() function
13714
13715 This will allow us to reuse the function in other places.
13716 As it will also get some additional checks soon.
13717
13718 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13719
13720 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13721 ---
13722 source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++--------
13723 1 file changed, 62 insertions(+), 45 deletions(-)
13724
13725 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13726 index 1d261c9a639..eb364eaf29a 100644
13727 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13728 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13729 @@ -1064,53 +1064,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
13730 /*************************************************************************
13731 *************************************************************************/
13732
13733 -static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13734 - TALLOC_CTX *mem_ctx,
13735 - const char *computer_name,
13736 - struct netr_Authenticator *received_authenticator,
13737 - struct netr_Authenticator *return_authenticator,
13738 - struct netlogon_creds_CredentialState **creds_out)
13739 +static NTSTATUS netr_check_schannel(struct pipes_struct *p,
13740 + const struct netlogon_creds_CredentialState *creds,
13741 + enum dcerpc_AuthType auth_type,
13742 + enum dcerpc_AuthLevel auth_level,
13743 + uint16_t opnum)
13744 {
13745 TALLOC_CTX *frame = talloc_stackframe();
13746 NTSTATUS status;
13747 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13748 bool schannel_required = schannel_global_required;
13749 const char *explicit_opt = NULL;
13750 - struct loadparm_context *lp_ctx;
13751 - struct netlogon_creds_CredentialState *creds = NULL;
13752 - int CVE_2020_1472_warn_level = DBGLVL_ERR;
13753 - int CVE_2020_1472_error_level = DBGLVL_ERR;
13754 + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
13755 + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13756 + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
13757 + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13758 unsigned int dbg_lvl = DBGLVL_DEBUG;
13759 - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13760 - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13761 - uint16_t opnum = p->opnum;
13762 const char *opname = "<unknown>";
13763 const char *reason = "<unknown>";
13764 static bool warned_global_once = false;
13765
13766 - if (creds_out != NULL) {
13767 - *creds_out = NULL;
13768 - }
13769 -
13770 if (opnum < ndr_table_netlogon.num_calls) {
13771 opname = ndr_table_netlogon.calls[opnum].name;
13772 }
13773
13774 - auth_type = p->auth.auth_type;
13775 - auth_level = p->auth.auth_level;
13776 -
13777 - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
13778 - if (lp_ctx == NULL) {
13779 - DEBUG(0, ("loadparm_init_s3 failed\n"));
13780 - TALLOC_FREE(frame);
13781 - return NT_STATUS_INTERNAL_ERROR;
13782 - }
13783 -
13784 - CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
13785 - "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
13786 - CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
13787 - "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
13788 -
13789 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
13790 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
13791 reason = "WITH SEALED";
13792 @@ -1123,15 +1100,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13793 reason = "WITHOUT";
13794 }
13795
13796 - status = schannel_check_creds_state(mem_ctx, lp_ctx,
13797 - computer_name, received_authenticator,
13798 - return_authenticator, &creds);
13799 - if (!NT_STATUS_IS_OK(status)) {
13800 - ZERO_STRUCTP(return_authenticator);
13801 - TALLOC_FREE(frame);
13802 - return status;
13803 - }
13804 -
13805 /*
13806 * We don't use lp_parm_bool(), as we
13807 * need the explicit_opt pointer in order to
13808 @@ -1172,7 +1140,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13809 log_escape(frame, creds->computer_name)));
13810 }
13811
13812 - *creds_out = creds;
13813 TALLOC_FREE(frame);
13814 return status;
13815 }
13816 @@ -1206,8 +1173,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13817 "might be needed for a legacy client.\n",
13818 log_escape(frame, creds->account_name)));
13819 }
13820 - TALLOC_FREE(creds);
13821 - ZERO_STRUCTP(return_authenticator);
13822 TALLOC_FREE(frame);
13823 return status;
13824 }
13825 @@ -1261,11 +1226,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13826 log_escape(frame, creds->computer_name)));
13827 }
13828
13829 - *creds_out = creds;
13830 TALLOC_FREE(frame);
13831 return NT_STATUS_OK;
13832 }
13833
13834 +static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
13835 + TALLOC_CTX *mem_ctx,
13836 + const char *computer_name,
13837 + struct netr_Authenticator *received_authenticator,
13838 + struct netr_Authenticator *return_authenticator,
13839 + struct netlogon_creds_CredentialState **creds_out)
13840 +{
13841 + struct loadparm_context *lp_ctx = NULL;
13842 + NTSTATUS status;
13843 + struct netlogon_creds_CredentialState *creds = NULL;
13844 + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
13845 + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
13846 + uint16_t opnum = p->opnum;
13847 +
13848 + if (creds_out != NULL) {
13849 + *creds_out = NULL;
13850 + }
13851 +
13852 + auth_type = p->auth.auth_type;
13853 + auth_level = p->auth.auth_level;
13854 +
13855 + lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
13856 + if (lp_ctx == NULL) {
13857 + DEBUG(0, ("loadparm_init_s3 failed\n"));
13858 + return NT_STATUS_INTERNAL_ERROR;
13859 + }
13860 +
13861 + status = schannel_check_creds_state(mem_ctx,
13862 + lp_ctx,
13863 + computer_name,
13864 + received_authenticator,
13865 + return_authenticator,
13866 + &creds);
13867 + TALLOC_FREE(lp_ctx);
13868 + if (!NT_STATUS_IS_OK(status)) {
13869 + ZERO_STRUCTP(return_authenticator);
13870 + return status;
13871 + }
13872 +
13873 + status = netr_check_schannel(p,
13874 + creds,
13875 + auth_type,
13876 + auth_level,
13877 + opnum);
13878 + if (!NT_STATUS_IS_OK(status)) {
13879 + TALLOC_FREE(creds);
13880 + ZERO_STRUCTP(return_authenticator);
13881 + return status;
13882 + }
13883 +
13884 + *creds_out = creds;
13885 + return NT_STATUS_OK;
13886 +}
13887
13888 /*************************************************************************
13889 *************************************************************************/
13890 --
13891 2.39.0
13892
13893
13894 From 8b52bfc3bb274d7d1607b505c18b4ccafe25cad7 Mon Sep 17 00:00:00 2001
13895 From: Samuel Cabrero <scabrero@suse.de>
13896 Date: Thu, 22 Dec 2022 09:29:04 +0100
13897 Subject: [PATCH 138/142] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
13898 dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel()
13899
13900 We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
13901 which are also required for dcesrv_netr_LogonSamLogonEx().
13902
13903 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
13904
13905 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
13906 ---
13907 source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++-----
13908 1 file changed, 23 insertions(+), 7 deletions(-)
13909
13910 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13911 index eb364eaf29a..ca343d3e28a 100644
13912 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13913 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13914 @@ -1766,6 +1766,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
13915 struct auth_serversupplied_info *server_info = NULL;
13916 struct auth_context *auth_context = NULL;
13917 const char *fn;
13918 + enum dcerpc_AuthType auth_type = p->auth.auth_type;
13919 + enum dcerpc_AuthLevel auth_level = p->auth.auth_level;
13920
13921 #ifdef DEBUG_PASSWORD
13922 logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
13923 @@ -1779,11 +1781,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
13924 switch (p->opnum) {
13925 case NDR_NETR_LOGONSAMLOGON:
13926 fn = "_netr_LogonSamLogon";
13927 + /*
13928 + * Already called netr_check_schannel() via
13929 + * netr_creds_server_step_check()
13930 + */
13931 break;
13932 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
13933 fn = "_netr_LogonSamLogonWithFlags";
13934 + /*
13935 + * Already called netr_check_schannel() via
13936 + * netr_creds_server_step_check()
13937 + */
13938 break;
13939 case NDR_NETR_LOGONSAMLOGONEX:
13940 + if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
13941 + return NT_STATUS_ACCESS_DENIED;
13942 + }
13943 +
13944 + status = netr_check_schannel(p,
13945 + creds,
13946 + auth_type,
13947 + auth_level,
13948 + p->opnum);
13949 + if (NT_STATUS_IS_ERR(status)) {
13950 + return status;
13951 + }
13952 +
13953 fn = "_netr_LogonSamLogonEx";
13954 break;
13955 default:
13956 @@ -2123,13 +2146,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
13957 return status;
13958 }
13959
13960 - /* Only allow this if the pipe is protected. */
13961 - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
13962 - DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
13963 - get_remote_machine_name() ));
13964 - return NT_STATUS_INVALID_PARAMETER;
13965 - }
13966 -
13967 lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
13968 if (lp_ctx == NULL) {
13969 DEBUG(0, ("loadparm_init_s3 failed\n"));
13970 --
13971 2.39.0
13972
13973
13974 From 43dca97088ce82a5e346887b8078f346e8249929 Mon Sep 17 00:00:00 2001
13975 From: Samuel Cabrero <scabrero@suse.de>
13976 Date: Wed, 4 Jan 2023 17:23:41 +0100
13977 Subject: [PATCH 139/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
13978 variable
13979
13980 This will simplify the following changes.
13981
13982 Signed-off-by: Samuel Cabrero <scabrero@suse.de>
13983 ---
13984 source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++-------
13985 1 file changed, 9 insertions(+), 7 deletions(-)
13986
13987 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
13988 index ca343d3e28a..5500a421334 100644
13989 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
13990 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
13991 @@ -1072,9 +1072,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
13992 {
13993 TALLOC_CTX *frame = talloc_stackframe();
13994 NTSTATUS status;
13995 + const char *explicit_opt = NULL;
13996 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
13997 bool schannel_required = schannel_global_required;
13998 - const char *explicit_opt = NULL;
13999 + bool schannel_explicitly_set = false;
14000 int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14001 "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
14002 int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14003 @@ -1113,11 +1114,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14004 if (explicit_opt != NULL) {
14005 schannel_required = lp_bool(explicit_opt);
14006 }
14007 + schannel_explicitly_set = explicit_opt != NULL;
14008
14009 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
14010 status = NT_STATUS_OK;
14011
14012 - if (explicit_opt != NULL && !schannel_required) {
14013 + if (schannel_explicitly_set && !schannel_required) {
14014 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
14015 } else if (!schannel_required) {
14016 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14017 @@ -1132,7 +1134,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14018 log_escape(frame, creds->computer_name),
14019 nt_errstr(status)));
14020
14021 - if (explicit_opt != NULL && !schannel_required) {
14022 + if (schannel_explicitly_set && !schannel_required) {
14023 DEBUG(CVE_2020_1472_warn_level, (
14024 "CVE-2020-1472(ZeroLogon): "
14025 "Option 'server require schannel:%s = no' not needed for '%s'!\n",
14026 @@ -1147,7 +1149,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14027 if (schannel_required) {
14028 status = NT_STATUS_ACCESS_DENIED;
14029
14030 - if (explicit_opt != NULL) {
14031 + if (schannel_explicitly_set) {
14032 dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14033 } else {
14034 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14035 @@ -1161,7 +1163,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14036 log_escape(frame, creds->account_name),
14037 log_escape(frame, creds->computer_name),
14038 nt_errstr(status)));
14039 - if (explicit_opt != NULL) {
14040 + if (schannel_explicitly_set) {
14041 D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
14042 "'server require schannel:%s = yes' "
14043 "rejects access for client.\n",
14044 @@ -1189,7 +1191,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14045
14046 status = NT_STATUS_OK;
14047
14048 - if (explicit_opt != NULL) {
14049 + if (schannel_explicitly_set) {
14050 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14051 } else {
14052 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14053 @@ -1204,7 +1206,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14054 log_escape(frame, creds->computer_name),
14055 nt_errstr(status)));
14056
14057 - if (explicit_opt != NULL) {
14058 + if (schannel_explicitly_set) {
14059 D_INFO("CVE-2020-1472(ZeroLogon): Option "
14060 "'server require schannel:%s = no' "
14061 "still needed for '%s'!\n",
14062 --
14063 2.39.0
14064
14065
14066 From 4ae0a15ed4ebde7b1725f9ada406c179de238267 Mon Sep 17 00:00:00 2001
14067 From: Samuel Cabrero <scabrero@suse.de>
14068 Date: Wed, 4 Jan 2023 17:39:20 +0100
14069 Subject: [PATCH 140/142] CVE-2022-38023 s3:rpc_server/netlogon: Return error
14070 on invalid auth level
14071
14072 Signed-off-by: Samuel Cabrero <scabrero@suse.de>
14073 ---
14074 source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++--
14075 1 file changed, 21 insertions(+), 2 deletions(-)
14076
14077 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14078 index 5500a421334..fb5a05b75c8 100644
14079 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14080 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14081 @@ -1071,7 +1071,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14082 uint16_t opnum)
14083 {
14084 TALLOC_CTX *frame = talloc_stackframe();
14085 - NTSTATUS status;
14086 + NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED;
14087 const char *explicit_opt = NULL;
14088 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
14089 bool schannel_required = schannel_global_required;
14090 @@ -1095,12 +1095,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14091 } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
14092 reason = "WITH SIGNED";
14093 } else {
14094 - smb_panic("Schannel without SIGN/SEAL");
14095 + reason = "WITH INVALID";
14096 + dbg_lvl = DBGLVL_ERR;
14097 + status = NT_STATUS_INTERNAL_ERROR;
14098 }
14099 } else {
14100 reason = "WITHOUT";
14101 }
14102
14103 + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
14104 + if (!NT_STATUS_IS_OK(status)) {
14105 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14106 + }
14107 +
14108 + DEBUG(dbg_lvl, (
14109 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14110 + "%s request (opnum[%u]) %s schannel from "
14111 + "client_account[%s] client_computer_name[%s] %s\n",
14112 + opname, opnum, reason,
14113 + log_escape(frame, creds->account_name),
14114 + log_escape(frame, creds->computer_name),
14115 + nt_errstr(status)));
14116 + TALLOC_FREE(frame);
14117 + return status;
14118 + }
14119 +
14120 /*
14121 * We don't use lp_parm_bool(), as we
14122 * need the explicit_opt pointer in order to
14123 --
14124 2.39.0
14125
14126
14127 From f59b49f3c23a9a7879a6975aa77e9cf2560a68be Mon Sep 17 00:00:00 2001
14128 From: Samuel Cabrero <scabrero@suse.de>
14129 Date: Wed, 4 Jan 2023 17:42:37 +0100
14130 Subject: [PATCH 141/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
14131 variable
14132
14133 This will simplify the following changes.
14134
14135 Signed-off-by: Samuel Cabrero <scabrero@samba.org>
14136 ---
14137 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
14138 1 file changed, 3 insertions(+), 3 deletions(-)
14139
14140 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14141 index fb5a05b75c8..fd128a70c8b 100644
14142 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14143 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14144 @@ -1083,7 +1083,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14145 unsigned int dbg_lvl = DBGLVL_DEBUG;
14146 const char *opname = "<unknown>";
14147 const char *reason = "<unknown>";
14148 - static bool warned_global_once = false;
14149 + static bool warned_global_schannel_once = false;
14150
14151 if (opnum < ndr_table_netlogon.num_calls) {
14152 opname = ndr_table_netlogon.calls[opnum].name;
14153 @@ -1198,14 +1198,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14154 return status;
14155 }
14156
14157 - if (!schannel_global_required && !warned_global_once) {
14158 + if (!schannel_global_required && !warned_global_schannel_once) {
14159 /*
14160 * We want admins to notice their misconfiguration!
14161 */
14162 DBG_ERR("CVE-2020-1472(ZeroLogon): "
14163 "Please configure 'server schannel = yes', "
14164 "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
14165 - warned_global_once = true;
14166 + warned_global_schannel_once = true;
14167 }
14168
14169 status = NT_STATUS_OK;
14170 --
14171 2.39.0
14172
14173
14174 From 6b038af7f70f0331d85dac00647cfe8dedefec28 Mon Sep 17 00:00:00 2001
14175 From: Samuel Cabrero <scabrero@suse.de>
14176 Date: Wed, 4 Jan 2023 17:50:04 +0100
14177 Subject: [PATCH 142/142] CVE-2022-38023 s3:rpc_server/netlogon: implement
14178 "server schannel require seal[:COMPUTERACCOUNT]"
14179
14180 By default we'll now require schannel connections with
14181 privacy/sealing/encryption.
14182
14183 But we allow exceptions for specific computer/trust accounts.
14184
14185 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
14186
14187 Signed-off-by: Samuel Cabrero <scabrero@suse.de>
14188 ---
14189 selftest/target/Samba3.pm | 14 ++
14190 source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++-
14191 2 files changed, 249 insertions(+), 2 deletions(-)
14192
14193 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
14194 index e8a4c3bbbb6..cf6c38562de 100755
14195 --- a/selftest/target/Samba3.pm
14196 +++ b/selftest/target/Samba3.pm
14197 @@ -215,6 +215,20 @@ sub setup_nt4_dc
14198 server require schannel:schannel11\$ = no
14199 server require schannel:torturetest\$ = no
14200
14201 + server schannel require seal:schannel0\$ = no
14202 + server schannel require seal:schannel1\$ = no
14203 + server schannel require seal:schannel2\$ = no
14204 + server schannel require seal:schannel3\$ = no
14205 + server schannel require seal:schannel4\$ = no
14206 + server schannel require seal:schannel5\$ = no
14207 + server schannel require seal:schannel6\$ = no
14208 + server schannel require seal:schannel7\$ = no
14209 + server schannel require seal:schannel8\$ = no
14210 + server schannel require seal:schannel9\$ = no
14211 + server schannel require seal:schannel10\$ = no
14212 + server schannel require seal:schannel11\$ = no
14213 + server schannel require seal:torturetest\$ = no
14214 +
14215 rpc_server:epmapper = external
14216 rpc_server:spoolss = external
14217 rpc_server:lsarpc = external
14218 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
14219 index fd128a70c8b..38772586d81 100644
14220 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
14221 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
14222 @@ -1076,14 +1076,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14223 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
14224 bool schannel_required = schannel_global_required;
14225 bool schannel_explicitly_set = false;
14226 + bool seal_global_required = (lp_server_schannel_require_seal() == true) ? true:false;
14227 + bool seal_required = seal_global_required;
14228 + bool seal_explicitly_set = false;
14229 int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14230 "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
14231 int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14232 "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
14233 + int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14234 + "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
14235 + int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
14236 + "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
14237 unsigned int dbg_lvl = DBGLVL_DEBUG;
14238 const char *opname = "<unknown>";
14239 const char *reason = "<unknown>";
14240 static bool warned_global_schannel_once = false;
14241 + static bool warned_global_seal_once = false;
14242
14243 if (opnum < ndr_table_netlogon.num_calls) {
14244 opname = ndr_table_netlogon.calls[opnum].name;
14245 @@ -1120,6 +1128,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14246 return status;
14247 }
14248
14249 + /*
14250 + * We don't use lp_parm_bool(), as we
14251 + * need the explicit_opt pointer in order to
14252 + * adjust the debug messages.
14253 + */
14254 + explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
14255 + "server schannel require seal",
14256 + creds->account_name,
14257 + NULL);
14258 + if (explicit_opt != NULL) {
14259 + seal_required = lp_bool(explicit_opt);
14260 + }
14261 + seal_explicitly_set = explicit_opt != NULL;
14262 +
14263 /*
14264 * We don't use lp_parm_bool(), as we
14265 * need the explicit_opt pointer in order to
14266 @@ -1135,7 +1157,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14267 }
14268 schannel_explicitly_set = explicit_opt != NULL;
14269
14270 + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
14271 + auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
14272 + {
14273 + status = NT_STATUS_OK;
14274 +
14275 + if (schannel_explicitly_set && !schannel_required) {
14276 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
14277 + } else if (!schannel_required) {
14278 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14279 + }
14280 + if (seal_explicitly_set && !seal_required) {
14281 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
14282 + } else if (!seal_required) {
14283 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14284 + }
14285 +
14286 + DEBUG(dbg_lvl, (
14287 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14288 + "%s request (opnum[%u]) %s schannel from "
14289 + "client_account[%s] client_computer_name[%s] %s\n",
14290 + opname, opnum, reason,
14291 + log_escape(frame, creds->account_name),
14292 + log_escape(frame, creds->computer_name),
14293 + nt_errstr(status)));
14294 +
14295 + if (schannel_explicitly_set && !schannel_required) {
14296 + DEBUG(CVE_2020_1472_warn_level, (
14297 + "CVE-2020-1472(ZeroLogon): "
14298 + "Option 'server require schannel:%s = no' not needed for '%s'!\n",
14299 + log_escape(frame, creds->account_name),
14300 + log_escape(frame, creds->computer_name)));
14301 + }
14302 +
14303 + if (seal_explicitly_set && !seal_required) {
14304 + DEBUG(CVE_2022_38023_warn_level, (
14305 + "CVE-2022-38023: "
14306 + "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
14307 + log_escape(frame, creds->account_name),
14308 + log_escape(frame, creds->computer_name)));
14309 + }
14310 +
14311 + TALLOC_FREE(frame);
14312 + return status;
14313 + }
14314 +
14315 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
14316 + if (seal_required) {
14317 + status = NT_STATUS_ACCESS_DENIED;
14318 +
14319 + if (seal_explicitly_set) {
14320 + dbg_lvl = DBGLVL_NOTICE;
14321 + } else {
14322 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14323 + }
14324 + if (schannel_explicitly_set && !schannel_required) {
14325 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
14326 + }
14327 +
14328 + DEBUG(dbg_lvl, (
14329 + "CVE-2022-38023: "
14330 + "%s request (opnum[%u]) %s schannel from "
14331 + "from client_account[%s] client_computer_name[%s] %s\n",
14332 + opname, opnum, reason,
14333 + log_escape(frame, creds->account_name),
14334 + log_escape(frame, creds->computer_name),
14335 + nt_errstr(status)));
14336 + if (seal_explicitly_set) {
14337 + D_NOTICE("CVE-2022-38023: Option "
14338 + "'server schannel require seal:%s = yes' "
14339 + "rejects access for client.\n",
14340 + log_escape(frame, creds->account_name));
14341 + } else {
14342 + DEBUG(CVE_2020_1472_error_level, (
14343 + "CVE-2022-38023: Check if option "
14344 + "'server schannel require seal:%s = no' "
14345 + "might be needed for a legacy client.\n",
14346 + log_escape(frame, creds->account_name)));
14347 + }
14348 + if (schannel_explicitly_set && !schannel_required) {
14349 + DEBUG(CVE_2020_1472_warn_level, (
14350 + "CVE-2020-1472(ZeroLogon): Option "
14351 + "'server require schannel:%s = no' "
14352 + "not needed for '%s'!\n",
14353 + log_escape(frame, creds->account_name),
14354 + log_escape(frame, creds->computer_name)));
14355 + }
14356 + TALLOC_FREE(frame);
14357 + return status;
14358 + }
14359 +
14360 status = NT_STATUS_OK;
14361
14362 if (schannel_explicitly_set && !schannel_required) {
14363 @@ -1143,6 +1254,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14364 } else if (!schannel_required) {
14365 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14366 }
14367 + if (seal_explicitly_set && !seal_required) {
14368 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14369 + } else if (!seal_required) {
14370 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14371 + }
14372
14373 DEBUG(dbg_lvl, (
14374 "CVE-2020-1472(ZeroLogon): "
14375 @@ -1152,7 +1268,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14376 log_escape(frame, creds->account_name),
14377 log_escape(frame, creds->computer_name),
14378 nt_errstr(status)));
14379 -
14380 if (schannel_explicitly_set && !schannel_required) {
14381 DEBUG(CVE_2020_1472_warn_level, (
14382 "CVE-2020-1472(ZeroLogon): "
14383 @@ -1160,7 +1275,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14384 log_escape(frame, creds->account_name),
14385 log_escape(frame, creds->computer_name)));
14386 }
14387 + if (seal_explicitly_set && !seal_required) {
14388 + D_INFO("CVE-2022-38023: "
14389 + "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
14390 + log_escape(frame, creds->account_name),
14391 + log_escape(frame, creds->computer_name));
14392 + } else if (!seal_required) {
14393 + /*
14394 + * admins should set
14395 + * server schannel require seal:COMPUTER$ = no
14396 + * in order to avoid the level 0 messages.
14397 + * Over time they can switch the global value
14398 + * to be strict.
14399 + */
14400 + DEBUG(CVE_2022_38023_error_level, (
14401 + "CVE-2022-38023: "
14402 + "Please use 'server schannel require seal:%s = no' "
14403 + "for '%s' to avoid this warning!\n",
14404 + log_escape(frame, creds->account_name),
14405 + log_escape(frame, creds->computer_name)));
14406 + }
14407 +
14408 + TALLOC_FREE(frame);
14409 + return status;
14410 + }
14411 +
14412 + if (seal_required) {
14413 + status = NT_STATUS_ACCESS_DENIED;
14414
14415 + if (seal_explicitly_set) {
14416 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14417 + } else {
14418 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14419 + }
14420 + if (!schannel_explicitly_set) {
14421 + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14422 + } else if (schannel_required) {
14423 + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
14424 + }
14425 +
14426 + DEBUG(dbg_lvl, (
14427 + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14428 + "%s request (opnum[%u]) %s schannel from "
14429 + "from client_account[%s] client_computer_name[%s] %s\n",
14430 + opname, opnum, reason,
14431 + log_escape(frame, creds->account_name),
14432 + log_escape(frame, creds->computer_name),
14433 + nt_errstr(status)));
14434 + if (seal_explicitly_set) {
14435 + D_NOTICE("CVE-2022-38023: Option "
14436 + "'server schannel require seal:%s = yes' "
14437 + "rejects access for client.\n",
14438 + log_escape(frame, creds->account_name));
14439 + } else {
14440 + DEBUG(CVE_2022_38023_error_level, (
14441 + "CVE-2022-38023: Check if option "
14442 + "'server schannel require seal:%s = no' "
14443 + "might be needed for a legacy client.\n",
14444 + log_escape(frame, creds->account_name)));
14445 + }
14446 + if (!schannel_explicitly_set) {
14447 + DEBUG(CVE_2020_1472_error_level, (
14448 + "CVE-2020-1472(ZeroLogon): Check if option "
14449 + "'server require schannel:%s = no' "
14450 + "might be needed for a legacy client.\n",
14451 + log_escape(frame, creds->account_name)));
14452 + } else if (schannel_required) {
14453 + D_NOTICE("CVE-2022-38023: Option "
14454 + "'server require schannel:%s = yes' "
14455 + "also rejects access for client.\n",
14456 + log_escape(frame, creds->account_name));
14457 + }
14458 TALLOC_FREE(frame);
14459 return status;
14460 }
14461 @@ -1173,6 +1358,9 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14462 } else {
14463 dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
14464 }
14465 + if (!seal_explicitly_set) {
14466 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14467 + }
14468
14469 DEBUG(dbg_lvl, (
14470 "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
14471 @@ -1194,6 +1382,13 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14472 "might be needed for a legacy client.\n",
14473 log_escape(frame, creds->account_name)));
14474 }
14475 + if (!seal_explicitly_set) {
14476 + DEBUG(CVE_2022_38023_error_level, (
14477 + "CVE-2022-38023: Check if option "
14478 + "'server schannel require seal:%s = no' "
14479 + "might be needed for a legacy client.\n",
14480 + log_escape(frame, creds->account_name)));
14481 + }
14482 TALLOC_FREE(frame);
14483 return status;
14484 }
14485 @@ -1208,8 +1403,24 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14486 warned_global_schannel_once = true;
14487 }
14488
14489 + if (!seal_global_required && !warned_global_seal_once) {
14490 + /*
14491 + * We want admins to notice their misconfiguration!
14492 + */
14493 + DBG_ERR("CVE-2022-38023 (and others): "
14494 + "Please configure 'server schannel require seal = yes' (the default), "
14495 + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
14496 + warned_global_seal_once = true;
14497 + }
14498 +
14499 status = NT_STATUS_OK;
14500
14501 + if (seal_explicitly_set) {
14502 + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14503 + } else {
14504 + dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
14505 + }
14506 +
14507 if (schannel_explicitly_set) {
14508 dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
14509 } else {
14510 @@ -1225,6 +1436,28 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14511 log_escape(frame, creds->computer_name),
14512 nt_errstr(status)));
14513
14514 + if (seal_explicitly_set) {
14515 + D_INFO("CVE-2022-38023: Option "
14516 + "'server schannel require seal:%s = no' "
14517 + "still needed for '%s'!\n",
14518 + log_escape(frame, creds->account_name),
14519 + log_escape(frame, creds->computer_name));
14520 + } else {
14521 + /*
14522 + * admins should set
14523 + * server schannel require seal:COMPUTER$ = no
14524 + * in order to avoid the level 0 messages.
14525 + * Over time they can switch the global value
14526 + * to be strict.
14527 + */
14528 + DEBUG(CVE_2022_38023_error_level, (
14529 + "CVE-2022-38023: Please use "
14530 + "'server schannel require seal:%s = no' "
14531 + "for '%s' to avoid this warning!\n",
14532 + log_escape(frame, creds->account_name),
14533 + log_escape(frame, creds->computer_name)));
14534 + }
14535 +
14536 if (schannel_explicitly_set) {
14537 D_INFO("CVE-2020-1472(ZeroLogon): Option "
14538 "'server require schannel:%s = no' "
14539 @@ -1248,7 +1481,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
14540 }
14541
14542 TALLOC_FREE(frame);
14543 - return NT_STATUS_OK;
14544 + return status;
14545 }
14546
14547 static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
14548 --
14549 2.39.0
14550

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed