From 533ab9e89778073f65d006580c0c8bf663dbeb0e Mon Sep 17 00:00:00 2001
From: anolis-bot
Date: Wed, 22 Feb 2023 10:12:50 +0800
Subject: [PATCH 1/2] update to samba-4.16.4-4.el8_7
Signed-off-by: anolis-bot
---
 CVE-2022-32742-v4-15.patch | 216 -
 CVE-2022-38023-for-s3-v4-16.patch | 2413 ++++++++++
 CVE-2022-38023-v4-16.patch | 4417 ++++++++++++++++++
 dist | 2 +-
 download | 4 +-
 samba-4-15-fix-autorid.patch | 231 -
 samba-4-15-fix-create-local-krb5-conf.patch | 477 --
 samba-4-15-fix-winbind-refresh-tickets.patch | 411 --
 samba-4-15-kerberos-clock-skew.patch | 347 --
 samba-4-15-smbd-upn.patch | 273 -
 samba-4-15-username-map.patch | 321 -
 samba-4.16-waf-crypto.patch | 77 +
 samba-ctdb-etcd-reclock.patch | 30 -
 samba-disable-ntlmssp.patch | 764 ---
 samba-disable-systemd-notifications.patch | 36 -
 samba-glibc-dns.patch | 64 -
 samba-password-change-prompt.patch | 100 -
 samba-printing-win7.patch | 229 -
 samba-s4u.patch | 117 +-
 samba-virus_scanner.patch | 597 ---
 samba.spec | 175 +-
 21 files changed, 7062 insertions(+), 4239 deletions(-)
 delete mode 100644 CVE-2022-32742-v4-15.patch
 create mode 100644 CVE-2022-38023-for-s3-v4-16.patch
 create mode 100644 CVE-2022-38023-v4-16.patch
 delete mode 100644 samba-4-15-fix-autorid.patch
 delete mode 100644 samba-4-15-fix-create-local-krb5-conf.patch
 delete mode 100644 samba-4-15-fix-winbind-refresh-tickets.patch
 delete mode 100644 samba-4-15-kerberos-clock-skew.patch
 delete mode 100644 samba-4-15-smbd-upn.patch
 delete mode 100644 samba-4-15-username-map.patch
 create mode 100644 samba-4.16-waf-crypto.patch
 delete mode 100644 samba-ctdb-etcd-reclock.patch
 delete mode 100644 samba-disable-ntlmssp.patch
 delete mode 100644 samba-disable-systemd-notifications.patch
 delete mode 100644 samba-glibc-dns.patch
 delete mode 100644 samba-password-change-prompt.patch
 delete mode 100644 samba-printing-win7.patch
 delete mode 100644 samba-virus_scanner.patch
diff --git a/CVE-2022-32742-v4-15.patch b/CVE-2022-32742-v4-15.patch
deleted file mode 100644
index 314b144..0000000
--- a/CVE-2022-32742-v4-15.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 7 Jun 2022 09:40:45 -0700 -Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test. - -Reproduces the test code in: - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 - -Add knownfail. - -Signed-off-by: Jeremy Allison -Reviewed-by: David Disseldorp ---- - selftest/knownfail.d/bad-write | 2 + - source4/torture/raw/write.c | 89 ++++++++++++++++++++++++++++++++++ - 2 files changed, 91 insertions(+) - create mode 100644 selftest/knownfail.d/bad-write - -diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write -new file mode 100644 -index 00000000000..5fc16606a13 ---- /dev/null -+++ b/selftest/knownfail.d/bad-write -@@ -0,0 +1,2 @@ -+^samba3.raw.write.bad-write\(nt4_dc_smb1\) -+^samba3.raw.write.bad-write\(ad_dc_smb1\) -diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c -index 0a2f50f425b..661485bb548 100644 ---- a/source4/torture/raw/write.c -+++ b/source4/torture/raw/write.c -@@ -25,6 +25,7 @@ - #include "libcli/libcli.h" - #include "torture/util.h" - #include "torture/raw/proto.h" -+#include "libcli/raw/raw_proto.h" - - #define CHECK_STATUS(status, correct) do { \ - if (!NT_STATUS_EQUAL(status, correct)) { \ -@@ -694,6 +695,93 @@ done: - return ret; - } - -+/* -+ test a deliberately bad SMB1 write. 
-+*/ -+static bool test_bad_write(struct torture_context *tctx, -+ struct smbcli_state *cli) -+{ -+ bool ret = false; -+ int fnum = -1; -+ struct smbcli_request *req = NULL; -+ const char *fname = BASEDIR "\\badwrite.txt"; -+ bool ok = false; -+ -+ if (!torture_setup_dir(cli, BASEDIR)) { -+ torture_fail(tctx, "failed to setup basedir"); -+ } -+ -+ torture_comment(tctx, "Testing RAW_BAD_WRITE\n"); -+ -+ fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE); -+ if (fnum == -1) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, -+ "Failed to create %s - %s\n", -+ fname, -+ smbcli_errstr(cli->tree))); -+ } -+ -+ req = smbcli_request_setup(cli->tree, -+ SMBwrite, -+ 5, -+ 0); -+ if (req == NULL) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "talloc fail\n")); -+ } -+ -+ SSVAL(req->out.vwv, VWV(0), fnum); -+ SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */ -+ SIVAL(req->out.vwv, VWV(2), 0); /* offset */ -+ SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */ -+ -+ if (!smbcli_request_send(req)) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "Send failed\n")); -+ } -+ -+ if (!smbcli_request_receive(req)) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "Reveive failed\n")); -+ } -+ -+ /* -+ * Check for expected error codes. -+ * ntvfs returns NT_STATUS_UNSUCCESSFUL. 
-+ */ -+ ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) || -+ NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL)); -+ -+ if (!ok) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, -+ "Should have returned " -+ "NT_STATUS_INVALID_PARAMETER or " -+ "NT_STATUS_UNSUCCESSFUL " -+ "got %s\n", -+ nt_errstr(req->status))); -+ } -+ -+ ret = true; -+ -+done: -+ if (req != NULL) { -+ smbcli_request_destroy(req); -+ } -+ if (fnum != -1) { -+ smbcli_close(cli->tree, fnum); -+ } -+ smb_raw_exit(cli->session); -+ smbcli_deltree(cli->tree, BASEDIR); -+ return ret; -+} -+ - /* - basic testing of write calls - */ -@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx) - torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock); - torture_suite_add_1smb_test(suite, "write close", test_writeclose); - torture_suite_add_1smb_test(suite, "writex", test_writex); -+ torture_suite_add_1smb_test(suite, "bad-write", test_bad_write); - - return suite; - } --- -2.34.1 - - -From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 8 Jun 2022 13:50:51 -0700 -Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. - -Fixes the raw.write.bad-write test. - -NB. We need the two (==0) changes in source3/smbd/reply.c -as the gcc optimizer now knows that the return from -smbreq_bufrem() can never be less than zero. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 - -Remove knownfail. 
- -Signed-off-by: Jeremy Allison -Reviewed-by: David Disseldorp - ---- - selftest/knownfail.d/bad-write | 2 -- - source3/include/smb_macros.h | 2 +- - source3/smbd/reply.c | 4 ++-- - 3 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/bad-write - -diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write -deleted file mode 100644 -index 5fc16606a13..00000000000 ---- a/selftest/knownfail.d/bad-write -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba3.raw.write.bad-write\(nt4_dc_smb1\) --^samba3.raw.write.bad-write\(ad_dc_smb1\) -diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h -index 344a997cbd2..c75b93fcc25 100644 ---- a/source3/include/smb_macros.h -+++ b/source3/include/smb_macros.h -@@ -152,7 +152,7 @@ - - /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */ - #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf))) --#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf)) -+#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf)) - - - /* Note that chain_size must be available as an extern int to this macro. */ -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c -index d4573d3da55..e1a47a65662 100644 ---- a/source3/smbd/reply.c -+++ b/source3/smbd/reply.c -@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, - { - ssize_t bufrem = smbreq_bufrem(req, src); - -- if (bufrem < 0) { -+ if (bufrem == 0) { - *err = NT_STATUS_INVALID_PARAMETER; - return 0; - } -@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, - { - ssize_t bufrem = smbreq_bufrem(req, src); - -- if (bufrem < 0) { -+ if (bufrem == 0) { - return 0; - } - --- -2.34.1 - diff --git a/CVE-2022-38023-for-s3-v4-16.patch b/CVE-2022-38023-for-s3-v4-16.patch new file mode 100644 index 0000000..904db99 --- /dev/null 
+++ b/CVE-2022-38023-for-s3-v4-16.patch 
@@ -0,0 +1,2413 @@ +From f7c26ead133ab9b67c6802a2303a22fd98e3c41a Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 21 Dec 2022 15:53:04 +0100 +Subject: [PATCH 1/9] CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel + != yes' warning to dcesrv_interface_netlogon_bind + +Follow s4 netlogon server changes and move the checks to the RPC bind +hook. Next commits will remove the s3 netr_creds_server_step_check() +function. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c) +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 39 +++++++++++++++------ + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 5906464a9f3..a3853d482df 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1081,7 +1081,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; +- static bool warned_global_once = false; + + if (creds_out != NULL) { + *creds_out = NULL; +@@ -1143,16 +1142,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + return NT_STATUS_ACCESS_DENIED; + } + +- if (!schannel_global_required && !warned_global_once) { +- /* +- * We want admins to notice their misconfiguration! 
+- */ +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Please configure 'server schannel = yes', " +- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); +- warned_global_once = true; +- } +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) WITH schannel from " +@@ -2997,5 +2986,33 @@ NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p, + return NT_STATUS_NOT_IMPLEMENTED; + } + ++/* ++ * Define the bind function that will be used by ndr_netlogon_scompat.c, ++ * included at the bottom of this file. ++ */ ++#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \ ++ dcesrv_interface_netlogon_bind(context, iface) ++ ++static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, ++ const struct dcesrv_interface *iface) ++{ ++ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; ++ int schannel = lpcfg_server_schannel(lp_ctx); ++ bool schannel_global_required = (schannel == true); ++ static bool warned_global_schannel_once = false; ++ ++ if (!schannel_global_required && !warned_global_schannel_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2020-1472(ZeroLogon): " ++ "Please configure 'server schannel = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); ++ warned_global_schannel_once = true; ++ } ++ ++ return NT_STATUS_OK; ++} ++ + /* include the generated boilerplate */ + #include "librpc/gen_ndr/ndr_netlogon_scompat.c" +-- +2.39.0 + + +From 1790cc254c10dfc0deb5ff84ff18a5f24bfd3f44 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 16:46:15 +0100 +Subject: [PATCH 2/9] CVE-2022-38023 selftest:Samba3: avoid global 'server + schannel = auto' + +Instead of using the generic deprecated option use the specific +server require schannel:COMPUTERACCOUNT = no in order to allow +legacy tests for pass. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc) +--- + selftest/target/Samba3.pm | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 0b720a68927..b58f3d45118 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -271,9 +271,23 @@ sub setup_nt4_dc + lanman auth = yes + ntlm auth = yes + raw NTLMv2 auth = yes +- server schannel = auto + rpc start on demand helpers = false + ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ + fss: sequence timeout = 1 + check parent directory delete on close = yes + "; +-- +2.39.0 + + +From 0e7e7ddbf5524b8aec595227a04cb09599c61a81 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 5 Jan 2023 18:13:09 +0100 +Subject: [PATCH 3/9] CVE-2022-38023 s4:rpc_server:wscript: Reformat following + pycodestyle + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b) +--- + source4/rpc_server/wscript_build | 290 ++++++++++++++++++------------- + 1 file changed, 168 insertions(+), 122 deletions(-) + +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build 
+index 8c756721232..e7bb773d719 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -1,174 +1,220 @@ + #!/usr/bin/env python + + bld.SAMBA_SUBSYSTEM('DCERPC_SHARE', +- source='common/share_info.c', +- autoproto='common/share.h', +- deps='ldb share', +- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER'), +- ) ++ source='common/share_info.c', ++ autoproto='common/share.h', ++ deps='ldb share', ++ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER'), ++ ) + + bld.SAMBA_SUBSYSTEM('DCERPC_COMMON', +- source='common/server_info.c common/forward.c common/loadparm.c', +- autoproto='common/proto.h', +- deps='ldb DCERPC_SHARE', +- enabled=bld.AD_DC_BUILD_IS_ENABLED() +- ) ++ source=''' ++ common/server_info.c ++ common/forward.c ++ common/loadparm.c ++ ''', ++ autoproto='common/proto.h', ++ deps='ldb DCERPC_SHARE', ++ enabled=bld.AD_DC_BUILD_IS_ENABLED() ++ ) + + bld.SAMBA_LIBRARY('dcerpc_server', +- source='dcerpc_server.c', +- pc_files='dcerpc_server.pc', +- deps='LIBCLI_AUTH ndr samba_server_gensec service auth', +- public_deps='dcerpc dcerpc-server-core', +- autoproto='dcerpc_server_proto.h', +- public_headers='dcerpc_server.h', +- vnum='0.0.1', +- enabled=bld.AD_DC_BUILD_IS_ENABLED() +- ) ++ source='dcerpc_server.c', ++ pc_files='dcerpc_server.pc', ++ deps='LIBCLI_AUTH ndr samba_server_gensec service auth', ++ public_deps='dcerpc dcerpc-server-core', ++ autoproto='dcerpc_server_proto.h', ++ public_headers='dcerpc_server.h', ++ vnum='0.0.1', ++ enabled=bld.AD_DC_BUILD_IS_ENABLED() ++ ) + + bld.SAMBA_MODULE('dcerpc_rpcecho', +- source='echo/rpc_echo.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' +- ) ++ source='echo/rpc_echo.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_rpcecho_init', ++ deps='ndr-standard events' ++ ) + + + bld.SAMBA_MODULE('dcerpc_epmapper', +- source='epmapper/rpc_epmapper.c', +- subsystem='dcerpc_server', +- 
init_function='dcerpc_server_epmapper_init', +- deps='NDR_EPMAPPER' +- ) ++ source='epmapper/rpc_epmapper.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_epmapper_init', ++ deps='NDR_EPMAPPER' ++ ) + + + bld.SAMBA_MODULE('dcerpc_remote', +- source='remote/dcesrv_remote.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_remote_init', +- deps='LIBCLI_SMB ndr-table' +- ) ++ source='remote/dcesrv_remote.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_remote_init', ++ deps='LIBCLI_SMB ndr-table' ++ ) + + + bld.SAMBA_MODULE('dcerpc_srvsvc', +- source='srvsvc/dcesrv_srvsvc.c srvsvc/srvsvc_ntvfs.c', +- autoproto='srvsvc/proto.h', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_srvsvc_init', +- deps='DCERPC_COMMON NDR_SRVSVC share ntvfs', +- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') +- ) ++ source='srvsvc/dcesrv_srvsvc.c srvsvc/srvsvc_ntvfs.c', ++ autoproto='srvsvc/proto.h', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_srvsvc_init', ++ deps='DCERPC_COMMON NDR_SRVSVC share ntvfs', ++ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') ++ ) + + + bld.SAMBA_MODULE('dcerpc_wkssvc', +- source='wkssvc/dcesrv_wkssvc.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_wkssvc_init', +- deps='DCERPC_COMMON ndr-standard' +- ) ++ source='wkssvc/dcesrv_wkssvc.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_wkssvc_init', ++ deps='DCERPC_COMMON ndr-standard' ++ ) + + + bld.SAMBA_MODULE('dcerpc_unixinfo', +- source='unixinfo/dcesrv_unixinfo.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_unixinfo_init', +- deps='DCERPC_COMMON samdb NDR_UNIXINFO LIBWBCLIENT_OLD' +- ) ++ source='unixinfo/dcesrv_unixinfo.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_unixinfo_init', ++ deps='DCERPC_COMMON samdb NDR_UNIXINFO LIBWBCLIENT_OLD' ++ ) + + + bld.SAMBA_MODULE('dcesrv_samr', +- source='samr/dcesrv_samr.c samr/samr_password.c', +- 
autoproto='samr/proto.h', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_samr_init', +- deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS DCERPC_HELPER' +- ) ++ source='samr/dcesrv_samr.c samr/samr_password.c', ++ autoproto='samr/proto.h', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_samr_init', ++ deps=''' ++ samdb ++ DCERPC_COMMON ++ ndr-standard ++ auth4_sam ++ GNUTLS_HELPERS ++ DCERPC_HELPER ++ ''' ++ ) + + + bld.SAMBA_MODULE('dcerpc_winreg', +- source='winreg/rpc_winreg.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_winreg_init', +- deps='registry ndr-standard', +- internal_module=True, +- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') +- ) ++ source='winreg/rpc_winreg.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_winreg_init', ++ deps='registry ndr-standard', ++ internal_module=True, ++ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') ++ ) + + + bld.SAMBA_MODULE('dcerpc_netlogon', +- source='netlogon/dcerpc_netlogon.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_netlogon_init', +- deps='''DCERPC_COMMON RPC_NDR_IRPC COMMON_SCHANNEL ndr-standard auth4_sam samba-hostconfig DSDB_MODULE_HELPERS +- util_str_escape''' +- ) ++ source='netlogon/dcerpc_netlogon.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_netlogon_init', ++ deps=''' ++ DCERPC_COMMON ++ RPC_NDR_IRPC ++ COMMON_SCHANNEL ++ ndr-standard ++ auth4_sam ++ samba-hostconfig ++ DSDB_MODULE_HELPERS ++ util_str_escape ++ ''' ++ ) + + + bld.SAMBA_MODULE('dcerpc_lsarpc', +- source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', +- autoproto='lsa/proto.h', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_lsa_init', +- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err samba-security UTIL_LSARPC' +- ) ++ source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', ++ autoproto='lsa/proto.h', ++ subsystem='dcerpc_server', ++ 
init_function='dcerpc_server_lsa_init', ++ deps=''' ++ samdb ++ DCERPC_COMMON ++ ndr-standard ++ LIBCLI_AUTH ++ NDR_DSSETUP ++ com_err ++ samba-security ++ UTIL_LSARPC ++ ''' ++ ) + + + bld.SAMBA_MODULE('dcerpc_backupkey', +- source='backupkey/dcesrv_backupkey.c ', +- autoproto='backupkey/proto.h', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_backupkey_init', +- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls GNUTLS_HELPERS', +- ) ++ source='backupkey/dcesrv_backupkey.c ', ++ autoproto='backupkey/proto.h', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_backupkey_init', ++ deps=''' ++ samdb ++ DCERPC_COMMON ++ NDR_BACKUPKEY ++ RPC_NDR_BACKUPKEY ++ gnutls ++ GNUTLS_HELPERS ++ ''', ++ ) + + + bld.SAMBA_MODULE('dcerpc_drsuapi', +- source='drsuapi/dcesrv_drsuapi.c drsuapi/updaterefs.c drsuapi/getncchanges.c drsuapi/addentry.c drsuapi/writespn.c drsuapi/drsutil.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_drsuapi_init', +- deps='samdb DCERPC_COMMON NDR_DRSUAPI samba-security' +- ) ++ source=''' ++ drsuapi/dcesrv_drsuapi.c ++ drsuapi/updaterefs.c ++ drsuapi/getncchanges.c ++ drsuapi/addentry.c ++ drsuapi/writespn.c ++ drsuapi/drsutil.c ++ ''', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_drsuapi_init', ++ deps='samdb DCERPC_COMMON NDR_DRSUAPI samba-security' ++ ) + + + bld.SAMBA_MODULE('dcerpc_browser', +- source='browser/dcesrv_browser.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_browser_init', +- deps='DCERPC_COMMON NDR_BROWSER' +- ) ++ source='browser/dcesrv_browser.c', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_browser_init', ++ deps='DCERPC_COMMON NDR_BROWSER' ++ ) + + bld.SAMBA_MODULE('dcerpc_eventlog', +- source='eventlog/dcesrv_eventlog6.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_eventlog6_init', +- deps='DCERPC_COMMON' +- ) ++ source='eventlog/dcesrv_eventlog6.c', ++ subsystem='dcerpc_server', ++ 
init_function='dcerpc_server_eventlog6_init', ++ deps='DCERPC_COMMON' ++ ) + + bld.SAMBA_MODULE('dcerpc_dnsserver', +- source='dnsserver/dcerpc_dnsserver.c dnsserver/dnsutils.c dnsserver/dnsdata.c dnsserver/dnsdb.c', +- subsystem='dcerpc_server', +- init_function='dcerpc_server_dnsserver_init', +- deps='DCERPC_COMMON dnsserver_common netif' +- ) ++ source=''' ++ dnsserver/dcerpc_dnsserver.c ++ dnsserver/dnsutils.c ++ dnsserver/dnsdata.c ++ dnsserver/dnsdb.c ++ ''', ++ subsystem='dcerpc_server', ++ init_function='dcerpc_server_dnsserver_init', ++ deps='DCERPC_COMMON dnsserver_common netif' ++ ) + + + bld.SAMBA_MODULE('service_dcerpc', +- source='service_rpc.c', +- autoproto='service_rpc.h', +- subsystem='service', +- init_function='server_service_rpc_init', +- internal_module=False, +- deps='dcerpc_server' +- ) +- +-bld.SAMBA_BINARY( +- 'test_rpc_dns_server_dnsutils', +- source='tests/rpc_dns_server_dnsutils_test.c', +- deps=''' +- dnsserver_common +- dcerpc_server +- cmocka +- talloc +- ''', +- for_selftest=True, +- enabled=bld.AD_DC_BUILD_IS_ENABLED() +-) ++ source='service_rpc.c', ++ autoproto='service_rpc.h', ++ subsystem='service', ++ init_function='server_service_rpc_init', ++ internal_module=False, ++ deps='dcerpc_server' ++ ) ++ ++bld.SAMBA_BINARY('test_rpc_dns_server_dnsutils', ++ source='tests/rpc_dns_server_dnsutils_test.c', ++ deps=''' ++ dnsserver_common ++ dcerpc_server ++ cmocka ++ talloc ++ ''', ++ for_selftest=True, ++ enabled=bld.AD_DC_BUILD_IS_ENABLED() ++ ) +-- +2.39.0 + + +From 740422fb6609dac3b0e2c1bb91d61b87e99c64aa Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 14:03:23 +0100 +Subject: [PATCH 4/9] CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and + credentials check functions to librpc + +Will be used later by s3 netlogon server. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 121e7b0e39478c5291100652ac92c263f406076b) +--- + librpc/rpc/server/netlogon/schannel_util.c | 576 ++++++++++++++++++ + librpc/rpc/server/netlogon/schannel_util.h | 54 ++ + librpc/wscript_build | 12 + + source4/rpc_server/netlogon/dcerpc_netlogon.c | 546 +---------------- + source4/rpc_server/wscript_build | 2 +- + 5 files changed, 644 insertions(+), 546 deletions(-) + create mode 100644 librpc/rpc/server/netlogon/schannel_util.c + create mode 100644 librpc/rpc/server/netlogon/schannel_util.h + +diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c +new file mode 100644 +index 00000000000..9b2a88a2628 +--- /dev/null ++++ b/librpc/rpc/server/netlogon/schannel_util.c +@@ -0,0 +1,576 @@ ++/* ++ Unix SMB/CIFS implementation. ++ ++ netlogon schannel utility functions ++ ++ Copyright (C) Andrew Bartlett 2004-2008 ++ Copyright (C) Stefan Metzmacher 2005 ++ Copyright (C) Matthias Dieter Wallnöfer 2009-2010 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . 
++*/ ++ ++#include "includes.h" ++#include "schannel_util.h" ++#include "param/param.h" ++#include "libcli/security/dom_sid.h" ++#include "libcli/auth/schannel.h" ++#include "librpc/rpc/dcesrv_core.h" ++#include "librpc/gen_ndr/ndr_netlogon.h" ++#include "lib/util/util_str_escape.h" ++ ++struct dcesrv_netr_check_schannel_state { ++ struct dom_sid account_sid; ++ enum dcerpc_AuthType auth_type; ++ enum dcerpc_AuthLevel auth_level; ++ ++ bool schannel_global_required; ++ bool schannel_required; ++ bool schannel_explicitly_set; ++ ++ bool seal_global_required; ++ bool seal_required; ++ bool seal_explicitly_set; ++ ++ NTSTATUS result; ++}; ++ ++static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ struct dcesrv_netr_check_schannel_state **_s) ++{ ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; ++ int schannel = lpcfg_server_schannel(lp_ctx); ++ bool schannel_global_required = (schannel == true); ++ bool schannel_required = schannel_global_required; ++ const char *explicit_opt = NULL; ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); ++ bool require_seal = global_require_seal; ++ const char *explicit_seal_opt = NULL; ++#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) ++ struct dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ *_s = NULL; ++ ++ s = dcesrv_iface_state_find_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ struct dcesrv_netr_check_schannel_state); ++ if (s != NULL) { ++ if (!dom_sid_equal(&s->account_sid, creds->sid)) { ++ goto new_state; ++ } ++ if (s->auth_type != auth_type) { ++ goto new_state; ++ } ++ if (s->auth_level != auth_level) { ++ goto new_state; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++ } ++ ++new_state: ++ TALLOC_FREE(s); ++ s = talloc_zero(dce_call, ++ struct 
dcesrv_netr_check_schannel_state); ++ if (s == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ s->account_sid = *creds->sid; ++ s->auth_type = auth_type; ++ s->auth_level = auth_level; ++ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server schannel require seal", ++ creds->account_name); ++ if (explicit_seal_opt != NULL) { ++ require_seal = lp_bool(explicit_seal_opt); ++ } ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server require schannel", ++ creds->account_name); ++ if (explicit_opt != NULL) { ++ schannel_required = lp_bool(explicit_opt); ++ } ++ ++ s->schannel_global_required = schannel_global_required; ++ s->schannel_required = schannel_required; ++ s->schannel_explicitly_set = explicit_opt != NULL; ++ ++ s->seal_global_required = global_require_seal; ++ s->seal_required = require_seal; ++ s->seal_explicitly_set = explicit_seal_opt != NULL; ++ ++ status = dcesrv_iface_state_store_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++} ++ ++static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, ++ struct dcesrv_netr_check_schannel_state *s, ++ const struct netlogon_creds_CredentialState *creds, ++ uint16_t opnum) ++{ ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; ++ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_warn_level = 
lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); ++ TALLOC_CTX *frame = talloc_stackframe(); ++ unsigned int dbg_lvl = DBGLVL_DEBUG; ++ const char *opname = ""; ++ const char *reason = ""; ++ ++ if (opnum < ndr_table_netlogon.num_calls) { ++ opname = ndr_table_netlogon.calls[opnum].name; ++ } ++ ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ s->result = NT_STATUS_INTERNAL_ERROR; ++ } ++ } else { ++ reason = "WITHOUT"; ++ } ++ ++ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(s->result)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && ++ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) ++ { ++ s->result = NT_STATUS_OK; ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " 
++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (s->seal_explicitly_set && !s->seal_required) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = DBGLVL_NOTICE; ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ 
DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ s->result = NT_STATUS_OK; ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ D_INFO("CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else if (!s->seal_required) { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. 
++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: " ++ "Please use 'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (!s->schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } else if (s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (!s->schannel_explicitly_set) { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } else if (s->schannel_required) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server require schannel:%s = yes' " ++ "also rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->schannel_required) { ++ 
s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ if (!s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (!s->seal_explicitly_set) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ s->result = NT_STATUS_OK; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ ++ if (s->schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ ++ if 
(s->seal_explicitly_set) { ++ D_INFO("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Please use " ++ "'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (s->schannel_explicitly_set) { ++ D_INFO("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server require schannel:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. 
++ */ ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Please use 'server require schannel:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return s->result; ++} ++ ++NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) ++{ ++ struct dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ status = dcesrv_netr_check_schannel_get_state(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ &s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ return NT_STATUS_OK; ++} ++ ++/* ++ * NOTE: The following functions are nearly identical to the ones available in ++ * source3/rpc_server/srv_nelog_nt.c ++ * The reason we keep 2 copies is that they use different structures to ++ * represent the auth_info and the decrpc pipes. 
++ */ ++NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out) ++{ ++ NTSTATUS nt_status; ++ struct netlogon_creds_CredentialState *creds = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); ++ ++ nt_status = schannel_check_creds_state(mem_ctx, ++ dce_call->conn->dce_ctx->lp_ctx, ++ computer_name, ++ received_authenticator, ++ return_authenticator, ++ &creds); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ ZERO_STRUCTP(return_authenticator); ++ return nt_status; ++ } ++ ++ nt_status = dcesrv_netr_check_schannel(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ dce_call->pkt.u.request.opnum); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ TALLOC_FREE(creds); ++ ZERO_STRUCTP(return_authenticator); ++ return nt_status; ++ } ++ ++ *creds_out = creds; ++ return NT_STATUS_OK; ++} +diff --git a/librpc/rpc/server/netlogon/schannel_util.h b/librpc/rpc/server/netlogon/schannel_util.h +new file mode 100644 +index 00000000000..561e2567e02 +--- /dev/null ++++ b/librpc/rpc/server/netlogon/schannel_util.h +@@ -0,0 +1,54 @@ ++/* ++ Unix SMB/CIFS implementation. ++ ++ netlogon schannel utility functions ++ ++ Copyright (C) Andrew Bartlett 2004-2008 ++ Copyright (C) Stefan Metzmacher 2005 ++ Copyright (C) Matthias Dieter Wallnöfer 2009-2010 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. 
++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#ifndef __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ ++#define __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ ++ ++#include "replace.h" ++#include ++#include "libcli/util/ntstatus.h" ++ ++#define NETLOGON_SERVER_PIPE_STATE_MAGIC 0x4f555358 ++ ++struct dcesrv_call_state; ++struct netlogon_creds_CredentialState; ++struct netr_Authenticator; ++enum dcerpc_AuthType; ++enum dcerpc_AuthLevel; ++ ++NTSTATUS dcesrv_netr_check_schannel( ++ struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum); ++ ++NTSTATUS dcesrv_netr_creds_server_step_check( ++ struct dcesrv_call_state *dce_call, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out); ++ ++#endif /* __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ */ +diff --git a/librpc/wscript_build b/librpc/wscript_build +index b82209b4299..f22ab2eabae 100644 +--- a/librpc/wscript_build ++++ b/librpc/wscript_build +@@ -678,6 +678,18 @@ bld.SAMBA_LIBRARY('dcerpc-pkt-auth', + ''', + deps='dcerpc-binding gensec') + ++bld.SAMBA_SUBSYSTEM('DCERPC_SERVER_NETLOGON', ++ source=''' ++ rpc/server/netlogon/schannel_util.c ++ ''', ++ deps=''' ++ talloc ++ util_str_escape ++ samba-hostconfig ++ NDR_NETLOGON ++ dcerpc-server-core ++ ''') ++ + bld.SAMBA_LIBRARY('dcerpc-server-core', + source=''' + rpc/dcesrv_core.c +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c 
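Review bot: The two prototypes added in schannel_util.h carry no documentation of the contract their implementation establishes: dcesrv_netr_creds_server_step_check() writes `*creds_out` only on the NT_STATUS_OK path, and on every failure it zeroes `*return_authenticator` (and frees the credential state when the schannel check fails), so a caller must not read either output after a non-OK status. A Doxygen block above that declaration should say that `*creds_out` is presumably allocated on `mem_ctx` and owned by the caller once NT_STATUS_OK is returned, that it is left untouched on failure, and that `return_authenticator` is cleared on failure. The block above dcesrv_netr_check_schannel() should note that the result is cached per connection and keyed on the account SID, auth type and auth level, as the removed source4 copy of dcesrv_netr_check_schannel_get_state() shows, so a changed smb.conf setting is only picked up when a new state is created.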
b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index ddcb8487a56..6a3e044eb9d 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -42,6 +42,7 @@ + #include "librpc/gen_ndr/ndr_irpc.h" + #include "librpc/gen_ndr/ndr_winbind.h" + #include "librpc/gen_ndr/ndr_winbind_c.h" ++#include "librpc/rpc/server/netlogon/schannel_util.h" + #include "lib/socket/netif.h" + #include "lib/util/util_str_escape.h" + #include "lib/param/loadparm.h" +@@ -889,551 +890,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + } + +-struct dcesrv_netr_check_schannel_state { +- struct dom_sid account_sid; +- enum dcerpc_AuthType auth_type; +- enum dcerpc_AuthLevel auth_level; +- +- bool schannel_global_required; +- bool schannel_required; +- bool schannel_explicitly_set; +- +- bool seal_global_required; +- bool seal_required; +- bool seal_explicitly_set; +- +- NTSTATUS result; +-}; +- +-static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, +- const struct netlogon_creds_CredentialState *creds, +- enum dcerpc_AuthType auth_type, +- enum dcerpc_AuthLevel auth_level, +- struct dcesrv_netr_check_schannel_state **_s) +-{ +- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- int schannel = lpcfg_server_schannel(lp_ctx); +- bool schannel_global_required = (schannel == true); +- bool schannel_required = schannel_global_required; +- const char *explicit_opt = NULL; +- bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); +- bool require_seal = global_require_seal; +- const char *explicit_seal_opt = NULL; +-#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) +- struct dcesrv_netr_check_schannel_state *s = NULL; +- NTSTATUS status; +- +- *_s = NULL; +- +- s = dcesrv_iface_state_find_conn(dce_call, +- DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, 
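Review bot: The newly included schannel_util.h defines NETLOGON_SERVER_PIPE_STATE_MAGIC as a macro; if dcerpc_netlogon.c still carries its own `#define NETLOGON_SERVER_PIPE_STATE_MAGIC` for the pipe-state lookups that remain in this file, this include will now trigger a macro-redefinition diagnostic, which is benign only while both values stay identical. That local definition, if present, lies outside this hunk, so I can't confirm it from here; if it exists, drop it so the shared header is the single source of the value. The deleted block in the following hunk derived a second key from it as `NETLOGON_SERVER_PIPE_STATE_MAGIC+1`, so the value is now shared between the s3 and s4 servers and should not be changed independently in either.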
+- struct dcesrv_netr_check_schannel_state); +- if (s != NULL) { +- if (!dom_sid_equal(&s->account_sid, creds->sid)) { +- goto new_state; +- } +- if (s->auth_type != auth_type) { +- goto new_state; +- } +- if (s->auth_level != auth_level) { +- goto new_state; +- } +- +- *_s = s; +- return NT_STATUS_OK; +- } +- +-new_state: +- TALLOC_FREE(s); +- s = talloc_zero(dce_call, +- struct dcesrv_netr_check_schannel_state); +- if (s == NULL) { +- return NT_STATUS_NO_MEMORY; +- } +- +- s->account_sid = *creds->sid; +- s->auth_type = auth_type; +- s->auth_level = auth_level; +- s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; +- +- /* +- * We don't use lpcfg_parm_bool(), as we +- * need the explicit_opt pointer in order to +- * adjust the debug messages. +- */ +- explicit_seal_opt = lpcfg_get_parametric(lp_ctx, +- NULL, +- "server schannel require seal", +- creds->account_name); +- if (explicit_seal_opt != NULL) { +- require_seal = lp_bool(explicit_seal_opt); +- } +- +- /* +- * We don't use lpcfg_parm_bool(), as we +- * need the explicit_opt pointer in order to +- * adjust the debug messages. 
+- */ +- explicit_opt = lpcfg_get_parametric(lp_ctx, +- NULL, +- "server require schannel", +- creds->account_name); +- if (explicit_opt != NULL) { +- schannel_required = lp_bool(explicit_opt); +- } +- +- s->schannel_global_required = schannel_global_required; +- s->schannel_required = schannel_required; +- s->schannel_explicitly_set = explicit_opt != NULL; +- +- s->seal_global_required = global_require_seal; +- s->seal_required = require_seal; +- s->seal_explicitly_set = explicit_seal_opt != NULL; +- +- status = dcesrv_iface_state_store_conn(dce_call, +- DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, +- s); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- *_s = s; +- return NT_STATUS_OK; +-} +- +-static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, +- struct dcesrv_netr_check_schannel_state *s, +- const struct netlogon_creds_CredentialState *creds, +- uint16_t opnum) +-{ +- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); +- int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); +- int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); +- int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); +- TALLOC_CTX *frame = talloc_stackframe(); +- unsigned int dbg_lvl = DBGLVL_DEBUG; +- const char *opname = ""; +- const char *reason = ""; +- +- if (opnum < ndr_table_netlogon.num_calls) { +- opname = ndr_table_netlogon.calls[opnum].name; +- } +- +- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { +- reason = "WITH SEALED"; +- } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { +- reason = "WITH SIGNED"; +- } else { +- reason = "WITH 
INVALID"; +- dbg_lvl = DBGLVL_ERR; +- s->result = NT_STATUS_INTERNAL_ERROR; +- } +- } else { +- reason = "WITHOUT"; +- } +- +- if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { +- if (!NT_STATUS_IS_OK(s->result)) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- TALLOC_FREE(frame); +- return s->result; +- } +- +- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && +- s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) +- { +- s->result = NT_STATUS_OK; +- +- if (s->schannel_explicitly_set && !s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); +- } else if (!s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } +- if (s->seal_explicitly_set && !s->seal_required) { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); +- } else if (!s->seal_required) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- +- if (s->schannel_explicitly_set && !s->schannel_required) { +- DEBUG(CVE_2020_1472_warn_level, ( +- "CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- +- if (s->seal_explicitly_set && !s->seal_required) { +- DEBUG(CVE_2022_38023_warn_level, ( +- "CVE-2022-38023: " +- "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", +- log_escape(frame, 
creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- +- TALLOC_FREE(frame); +- return s->result; +- } +- +- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (s->seal_required) { +- s->result = NT_STATUS_ACCESS_DENIED; +- +- if (s->seal_explicitly_set) { +- dbg_lvl = DBGLVL_NOTICE; +- } else { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); +- } +- if (s->schannel_explicitly_set && !s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "from client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- if (s->seal_explicitly_set) { +- D_NOTICE("CVE-2022-38023: Option " +- "'server schannel require seal:%s = yes' " +- "rejects access for client.\n", +- log_escape(frame, creds->account_name)); +- } else { +- DEBUG(CVE_2020_1472_error_level, ( +- "CVE-2022-38023: Check if option " +- "'server schannel require seal:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name))); +- } +- if (s->schannel_explicitly_set && !s->schannel_required) { +- DEBUG(CVE_2020_1472_warn_level, ( +- "CVE-2020-1472(ZeroLogon): Option " +- "'server require schannel:%s = no' " +- "not needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- TALLOC_FREE(frame); +- return s->result; +- } +- +- s->result = NT_STATUS_OK; +- +- if (s->schannel_explicitly_set && !s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); +- } else if (!s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } +- if (s->seal_explicitly_set && !s->seal_required) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } else if (!s->seal_required) { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); +- } +- +- 
DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) %s schannel from " +- "client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- if (s->schannel_explicitly_set && !s->schannel_required) { +- DEBUG(CVE_2020_1472_warn_level, ( +- "CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- if (s->seal_explicitly_set && !s->seal_required) { +- D_INFO("CVE-2022-38023: " +- "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- } else if (!s->seal_required) { +- /* +- * admins should set +- * server schannel require seal:COMPUTER$ = no +- * in order to avoid the level 0 messages. +- * Over time they can switch the global value +- * to be strict. 
+- */ +- DEBUG(CVE_2022_38023_error_level, ( +- "CVE-2022-38023: " +- "Please use 'server schannel require seal:%s = no' " +- "for '%s' to avoid this warning!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- +- TALLOC_FREE(frame); +- return s->result; +- } +- +- if (s->seal_required) { +- s->result = NT_STATUS_ACCESS_DENIED; +- +- if (s->seal_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); +- } else { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); +- } +- if (!s->schannel_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +- } else if (s->schannel_required) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "from client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- if (s->seal_explicitly_set) { +- D_NOTICE("CVE-2022-38023: Option " +- "'server schannel require seal:%s = yes' " +- "rejects access for client.\n", +- log_escape(frame, creds->account_name)); +- } else { +- DEBUG(CVE_2022_38023_error_level, ( +- "CVE-2022-38023: Check if option " +- "'server schannel require seal:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name))); +- } +- if (!s->schannel_explicitly_set) { +- DEBUG(CVE_2020_1472_error_level, ( +- "CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name))); +- } else if (s->schannel_required) { +- D_NOTICE("CVE-2022-38023: Option " +- "'server require schannel:%s = yes' " +- "also rejects access for client.\n", +- log_escape(frame, creds->account_name)); +- } +- TALLOC_FREE(frame); +- return s->result; +- } +- +- if (s->schannel_required) { +- 
s->result = NT_STATUS_ACCESS_DENIED; +- +- if (s->schannel_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); +- } else { +- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +- } +- if (!s->seal_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- if (s->schannel_explicitly_set) { +- D_NOTICE("CVE-2020-1472(ZeroLogon): Option " +- "'server require schannel:%s = yes' " +- "rejects access for client.\n", +- log_escape(frame, creds->account_name)); +- } else { +- DEBUG(CVE_2020_1472_error_level, ( +- "CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name))); +- } +- if (!s->seal_explicitly_set) { +- DEBUG(CVE_2022_38023_error_level, ( +- "CVE-2022-38023: Check if option " +- "'server schannel require seal:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name))); +- } +- TALLOC_FREE(frame); +- return s->result; +- } +- +- s->result = NT_STATUS_OK; +- +- if (s->seal_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } else { +- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); +- } +- +- if (s->schannel_explicitly_set) { +- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +- } else { +- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +- } +- +- DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +- "%s request (opnum[%u]) %s schannel from " +- "client_account[%s] client_computer_name[%s] %s\n", +- opname, opnum, reason, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name), +- nt_errstr(s->result))); +- +- if 
(s->seal_explicitly_set) { +- D_INFO("CVE-2022-38023: Option " +- "'server schannel require seal:%s = no' " +- "still needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- } else { +- /* +- * admins should set +- * server schannel require seal:COMPUTER$ = no +- * in order to avoid the level 0 messages. +- * Over time they can switch the global value +- * to be strict. +- */ +- DEBUG(CVE_2022_38023_error_level, ( +- "CVE-2022-38023: Please use " +- "'server schannel require seal:%s = no' " +- "for '%s' to avoid this warning!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- +- if (s->schannel_explicitly_set) { +- D_INFO("CVE-2020-1472(ZeroLogon): Option " +- "'server require schannel:%s = no' " +- "still needed for '%s'!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- } else { +- /* +- * admins should set +- * server require schannel:COMPUTER$ = no +- * in order to avoid the level 0 messages. +- * Over time they can switch the global value +- * to be strict. 
+- */ +- DEBUG(CVE_2020_1472_error_level, ( +- "CVE-2020-1472(ZeroLogon): " +- "Please use 'server require schannel:%s = no' " +- "for '%s' to avoid this warning!\n", +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name))); +- } +- +- TALLOC_FREE(frame); +- return s->result; +-} +- +-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, +- const struct netlogon_creds_CredentialState *creds, +- enum dcerpc_AuthType auth_type, +- enum dcerpc_AuthLevel auth_level, +- uint16_t opnum) +-{ +- struct dcesrv_netr_check_schannel_state *s = NULL; +- NTSTATUS status; +- +- status = dcesrv_netr_check_schannel_get_state(dce_call, +- creds, +- auth_type, +- auth_level, +- &s); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- return NT_STATUS_OK; +-} +- +-/* +- * NOTE: The following functions are nearly identical to the ones available in +- * source3/rpc_server/srv_nelog_nt.c +- * The reason we keep 2 copies is that they use different structures to +- * represent the auth_info and the decrpc pipes. 
+- */ +-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) +-{ +- NTSTATUS nt_status; +- struct netlogon_creds_CredentialState *creds = NULL; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- +- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); +- +- nt_status = schannel_check_creds_state(mem_ctx, +- dce_call->conn->dce_ctx->lp_ctx, +- computer_name, +- received_authenticator, +- return_authenticator, +- &creds); +- if (!NT_STATUS_IS_OK(nt_status)) { +- ZERO_STRUCTP(return_authenticator); +- return nt_status; +- } +- +- nt_status = dcesrv_netr_check_schannel(dce_call, +- creds, +- auth_type, +- auth_level, +- dce_call->pkt.u.request.opnum); +- if (!NT_STATUS_IS_OK(nt_status)) { +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); +- return nt_status; +- } +- +- *creds_out = creds; +- return NT_STATUS_OK; +-} +- + /* + Change the machine account password for the currently connected + client. Supplies only the NT#. 
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index e7bb773d719..0e44a3c2bae 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -118,10 +118,10 @@ bld.SAMBA_MODULE('dcerpc_netlogon', + samba-hostconfig + DSDB_MODULE_HELPERS + util_str_escape ++ DCERPC_SERVER_NETLOGON + ''' + ) + +- + bld.SAMBA_MODULE('dcerpc_lsarpc', + source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', + autoproto='lsa/proto.h', +-- +2.39.0 + + +From 1a1f5c53c217b5336464885a70e7eef94dd0ad5f Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 16:30:26 +0100 +Subject: [PATCH 5/9] CVE-2022-38023 s3:rpc_server/netlogon: Use + dcesrv_netr_creds_server_step_check() + +After s3 and s4 rpc servers merge we can avoid duplicated code. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 25300d354c80995997d552581cd91dddaf4bbf48) +--- + librpc/rpc/server/netlogon/schannel_util.c | 6 - + selftest/target/Samba3.pm | 14 ++ + source3/rpc_server/netlogon/srv_netlog_nt.c | 201 +++++--------------- + source3/rpc_server/wscript_build | 2 +- + 4 files changed, 58 insertions(+), 165 deletions(-) + +diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c +index 9b2a88a2628..b14497b13ce 100644 +--- a/librpc/rpc/server/netlogon/schannel_util.c ++++ b/librpc/rpc/server/netlogon/schannel_util.c +@@ -529,12 +529,6 @@ NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + return NT_STATUS_OK; + } + +-/* +- * NOTE: The following functions are nearly identical to the ones available in +- * source3/rpc_server/srv_nelog_nt.c +- * The reason we keep 2 copies is that they use different structures to +- * represent the auth_info and the decrpc pipes. 
+- */ + NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + const char *computer_name, +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b58f3d45118..75256db675c 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -288,6 +288,20 @@ sub setup_nt4_dc + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no + ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no ++ + fss: sequence timeout = 1 + check parent directory delete on close = yes + "; +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index a3853d482df..8e0ea522b6d 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -51,6 +51,7 @@ + #include "libsmb/dsgetdcname.h" + #include "lib/util/util_str_escape.h" + #include "source3/lib/substitute.h" ++#include "librpc/rpc/server/netlogon/schannel_util.h" + + extern userdom_struct current_user_info; + +@@ -1061,129 +1062,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, + return _netr_ServerAuthenticate3(p, &a); + } + +-/************************************************************************* +- *************************************************************************/ +- +-static NTSTATUS netr_creds_server_step_check(struct 
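Review bot: Routing the s3 server through dcesrv_netr_creds_server_step_check() drops the `*creds_out = NULL` initialisation that the removed netr_creds_server_step_check() performed on entry (visible in the next hunk); the shared implementation added in the first patch assigns `*creds_out` only on the success path and leaves it untouched on every error return. Any converted call site in srv_netlog_nt.c that tests `creds == NULL` instead of the returned NTSTATUS, or passes a pointer to an uninitialised local, would now free or dereference indeterminate memory; the call sites are outside this hunk, so I can't confirm whether one does. Either restore the guard at the top of the shared function, `if (creds_out != NULL) { *creds_out = NULL; }`, or audit each converted caller for a `creds = NULL` initialiser and status-only checks. The removal hunk that follows runs past the end of the visible chunk.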
pipes_struct *p, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) +-{ +- struct dcesrv_call_state *dce_call = p->dce_call; +- NTSTATUS status; +- bool schannel_global_required = (lp_server_schannel() == true) ? true:false; +- bool schannel_required = schannel_global_required; +- const char *explicit_opt = NULL; +- struct loadparm_context *lp_ctx; +- struct netlogon_creds_CredentialState *creds = NULL; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- uint16_t opnum = dce_call->pkt.u.request.opnum; +- const char *opname = ""; +- +- if (creds_out != NULL) { +- *creds_out = NULL; +- } +- +- if (opnum < ndr_table_netlogon.num_calls) { +- opname = ndr_table_netlogon.calls[opnum].name; +- } +- +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); +- +- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(0, ("loadparm_init_s3 failed\n")); +- return NT_STATUS_INTERNAL_ERROR; +- } +- +- status = schannel_check_creds_state(mem_ctx, lp_ctx, +- computer_name, received_authenticator, +- return_authenticator, &creds); +- talloc_unlink(mem_ctx, lp_ctx); +- +- if (!NT_STATUS_IS_OK(status)) { +- ZERO_STRUCTP(return_authenticator); +- return status; +- } +- +- /* +- * We don't use lp_parm_bool(), as we +- * need the explicit_opt pointer in order to +- * adjust the debug messages. 
+- */ +- +- explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, +- "server require schannel", +- creds->account_name, +- NULL); +- if (explicit_opt != NULL) { +- schannel_required = lp_bool(explicit_opt); +- } +- +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- return NT_STATUS_OK; +- } +- +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! \n", +- log_escape(mem_ctx, creds->account_name)); +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); +- return NT_STATUS_ACCESS_DENIED; +- } +- +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); +- +- *creds_out = creds; +- return NT_STATUS_OK; +- } +- +- if (explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); +- } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(mem_ctx, 
creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(mem_ctx, creds->account_name)); +- } +- +- *creds_out = creds; +- return NT_STATUS_OK; +-} +- +- + /************************************************************************* + *************************************************************************/ + +@@ -1429,11 +1307,12 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, + DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + + if (!NT_STATUS_IS_OK(status)) { +@@ -1493,11 +1372,12 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, + bool ok; + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + + if (!NT_STATUS_IS_OK(status)) { +@@ -1644,11 +1524,12 @@ NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p, + struct netlogon_creds_CredentialState *creds; + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + + return status; +@@ -2061,11 +1942,12 @@ NTSTATUS 
_netr_LogonSamLogonWithFlags(struct pipes_struct *p, + } + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- &return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ &return_authenticator, ++ &creds); + unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + return status; +@@ -2411,11 +2293,12 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + NTSTATUS status; + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + return status; +@@ -2775,11 +2658,12 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, + /* TODO: check server name */ + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + return status; +@@ -2878,11 +2762,12 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, + /* TODO: check server name */ + + become_root(); +- status = netr_creds_server_step_check(p, p->mem_ctx, +- r->in.computer_name, +- r->in.credential, +- r->out.return_authenticator, +- &creds); ++ status = dcesrv_netr_creds_server_step_check(p->dce_call, ++ p->mem_ctx, ++ r->in.computer_name, ++ r->in.credential, ++ r->out.return_authenticator, ++ &creds); + unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + return status; +diff --git 
a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build +index 83ceca2a45c..341df41a321 100644 +--- a/source3/rpc_server/wscript_build ++++ b/source3/rpc_server/wscript_build +@@ -174,7 +174,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_NETDFS', + + bld.SAMBA3_SUBSYSTEM('RPC_NETLOGON', + source='''netlogon/srv_netlog_nt.c''', +- deps='LIBCLI_AUTH') ++ deps='LIBCLI_AUTH DCERPC_SERVER_NETLOGON') + + bld.SAMBA3_SUBSYSTEM('RPC_NTSVCS', + source='''ntsvcs/srv_ntsvcs_nt.c''', +-- +2.39.0 + + +From 5e8a9c85fe9cd28727c284a7fa5465db00a16cac Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 09:29:04 +0100 +Subject: [PATCH 6/9] CVE-2022-38023 s3:rpc_server/netlogon: make sure all + _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() + +Some checks are also required for _netr_LogonSamLogonEx(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7) +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 45 +++++++++++++-------- + 1 file changed, 28 insertions(+), 17 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 8e0ea522b6d..ba2680668ed 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1632,6 +1632,11 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + struct auth_serversupplied_info *server_info = NULL; + struct auth_context *auth_context = NULL; + const char *fn; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ uint16_t opnum = dce_call->pkt.u.request.opnum; ++ ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); + + #ifdef DEBUG_PASSWORD + logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, +@@ -1642,15 +1647,37 @@ static NTSTATUS _netr_LogonSamLogon_base(struct 
pipes_struct *p, + } + #endif + +- switch (dce_call->pkt.u.request.opnum) { ++ switch (opnum) { + case NDR_NETR_LOGONSAMLOGON: + fn = "_netr_LogonSamLogon"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONWITHFLAGS: + fn = "_netr_LogonSamLogonWithFlags"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONEX: + fn = "_netr_LogonSamLogonEx"; ++ ++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ status = dcesrv_netr_check_schannel(p->dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ opnum); ++ if (NT_STATUS_IS_ERR(status)) { ++ return status; ++ } ++ + break; + default: + return NT_STATUS_INTERNAL_ERROR; +@@ -1881,10 +1908,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + r->out.validation->sam3); + break; + case 6: { +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- +- dcesrv_call_auth_info(dce_call, NULL, &auth_level); +- + /* Only allow this if the pipe is protected. */ + if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) { + DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n", +@@ -1997,8 +2020,6 @@ NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p, + NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + struct netr_LogonSamLogonEx *r) + { +- struct dcesrv_call_state *dce_call = p->dce_call; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + NTSTATUS status; + struct netlogon_creds_CredentialState *creds = NULL; + struct loadparm_context *lp_ctx; +@@ -2010,16 +2031,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + return status; + } + +- /* Only allow this if the pipe is protected. 
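Review bot: The new comments in the NDR_NETR_LOGONSAMLOGON and NDR_NETR_LOGONSAMLOGONWITHFLAGS cases still refer to `netr_creds_server_step_check()`, which the previous patch in this series removed from this file in favour of the shared helper, so they should read `/* Already called dcesrv_netr_check_schannel() via dcesrv_netr_creds_server_step_check() */`. In the NDR_NETR_LOGONSAMLOGONEX branch the non-schannel binding is now rejected with a bare `return NT_STATUS_ACCESS_DENIED;`, whereas the check removed from _netr_LogonSamLogonEx logged the client at DEBUG level 0 and returned NT_STATUS_INVALID_PARAMETER; given that the rest of this series is about making misconfiguration visible to admins, a `DBG_ERR("%s: client %s not using schannel\n", fn, get_remote_machine_name());` before the return would preserve that diagnostic, and the changed status code is worth a mention in the commit message. The `NT_STATUS_IS_ERR(status)` test after dcesrv_netr_check_schannel() differs from the `!NT_STATUS_IS_OK()` idiom used at the other call sites in this file; if the helper can only return OK or an error-severity status this is equivalent, but a one-line comment saying so would stop the next reader from treating it as a bug. _netr_LogonSamLogon_base starts and ends outside this hunk.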
*/ +- +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); +- +- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", +- get_remote_machine_name() )); +- return NT_STATUS_INVALID_PARAMETER; +- } +- + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); +-- +2.39.0 + + +From f4682b16e9e5bdc4decf6c9d02388d540482b6a7 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:05:33 +0100 +Subject: [PATCH 7/9] CVE-2022-38023 s3:rpc_server/netlogon: Check for global + "server schannel require seal" + +By default we'll now require schannel connections with privacy/sealing/encryption. + +But we allow exceptions for specific computer/trust accounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit a0b97e262318dc56fe663da89b0ee3172b2e7848) +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index ba2680668ed..a6f56a5ca21 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2895,7 +2895,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); + static bool warned_global_schannel_once = false; ++ static bool warned_global_seal_once = false; + + if (!schannel_global_required && !warned_global_schannel_once) { + /* +@@ -2907,6 +2909,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + 
warned_global_schannel_once = true; + } + ++ if (!global_require_seal && !warned_global_seal_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'server schannel require seal = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_once = true; ++ } ++ + return NT_STATUS_OK; + } + +-- +2.39.0 + + +From 5ddca0370de470bf1c532a6883e0b9fa0dedf6c4 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 9 Jan 2023 12:17:48 +0100 +Subject: [PATCH 8/9] CVE-2022-38023 docs-xml/smbdotconf: The "server schannel + require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon + server. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 02fba22b8c9e9b33ab430555ef45500c45eaa9d1) +--- + docs-xml/smbdotconf/security/serverschannelrequireseal.xml | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +index d4620d1252d..0bec67d2519 100644 +--- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml ++++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +@@ -12,9 +12,8 @@ + + + +- This option controls whether the netlogon server (currently +- only in 'active directory domain controller' mode), will +- reject the usage of netlogon secure channel without privacy/enryption. ++ This option controls whether the netlogon server, will reject the usage ++ of netlogon secure channel without privacy/enryption. 
+ + + +-- +2.39.0 + + +From 2cb3ecb5c258fd23ca2f1fd2635be90336a0d7e0 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 16:32:40 +0100 +Subject: [PATCH 9/9] CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary + loadparm_context allocations + +After s3 and s4 rpc servers merge the loadparm_context is available in +the dcesrv_context structure. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Mon Jan 9 15:17:14 UTC 2023 on sn-devel-184 + +(cherry picked from commit 56837f3d3169a02d0d92bd085d9c8250415ce29b) +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 21 ++------------------- + 1 file changed, 2 insertions(+), 19 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index a6f56a5ca21..7d17ab79f3d 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -880,7 +880,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, + * so use a copy to avoid destroying the client values. */ + uint32_t in_neg_flags = *r->in.negotiate_flags; + const char *fn; +- struct loadparm_context *lp_ctx; ++ struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx; + struct dom_sid sid; + struct samr_Password mach_pwd; + struct netlogon_creds_CredentialState *creds; +@@ -1009,20 +1009,11 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, + goto out; + } + +- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(10, ("loadparm_init_s3 failed\n")); +- status = NT_STATUS_INTERNAL_ERROR; +- goto out; +- } +- + /* Store off the state so we can continue after client disconnect. 
*/ + become_root(); + status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds); + unbecome_root(); + +- talloc_unlink(p->mem_ctx, lp_ctx); +- + if (!NT_STATUS_IS_OK(status)) { + ZERO_STRUCTP(r->out.return_credentials); + goto out; +@@ -2022,7 +2013,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + { + NTSTATUS status; + struct netlogon_creds_CredentialState *creds = NULL; +- struct loadparm_context *lp_ctx; ++ struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx; + + *r->out.authoritative = true; + +@@ -2031,18 +2022,10 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + return status; + } + +- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(0, ("loadparm_init_s3 failed\n")); +- return NT_STATUS_INTERNAL_ERROR; +- } +- + become_root(); + status = schannel_get_creds_state(p->mem_ctx, lp_ctx, + r->in.computer_name, &creds); + unbecome_root(); +- talloc_unlink(p->mem_ctx, lp_ctx); +- + if (!NT_STATUS_IS_OK(status)) { + return status; + } +-- +2.39.0 + diff --git a/CVE-2022-38023-v4-16.patch b/CVE-2022-38023-v4-16.patch new file mode 100644 index 0000000..54e0604 --- /dev/null +++ b/CVE-2022-38023-v4-16.patch 
@@ -0,0 +1,4417 @@ +From e39dcc08705f0bf59a57ad835821cef41ec8b1e6 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 6 Dec 2022 16:00:36 +0100 +Subject: [PATCH 01/30] CVE-2022-38023 docs-xml: improve wording for several + options: "takes precedence" -> "overrides" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9) +--- + docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +- + docs-xml/smbdotconf/security/serverschannel.xml | 2 +- + docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +- + docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index 41684ef10805..0bb9f6f6c8ec 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -10,7 +10,7 @@ + You can set this to yes if all domain members support aes. + This will prevent downgrade attacks. + +- This option takes precedence to the 'allow nt4 crypto' option. ++ This option overrides the 'allow nt4 crypto' option. + + + no +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index b682d086f76b..79e4e73a95c9 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -59,7 +59,7 @@ + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + + +- This option takes precedence to the option. ++ This option overrides the option. 
+ + + server require schannel:LEGACYCOMPUTER1$ = no +diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +index 37656293aa47..151b4676c57b 100644 +--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml ++++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +@@ -15,7 +15,7 @@ + The behavior can be controlled per netbios domain + by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. + +- This option takes precedence to the option. ++ This option overrides the option. + + + no +diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +index 4db62bfb02db..b17620ec8f1d 100644 +--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml ++++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +@@ -19,7 +19,7 @@ + + This option yields precedence to the option. + +- This option takes precedence to the option. ++ This option overrides the option. + + + yes +-- +2.34.1 + + +From 75fcaa4792afde7599d23316788ce8bbf780fe8a Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 6 Dec 2022 16:05:26 +0100 +Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several + options: "yields precedence" -> "is over-riden" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +- + docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +- + docs-xml/smbdotconf/security/clientschannel.xml | 2 +- + docs-xml/smbdotconf/security/serverschannel.xml | 2 +- + docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index 03dc8fa93f72..06afcef73b1b 100644 +--- 
a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -18,7 +18,7 @@ + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + +- This option yields precedence to the 'reject md5 clients' option. ++ This option is over-ridden by the 'reject md5 clients' option. + + + no +diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +index 03531adbfb36..8bccab391cc2 100644 +--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml ++++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +@@ -15,7 +15,7 @@ + The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. + +- This option yields precedence to the implementation specific restrictions. ++ This option is over-ridden by the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + +diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml +index 5b07da95050c..d124ad481818 100644 +--- a/docs-xml/smbdotconf/security/clientschannel.xml ++++ b/docs-xml/smbdotconf/security/clientschannel.xml +@@ -23,7 +23,7 @@ + Note that for active directory domains this is hardcoded to + yes. + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + yes + auto +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index 79e4e73a95c9..3e66df1c2032 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -23,7 +23,7 @@ + If you still have legacy domain members use the option. 
+ + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + + +diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +index b17620ec8f1d..9c1c1d7af148 100644 +--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml ++++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +@@ -17,7 +17,7 @@ + + Note for active directory domain this option is hardcoded to 'yes' + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + This option overrides the option. + +-- +2.34.1 + + +From cbf7cf691860d92c1890009b639a1fd495cf1cf2 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:46:59 +0100 +Subject: [PATCH 03/30] CVE-2022-38023 libcli/auth: pass lp_ctx to + netlogon_creds_cli_set_global_db() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209) +--- + libcli/auth/netlogon_creds_cli.c | 3 ++- + libcli/auth/netlogon_creds_cli.h | 2 +- + source3/rpc_client/cli_netlogon.c | 2 +- + source3/utils/destroy_netlogon_creds_cli.c | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index e92a042c0120..030191174dca 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -202,7 +202,8 @@ static NTSTATUS netlogon_creds_cli_context_common( + + static struct db_context *netlogon_creds_cli_global_db; + +-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db) ++NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, ++ struct db_context **db) + { + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; +diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h +index 
6f40a46aa0a6..d10197c2d2af 100644 +--- a/libcli/auth/netlogon_creds_cli.h ++++ b/libcli/auth/netlogon_creds_cli.h +@@ -31,7 +31,7 @@ struct messaging_context; + struct dcerpc_binding_handle; + struct db_context; + +-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db); ++NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db); + NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); + void netlogon_creds_cli_close_global_db(void); + +diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c +index 50dae9d7f3eb..18664e8b91af 100644 +--- a/source3/rpc_client/cli_netlogon.c ++++ b/source3/rpc_client/cli_netlogon.c +@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void) + return NT_STATUS_NO_MEMORY; + } + +- status = netlogon_creds_cli_set_global_db(&global_db); ++ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); + TALLOC_FREE(frame); + if (!NT_STATUS_IS_OK(status)) { + return status; +diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c +index f28cad527dfb..a2e1952e434c 100644 +--- a/source3/utils/destroy_netlogon_creds_cli.c ++++ b/source3/utils/destroy_netlogon_creds_cli.c +@@ -82,7 +82,7 @@ int main(int argc, const char *argv[]) + goto done; + } + +- status = netlogon_creds_cli_set_global_db(&global_db); ++ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); + if (!NT_STATUS_IS_OK(status)) { + fprintf(stderr, + "netlogon_creds_cli_set_global_db failed: %s\n", +-- +2.34.1 + + +From 2c4f9869b208cfd969607248420e36e3bd4aecfa Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:47:33 +0100 +Subject: [PATCH 04/30] CVE-2022-38023 libcli/auth: add/use + netlogon_creds_cli_warn_options() + +This warns the admin about insecure options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: 
Ralph Boehme + +(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800) +[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to + getpid()] +--- + libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++ + libcli/auth/netlogon_creds_cli.h | 2 + + 2 files changed, 68 insertions(+) + +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index 030191174dca..3794d8b6b6ef 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db; + NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, + struct db_context **db) + { ++ netlogon_creds_cli_warn_options(lp_ctx); ++ + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } +@@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx) + struct db_context *global_db; + int hash_size, tdb_flags; + ++ netlogon_creds_cli_warn_options(lp_ctx); ++ + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_OK; + } +@@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void) + TALLOC_FREE(netlogon_creds_cli_global_db); + } + ++void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) ++{ ++ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx); ++ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); ++ int global_client_schannel = lpcfg_client_schannel(lp_ctx); ++ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); ++ static bool warned_global_reject_md5_servers = false; ++ static bool warned_global_require_strong_key = false; ++ static bool warned_global_client_schannel = false; ++ static bool warned_global_seal_secure_channel = false; ++ static int warned_global_pid = 0; ++ int current_pid = getpid(); ++ ++ if (warned_global_pid != current_pid) { ++ warned_global_reject_md5_servers = false; ++ 
warned_global_require_strong_key = false; ++ warned_global_client_schannel = false; ++ warned_global_seal_secure_channel = false; ++ warned_global_pid = current_pid; ++ } ++ ++ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'reject md5 servers = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_reject_md5_servers = true; ++ } ++ ++ if (!global_require_strong_key && !warned_global_require_strong_key) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'require strong key = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_require_strong_key = true; ++ } ++ ++ if (global_client_schannel != true && !warned_global_client_schannel) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'client schannel = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_client_schannel = true; ++ } ++ ++ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) { ++ /* ++ * We want admins to notice their misconfiguration! 
++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'winbind sealed pipes = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_secure_channel = true; ++ } ++} ++ + NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + struct messaging_context *msg_ctx, + const char *client_account, +diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h +index d10197c2d2af..600242e1aea7 100644 +--- a/libcli/auth/netlogon_creds_cli.h ++++ b/libcli/auth/netlogon_creds_cli.h +@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc + NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); + void netlogon_creds_cli_close_global_db(void); + ++void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx); ++ + NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + struct messaging_context *msg_ctx, + const char *client_account, +-- +2.34.1 + + +From 558c68e0915885ed77b3d02e52d93f4c64a0e20e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 16:16:05 +0100 +Subject: [PATCH 05/30] CVE-2022-38023 s3:net: add and use + net_warn_member_options() helper + +This makes sure domain member related 'net' commands print warnings +about unsecure smb.conf options. 
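Review bot: `warned_global_pid` and `current_pid` in netlogon_creds_cli_warn_options() are declared `int`, but `getpid()` returns `pid_t`; declare them as `static pid_t warned_global_pid = 0;` and `pid_t current_pid = getpid();` (the backport note says this replaced tevent_cached_getpid(), so `<unistd.h>` has to be reachable through the existing includes — presumably via the Samba umbrella header, worth confirming). The `global_client_schannel != true` comparison is made against the tri-state `client schannel` value, so the warning also fires for `auto`; that looks intentional but deserves a comment such as `/* 'auto' is not good enough here: only an explicit yes is secure */`. The per-pid reset means a forked child process warns again once; a short comment stating that intent, `/* re-warn once per process after fork */`, would make the static-state dance self-explanatory.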
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a) +--- + source3/utils/net.c | 6 ++++++ + source3/utils/net_ads.c | 14 ++++++++++++++ + source3/utils/net_dom.c | 2 ++ + source3/utils/net_join.c | 2 ++ + source3/utils/net_offlinejoin.c | 2 ++ + source3/utils/net_proto.h | 2 ++ + source3/utils/net_rpc.c | 10 ++++++++++ + source3/utils/net_util.c | 14 ++++++++++++++ + 8 files changed, 52 insertions(+) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index e1e14743c117..b96d7f5d9d48 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param) + + static int net_changetrustpw(struct net_context *c, int argc, const char **argv) + { ++ net_warn_member_options(); ++ + if (net_ads_check_our_domain(c) == 0) + return net_ads_changetrustpw(c, argc, argv); + +@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc, + return 1; + } + ++ net_warn_member_options(); ++ + if (c->opt_stdin) { + set_line_buffering(stdin); + set_line_buffering(stdout); +@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc, + return 1; + } + ++ net_warn_member_options(); ++ + if(c->opt_force) { + struct secrets_domain_info1 *info = NULL; + struct secrets_domain_info1_change *prev = NULL; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index d666f7fc3ec9..cc0d4a0d966c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -1306,6 +1306,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { + return -1; + } +@@ -1447,6 +1449,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) + return NT_STATUS_ACCESS_DENIED; + } + ++ 
net_warn_member_options(); ++ + net_use_krb_machine_account(c); + + get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); +@@ -1477,6 +1481,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + /* Display success or failure */ + status = net_ads_join_ok(c); + if (!NT_STATUS_IS_OK(status)) { +@@ -1571,6 +1577,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + if (c->display_usage) + return net_ads_join_usage(c, argc, argv); + ++ net_warn_member_options(); ++ + if (!modify_config) { + + werr = check_ads_config(); +@@ -2505,6 +2513,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) + return -1; + } + ++ net_warn_member_options(); ++ + net_use_krb_machine_account(c); + + use_in_memory_ccache(); +@@ -2778,6 +2788,8 @@ static int net_ads_keytab_add(struct net_context *c, + return 0; + } + ++ net_warn_member_options(); ++ + d_printf(_("Processing principals to add...\n")); + + if (!c->opt_user_specified && c->opt_password == NULL) { +@@ -2822,6 +2834,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a + return 0; + } + ++ net_warn_member_options(); ++ + if (!c->opt_user_specified && c->opt_password == NULL) { + net_use_krb_machine_account(c); + } +diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c +index 13e65a933142..4b48e1566bc8 100644 +--- a/source3/utils/net_dom.c ++++ b/source3/utils/net_dom.c +@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv) + return net_dom_usage(c, argc, argv); + } + ++ net_warn_member_options(); ++ + if (c->opt_host) { + server_name = c->opt_host; + } +diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c +index 1493dff74d7b..f67f08f79a81 100644 +--- a/source3/utils/net_join.c ++++ b/source3/utils/net_join.c +@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv) + return 0; + } + 
++ net_warn_member_options(); ++ + if (net_ads_check_our_domain(c) == 0) { + if (net_ads_join(c, argc, argv) == 0) + return 0; +diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c +index 03e5df0eace9..0cfd5fdfe235 100644 +--- a/source3/utils/net_offlinejoin.c ++++ b/source3/utils/net_offlinejoin.c +@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv) + return -1; + } + ++ net_warn_member_options(); ++ + status = libnetapi_net_init(&c->netapi_ctx); + if (status != 0) { + return -1; +diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h +index b6ff639a0941..42096ba218d5 100644 +--- a/source3/utils/net_proto.h ++++ b/source3/utils/net_proto.h +@@ -442,6 +442,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv, + const char *whoami, struct functable *table); + void net_display_usage_from_functable(struct functable *table); + ++void net_warn_member_options(void); ++ + const char *net_share_type_str(int num_type); + + NTSTATUS net_scan_dc(struct net_context *c, +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index 97c0158d612f..16a541413d2e 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -371,6 +371,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_oldjoin"); + if (!mem_ctx) { + return -1; +@@ -490,6 +492,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_testjoin"); + if (!mem_ctx) { + return -1; +@@ -564,6 +568,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_join_newstyle"); + if (!mem_ctx) { + return -1; +@@ -685,6 +691,8 @@ int net_rpc_join(struct net_context *c, int argc, const 
char **argv) + return -1; + } + ++ net_warn_member_options(); ++ + if (strlen(lp_netbios_name()) > 15) { + d_printf(_("Our netbios name can be at most 15 chars long, " + "\"%s\" is %u chars long\n"), +@@ -815,6 +823,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + return run_rpc_command(c, NULL, &ndr_table_samr, + NET_FLAGS_PDC, rpc_info_internals, + argc, argv); +diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c +index 298d9a64dc0c..f3b7755063bf 100644 +--- a/source3/utils/net_util.c ++++ b/source3/utils/net_util.c +@@ -31,6 +31,7 @@ + #include "libsmb/libsmb.h" + #include "lib/param/param.h" + #include "auth/gensec/gensec.h" ++#include "libcli/auth/netlogon_creds_cli.h" + #include "lib/cmdline/cmdline.h" + + NTSTATUS net_rpc_lookup_name(struct net_context *c, +@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table) + } + } + ++void net_warn_member_options(void) ++{ ++ TALLOC_CTX *frame = talloc_stackframe(); ++ struct loadparm_context *lp_ctx = NULL; ++ ++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); ++ if (lp_ctx != NULL) { ++ netlogon_creds_cli_warn_options(lp_ctx); ++ } ++ ++ TALLOC_FREE(frame); ++} ++ + const char *net_share_type_str(int num_type) + { + switch(num_type) { +-- +2.34.1 + + +From 9172fa1fe342a13c773d14c73ffcaa9f9561cdc7 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:59:36 +0100 +Subject: [PATCH 06/30] CVE-2022-38023 s3:winbindd: also allow per domain + "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" + +This avoids advising insecure defaults for the global options. 
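Review bot: net_warn_member_options() silently skips every warning when loadparm_init_s3() returns NULL, which is exactly the case in which an admin running a `net` member command gets none of the CVE-2022-38023 notices the helper exists to print. Since the call is already on the command path, an else branch with `DBG_WARNING("loadparm_init_s3() failed, skipping smb.conf option warnings\n");` keeps that failure visible without changing the function's interface. The new function also has no header comment; a one-liner above it such as `/* Print the CVE-2022-38023 warnings for insecure domain-member smb.conf options (see netlogon_creds_cli_warn_options()) */` would tell readers why every join/trust command in the other hunks of this patch now calls it.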
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef) +--- + source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 8 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 6c6dd88a5aa4..5532e0cd0cc8 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -2431,6 +2431,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, + bool retry = false; /* allow one retry attempt for expired session */ + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; ++ bool sealed_pipes = true; ++ bool strong_key = true; + + if (sid_check_is_our_sam(&domain->sid)) { + if (domain->rodc == false || need_rw_dc == false) { +@@ -2610,14 +2612,24 @@ retry: + + anonymous: + ++ sealed_pipes = lp_winbind_sealed_pipes(); ++ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", ++ domain->name, ++ sealed_pipes); ++ strong_key = lp_require_strong_key(); ++ strong_key = lp_parm_bool(-1, "require strong key", ++ domain->name, ++ strong_key); ++ + /* Finally fall back to anonymous. 
*/ +- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { ++ if (sealed_pipes || strong_key) { + status = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make SAMR connection to domain %s " + "without connection level security, " +- "must set 'winbind sealed pipes = false' and " +- "'require strong key = false' to proceed: %s\n", +- domain->name, nt_errstr(status))); ++ "must set 'winbind sealed pipes:%s = false' and " ++ "'require strong key:%s = false' to proceed: %s\n", ++ domain->name, domain->name, domain->name, ++ nt_errstr(status))); + goto done; + } + status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, +@@ -2774,6 +2786,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, + bool retry = false; /* allow one retry attempt for expired session */ + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; ++ bool sealed_pipes = true; ++ bool strong_key = true; + + retry: + result = init_dc_connection_rpc(domain, false); +@@ -2935,13 +2949,24 @@ retry: + goto done; + } + +- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { ++ sealed_pipes = lp_winbind_sealed_pipes(); ++ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", ++ domain->name, ++ sealed_pipes); ++ strong_key = lp_require_strong_key(); ++ strong_key = lp_parm_bool(-1, "require strong key", ++ domain->name, ++ strong_key); ++ ++ /* Finally fall back to anonymous. 
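Review bot: The eight lines deriving `sealed_pipes` and `strong_key` from the global option plus the per-domain `lp_parm_bool(-1, ..., domain->name, ...)` override are duplicated verbatim between this hunk in cm_connect_sam() and the `@@ -2935,13 +2949,24 @@` hunk in cm_connect_lsa(), and both also repeat the DEBUG(1) message with `domain->name` passed three times. A small static helper would keep the lookup order (global value as the default, per-domain parametric value wins) in one place so a future third caller cannot get it subtly different, and would make the security-relevant rule easier to audit. Both enclosing functions start and end outside the hunks. A sketch:

```c
/* Per-domain "option:DOMAIN" overrides the global value, which serves as the default. */
static void cm_get_connection_security_options(const struct winbindd_domain *domain,
					       bool *sealed_pipes,
					       bool *strong_key)
{
	*sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
				     domain->name, lp_winbind_sealed_pipes());
	*strong_key = lp_parm_bool(-1, "require strong key",
				   domain->name, lp_require_strong_key());
}

/* … unchanged: cm_connect_sam() up to the anonymous: label … */
	cm_get_connection_security_options(domain, &sealed_pipes, &strong_key);
	/* … unchanged: NT_STATUS_DOWNGRADE_DETECTED check and DEBUG(1) message … */
```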
*/ ++ if (sealed_pipes || strong_key) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make LSA connection to domain %s " + "without connection level security, " +- "must set 'winbind sealed pipes = false' and " +- "'require strong key = false' to proceed: %s\n", +- domain->name, nt_errstr(result))); ++ "must set 'winbind sealed pipes:%s = false' and " ++ "'require strong key:%s = false' to proceed: %s\n", ++ domain->name, domain->name, domain->name, ++ nt_errstr(result))); + goto done; + } + +-- +2.34.1 + + +From 434812f94ee12bdb55dbe8072702426f85610c02 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2022 18:22:23 +0100 +Subject: [PATCH 07/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 + servers' default to yes + +AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no +reason to allow md5 servers by default. + +Note the change in netlogon_creds_cli_context_global() is only cosmetic, +but avoids confusion while reading the code. Check with: + + git show -U35 libcli/auth/netlogon_creds_cli.c + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584) +--- + docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++-- + lib/param/loadparm.c | 1 + + libcli/auth/netlogon_creds_cli.c | 4 ++-- + source3/param/loadparm.c | 1 + + 4 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +index 151b4676c57b..3bc4eaf7b02e 100644 +--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml ++++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +@@ -13,10 +13,13 @@ + This will prevent downgrade attacks. + + The behavior can be controlled per netbios domain +- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. 
++ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option. ++ ++ The default changed from 'no' to 'yes, with the patches for CVE-2022-38023, ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + This option overrides the option. + + +-no ++yes + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index d6d845391e6f..e953499efba3 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2666,6 +2666,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False"); + lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); + lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); + lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR); +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index 3794d8b6b6ef..ca5619d38703 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + const char *client_computer; + uint32_t proposed_flags; + uint32_t required_flags = 0; +- bool reject_md5_servers = false; +- bool require_strong_key = false; ++ bool reject_md5_servers = true; ++ bool require_strong_key = true; + int require_sign_or_seal = true; + bool seal_secure_channel = true; + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 21e061939e3e..91747e09eccd 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + 
Globals.client_schannel = true; + Globals.winbind_sealed_pipes = true; + Globals.require_strong_key = true; ++ Globals.reject_md5_servers = true; + Globals.server_schannel = true; + Globals.read_raw = true; + Globals.write_raw = true; +-- +2.34.1 + + +From 8ccaf7d47ad13313c7a80ac5f857425080d5fbab Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 6 Dec 2022 10:56:29 +0100 +Subject: [PATCH 08/30] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel + != yes' warning to dcesrv_interface_netlogon_bind + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++-------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index cfd6d148b0a3..f63c3981f749 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -63,6 +63,21 @@ + static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, + const struct dcesrv_interface *iface) + { ++ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; ++ int schannel = lpcfg_server_schannel(lp_ctx); ++ bool schannel_global_required = (schannel == true); ++ static bool warned_global_schannel_once = false; ++ ++ if (!schannel_global_required && !warned_global_schannel_once) { ++ /* ++ * We want admins to notice their misconfiguration! 
++ */ ++ D_ERR("CVE-2020-1472(ZeroLogon): " ++ "Please configure 'server schannel = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); ++ warned_global_schannel_once = true; ++ } ++ + return dcesrv_interface_bind_reject_connect(context, iface); + } + +@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; +- static bool warned_global_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + return NT_STATUS_ACCESS_DENIED; + } + +- if (!schannel_global_required && !warned_global_once) { +- /* +- * We want admins to notice their misconfiguration! +- */ +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Please configure 'server schannel = yes', " +- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); +- warned_global_once = true; +- } +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) WITH schannel from " +-- +2.34.1 + + +From 268d1ac2f8ce3fb92a3433ada5e229d23c18c4f6 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 12 Dec 2022 14:03:50 +0100 +Subject: [PATCH 09/30] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx + variable to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. 
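Review bot: `bool schannel_global_required = (schannel == true);` folds the non-boolean 'auto' setting of `lpcfg_server_schannel()` into "not required" without saying so, and the new function-local `static bool warned_global_schannel_once` means the warning is printed once per process rather than once per server; neither is obvious to a reader of the bind hook alone. A short comment above the two declarations, e.g. `/* 'server schannel = auto' (or no) counts as not globally required; warn once per process on the first netlogon bind */`, would document the intent that the removed copy in dcesrv_netr_creds_server_step_check() also left implicit. Whether the per-process flag results in one warning per forked worker depends on the process model, which is not visible here.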
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index f63c3981f749..43dcd7271729 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -636,8 +636,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) + { ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + NTSTATUS nt_status; +- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); ++ int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +@@ -653,7 +654,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + dcesrv_call_auth_info(dce_call, &auth_type, NULL); + + nt_status = schannel_check_creds_state(mem_ctx, +- dce_call->conn->dce_ctx->lp_ctx, ++ lp_ctx, + computer_name, + received_authenticator, + return_authenticator, +@@ -668,7 +669,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + * need the explicit_opt pointer in order to + * adjust the debug messages. 
+ */ +- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, ++ explicit_opt = lpcfg_get_parametric(lp_ctx, + NULL, + "server require schannel", + creds->account_name); +-- +2.34.1 + + +From e4d8f31296ab5f2013585039a6e47c1a4b826ea8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 12 Dec 2022 14:03:50 +0100 +Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add + talloc_stackframe() to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++-------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 43dcd7271729..95fd1526d5a5 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + struct netlogon_creds_CredentialState **creds_out) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; ++ TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS nt_status; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); +@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- 
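Review bot: Every return visible in these hunks now releases `frame`, but the code directly after `schannel_check_creds_state()` — between the `@@ -637` and `@@ -680` hunks, so not visible here — is not touched by any hunk, and the 19 insertions in the diffstat are all accounted for by the visible ones. If, as is usual for this call pattern, there is an early `return nt_status;` on `!NT_STATUS_IS_OK(nt_status)` there, it should also get `TALLOC_FREE(frame);` before the return; otherwise the stackframe is left for an enclosing frame to reclaim instead of being released when this function exits. The enclosing function starts before the first hunk and ends after the last.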
log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! \n", +- log_escape(mem_ctx, creds->account_name)); ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return NT_STATUS_ACCESS_DENIED; + } + +@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + 
opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +-- +2.34.1 + + +From 4e129119e3a2e1bfca623eb11d721329e53fba17 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:37:03 +0100 +Subject: [PATCH 11/30] CVE-2022-38023 s4:rpc_server/netlogon: re-order + checking in dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++---------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 95fd1526d5a5..33063942e161 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -678,13 +678,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + schannel_required = lp_bool(explicit_opt); + } + +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (!schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) WITH schannel from " ++ "client_account[%s] client_computer_name[%s]\n", ++ opname, opnum, ++ log_escape(frame, creds->account_name), ++ 
log_escape(frame, creds->computer_name)); ++ } ++ if (explicit_opt != NULL && !schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed!?\n", ++ log_escape(frame, creds->account_name)); + } + ++ *creds_out = creds; ++ TALLOC_FREE(frame); ++ return NT_STATUS_OK; ++ } ++ ++ if (schannel_required) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", +@@ -701,23 +715,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + return NT_STATUS_ACCESS_DENIED; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); +- +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; +- } +- +- + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " +-- +2.34.1 + + +From 200da32d3573912098d68fd9b72f491317feb506 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:37:03 +0100 +Subject: [PATCH 12/30] CVE-2022-38023 s4:rpc_server/netlogon: improve + CVE-2020-1472(ZeroLogon) debug messages + +In order to avoid generating useless debug messages during make test, +we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' +and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. 
+ +Review with: git show -w + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++----- + 1 file changed, 106 insertions(+), 41 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 33063942e161..3c77d1302993 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -644,15 +644,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; + struct netlogon_creds_CredentialState *creds = NULL; ++ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ unsigned int dbg_lvl = DBGLVL_DEBUG; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; ++ const char *reason = ""; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; + } + +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); ++ ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ smb_panic("Schannel without SIGN/SEAL"); ++ } ++ } else { ++ reason = "WITHOUT"; ++ } + + nt_status = schannel_check_creds_state(mem_ctx, + lp_ctx, +@@ 
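Review bot: The new `reason` classification calls `smb_panic("Schannel without SIGN/SEAL")` for any schannel binding whose auth level is neither PRIVACY nor INTEGRITY, so the availability of the whole server now rests on the bind path admitting no other level (e.g. DCERPC_AUTH_LEVEL_PACKET) on this interface; that guarantee lives in dcesrv_interface_bind_reject_connect() and the dcesrv auth layer and is not visible in this hunk. A peer-negotiated auth level should not be able to abort the process, so unless the guarantee is airtight the branch is better served by logging and returning NT_STATUS_ACCESS_DENIED, freeing `frame` and zeroing `return_authenticator` as the deny path in the following hunk already does. If it is airtight, a comment naming the invariant, e.g. `/* connect-level schannel is rejected at bind time, so only SIGN or SEAL can reach here */`, would make the panic reviewable. The enclosing function starts and ends outside the hunk.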
-679,62 +698,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (!schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); ++ nt_status = NT_STATUS_OK; ++ ++ if (explicit_opt != NULL && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ + if (explicit_opt != NULL && !schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return nt_status; + } + + if (schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name)); ++ nt_status = NT_STATUS_ACCESS_DENIED; ++ ++ if (explicit_opt 
!= NULL) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ if (explicit_opt != NULL) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); +- return NT_STATUS_ACCESS_DENIED; ++ return nt_status; + } + ++ nt_status = NT_STATUS_OK; ++ + if (explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ 
DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ ++ if (explicit_opt != NULL) { ++ D_INFO("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server require schannel:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Please use 'server require schannel:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; +-- +2.34.1 + + +From 0038d0302c807bc76b073de3aeed13a29c1fc458 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:26:01 +0100 +Subject: [PATCH 13/30] CVE-2022-38023 selftest:Samba4: avoid global 'server + schannel = auto' + +Instead of using the generic deprecated option use the specific +server require schannel:COMPUTERACCOUNT = no in order to allow +legacy tests for pass. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c) +--- + selftest/target/Samba4.pm | 40 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index b004042738a7..d26022466c66 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1616,10 +1616,27 @@ sub provision_ad_dc_ntvfs($$$) + dsdb event notification = true + dsdb password event notification = true + dsdb group change notification = true +- server schannel = auto + # override the new SMB2 only default + client min protocol = CORE + server min protocol = LANMAN1 ++ ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ ++ # needed for 'samba.tests.auth_log' tests ++ server require schannel:LOCALDC\$ = no + "; + push (@{$extra_provision_options}, "--use-ntvfs"); + my $ret = $self->provision($prefix, +@@ -1968,8 +1985,22 @@ sub provision_ad_dc($$$$$$$) + lpq cache time = 0 + print notify backchannel = yes + +- server schannel = auto +- auth event notification = true ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ 
server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ ++ auth event notification = true + dsdb event notification = true + dsdb password event notification = true + dsdb group change notification = true +@@ -2658,6 +2689,9 @@ sub setup_ad_dc_smb1 + [global] + client min protocol = CORE + server min protocol = LANMAN1 ++ ++ # needed for 'samba.tests.auth_log' tests ++ server require schannel:ADDCSMB1\$ = no + "; + return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); + } +-- +2.34.1 + + +From 76855044472bf75f75a204e0fe411b457478363c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 28 Nov 2022 15:02:13 +0100 +Subject: [PATCH 14/30] CVE-2022-38023 s4:torture: use + NETLOGON_NEG_SUPPORTS_AES by default + +For generic tests we should use the best available features. + +And AES will be required by default soon. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66) +--- + source4/torture/ntp/ntp_signd.c | 2 +- + source4/torture/rpc/lsa.c | 4 ++-- + source4/torture/rpc/netlogon.c | 24 ++++++++++++------------ + source4/torture/rpc/samba3rpc.c | 15 ++++++++++++--- + 4 files changed, 27 insertions(+), 18 deletions(-) + +diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c +index 124c9604871b..6d482bfdee16 100644 +--- a/source4/torture/ntp/ntp_signd.c ++++ b/source4/torture/ntp/ntp_signd.c +@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx, + uint32_t rid; + const char *machine_name; + const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx); +- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + + struct sign_request sign_req; + struct signed_reply signed_reply; +diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c +index d430ee571081..d22546862d5b 100644 +--- a/source4/torture/rpc/lsa.c ++++ b/source4/torture/rpc/lsa.c +@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, + torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); + + ok = check_pw_with_ServerAuthenticate3(p1, tctx, +- NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + server_name, + incoming_creds, &creds); + torture_assert_int_equal(tctx, ok, expected_result, +@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, + torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); + + ok = check_pw_with_ServerAuthenticate3(p2, tctx, +- NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + server_name, + incoming_creds, 
&creds); + torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password"); +diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c +index 11f950d3aab4..2803dd13b467 100644 +--- a/source4/torture/rpc/netlogon.c ++++ b/source4/torture/rpc/netlogon.c +@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, + + /* This allows the tests to continue against the more fussy windows 2008 */ + if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { +- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + credentials, + cli_credentials_get_secure_channel_type(credentials), + creds_out); +@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, + "ServerAuthenticate3 failed"); + torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed"); + +- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + a.in.secure_channel_type, +@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = 
NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros( + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; +- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ + + if (!test_SetupCredentials2( + p1, +@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password( + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; +- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + DATA_BLOB new_random_pass = data_blob_null; + + if (!test_SetupCredentials2( +@@ -1686,7 +1686,7 @@ static bool 
test_SetPassword2_all_zero_password( + struct netr_CryptPassword new_password; + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; +- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ + + if (!test_SetupCredentials2( + p1, +@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + +- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, + + torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); + +- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +@@ -5560,7 +5560,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, + + torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); + +- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c +index ff5dc1d68003..ee8dac67dfa8 100644 +--- a/source4/torture/rpc/samba3rpc.c ++++ b/source4/torture/rpc/samba3rpc.c +@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx, + goto done; + } + +- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); + + 
a.in.server_name = talloc_asprintf( +@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx, + E_md4hash(cli_credentials_get_password(user_creds), + pinfo.ntpassword.hash); + +- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); +- + logon.password = &pinfo; + ++ /* ++ * We don't use this here: ++ * ++ * netlogon_creds_encrypt_samlogon_logon(creds_state, ++ * NetlogonInteractiveInformation, ++ * &logon); ++ * ++ * in order to detect bugs ++ */ ++ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16); ++ + r.in.logon_level = NetlogonInteractiveInformation; + r.in.logon = &logon; + r.out.return_authenticator = &return_authenticator; +-- +2.34.1 + + +From 5a6eba6e6bf3cd87a5875634d82335b216bf1069 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 09:54:17 +0100 +Subject: [PATCH 15/30] CVE-2022-38023 s4:rpc_server/netlogon: split out + dcesrv_netr_ServerAuthenticate3_check_downgrade() + +We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', +which means we'll need the downgrade detection in more places. 
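Review bot: The new `netlogon_creds_aes_encrypt()` call at the end of the schan() hunk hard-codes AES for the interactive-logon password, which is only correct when the credential state actually negotiated NETLOGON_NEG_SUPPORTS_AES; auth2() in this same patch now asks for that flag, but nothing in schan() ties the two together, so a later change to auth2()'s flags would turn this into a silently wrong encryption and a confusing logon failure instead of a clear test assertion. Since the comment says the generic `netlogon_creds_encrypt_samlogon_logon()` is deliberately bypassed "in order to detect bugs", the assumption should be checked before encrypting: `torture_assert(tctx, creds_state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES, "schannel state did not negotiate AES");`. Whether `creds_state` exposes `negotiate_flags` as a field depends on the netlogon_creds_CredentialState layout, which is not visible in the hunk. schan()'s body starts and ends outside the hunk.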
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Ralph Boehme
+(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++--------
+ 1 file changed, 67 insertions(+), 47 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 3c77d1302993..87e4bbe00f2d 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -125,6 +125,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
+ return NT_STATUS_OK;
+ }
+
++static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
++ struct dcesrv_call_state *dce_call,
++ struct netr_ServerAuthenticate3 *r,
++ struct netlogon_server_pipe_state *pipe_state,
++ uint32_t negotiate_flags,
++ NTSTATUS orig_status)
++{
++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
++ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
++ bool reject_des_client = !allow_nt4_crypto;
++ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
++
++ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
++ reject_des_client = false;
++ }
++
++ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ reject_des_client = false;
++ reject_md5_client = false;
++ }
++
++ if (reject_des_client || reject_md5_client) {
++ /*
++ * Here we match Windows 2012 and return no flags.
++ */
++ *r->out.negotiate_flags = 0;
++ return NT_STATUS_DOWNGRADE_DETECTED;
++ }
++
++ /*
++ * This talloc_free is important to prevent re-use of the
++ * challenge. We have to delay it this far due to NETApp
++ * servers per:
++ * https://bugzilla.samba.org/show_bug.cgi?id=11291
++ */
++ TALLOC_FREE(pipe_state);
++
++ /*
++ * At this point we must also cleanup the TDB cache
++ * entry, if we fail the client needs to call
++ * netr_ServerReqChallenge again.
++ *
++ * Note: this handles a non existing record just fine,
++ * the r->in.computer_name might not be the one used
++ * in netr_ServerReqChallenge(), but we are trying to
++ * just tidy up the normal case to prevent re-use.
++ */
++ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
++ r->in.computer_name);
++
++ /*
++ * According to Microsoft (see bugid #6099)
++ * Windows 7 looks at the negotiate_flags
++ * returned in this structure *even if the
++ * call fails with access denied!
++ */
++ *r->out.negotiate_flags = negotiate_flags;
++
++ return orig_status;
++}
++
+ /*
+ * Do the actual processing of a netr_ServerAuthenticate3 message.
+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
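Review bot: The new dcesrv_netr_ServerAuthenticate3_check_downgrade() has no header comment, and its name undersells the contract: besides deciding the DES/HMAC-MD5 downgrade it is the place where the remembered challenge is consumed (`TALLOC_FREE(pipe_state)` plus `schannel_delete_challenge()`), where `*r->out.negotiate_flags` is published, and it hands `orig_status` through unchanged when nothing is rejected, so every ServerAuthenticate3 result is expected to flow through it. I would add a block comment above `static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(` stating that `negotiate_flags` must already be the client's flags masked with the server's, that a client failing the `allow nt4 crypto` / `reject md5 clients` policy (no NETLOGON_NEG_STRONG_KEYS, respectively no NETLOGON_NEG_SUPPORTS_AES) is answered with NT_STATUS_DOWNGRADE_DETECTED and zeroed flags while the challenge is deliberately left in place (presumably so the client can retry with stronger flags — worth stating explicitly if that is the intent), and that otherwise the per-connection and TDB challenge state is cleared, the negotiated flags are echoed even on a failing `orig_status`, and `orig_status` is returned verbatim. The reject-then-free-then-echo order mirrors the code this was lifted from, so the comment should also warn against reordering it.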
+@@ -152,11 +213,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + "objectSid", "samAccountName", NULL}; + uint32_t server_flags = 0; + uint32_t negotiate_flags = 0; +- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); +- bool reject_des_client = !allow_nt4_crypto; +- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); + + ZERO_STRUCTP(r->out.return_credentials); ++ *r->out.negotiate_flags = 0; + *r->out.rid = 0; + + pipe_state = dcesrv_iface_state_find_conn(dce_call, +@@ -243,52 +302,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + + negotiate_flags = *r->in.negotiate_flags & server_flags; + +- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { +- reject_des_client = false; +- } +- +- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { +- reject_des_client = false; +- reject_md5_client = false; +- } +- +- if (reject_des_client || reject_md5_client) { +- /* +- * Here we match Windows 2012 and return no flags. +- */ +- *r->out.negotiate_flags = 0; +- return NT_STATUS_DOWNGRADE_DETECTED; ++ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_OK); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; + } + +- /* +- * This talloc_free is important to prevent re-use of the +- * challenge. We have to delay it this far due to NETApp +- * servers per: +- * https://bugzilla.samba.org/show_bug.cgi?id=11291 +- */ +- TALLOC_FREE(pipe_state); +- +- /* +- * At this point we must also cleanup the TDB cache +- * entry, if we fail the client needs to call +- * netr_ServerReqChallenge again. +- * +- * Note: this handles a non existing record just fine, +- * the r->in.computer_name might not be the one used +- * in netr_ServerReqChallenge(), but we are trying to +- * just tidy up the normal case to prevent re-use. 
+- */ +- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, +- r->in.computer_name); +- +- /* +- * According to Microsoft (see bugid #6099) +- * Windows 7 looks at the negotiate_flags +- * returned in this structure *even if the +- * call fails with access denied! +- */ +- *r->out.negotiate_flags = negotiate_flags; +- + switch (r->in.secure_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_DNS_DOMAIN: +-- +2.34.1 + + +From 267a886bcdf3b502d83a3470e9d5b51191210153 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 10:10:33 +0100 +Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if + weak crypto is disabled + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++ + source4/torture/rpc/netlogon_crypto.c | 2 +- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 87e4bbe00f2d..4141cc40687f 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + bool reject_des_client = !allow_nt4_crypto; + bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + ++ /* ++ * If weak cryto is disabled, do not announce that we support RC4. 
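Review bot: After the new `nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(...)` call returns NT_STATUS_OK, the helper's local `pipe_state` still holds the address that the callee has just released: `TALLOC_FREE(pipe_state)` inside the callee only nulls the callee's own copy of the pointer, whereas the inline code it replaces nulled the helper's variable in place. Nothing shown in this hunk dereferences `pipe_state` afterwards (the helper continues past the hunk), but the old behaviour of leaving a NULL pointer there was a useful guard against a later use-after-free; either add `pipe_state = NULL;` directly after the `if (!NT_STATUS_IS_OK(nt_status))` block, or pass `&pipe_state` so the callee can clear it for the caller. The helper starts and ends outside this hunk.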
++ */ ++ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { ++ /* Without RC4 and DES we require AES */ ++ reject_des_client = true; ++ reject_md5_client = true; ++ } ++ + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { + reject_des_client = false; + } +diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c +index 05beb2b77b3b..85844604ee27 100644 +--- a/source4/torture/rpc/netlogon_crypto.c ++++ b/source4/torture/rpc/netlogon_crypto.c +@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p, + force_client_rc4) { + torture_assert_ntstatus_equal(tctx, + a.out.result, +- NT_STATUS_ACCESS_DENIED, ++ NT_STATUS_DOWNGRADE_DETECTED, + "Unexpected status code"); + return false; + } +-- +2.34.1 + + +From 2b4abfc0bf48e89cd93f97f9afcff23e932f427b Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2022 18:26:18 +0100 +Subject: [PATCH 17/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 + clients' default to yes + +AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, +so there's no reason to allow md5 clients by default. +However some third party domain members may need it. 
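Review bot: The comment above the new `lpcfg_weak_crypto()` check says the server will "not announce that we support RC4", but the code in this hunk does not touch what is announced — it forces `reject_des_client` and `reject_md5_client` to true so that a client without NETLOGON_NEG_SUPPORTS_AES is answered with NT_STATUS_DOWNGRADE_DETECTED (which is exactly what the netlogon_crypto.c test in the same patch is changed to expect instead of NT_STATUS_ACCESS_DENIED). I would reword it to match and fix the typo: `/* If weak crypto is disallowed, DES and RC4 (HMAC-MD5) schannel are unusable, so an AES-capable client is the only thing we can accept. */`. Whether the RC4 bit is also dropped from the advertised server_flags elsewhere is outside this hunk, and so is the rest of the function.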
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1) +--- + docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++--- + lib/param/loadparm.c | 1 + + selftest/target/Samba4.pm | 4 ++++ + source3/param/loadparm.c | 1 + + 4 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index 0bb9f6f6c8ec..edcbe02e99a3 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -7,11 +7,16 @@ + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. + +- You can set this to yes if all domain members support aes. +- This will prevent downgrade attacks. ++ Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows ++ starting with Server 2008R2 and Windows 7, it's available in Samba ++ starting with 4.0, however third party domain members like NetApp ONTAP ++ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. ++ ++ The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + This option overrides the 'allow nt4 crypto' option. 
+ + +-no ++yes + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index e953499efba3..2b644ee97c02 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); + + lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); + + lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index d26022466c66..fb63bbeff059 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1620,6 +1620,8 @@ sub provision_ad_dc_ntvfs($$$) + client min protocol = CORE + server min protocol = LANMAN1 + ++ reject md5 clients = no ++ + CVE_2020_1472:warn_about_unused_debug_level = 3 + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no +@@ -1985,6 +1987,8 @@ sub provision_ad_dc($$$$$$$) + lpq cache time = 0 + print notify backchannel = yes + ++ reject md5 clients = no ++ + CVE_2020_1472:warn_about_unused_debug_level = 3 + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 91747e09eccd..28ce4de6dd67 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.require_strong_key = true; + Globals.reject_md5_servers = true; + Globals.server_schannel = true; ++ Globals.reject_md5_clients = true; + Globals.read_raw = true; + Globals.write_raw = true; + Globals.null_passwords = false; +-- +2.34.1 + + +From d05bde2dfe40483b9f31a94a8d475f628f7aa1e3 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 10:31:08 +0100 +Subject: [PATCH 18/30] CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade 
+ check until we found the account in our SAM + +We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', +which means we'll need use the account name from our SAM. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------ + 1 file changed, 53 insertions(+), 23 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 4141cc40687f..e39a530fd7f5 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -311,13 +311,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + + negotiate_flags = *r->in.negotiate_flags & server_flags; + +- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( +- dce_call, r, pipe_state, negotiate_flags, +- NT_STATUS_OK); +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- + switch (r->in.secure_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_DNS_DOMAIN: +@@ -326,16 +319,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + case SEC_CHAN_RODC: + break; + case SEC_CHAN_NULL: +- return NT_STATUS_INVALID_PARAMETER; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_PARAMETER); + default: + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", + r->in.secure_channel_type)); +- return NT_STATUS_INVALID_PARAMETER; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_PARAMETER); + } + + sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call); + if (sam_ctx == NULL) { +- return NT_STATUS_INVALID_SYSTEM_SERVICE; ++ return 
dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_SYSTEM_SERVICE); + } + + if (r->in.secure_channel_type == SEC_CHAN_DOMAIN || +@@ -364,16 +363,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + encoded_name = ldb_binary_encode_string(mem_ctx, + r->in.account_name); + if (encoded_name == NULL) { +- return NT_STATUS_NO_MEMORY; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_MEMORY); + } + + len = strlen(encoded_name); + if (len < 2) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (require_trailer && encoded_name[len - 1] != trailer) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + encoded_name[len - 1] = '\0'; + +@@ -391,30 +396,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + "but there's no tdo for [%s] => [%s] \n", + log_escape(mem_ctx, r->in.account_name), + encoded_name)); +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ nt_status); + } + + nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx, + &curNtHash, + &prevNtHash); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { +- 
return nt_status; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ nt_status); + } + + flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL); + if (flatname == NULL) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname); + if (*trust_account_for_search == NULL) { +- return NT_STATUS_NO_MEMORY; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_MEMORY); + } + } else { + *trust_account_for_search = r->in.account_name; +@@ -429,14 +446,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (num_records == 0) { + DEBUG(3,("Couldn't find user [%s] in samdb.\n", + log_escape(mem_ctx, r->in.account_name))); +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (num_records > 1) { + DEBUG(0,("Found %d records matching user [%s]\n", + num_records, + log_escape(mem_ctx, r->in.account_name))); +- return NT_STATUS_INTERNAL_DB_CORRUPTION; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INTERNAL_DB_CORRUPTION); + } + + *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0], +@@ -445,9 +466,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (*trust_account_in_db == NULL) { + DEBUG(0,("No samAccountName returned in record matching user [%s]\n", + r->in.account_name)); +- return NT_STATUS_INTERNAL_DB_CORRUPTION; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INTERNAL_DB_CORRUPTION); + } +- ++ ++ nt_status = 
dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_OK); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ + user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); + + if (user_account_control & UF_ACCOUNTDISABLE) { +-- +2.34.1 + + +From 88c10a23f06376605a29fc9ddb7737868ffad916 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:13:36 +0100 +Subject: [PATCH 19/30] CVE-2022-38023 s4:rpc_server/netlogon: add 'server + reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 + crypto:COMPUTERACCOUNT = yes' + +This makes it more flexible when we change the global default to +'reject md5 servers = yes'. + +'allow nt4 crypto = no' is already the default. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++- + 1 file changed, 55 insertions(+), 3 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index e39a530fd7f5..f303dc00ada2 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -130,12 +130,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + struct netr_ServerAuthenticate3 *r, + struct netlogon_server_pipe_state *pipe_state, + uint32_t negotiate_flags, ++ const char *trust_account_in_db, + NTSTATUS orig_status) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); +- bool reject_des_client = !allow_nt4_crypto; +- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); ++ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); ++ bool account_allow_nt4_crypto = 
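Review bot: Moving the downgrade check behind the SAM lookup makes dcesrv_netr_ServerAuthenticate3_check_downgrade() the required exit for every failure between the challenge lookup and the final `NT_STATUS_OK` call in this hunk, and the patch achieves that by hand-wrapping each `return` in the same three lines. That keeps the result uniform — a weak client gets NT_STATUS_DOWNGRADE_DETECTED whether or not the account exists, so the lookup does not reveal account existence to it — and consumes the challenge on the non-downgrade errors, but any `return` added later that forgets the wrapper silently loses both properties, leaving the challenge reusable and `*r->out.negotiate_flags` at the zero set earlier in the function. A single exit would make that impossible to get wrong: set `nt_status` and `goto downgrade_check;` at each failure, with `downgrade_check: return dcesrv_netr_ServerAuthenticate3_check_downgrade(dce_call, r, pipe_state, negotiate_flags, nt_status);` at the bottom. The helper starts and ends outside this hunk, so I cannot see whether an unwrapped return remains between the paths shown.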
global_allow_nt4_crypto; ++ const char *explicit_nt4_opt = NULL; ++ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); ++ bool account_reject_md5_client = global_reject_md5_client; ++ const char *explicit_md5_opt = NULL; ++ bool reject_des_client; ++ bool allow_nt4_crypto; ++ bool reject_md5_client; ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ ++ if (trust_account_in_db != NULL) { ++ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "allow nt4 crypto", ++ trust_account_in_db); ++ } ++ if (explicit_nt4_opt != NULL) { ++ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt); ++ } ++ allow_nt4_crypto = account_allow_nt4_crypto; ++ if (trust_account_in_db != NULL) { ++ explicit_md5_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server reject md5 schannel", ++ trust_account_in_db); ++ } ++ if (explicit_md5_opt != NULL) { ++ account_reject_md5_client = lp_bool(explicit_md5_opt); ++ } ++ reject_md5_client = account_reject_md5_client; ++ ++ reject_des_client = !allow_nt4_crypto; + + /* + * If weak cryto is disabled, do not announce that we support RC4. 
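Review bot: The two new `lpcfg_get_parametric()` lookups are keyed on `trust_account_in_db`, and nothing in the hunk says what that string is or who may supply it; a comment on the new parameter would make the trust boundary explicit, e.g. `/* sAMAccountName as read back from the DB, or NULL before the lookup; never r->in.account_name, which the client chooses */`. The later hunks of this patch pass NULL at every early-return call site and the DB value only after the record has been found, so a client cannot name another account's exception, but that invariant is enforced by the callers rather than visible at the point of use. dcesrv_netr_ServerAuthenticate3_check_downgrade continues past the end of the hunk.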
+@@ -321,12 +357,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + case SEC_CHAN_NULL: + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_PARAMETER); + default: + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", + r->in.secure_channel_type)); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_PARAMETER); + } + +@@ -334,6 +372,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (sam_ctx == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_SYSTEM_SERVICE); + } + +@@ -365,6 +404,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (encoded_name == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_MEMORY); + } + +@@ -372,12 +412,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (len < 2) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (require_trailer && encoded_name[len - 1] != trailer) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + encoded_name[len - 1] = '\0'; +@@ -398,11 +440,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + encoded_name)); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { + return 
dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + nt_status); + } + +@@ -412,11 +456,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + nt_status); + } + +@@ -424,6 +470,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (flatname == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + +@@ -431,6 +478,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (*trust_account_for_search == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_MEMORY); + } + } else { +@@ -448,6 +496,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + log_escape(mem_ctx, r->in.account_name))); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + +@@ -457,6 +506,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + log_escape(mem_ctx, r->in.account_name))); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INTERNAL_DB_CORRUPTION); + } + +@@ -468,11 +518,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + r->in.account_name)); + return 
dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INTERNAL_DB_CORRUPTION); + } + + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ *trust_account_in_db, + NT_STATUS_OK); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; +-- +2.34.1 + + +From b8f6e9fa3e218add0b2ca4fb14bcb9b5167ab8f5 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:31:14 +0100 +Subject: [PATCH 20/30] CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 + crypto:COMPUTERACCOUNT = no" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++- + 1 file changed, 74 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index 06afcef73b1b..bbd03a42db74 100644 +--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -1,11 +1,18 @@ + + ++ ++ This option is deprecated and will be removed in future, ++ as it is a security problem if not set to "no" (which will be ++ the hardcoded behavior in future). ++ ++ + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will +- reject clients which does not support NETLOGON_NEG_STRONG_KEYS ++ reject clients which do not support NETLOGON_NEG_STRONG_KEYS + nor NETLOGON_NEG_SUPPORTS_AES. + + This option was added with Samba 4.2.0. It may lock out clients +@@ -18,8 +25,73 @@ + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + +- This option is over-ridden by the 'reject md5 clients' option. ++ Avoid using this option! 
Use explicit 'yes' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'yes' option ++ for the client. The message will indicate ++ the explicit 'yes' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ This allows admins to use "yes" only for a short grace period, ++ in order to collect the explicit ++ 'yes' options. ++ ++ This option is over-ridden by the 'yes' option. + + + no + ++ ++ ++ ++ ++ If you still have legacy domain members which required 'allow nt4 crypto = yes', ++ it is possible to specify an explicit exception per computer account ++ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "yes", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will log a warning in the log files at log level 5, ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ This option overrides the option. ++ ++ This option is over-ridden by the 'yes' option. 
++ ++ ++ allow nt4 crypto:LEGACYCOMPUTER1$ = yes ++ allow nt4 crypto:NASBOX$ = yes ++ allow nt4 crypto:LEGACYCOMPUTER2$ = yes ++ ++ ++ ++ +-- +2.34.1 + + +From 16895f56b2f35dda0df54b1b416d7fac05965fcc Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 14:02:11 +0100 +Subject: [PATCH 21/30] CVE-2022-38023 docs-xml/smbdotconf: document "server + reject md5 schannel:COMPUTERACCOUNT" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++- + .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++- + 2 files changed, 103 insertions(+), 6 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index bbd03a42db74..ee63e6cc2453 100644 +--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -45,7 +45,9 @@ + in order to collect the explicit + 'yes' options. + +- This option is over-ridden by the 'yes' option. ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. + + + no +@@ -85,12 +87,19 @@ + + This option overrides the option. + +- This option is over-ridden by the 'yes' option. ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. 
++ Which means 'yes' ++ is only useful in combination with 'no' + + + allow nt4 crypto:LEGACYCOMPUTER1$ = yes ++ server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes ++ server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes ++ server reject md5 schannel:LEGACYCOMPUTER2$ = no + + + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index edcbe02e99a3..fe7701d92772 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -1,8 +1,15 @@ + + ++ ++ This option is deprecated and will be removed in a future release, ++ as it is a security problem if not set to "yes" (which will be ++ the hardcoded behavior in the future). ++ ++ + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. +@@ -10,13 +17,94 @@ + Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP +- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. ++ still uses RC4 (HMAC-MD5), see ++ https://www.samba.org/samba/security/CVE-2022-38023.html ++ for more details. ++ ++ ++ The default changed from 'no' to 'yes', with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ Avoid using this option! Use an explicit per machine account ++ '' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. 
++ + +- The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, +- see https://bugzilla.samba.org/show_bug.cgi?id=15240 ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ + +- This option overrides the 'allow nt4 crypto' option. ++ This allows admins to use "no" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'no'. ++ + + + yes + ++ ++ ++ ++ ++ If you still have legacy domain members or trusted domains, ++ which required "reject md5 clients = no" before, ++ it is possible to specify an explicit exception per computer account ++ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "no", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will log a warning in the log files at log level 5 ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ This option overrides the option. ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'no'. 
++ ++ ++ ++ server reject md5 schannel:LEGACYCOMPUTER1$ = no ++ server reject md5 schannel:NASBOX$ = no ++ server reject md5 schannel:LEGACYCOMPUTER2$ = no ++ ++ ++ ++ +-- +2.34.1 + + +From 71283bb55feb027a94c3795bd1b94217be93c1a6 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:13:36 +0100 +Subject: [PATCH 22/30] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject + md5 servers' and 'allow nt4 crypto' misconfigurations + +This allows the admin to notice what's wrong in order to adjust the +configuration if required. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 143 ++++++++++++++++++ + 1 file changed, 143 insertions(+) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index f303dc00ada2..5f2f765abe5b 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -64,10 +64,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + const struct dcesrv_interface *iface) + { + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; ++ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); ++ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); ++ static bool warned_global_nt4_once = false; ++ static bool warned_global_md5_once = false; + static bool warned_global_schannel_once = false; + ++ if (global_allow_nt4_crypto && !warned_global_nt4_once) { ++ /* ++ * We want admins to notice their misconfiguration! 
++ */
++ D_ERR("CVE-2022-38023 (and others): "
++ "Please configure 'allow nt4 crypto = no' (the default), "
++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
++ warned_global_nt4_once = true;
++ }
++
++ if (!global_reject_md5_client && !warned_global_md5_once) {
++ /*
++ * We want admins to notice their misconfiguration!
++ */
++ D_ERR("CVE-2022-38023: "
++ "Please configure 'reject md5 clients = yes' (the default), "
++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
++ warned_global_md5_once = true;
++ }
++
+ if (!schannel_global_required && !warned_global_schannel_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+@@ -143,6 +167,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ bool reject_des_client;
+ bool allow_nt4_crypto;
+ bool reject_md5_client;
++ bool need_des = true;
++ bool need_md5 = true;
++ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
++ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+@@ -183,19 +213,84 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
++ need_des = false;
+ reject_des_client = false;
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ need_des = false;
++ need_md5 = false;
+ reject_des_client = false;
+ reject_md5_client = false;
+ }
+
+ if (reject_des_client || reject_md5_client) {
++ TALLOC_CTX *frame = talloc_stackframe();
++
++ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
++ if (CVE_2022_38023_error_level < DBGLVL_NOTICE) {
++ CVE_2022_38023_error_level = DBGLVL_NOTICE;
++ }
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: "
++ "client_account[%s] computer_name[%s] "
++ "schannel_type[%u] "
++ "client_negotiate_flags[0x%x] "
++ "%s%s%s "
++ "NT_STATUS_DOWNGRADE_DETECTED "
++ "WEAK_CRYPTO_DISALLOWED\n",
++ log_escape(frame, r->in.account_name),
++ log_escape(frame, r->in.computer_name),
++ r->in.secure_channel_type,
++ (unsigned)*r->in.negotiate_flags,
++ trust_account_in_db ? "real_account[" : "",
++ trust_account_in_db ? trust_account_in_db : "",
++ trust_account_in_db ? "]" : ""));
++ goto return_downgrade;
++ }
++
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: "
++ "client_account[%s] computer_name[%s] "
++ "schannel_type[%u] "
++ "client_negotiate_flags[0x%x] "
++ "%s%s%s "
++ "NT_STATUS_DOWNGRADE_DETECTED "
++ "reject_des[%u] reject_md5[%u]\n",
++ log_escape(frame, r->in.account_name),
++ log_escape(frame, r->in.computer_name),
++ r->in.secure_channel_type,
++ (unsigned)*r->in.negotiate_flags,
++ trust_account_in_db ? "real_account[" : "",
++ trust_account_in_db ? trust_account_in_db : "",
++ trust_account_in_db ? "]" : "",
++ reject_des_client,
++ reject_md5_client));
++ if (trust_account_in_db == NULL) {
++ goto return_downgrade;
++ }
++
++ if (reject_md5_client && explicit_md5_opt == NULL) {
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'server reject md5 schannel:%s = no' "
++ "might be needed for a legacy client.\n",
++ trust_account_in_db));
++ }
++ if (reject_des_client && explicit_nt4_opt == NULL) {
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'allow nt4 crypto:%s = yes' "
++ "might be needed for a legacy client.\n",
++ trust_account_in_db));
++ }
++
++return_downgrade:
+ /*
+ * Here we match Windows 2012 and return no flags.
+ */
+ *r->out.negotiate_flags = 0;
++ TALLOC_FREE(frame);
+ return NT_STATUS_DOWNGRADE_DETECTED;
+ }
+
+@@ -228,6 +323,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ */
+ *r->out.negotiate_flags = negotiate_flags;
+
++ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) {
++ return orig_status;
++ }
++
++ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) {
++ D_INFO("CVE-2022-38023: Check if option "
++ "'server reject md5 schannel:%s = yes' not needed!?\n",
++ trust_account_in_db);
++ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) {
++ D_INFO("CVE-2022-38023: Check if option "
++ "'server reject md5 schannel:%s = no' "
++ "still needed for a legacy client.\n",
++ trust_account_in_db);
++ } else if (need_md5 && explicit_md5_opt == NULL) {
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'server reject md5 schannel:%s = no' "
++ "might be needed for a legacy client.\n",
++ trust_account_in_db));
++ } else if (!account_reject_md5_client && explicit_md5_opt) {
++ DEBUG(CVE_2022_38023_warn_level, (
++ "CVE-2022-38023: Check if option "
++ "'server reject md5 schannel:%s = no' not needed!?\n",
++ trust_account_in_db));
++ }
++
++ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) {
++ D_INFO("CVE-2022-38023: Check if option "
++ "'allow nt4 crypto:%s = no' not needed!?\n",
++ trust_account_in_db);
++ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) {
++ D_INFO("CVE-2022-38023: Check if option "
++ "'allow nt4 crypto:%s = yes' "
++ "still needed for a legacy client.\n",
++ trust_account_in_db);
++ } else if (need_des && explicit_nt4_opt == NULL) {
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'allow nt4 crypto:%s = yes' "
++ "might be needed for a legacy client.\n",
++ trust_account_in_db));
++ } else if (account_allow_nt4_crypto && explicit_nt4_opt) {
++
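Review bot: The `if (CVE_2022_38023_error_level < DBGLVL_NOTICE)` clamp in the WEAK_CRYPTO_DISALLOWED branch reads like an attempt to make the message louder, but raising the numeric debug level makes it print less eagerly (DBGLVL_NOTICE sits above DBGLVL_ERR in Samba's level scale), so it deserves a comment such as `/* weak crypto is disabled system-wide, so a rejected legacy client is expected: never log it louder than NOTICE */`. The two DEBUG calls that follow repeat the same seven-argument prefix (account, computer name, channel type, raw client flags, the real_account triple) and differ only in their trailer; hoisting the three `trust_account_in_db ? … : ""` expressions into locals above the `if` would shorten both without changing the output. Every exit from the block goes through `return_downgrade`, so `frame` is freed on all paths; a one-line comment at the label saying so saves the next reader the check. The enclosing function continues outside the hunk.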
DEBUG(CVE_2022_38023_warn_level, (
++ "CVE-2022-38023: Check if option "
++ "'allow nt4 crypto:%s = yes' not needed!?\n",
++ trust_account_in_db));
++ }
++
+ return orig_status;
+ }
+
+--
+2.34.1
+
+
+From ab3062a57e170f90bca2d88771559d7c5ea38837 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 30 Nov 2022 14:57:20 +0100
+Subject: [PATCH 23/30] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4
+ crypto = yes' and 'reject md5 clients = no'
+
+Instead of using the generic deprecated option use the specific
+allow nt4 crypto:COMPUTERACCOUNT = yes and
+server reject md5 schannel:COMPUTERACCOUNT = no
+in order to allow legacy tests for pass.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
+---
+ selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index fb63bbeff059..b61acbf8e57b 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -1608,7 +1608,6 @@ sub provision_ad_dc_ntvfs($$$)
+ my $extra_conf_options = "netbios aliases = localDC1-a
+ server services = +winbind -winbindd
+ ldap server require strong auth = allow_sasl_over_tls
+- allow nt4 crypto = yes
+ raw NTLMv2 auth = yes
+ lsa over netlogon = yes
+ rpc server port = 1027
+@@ -1620,9 +1619,19 @@ sub provision_ad_dc_ntvfs($$$)
+ client min protocol = CORE
+ server min protocol = LANMAN1
+
+- reject md5 clients = no
+-
+ CVE_2020_1472:warn_about_unused_debug_level = 3
++ CVE_2022_38023:warn_about_unused_debug_level = 3
++ allow nt4 crypto:torturetest\$ = yes
++ server reject md5 schannel:schannel2\$ = no
++ server reject md5 schannel:schannel3\$ = no
++ server reject md5 schannel:schannel8\$ = no
++ server reject md5 schannel:schannel9\$ = no
++ server reject md5 schannel:torturetest\$ = no
++ server reject md5 schannel:tests4u2proxywk\$ = no
++ server reject md5 schannel:tests4u2selfbdc\$ = no
++ server reject md5 schannel:tests4u2selfwk\$ = no
++ server reject md5 schannel:torturepacbdc\$ = no
++ server reject md5 schannel:torturepacwksta\$ = no
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+@@ -1677,6 +1686,13 @@ sub provision_fl2000dc($$)
+ kdc enable fast = no
+ spnego:simulate_w2k=yes
+ ntlmssp_server:force_old_spnego=yes
++
++ CVE_2022_38023:warn_about_unused_debug_level = 3
++ server reject md5 schannel:tests4u2proxywk\$ = no
++ server reject md5 schannel:tests4u2selfbdc\$ = no
++ server reject md5 schannel:tests4u2selfwk\$ = no
++ server reject md5 schannel:torturepacbdc\$ = no
++ server reject md5 schannel:torturepacwksta\$ = no
+ ";
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ # This environment uses plain text secrets
+@@ -1717,11 +1733,23 @@ sub provision_fl2003dc($$$)
+ my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
+
+ print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
+- my $extra_conf_options = "allow dns updates = nonsecure and secure
++ my $extra_conf_options = "
++ allow dns updates = nonsecure and secure
++
+ kdc enable fast = no
+ dcesrv:header signing = no
+ dcesrv:max auth states = 0
+- dns forwarder = $ip_addr1 [$ip_addr2]:54";
++
++ dns forwarder = $ip_addr1 [$ip_addr2]:54
++
++ CVE_2022_38023:warn_about_unused_debug_level = 3
++ server reject md5 schannel:tests4u2proxywk\$ = no
++ server reject md5 schannel:tests4u2selfbdc\$ = no
++ server reject md5 schannel:tests4u2selfwk\$ = no
++ server reject md5 schannel:torturepacbdc\$ = no
++ server reject md5 schannel:torturepacwksta\$ = no
++";
++
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ my $ret = $self->provision($prefix,
+ "domain controller",
+@@ -1776,6 +1804,13 @@ sub provision_fl2008r2dc($$$)
+ ldap server require strong auth = no
+ # delay by 10 seconds, 10^7 usecs
+ ldap_server:delay_expire_disconnect = 10000
++
++ CVE_2022_38023:warn_about_unused_debug_level = 3
++ server reject md5 schannel:tests4u2proxywk\$ = no
++ server reject md5 schannel:tests4u2selfbdc\$ = no
++ server reject md5 schannel:tests4u2selfwk\$ = no
++ server reject md5 schannel:torturepacbdc\$ = no
++ server reject md5 schannel:torturepacwksta\$ = no
+ ";
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ my $ret = $self->provision($prefix,
+@@ -1987,9 +2022,20 @@ sub provision_ad_dc($$$$$$$)
+ lpq cache time = 0
+ print notify backchannel = yes
+
+- reject md5 clients = no
+-
+ CVE_2020_1472:warn_about_unused_debug_level = 3
++ CVE_2022_38023:warn_about_unused_debug_level = 3
++ CVE_2022_38023:error_debug_level = 2
++ server reject md5 schannel:schannel2\$ = no
++ server reject md5 schannel:schannel3\$ = no
++ server reject md5 schannel:schannel8\$ = no
++ server reject md5 schannel:schannel9\$ = no
++ server reject md5 schannel:torturetest\$ = no
++ server reject md5 schannel:tests4u2proxywk\$ = no
++ server reject md5 schannel:tests4u2selfbdc\$ = no
++ server reject md5 schannel:tests4u2selfwk\$ = no
++ server reject md5 schannel:torturepacbdc\$ = no
++ server reject md5 schannel:torturepacwksta\$ = no
++ server reject md5 schannel:samlogontest\$ = no
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+--
+2.34.1
+
+
+From 8ab5154b071bc02c540da963cf1c7e15cbf6c63b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 30 Nov 2022 16:57:24 +0100
+Subject: [PATCH 24/30] CVE-2022-38023 s4:rpc_server/netlogon: split out
+ dcesrv_netr_check_schannel() function
+
+This will allow us to reuse the function in other places.
+As it will also get some additional checks soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Ralph Boehme
+(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++--------
+ 1 file changed, 51 insertions(+), 33 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 5f2f765abe5b..8e952ec2e0c7 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -877,18 +877,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
+ return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
+ }
+
+-/*
+- * NOTE: The following functions are nearly identical to the ones available in
+- * source3/rpc_server/srv_nelog_nt.c
+- * The reason we keep 2 copies is that they use different structures to
+- * represent the auth_info and the decrpc pipes.
+- */
+-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
+- TALLOC_CTX *mem_ctx,
+- const char *computer_name,
+- struct netr_Authenticator *received_authenticator,
+- struct netr_Authenticator *return_authenticator,
+- struct netlogon_creds_CredentialState **creds_out)
++static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
++ const struct netlogon_creds_CredentialState *creds,
++ enum dcerpc_AuthType auth_type,
++ enum dcerpc_AuthLevel auth_level,
++ uint16_t opnum)
+ {
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ TALLOC_CTX *frame = talloc_stackframe();
+@@ -897,15 +890,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ bool schannel_global_required = (schannel == true);
+ bool schannel_required = schannel_global_required;
+ const char *explicit_opt = NULL;
+- struct netlogon_creds_CredentialState *creds = NULL;
+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
+- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+- uint16_t opnum = dce_call->pkt.u.request.opnum;
+ const char *opname = "";
+ const char *reason = "";
+
+@@ -913,8 +902,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ opname = ndr_table_netlogon.calls[opnum].name;
+ }
+
+- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+-
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ reason = "WITH SEALED";
+@@ -927,17 +914,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ reason = "WITHOUT";
+ }
+
+- nt_status = schannel_check_creds_state(mem_ctx,
+- lp_ctx,
+- computer_name,
+- received_authenticator,
+- return_authenticator,
+- &creds);
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- ZERO_STRUCTP(return_authenticator);
+- return nt_status;
+- }
+-
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+@@ -977,7 +953,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ log_escape(frame, creds->computer_name)));
+ }
+
+- *creds_out = creds;
+ TALLOC_FREE(frame);
+ return nt_status;
+ }
+@@ -1011,8 +986,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
+- TALLOC_FREE(creds);
+- ZERO_STRUCTP(return_authenticator);
+ TALLOC_FREE(frame);
+ return nt_status;
+ }
+@@ -1056,11 +1029,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ log_escape(frame, creds->computer_name)));
+ }
+
+- *creds_out = creds;
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
++/*
++ * NOTE: The following functions are nearly identical to the ones available in
++ * source3/rpc_server/srv_nelog_nt.c
++ * The reason we keep 2 copies is that they use different structures to
++ * represent the auth_info and the decrpc pipes.
++ */
++static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
++ TALLOC_CTX *mem_ctx,
++ const char *computer_name,
++ struct netr_Authenticator *received_authenticator,
++ struct netr_Authenticator *return_authenticator,
++ struct netlogon_creds_CredentialState **creds_out)
++{
++ NTSTATUS nt_status;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
++
++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
++
++ nt_status = schannel_check_creds_state(mem_ctx,
++ dce_call->conn->dce_ctx->lp_ctx,
++ computer_name,
++ received_authenticator,
++ return_authenticator,
++ &creds);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ ZERO_STRUCTP(return_authenticator);
++ return nt_status;
++ }
++
++ nt_status = dcesrv_netr_check_schannel(dce_call,
++ creds,
++ auth_type,
++ auth_level,
++ dce_call->pkt.u.request.opnum);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ TALLOC_FREE(creds);
++ ZERO_STRUCTP(return_authenticator);
++ return nt_status;
++ }
++
++ *creds_out = creds;
++ return NT_STATUS_OK;
++}
++
+ /*
+ Change the machine account password for the currently connected
+ client. Supplies only the NT#.
+--
+2.34.1
+
+
+From 875734d5294ff48950a24d6a89be52c916307bc2 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 30 Nov 2022 17:15:36 +0100
+Subject: [PATCH 25/30] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
+ dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
+
+We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
+which are also required for dcesrv_netr_LogonSamLogonEx().
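Review bot: The rebuilt `dcesrv_netr_creds_server_step_check()` has two distinct failure contracts and no header comment describing either: when `schannel_check_creds_state()` fails, `return_authenticator` is zeroed and no `creds` object exists yet; when `dcesrv_netr_check_schannel()` fails, the already-validated `creds` is freed and the authenticator zeroed, so a caller never receives credential state for a call that policy refused. A short comment above the function stating that on any non-OK return `*creds_out` is untouched, `*return_authenticator` is zeroed and nothing allocated on `mem_ctx` for `creds` survives would capture that. It would also be worth noting there that `dcesrv_netr_check_schannel()` only inspects `creds` (its parameter is `const`) and that the opnum passed is the current request's, since that is what the log lines in the callee are keyed on.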
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
+ 1 file changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 8e952ec2e0c7..d5bca620b0d4 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -1441,6 +1441,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
+ struct auth_usersupplied_info *user_info = NULL;
+ NTSTATUS nt_status;
+ struct tevent_req *subreq = NULL;
++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
++
++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
++
++ switch (dce_call->pkt.u.request.opnum) {
++ case NDR_NETR_LOGONSAMLOGON:
++ case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
++ /*
++ * These already called dcesrv_netr_check_schannel()
++ * via dcesrv_netr_creds_server_step_check()
++ */
++ break;
++ case NDR_NETR_LOGONSAMLOGONEX:
++ default:
++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ nt_status = dcesrv_netr_check_schannel(dce_call,
++ creds,
++ auth_type,
++ auth_level,
++ dce_call->pkt.u.request.opnum);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ return nt_status;
++ }
++ break;
++ }
+
+ *r->out.authoritative = 1;
+
+@@ -1789,7 +1818,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
+ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_LogonSamLogonEx *r)
+ {
+- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ struct dcesrv_netr_LogonSamLogon_base_state *state;
+ NTSTATUS nt_status;
+
+@@ -1827,12 +1855,6 @@
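Review bot: `dce_call->pkt.u.request.opnum` is read twice in the new switch, once as the switch expression and once as the last argument to `dcesrv_netr_check_schannel()`; a local `uint16_t opnum = dce_call->pkt.u.request.opnum;` used in both places, `switch (opnum) {` and `opnum);`, makes it obvious that the value dispatched on is the one the callee logs. The comment on the LOGONSAMLOGON/WITHFLAGS cases relies on those callers having gone through `dcesrv_netr_creds_server_step_check()` before reaching this function, which is outside the hunk and worth stating as a precondition in the function's header comment. Grouping `default:` with LOGONSAMLOGONEX sends any unexpected opnum down the schannel-required path, which is the fail-closed choice and deserves a one-line comment saying so. `creds` is used here but declared outside the hunk, and dcesrv_netr_LogonSamLogon_base_call continues past it.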
static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, + return nt_status; + } + +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); +- +- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- return NT_STATUS_ACCESS_DENIED; +- } +- + nt_status = dcesrv_netr_LogonSamLogon_base_call(state); + + if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) { +-- +2.34.1 + + +From 9c294a19374d15f04649c62f4e5f8df6a59610a5 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 16:53:35 +0100 +Subject: [PATCH 26/30] CVE-2022-38023 docs-xml/smbdotconf: add "server + schannel require seal[:COMPUTERACCOUNT]" options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470) +--- + .../smbdotconf/security/serverschannel.xml | 43 ++++++- + .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++ + lib/param/loadparm.c | 1 + + source3/param/loadparm.c | 1 + + 4 files changed, 157 insertions(+), 6 deletions(-) + create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml + +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index 3e66df1c2032..42a657912cac 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -12,19 +12,37 @@ + the hardcoded behavior in future). + + +- +- Samba will complain in the log files at log level 0, +- about the security problem if the option is not set to "yes". ++ Avoid using this option! Use explicit 'no' instead! + ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. 
(The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ + +- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 ++ This allows admins to use "auto" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. + + +- If you still have legacy domain members use the option. ++ ++ See CVE-2020-1472(ZeroLogon), ++ https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option is over-ridden by the option. + ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. ++ + + + yes +@@ -48,6 +66,9 @@ + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). + + + +@@ -56,15 +77,25 @@ + + + +- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 ++ See CVE-2020-1472(ZeroLogon), ++ https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option overrides the option. + ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. 
++ Which means 'no' ++ is only useful in combination with 'no' ++ + + server require schannel:LEGACYCOMPUTER1$ = no ++ server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no ++ server require schannel seal:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no ++ server require schannel seal:LEGACYCOMPUTER2$ = no + + + +diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +new file mode 100644 +index 000000000000..d4620d1252dd +--- /dev/null ++++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +@@ -0,0 +1,118 @@ ++ ++ ++ ++ ++ This option is deprecated and will be removed in future, ++ as it is a security problem if not set to "yes" (which will be ++ the hardcoded behavior in future). ++ ++ ++ ++ This option controls whether the netlogon server (currently ++ only in 'active directory domain controller' mode), will ++ reject the usage of netlogon secure channel without privacy/enryption. ++ ++ ++ ++ The option is modelled after the registry key available on Windows. ++ ++ ++ ++ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 ++ ++ ++ ++ Avoid using this option! Use the per computer account specific option ++ '' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ This allows admins to use "no" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. 
++ ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'yes'. ++ ++ ++ ++ This option is over-ridden by the option. ++ ++ ++ ++ ++yes ++ ++ ++ ++ ++ ++ ++ If you still have legacy domain members, which required "server schannel require seal = no" before, ++ it is possible to specify explicit exception per computer account ++ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "no", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will warn in the log files at log level 5, ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ ++ This option overrides the '' option. ++ ++ ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'yes'. 
++ ++ ++ ++ server require schannel seal:LEGACYCOMPUTER1$ = no ++ server require schannel seal:NASBOX$ = no ++ server require schannel seal:LEGACYCOMPUTER2$ = no ++ ++ ++ ++ +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 2b644ee97c02..2b1eec5c4a12 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); + + lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); + lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); + + lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 28ce4de6dd67..443b63a1cf46 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.require_strong_key = true; + Globals.reject_md5_servers = true; + Globals.server_schannel = true; ++ Globals.server_schannel_require_seal = true; + Globals.reject_md5_clients = true; + Globals.read_raw = true; + Globals.write_raw = true; +-- +2.34.1 + + +From 422a2c9adcc39edb4a9ea3da435a7b53822f6ccc Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 2 Dec 2022 14:31:26 +0100 +Subject: [PATCH 27/30] CVE-2022-38023 s4:rpc_server/netlogon: add a per + connection cache to dcesrv_netr_check_schannel() + +It's enough to warn the admin once per connection. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++---- + 1 file changed, 153 insertions(+), 40 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index d5bca620b0d4..624c8d407242 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -877,23 +877,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + } + +-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, +- const struct netlogon_creds_CredentialState *creds, +- enum dcerpc_AuthType auth_type, +- enum dcerpc_AuthLevel auth_level, +- uint16_t opnum) ++struct dcesrv_netr_check_schannel_state { ++ struct dom_sid account_sid; ++ enum dcerpc_AuthType auth_type; ++ enum dcerpc_AuthLevel auth_level; ++ ++ bool schannel_global_required; ++ bool schannel_required; ++ bool schannel_explicitly_set; ++ ++ NTSTATUS result; ++}; ++ ++static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ struct dcesrv_netr_check_schannel_state **_s) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- TALLOC_CTX *frame = talloc_stackframe(); +- NTSTATUS nt_status; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; ++#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) ++ struct 
dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ *_s = NULL; ++ ++ s = dcesrv_iface_state_find_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ struct dcesrv_netr_check_schannel_state); ++ if (s != NULL) { ++ if (!dom_sid_equal(&s->account_sid, creds->sid)) { ++ goto new_state; ++ } ++ if (s->auth_type != auth_type) { ++ goto new_state; ++ } ++ if (s->auth_level != auth_level) { ++ goto new_state; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++ } ++ ++new_state: ++ TALLOC_FREE(s); ++ s = talloc_zero(dce_call, ++ struct dcesrv_netr_check_schannel_state); ++ if (s == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ s->account_sid = *creds->sid; ++ s->auth_type = auth_type; ++ s->auth_level = auth_level; ++ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server require schannel", ++ creds->account_name); ++ if (explicit_opt != NULL) { ++ schannel_required = lp_bool(explicit_opt); ++ } ++ ++ s->schannel_global_required = schannel_global_required; ++ s->schannel_required = schannel_required; ++ s->schannel_explicitly_set = explicit_opt != NULL; ++ ++ status = dcesrv_iface_state_store_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++} ++ ++static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, ++ struct dcesrv_netr_check_schannel_state *s, ++ const struct netlogon_creds_CredentialState *creds, ++ uint16_t opnum) ++{ ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", 
"error_debug_level", DBGLVL_ERR); ++ TALLOC_CTX *frame = talloc_stackframe(); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; + const char *reason = ""; +@@ -902,37 +984,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname = ndr_table_netlogon.calls[opnum].name; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + reason = "WITH SIGNED"; + } else { +- smb_panic("Schannel without SIGN/SEAL"); ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ s->result = NT_STATUS_INTERNAL_ERROR; + } + } else { + reason = "WITHOUT"; + } + +- /* +- * We don't use lpcfg_parm_bool(), as we +- * need the explicit_opt pointer in order to +- * adjust the debug messages. 
+- */ +- explicit_opt = lpcfg_get_parametric(lp_ctx, +- NULL, +- "server require schannel", +- creds->account_name); +- if (explicit_opt != NULL) { +- schannel_required = lp_bool(explicit_opt); ++ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(s->result)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ TALLOC_FREE(frame); ++ return s->result; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- nt_status = NT_STATUS_OK; ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ s->result = NT_STATUS_OK; + +- if (explicit_opt != NULL && !schannel_required) { ++ if (s->schannel_explicitly_set && !s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); +- } else if (!schannel_required) { ++ } else if (!s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } + +@@ -943,9 +1031,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); +- +- if (explicit_opt != NULL && !schannel_required) { ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set && !s->schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed for '%s'!\n", +@@ -954,13 +1041,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + } + + TALLOC_FREE(frame); +- return nt_status; ++ return s->result; + } + +- if (schannel_required) { +- nt_status = NT_STATUS_ACCESS_DENIED; ++ if (s->schannel_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; + +- if 
(explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -973,8 +1060,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); +- if (explicit_opt != NULL) { ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set) { + D_NOTICE("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = yes' " + "rejects access for client.\n", +@@ -987,12 +1074,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + log_escape(frame, creds->account_name))); + } + TALLOC_FREE(frame); +- return nt_status; ++ return s->result; + } + +- nt_status = NT_STATUS_OK; ++ s->result = NT_STATUS_OK; + +- if (explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1005,9 +1092,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); ++ nt_errstr(s->result))); + +- if (explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " + "still needed for '%s'!\n", +@@ -1030,6 +1117,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + } + + TALLOC_FREE(frame); ++ return s->result; ++} ++ ++static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) ++{ ++ struct dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ status 
= dcesrv_netr_check_schannel_get_state(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ &s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ + return NT_STATUS_OK; + } + +-- +2.34.1 + + +From 78d79aade1f07776266e22829a53a594bb2968b8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 14:05:30 +0100 +Subject: [PATCH 28/30] CVE-2022-38023 s4:rpc_server/netlogon: implement + "server schannel require seal[:COMPUTERACCOUNT]" + +By default we'll now require schannel connections with +privacy/sealing/encryption. + +But we allow exceptions for specific computer/trust accounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1) +--- + selftest/target/Samba4.pm | 28 ++ + source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++- + 2 files changed, 271 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index b61acbf8e57b..087860b9ebdd 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1645,9 +1645,23 @@ sub provision_ad_dc_ntvfs($$$) + server require schannel:schannel10\$ = no + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server 
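Review bot: `dcesrv_netr_check_schannel` now returns a result cached per connection, but neither the wrapper nor `struct dcesrv_netr_check_schannel_state` documents that the cache is keyed on `creds->sid`, `auth_type` and `auth_level`, or that `result == NT_STATUS_MORE_PROCESSING_REQUIRED` marks a state whose verdict has not been computed yet. A comment above the wrapper along the lines of `/* Verdict is cached per connection (keyed by account SID, auth type and auth level); the policy is evaluated and the admin-facing messages are logged only on the first call, later calls return the stored result */` would make the later-call behaviour visible at the call sites. The configured `server require schannel` values are also copied into the state when it is created, so a changed configuration does not appear to be re-read for an existing connection; if that is intended, state it in the same comment.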
schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no + + # needed for 'samba.tests.auth_log' tests + server require schannel:LOCALDC\$ = no ++ server schannel require seal:LOCALDC\$ = no + "; + push (@{$extra_provision_options}, "--use-ntvfs"); + my $ret = $self->provision($prefix, +@@ -2049,6 +2063,19 @@ sub provision_ad_dc($$$$$$$) + server require schannel:schannel10\$ = no + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no + + auth event notification = true + dsdb event notification = true +@@ -2742,6 +2769,7 @@ sub setup_ad_dc_smb1 + + # needed for 'samba.tests.auth_log' tests + server require schannel:ADDCSMB1\$ = no ++ server schannel require seal:ADDCSMB1\$ = no + "; + return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); + } +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 624c8d407242..ddcb8487a56d 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -68,9 +68,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + int schannel = 
lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); + static bool warned_global_nt4_once = false; + static bool warned_global_md5_once = false; + static bool warned_global_schannel_once = false; ++ static bool warned_global_seal_once = false; + + if (global_allow_nt4_crypto && !warned_global_nt4_once) { + /* +@@ -102,6 +104,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + warned_global_schannel_once = true; + } + ++ if (!global_require_seal && !warned_global_seal_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'server schannel require seal = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_once = true; ++ } ++ + return dcesrv_interface_bind_reject_connect(context, iface); + } + +@@ -886,6 +898,10 @@ struct dcesrv_netr_check_schannel_state { + bool schannel_required; + bool schannel_explicitly_set; + ++ bool seal_global_required; ++ bool seal_required; ++ bool seal_explicitly_set; ++ + NTSTATUS result; + }; + +@@ -900,6 +916,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); ++ bool require_seal = global_require_seal; ++ const char *explicit_seal_opt = NULL; + #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) + struct dcesrv_netr_check_schannel_state *s = NULL; + NTSTATUS status; +@@ -937,6 +956,19 @@ new_state: + s->auth_level = auth_level; + s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; + ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust 
the debug messages. ++ */ ++ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server schannel require seal", ++ creds->account_name); ++ if (explicit_seal_opt != NULL) { ++ require_seal = lp_bool(explicit_seal_opt); ++ } ++ + /* + * We don't use lpcfg_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -954,6 +986,10 @@ new_state: + s->schannel_required = schannel_required; + s->schannel_explicitly_set = explicit_opt != NULL; + ++ s->seal_global_required = global_require_seal; ++ s->seal_required = require_seal; ++ s->seal_explicitly_set = explicit_seal_opt != NULL; ++ + status = dcesrv_iface_state_store_conn(dce_call, + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, + s); +@@ -975,6 +1011,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); + TALLOC_CTX *frame = talloc_stackframe(); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; +@@ -1004,18 +1044,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } + + DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon): " ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && ++ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) ++ { ++ s->result = NT_STATUS_OK; ++ ++ if 
(s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " + "%s request (opnum[%u]) %s schannel from " + "client_account[%s] client_computer_name[%s] %s\n", + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(s->result))); ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (s->seal_explicitly_set && !s->seal_required) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + TALLOC_FREE(frame); + return s->result; + } + + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = DBGLVL_NOTICE; ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if 
(s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ + s->result = NT_STATUS_OK; + + if (s->schannel_explicitly_set && !s->schannel_required) { +@@ -1023,6 +1152,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } else if (!s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1039,7 +1173,77 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name))); + } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ D_INFO("CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else if (!s->seal_required) { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. 
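Review bot: In the `if (s->seal_required)` branch inside the `DCERPC_AUTH_TYPE_SCHANNEL` block the rejection format string is assembled as `"%s schannel from " "from client_account[%s] ..."`, so the log line reads "schannel from from client_account"; drop one `from`. The same duplicated word is in the `CVE-2020-1472(ZeroLogon)/CVE-2022-38023:` message of the `@@ -1039,7 +1173,77 @@` hunk. In the same branch the `else` message `"CVE-2022-38023: Check if option 'server schannel require seal:%s = no' ..."` is emitted at `CVE_2020_1472_error_level` while the `dbg_lvl` computed just above it uses `CVE_2022_38023_error_level`, so the parametric `CVE_2022_38023:error_debug_level` read at the top of the function does not govern that line; `DEBUG(CVE_2022_38023_error_level, (` would match the rest of the seal handling. Minor: `dbg_lvl = DBGLVL_NOTICE;` there assigns directly where every other site writes `MIN(dbg_lvl, DBGLVL_NOTICE)`; the outcome is the same on this path, but the form should match.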
++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: " ++ "Please use 'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (!s->schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } else if (s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } + ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (!s->schannel_explicitly_set) { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } else if (s->schannel_required) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server require schannel:%s = yes' " ++ "also rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } + TALLOC_FREE(frame); + return s->result; + } +@@ -1052,6 +1256,9 @@ static NTSTATUS 
dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); + } ++ if (!s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +@@ -1073,12 +1280,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } ++ if (!s->seal_explicitly_set) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(frame); + return s->result; + } + + s->result = NT_STATUS_OK; + ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ + if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +@@ -1094,6 +1314,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + log_escape(frame, creds->computer_name), + nt_errstr(s->result))); + ++ if (s->seal_explicitly_set) { ++ D_INFO("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. 
++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Please use " ++ "'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + if (s->schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " +-- +2.34.1 + + +From 8a9aed5d0dab28a20004ed6cc73f2472b11fbd41 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 15:13:47 +0100 +Subject: [PATCH 29/30] CVE-2022-38023 testparm: warn about server/client + schannel != yes + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e) +--- + source3/utils/testparm.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 27a8bc1fb8e8..b3ddd48b3f1d 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -598,11 +598,25 @@ static int do_global_checks(void) + ret = 1; + } + +- if (!lp_server_schannel()) { ++ if (lp_server_schannel() != true) { /* can be 'auto' */ + fprintf(stderr, +- "WARNING: You have configured 'server schannel = no'. " ++ "WARNING: You have not configured " ++ "'server schannel = yes' (the default). " + "Your server is vulernable to \"ZeroLogon\" " +- "(CVE-2020-1472)\n\n"); ++ "(CVE-2020-1472)\n" ++ "If required use individual " ++ "'server require schannel:COMPUTERACCOUNT$ = no' " ++ "options\n\n"); ++ } ++ if (lp_client_schannel() != true) { /* can be 'auto' */ ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'client schannel = yes' (the default). 
" ++ "Your server is vulernable to \"ZeroLogon\" " ++ "(CVE-2020-1472)\n" ++ "If required use individual " ++ "'client schannel:NETBIOSDOMAIN = no' " ++ "options\n\n"); + } + + return ret; +-- +2.34.1 + + +From a3e10bf4b8fc328167e7219337742bf12eb41111 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 6 Dec 2022 13:36:17 +0100 +Subject: [PATCH 30/30] CVE-2022-38023 testparm: warn about unsecure schannel + related options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb) +--- + source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index b3ddd48b3f1d..02ef3de83ae5 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -608,6 +608,37 @@ static int do_global_checks(void) + "'server require schannel:COMPUTERACCOUNT$ = no' " + "options\n\n"); + } ++ if (lp_allow_nt4_crypto()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'allow nt4 crypto = no' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023 and others!\n" ++ "If required use individual " ++ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' " ++ "options\n\n"); ++ } ++ if (!lp_reject_md5_clients()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'reject md5 clients = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023!\n" ++ "If required use individual " ++ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' " ++ "options\n\n"); ++ } ++ if (!lp_server_schannel_require_seal()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'server schannel require seal = yes' (the default). 
" ++ "Your server is vulernable to " ++ "CVE-2022-38023!\n" ++ "If required use individual " ++ "'server schannel require seal:COMPUTERACCOUNT$ = no' " ++ "options\n\n"); ++ } ++ + if (lp_client_schannel() != true) { /* can be 'auto' */ + fprintf(stderr, + "WARNING: You have not configured " +@@ -618,6 +649,36 @@ static int do_global_checks(void) + "'client schannel:NETBIOSDOMAIN = no' " + "options\n\n"); + } ++ if (!lp_reject_md5_servers()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'reject md5 servers = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'reject md5 servers:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } ++ if (!lp_require_strong_key()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'require strong key = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'require strong key:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } ++ if (!lp_winbind_sealed_pipes()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'winbind sealed pipes = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'winbind sealed pipes:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } + + return ret; + } +-- +2.34.1 + diff --git a/dist b/dist index 0ee7539..535c690 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_6 +an8_7 diff --git a/download b/download index 4ec975e..294a99e 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -582932d063b12cbe3fb08330609a2e56 samba-4.15.5.tar.asc -c639c72fc1e6e38c3c47f7ab5d5a8d47 samba-4.15.5.tar.xz +b9693c1820753e061ffb45ce13f7bb05 samba-4.16.4.tar.asc +0427045937d9ada381b9336231ecc9f7 samba-4.16.4.tar.xz diff --git a/samba-4-15-fix-autorid.patch b/samba-4-15-fix-autorid.patch deleted file mode 100644 index f63464c..0000000 --- a/samba-4-15-fix-autorid.patch +++ /dev/null 
@@ -1,231 +0,0 @@ -From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:06:30 +0100 -Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) ---- - source3/winbindd/idmap_autorid.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c -index ad53b5810ee..c7d56a37684 100644 ---- a/source3/winbindd/idmap_autorid.c -+++ b/source3/winbindd/idmap_autorid.c -@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) - config->maxranges = (dom->high_id - dom->low_id + 1) / - config->rangesize; - -- if (config->maxranges == 0) { -- DEBUG(1, ("Allowed uid range is smaller than rangesize. " -- "Increase uid range or decrease rangesize.\n")); -+ if (config->maxranges < 2) { -+ DBG_WARNING("Allowed idmap range is not a least double the " -+ "size of the rangesize. 
Please increase idmap " -+ "range.\n"); - status = NT_STATUS_INVALID_PARAMETER; - goto error; - } --- -2.35.1 - - -From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:07:50 +0100 -Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) ---- - source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 51 insertions(+) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index 98bcc219b1e..58ba46bc15f 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, - return false; /* Keep scanning */ - } - -+static int idmap_config_int(const char *domname, const char *option, int def) -+{ -+ int len = snprintf(NULL, 0, "idmap config %s", domname); -+ -+ if (len == -1) { -+ return def; -+ } -+ { -+ char config_option[len+1]; -+ snprintf(config_option, sizeof(config_option), -+ "idmap config %s", domname); -+ return lp_parm_int(-1, config_option, option, def); -+ } -+} -+ - static bool do_idmap_check(void) - { - struct idmap_domains *d; -@@ -157,6 +172,42 @@ static bool do_idmap_check(void) - rc); - } - -+ /* Check autorid backend */ -+ if (strequal(lp_idmap_default_backend(), "autorid")) { -+ struct idmap_config *c = NULL; -+ bool found = false; -+ -+ for (i = 0; i < d->count; i++) { -+ c = &d->c[i]; -+ -+ if (strequal(c->backend, "autorid")) { -+ found = true; -+ break; -+ } -+ } -+ -+ if (found) { -+ uint32_t rangesize = -+ idmap_config_int("*", "rangesize", 100000); -+ uint32_t maxranges = -+ (c->high - c->low + 1) / rangesize; -+ -+ if (maxranges < 2) { -+ fprintf(stderr, -+ "ERROR: The idmap autorid range " -+ "[%u-%u] needs to be at least twice as " -+ "big as the rangesize [%u]!" 
-+ "\n\n", -+ c->low, -+ c->high, -+ rangesize); -+ ok = false; -+ goto done; -+ } -+ } -+ } -+ -+ /* Check for overlapping idmap ranges */ - for (i = 0; i < d->count; i++) { - struct idmap_config *c = &d->c[i]; - uint32_t j; --- -2.35.1 - - -From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:05:19 +0100 -Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) ---- - docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml -index 6c4da1cad8a..980718f0bd4 100644 ---- a/docs-xml/manpages/idmap_autorid.8.xml -+++ b/docs-xml/manpages/idmap_autorid.8.xml -@@ -48,7 +48,13 @@ - and the corresponding map is discarded. It is - intended as a way to avoid accidental UID/GID - overlaps between local and remotely defined -- IDs. -+ IDs. 
Note that the range should be a multiple -+ of the rangesize and needs to be at least twice -+ as large in order to have sufficient id range -+ space for the mandatory BUILTIN domain. -+ With a default rangesize of 100000 the range -+ needs to span at least 200000. -+ This would be: range = 100000 - 299999. - - - --- -2.35.1 - diff --git a/samba-4-15-fix-create-local-krb5-conf.patch b/samba-4-15-fix-create-local-krb5-conf.patch deleted file mode 100644 index 2d7ad44..0000000 --- a/samba-4-15-fix-create-local-krb5-conf.patch +++ /dev/null 
@@ -1,477 +0,0 @@ -From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 16:53:02 +0100 -Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - testprogs/blackbox/test_net_ads.sh | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index 76b394b10a9..cfafb945b62 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -51,6 +51,12 @@ fi - - testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - -+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") -+testit "local krb5.conf created" \ -+ test -r \ -+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || -+ failed=$((failed + 1)) -+ - testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` - - netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') --- -2.35.1 - - -From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:03:40 +0100 -Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 75beeef4a44..60fe03fd5d7 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -1,4 +1,4 @@ --/* -+/* - Unix SMB/CIFS implementation. 
- kerberos utility library - Copyright (C) Andrew Tridgell 2001 -@@ -37,11 +37,11 @@ - #define LIBADS_CCACHE_NAME "MEMORY:libads" - - /* -- we use a prompter to avoid a crash bug in the kerberos libs when -+ we use a prompter to avoid a crash bug in the kerberos libs when - dealing with empty passwords - this prompter is just a string copy ... - */ --static krb5_error_code -+static krb5_error_code - kerb_prompter(krb5_context ctx, void *data, - const char *name, - const char *banner, -@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal, - krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); - } - -- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), -+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), - kerb_prompter, discard_const_p(char, password), - 0, NULL, opt))) { - goto out; -@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name) - } - - if ((code = krb5_cc_destroy (ctx, cc))) { -- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", -+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", - error_message(code))); - } - -@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal, - int time_offset, - const char *cache_name) - { -- return kerberos_kinit_password_ext(principal, -- password, -- time_offset, -- 0, -+ return kerberos_kinit_password_ext(principal, -+ password, -+ time_offset, -+ 0, - 0, - cache_name, - False, --- -2.35.1 - - -From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:04:34 +0100 -Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string() - -This avoids useless allocations. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 60fe03fd5d7..1bf149ef09b 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx, - struct netlogon_samlogon_response **responses = NULL; - NTSTATUS status; - bool ok; -- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", -- print_canonical_sockaddr_with_port(mem_ctx, pss)); -+ char *kdc_str = NULL; - -+ SMB_ASSERT(pss != NULL); -+ -+ kdc_str = talloc_asprintf(mem_ctx, -+ "\t\tkdc = %s\n", -+ print_canonical_sockaddr_with_port(mem_ctx, -+ pss)); - if (kdc_str == NULL) { - TALLOC_FREE(frame); - return NULL; -@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx, - } - } - -- dc_addrs2 = talloc_zero_array(talloc_tos(), -- struct tsocket_address *, -- num_dcs); -- - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { - TALLOC_FREE(kdc_str); - goto out; - } -+ -+ dc_addrs2 = talloc_zero_array(talloc_tos(), -+ struct tsocket_address *, -+ num_dcs); - if (dc_addrs2 == NULL) { - TALLOC_FREE(kdc_str); - goto out; --- -2.35.1 - - -From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:10:47 +0100 -Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 1bf149ef09b..6a46d72a156 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - - 
result = kdc_str; - out: -- DBG_DEBUG("Returning\n%s\n", kdc_str); -+ if (result != NULL) { -+ DBG_DEBUG("Returning\n%s\n", kdc_str); -+ } else { -+ DBG_NOTICE("Failed to get KDC ip address\n"); -+ } - - TALLOC_FREE(ip_sa_site); - TALLOC_FREE(ip_sa_nonsite); --- -2.35.1 - - -From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:48:23 +0100 -Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in - get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 6a46d72a156..d1c410ffa4b 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - } - - /* Append to the string - inefficient but not done often. */ -- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", -- kdc_str, -- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); -- TALLOC_FREE(kdc_str); -+ new_kdc_str = talloc_asprintf_append( -+ kdc_str, -+ "\t\tkdc = %s\n", -+ print_canonical_sockaddr_with_port( -+ mem_ctx, &dc_addrs[i])); - if (new_kdc_str == NULL) { - goto out; - } --- -2.35.1 - - -From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:56:58 +0100 -Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index d1c410ffa4b..aadc65a3edc 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -438,7 +438,7 @@ static char 
*get_kdc_ip_string(char *mem_ctx, - - SMB_ASSERT(pss != NULL); - -- kdc_str = talloc_asprintf(mem_ctx, -+ kdc_str = talloc_asprintf(frame, - "\t\tkdc = %s\n", - print_canonical_sockaddr_with_port(mem_ctx, - pss)); -@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - */ - - if (sitename) { -- status = get_kdc_list(talloc_tos(), -+ status = get_kdc_list(frame, - realm, - sitename, - &ip_sa_site, -@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - - /* Get all KDC's. */ - -- status = get_kdc_list(talloc_tos(), -+ status = get_kdc_list(frame, - realm, - NULL, - &ip_sa_nonsite, -@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - kdc_str = new_kdc_str; - } - -- result = kdc_str; -+ result = talloc_move(mem_ctx, &kdc_str); - out: - if (result != NULL) { - DBG_DEBUG("Returning\n%s\n", kdc_str); -@@ -597,8 +597,6 @@ out: - DBG_NOTICE("Failed to get KDC ip address\n"); - } - -- TALLOC_FREE(ip_sa_site); -- TALLOC_FREE(ip_sa_nonsite); - TALLOC_FREE(frame); - return result; - } --- -2.35.1 - - -From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:57:18 +0100 -Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str - -This is allocated on the stackframe now! 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 12 +----------- - 1 file changed, 1 insertion(+), 11 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index aadc65a3edc..2087dc1e6f9 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - print_canonical_sockaddr_with_port(mem_ctx, - pss)); - if (kdc_str == NULL) { -- TALLOC_FREE(frame); -- return NULL; -+ goto out; - } - - ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); - if (!ok) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("get_kdc_list fail %s\n", - nt_errstr(status)); -- TALLOC_FREE(kdc_str); - goto out; - } - DBG_DEBUG("got %zu addresses from site %s search\n", -@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("get_kdc_list (site-less) fail %s\n", - nt_errstr(status)); -- TALLOC_FREE(kdc_str); - goto out; - } - DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); -@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (count_site + count_nonsite < count_site) { - /* Wrap check. 
*/ - DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, - count_site + count_nonsite); - if (dc_addrs == NULL) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - struct tsocket_address *, - num_dcs); - if (dc_addrs2 == NULL) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - status = map_nt_error_from_unix(errno); - DEBUG(2,("Failed to create tsocket_address for %s - %s\n", - addr, nt_errstr(status))); -- TALLOC_FREE(kdc_str); - goto out; - } - } -@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " - "%s\n", nt_errstr(status))); -- TALLOC_FREE(kdc_str); - goto out; - } - --- -2.35.1 - - -From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 13:02:05 +0100 -Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for - NULL in get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 2087dc1e6f9..20dceeefb22 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx, - NTSTATUS status; - bool ok; - char *kdc_str = NULL; -+ char *canon_sockaddr = NULL; - - SMB_ASSERT(pss != 
NULL); - -+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); -+ if (canon_sockaddr == NULL) { -+ goto out; -+ } -+ - kdc_str = talloc_asprintf(frame, - "\t\tkdc = %s\n", -- print_canonical_sockaddr_with_port(mem_ctx, -- pss)); -+ canon_sockaddr); - if (kdc_str == NULL) { - goto out; - } --- -2.35.1 - - -From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 13:10:06 +0100 -Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf - -We create an KDC ip string entry directly at the beginning, use it if we -don't have any additional DCs. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 20dceeefb22..3fd86e87064 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { -+ /* -+ * We do not have additional KDCs, but we have the one passed -+ * in via `pss`. So just use that one and leave. -+ */ -+ result = talloc_move(mem_ctx, &kdc_str); - goto out; - } - --- -2.35.1 - diff --git a/samba-4-15-fix-winbind-refresh-tickets.patch b/samba-4-15-fix-winbind-refresh-tickets.patch deleted file mode 100644 index 93c2caa..0000000 --- a/samba-4-15-fix-winbind-refresh-tickets.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 12:59:44 +0100 -Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error - path - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) ---- - source3/libads/authdata.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index dd21d895fc2..c048510d480 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; -+ DATA_BLOB tkt = data_blob_null; -+ DATA_BLOB tkt_wrapped = data_blob_null; -+ DATA_BLOB ap_rep = data_blob_null; -+ DATA_BLOB sesskey1 = data_blob_null; - const char *auth_princ = NULL; - const char *cc = "MEMORY:kerberos_return_pac"; - struct auth_session_info *session_info; -@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - ZERO_STRUCT(sesskey1); - - if (!name || !pass) { -- return NT_STATUS_INVALID_PARAMETER; -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto out; - } - - if (cache_name) { -@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - - if (expire_time && renew_till_time && - (*expire_time == 0) && (*renew_till_time == 0)) { -- return NT_STATUS_INVALID_LOGON_TYPE; -+ status = NT_STATUS_INVALID_LOGON_TYPE; -+ goto out; - } - - ret = ads_krb5_cli_get_ticket(mem_ctx, --- -2.35.1 - - -From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:00:05 +0100 -Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug - macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan 
Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) ---- - lib/krb5_wrap/krb5_samba.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..42d4b950f80 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - goto done; - } - -- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); -+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); - - /* FIXME: we should not fall back to defaults */ - ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); --- -2.35.1 - - -From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:28 +0100 -Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer - debug macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) ---- - lib/krb5_wrap/krb5_samba.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 42d4b950f80..76c2dcd2126 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - - ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); - if (ret) { -- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); -+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " -+ "for client '%s' and service '%s' failed: %s\n", -+ ccache_string, client_string, service_string, -+ error_message(ret)); - goto done; - } - --- -2.35.1 - - -From 
00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:08:56 +0100 -Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from - kerberos_return_pac() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) ---- - source3/libads/authdata.c | 22 +++++++++++++++++++++- - source3/libads/kerberos_proto.h | 2 ++ - source3/utils/net_ads.c | 2 ++ - source3/winbindd/winbindd_pam.c | 2 ++ - 4 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index c048510d480..bf9a2335445 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **_pac_data_ctr) - { - krb5_error_code ret; -@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_context; - struct loadparm_context *lp_ctx; - struct PAC_DATA_CTR *pac_data_ctr = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); -@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - goto out; - } - -+ if (_canon_principal != NULL) { -+ *_canon_principal = NULL; -+ } -+ -+ if (_canon_realm != NULL) { -+ *_canon_realm = NULL; -+ } -+ - if (cache_name) { - cc = cache_name; - } -@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - request_pac, - add_netbios_addr, - renewable_time, -- NULL, NULL, NULL, -+ tmp_ctx, -+ &canon_principal, -+ &canon_realm, - &status); - if (ret) { - DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", 
-@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - } - - *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); -+ if (_canon_principal != NULL) { -+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); -+ } -+ if (_canon_realm != NULL) { -+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); -+ } - - out: - talloc_free(tmp_ctx); -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index 3d7b5bc074b..807381248c8 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **pac_data_ctr); - - /* The following definitions come from libads/krb5_setpw.c */ -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 8f993f9ba4c..c41fb0afe9c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch - 2592000, /* one month */ - impersonate_princ_s, - local_service, -+ NULL, -+ NULL, - pac_data_ctr); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 7606bfb4ecd..025a5cbc111 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -+ NULL, -+ NULL, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); --- -2.35.1 - - -From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:19:02 +0100 -Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache 
- entry - -They will be used later to refresh the tickets. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) ---- - source3/winbindd/winbindd.h | 2 ++ - source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- - source3/winbindd/winbindd_pam.c | 14 ++++++++++---- - source3/winbindd/winbindd_proto.h | 4 +++- - 4 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index a6b2238cec1..dac4a1fa927 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { - const char *service; - const char *username; - const char *realm; -+ const char *canon_principal; -+ const char *canon_realm; - struct WINBINDD_MEMORY_CREDS *cred_ptr; - int ref_count; - uid_t uid; -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index c3077e21989..88847b1ab97 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request) -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm) - { - struct WINBINDD_CCACHE_ENTRY *entry = NULL; - struct timeval t; -@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - goto no_mem; - } - } -+ if (canon_principal != NULL) { -+ entry->canon_principal = talloc_strdup(entry, canon_principal); -+ if (entry->canon_principal == NULL) { -+ goto no_mem; -+ } -+ } -+ if (canon_realm != NULL) { -+ entry->canon_realm = talloc_strdup(entry, canon_realm); -+ if (entry->canon_realm == NULL) { -+ goto no_mem; -+ } -+ } - - entry->ccname = talloc_strdup(entry, ccname); - if 
(!entry->ccname) { -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 025a5cbc111..a24cef78440 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - const char *local_service; - uint32_t i; - struct netr_SamInfo6 *info6_copy = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - bool ok; - - *info6 = NULL; -@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -- NULL, -- NULL, -+ &canon_principal, -+ &canon_realm, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); -@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - time(NULL), - ticket_lifetime, - renewal_until, -- false); -+ false, -+ canon_principal, -+ canon_realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", -@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, - time(NULL), - time(NULL) + lp_winbind_cache_time(), - time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, -- true); -+ true, -+ principal_s, -+ realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed " -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h -index c0d653a6d77..16c23f3de40 100644 ---- a/source3/winbindd/winbindd_proto.h -+++ b/source3/winbindd/winbindd_proto.h -@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request); -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm); - NTSTATUS remove_ccache(const char *username); - struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); - 
NTSTATUS winbindd_add_memory_creds(const char *username, --- -2.35.1 - - -From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:44 +0100 -Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the - credentials - -The principal name stored in the winbindd ccache entry might be an -enterprise principal name if enterprise principals are enabled. Use -the canonical name to renew the credentials. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) ---- - source3/winbindd/winbindd_cred_cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index 88847b1ab97..6c65db6a73f 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -209,7 +209,7 @@ rekinit: - set_effective_uid(entry->uid); - - ret = smb_krb5_renew_ticket(entry->ccname, -- entry->principal_name, -+ entry->canon_principal, - entry->service, - &new_start); - #if defined(DEBUG_KRB5_TKT_RENEWAL) --- -2.35.1 - diff --git a/samba-4-15-kerberos-clock-skew.patch b/samba-4-15-kerberos-clock-skew.patch deleted file mode 100644 index 1e87049..0000000 --- a/samba-4-15-kerberos-clock-skew.patch +++ /dev/null 
@@ -1,347 +0,0 @@ -From 01205e1ff2a16ecdeb99fd4153f40f917decacee Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:01:00 +0200 -Subject: [PATCH 1/4] s3:winbind: Do not use domain's private data to store the - SAMR pipes - -The domain's private_data pointer is also used to store a ADS_STRUCT, -which is not allocated using talloc and there are many places casting -this pointer directly. - -The recently added samba.tests.pam_winbind_setcred was randomly failing -and after debugging it the problem was that kerberos authentication was -failing because the time_offset passed to kerberos_return_pac() was -wrong. This time_offset was retrieved from ads->auth.time_offset, where -the ads pointer was directly casted from domain->private_data but -private_data was pointing to a winbind_internal_pipes struct. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit e1f29b0970f4cac52a9cd517be6862cf69a1433a) ---- - source3/winbindd/winbindd.h | 6 ++++++ - source3/winbindd/winbindd_ndr.c | 3 +++ - source3/winbindd/winbindd_samr.c | 18 ++++++------------ - 3 files changed, 15 insertions(+), 12 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index dac4a1fa927..762844502e5 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -43,6 +43,8 @@ - - #define WB_REPLACE_CHAR '_' - -+struct winbind_internal_pipes; -+ - struct winbindd_cli_state { - struct winbindd_cli_state *prev, *next; /* Linked list pointers */ - int sock; /* Open socket from client */ -@@ -157,6 +159,10 @@ struct winbindd_domain { - - void *private_data; - -+ struct { -+ struct winbind_internal_pipes *samr_pipes; -+ } backend_data; -+ - /* A working DC */ - char *dcname; - const char *ping_dcname; -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 157ce1bff27..36901776b98 
100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -144,6 +144,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_bool(ndr, "startup", r->startup); - ndr_print_winbindd_methods(ndr, "backend", r->backend); - ndr_print_ptr(ndr, "private_data", r->private_data); -+ ndr_print_ptr(ndr, -+ "backend_data.samr_pipes", -+ r->backend_data.samr_pipes); - ndr_print_string(ndr, "dcname", r->dcname); - ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); - ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); -diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c -index 5e23ff8217b..ce66adcc0c7 100644 ---- a/source3/winbindd/winbindd_samr.c -+++ b/source3/winbindd/winbindd_samr.c -@@ -130,7 +130,7 @@ static NTSTATUS open_cached_internal_pipe_conn( - { - struct winbind_internal_pipes *internal_pipes = NULL; - -- if (domain->private_data == NULL) { -+ if (domain->backend_data.samr_pipes == NULL) { - TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS status; - -@@ -156,14 +156,14 @@ static NTSTATUS open_cached_internal_pipe_conn( - return status; - } - -- domain->private_data = talloc_move(domain, &internal_pipes); -+ domain->backend_data.samr_pipes = -+ talloc_move(domain, &internal_pipes); - - TALLOC_FREE(frame); - - } - -- internal_pipes = talloc_get_type_abort( -- domain->private_data, struct winbind_internal_pipes); -+ internal_pipes = domain->backend_data.samr_pipes; - - if (samr_domain_hnd) { - *samr_domain_hnd = internal_pipes->samr_domain_hnd; -@@ -188,23 +188,17 @@ static bool reset_connection_on_error(struct winbindd_domain *domain, - struct rpc_pipe_client *p, - NTSTATUS status) - { -- struct winbind_internal_pipes *internal_pipes = NULL; - struct dcerpc_binding_handle *b = p->binding_handle; - -- internal_pipes = talloc_get_type_abort( -- domain->private_data, struct winbind_internal_pipes); -- - if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) || - NT_STATUS_EQUAL(status, 
NT_STATUS_IO_DEVICE_ERROR)) - { -- TALLOC_FREE(internal_pipes); -- domain->private_data = NULL; -+ TALLOC_FREE(domain->backend_data.samr_pipes); - return true; - } - - if (!dcerpc_binding_handle_is_connected(b)) { -- TALLOC_FREE(internal_pipes); -- domain->private_data = NULL; -+ TALLOC_FREE(domain->backend_data.samr_pipes); - return true; - } - --- -2.35.1 - - -From 79ab2a5669a1e21e96f29cecc651dccacd7ace71 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:15:35 +0200 -Subject: [PATCH 2/4] s3:winbind: Simplify open_cached_internal_pipe_conn() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 91395e660a2b1b69bf74ca0b77aee416e2ac1db3) ---- - source3/winbindd/winbindd_samr.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c -index ce66adcc0c7..20b5d758d1a 100644 ---- a/source3/winbindd/winbindd_samr.c -+++ b/source3/winbindd/winbindd_samr.c -@@ -128,9 +128,10 @@ static NTSTATUS open_cached_internal_pipe_conn( - struct rpc_pipe_client **lsa_pipe, - struct policy_handle *lsa_hnd) - { -- struct winbind_internal_pipes *internal_pipes = NULL; -+ struct winbind_internal_pipes *internal_pipes = -+ domain->backend_data.samr_pipes; - -- if (domain->backend_data.samr_pipes == NULL) { -+ if (internal_pipes == NULL) { - TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS status; - -@@ -157,14 +158,11 @@ static NTSTATUS open_cached_internal_pipe_conn( - } - - domain->backend_data.samr_pipes = -- talloc_move(domain, &internal_pipes); -+ talloc_steal(domain, internal_pipes); - - TALLOC_FREE(frame); -- - } - -- internal_pipes = domain->backend_data.samr_pipes; -- - if (samr_domain_hnd) { - *samr_domain_hnd = internal_pipes->samr_domain_hnd; - } --- -2.35.1 - - -From d57f54deef45c638093717378adc1a0743699ae8 Mon Sep 17 00:00:00 2001 
-From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:31:45 +0200 -Subject: [PATCH 3/4] s3:winbind: Do not use domain's private data to store the - ADS_STRUCT - -The ADS_STRUCT is not allocated using talloc and there are many places -casting this pointer directly so use a typed pointer. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3cb256439e9ceece26c2de82293c43486543e0cb) ---- - source3/winbindd/winbindd.h | 2 ++ - source3/winbindd/winbindd_ads.c | 10 +++++----- - source3/winbindd/winbindd_ndr.c | 3 +++ - source3/winbindd/winbindd_pam.c | 6 ++---- - 4 files changed, 12 insertions(+), 9 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index 762844502e5..3cc88367b90 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -44,6 +44,7 @@ - #define WB_REPLACE_CHAR '_' - - struct winbind_internal_pipes; -+struct ads_struct; - - struct winbindd_cli_state { - struct winbindd_cli_state *prev, *next; /* Linked list pointers */ -@@ -161,6 +162,7 @@ struct winbindd_domain { - - struct { - struct winbind_internal_pipes *samr_pipes; -+ struct ads_struct *ads_conn; - } backend_data; - - /* A working DC */ -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 6f01ef6e334..d350f160223 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -269,10 +269,10 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - } - - DEBUG(10,("ads_cached_connection\n")); -- ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data); -+ ads_cached_connection_reuse(&domain->backend_data.ads_conn); - -- if (domain->private_data) { -- return (ADS_STRUCT *)domain->private_data; -+ if (domain->backend_data.ads_conn != NULL) { -+ return domain->backend_data.ads_conn; - } - - /* the machine acct password might have 
change - fetch it every time */ -@@ -303,7 +303,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - } - - status = ads_cached_connection_connect( -- (ADS_STRUCT **)&domain->private_data, -+ &domain->backend_data.ads_conn, - domain->alt_name, - domain->name, NULL, - password, realm, -@@ -322,7 +322,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - return NULL; - } - -- return (ADS_STRUCT *)domain->private_data; -+ return domain->backend_data.ads_conn; - } - - /* Query display info for a realm. This is the basic user list fn */ -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 36901776b98..94ce9d73747 100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -147,6 +147,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_ptr(ndr, - "backend_data.samr_pipes", - r->backend_data.samr_pipes); -+ ndr_print_ptr(ndr, -+ "backend_data.ads_conn", -+ r->backend_data.ads_conn); - ndr_print_string(ndr, "dcname", r->dcname); - ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); - ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 1a2628b50ba..5505220335f 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -677,7 +677,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - fstring name_namespace, name_domain, name_user; - time_t ticket_lifetime = 0; - time_t renewal_until = 0; -- ADS_STRUCT *ads; - time_t time_offset = 0; - const char *user_ccache_file; - struct PAC_LOGON_INFO *logon_info = NULL; -@@ -716,9 +715,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - /* 2nd step: - * get kerberos properties */ - -- if (domain->private_data) { -- ads = (ADS_STRUCT *)domain->private_data; -- time_offset = ads->auth.time_offset; -+ if (domain->backend_data.ads_conn != NULL) { 
-+ time_offset = domain->backend_data.ads_conn->auth.time_offset; - } - - --- -2.35.1 - - -From e32528fd5abbace15b3aad2c7cec8d9c6ade7bf7 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:34:18 +0200 -Subject: [PATCH 4/4] s3:winbind: Remove no longer used domain's private_data - pointer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb) ---- - source3/winbindd/winbindd.h | 4 ---- - source3/winbindd/winbindd_ndr.c | 1 - - 2 files changed, 5 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index 3cc88367b90..fe286a9a686 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -156,10 +156,6 @@ struct winbindd_domain { - */ - struct winbindd_methods *backend; - -- /* Private data for the backends (used for connection cache) */ -- -- void *private_data; -- - struct { - struct winbind_internal_pipes *samr_pipes; - struct ads_struct *ads_conn; -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 94ce9d73747..b393586a692 100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -143,7 +143,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_time_t(ndr, "startup_time", r->startup_time); - ndr_print_bool(ndr, "startup", r->startup); - ndr_print_winbindd_methods(ndr, "backend", r->backend); -- ndr_print_ptr(ndr, "private_data", r->private_data); - ndr_print_ptr(ndr, - "backend_data.samr_pipes", - r->backend_data.samr_pipes); --- -2.35.1 - diff --git a/samba-4-15-smbd-upn.patch b/samba-4-15-smbd-upn.patch deleted file mode 100644 index 703a7d6..0000000 --- a/samba-4-15-smbd-upn.patch +++ /dev/null 
@@ -1,273 +0,0 @@ -From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:10:56 +0200 -Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884) ---- - source3/passdb/lookup_sid.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index a551bcfd24a..3a28cdc68a6 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -1,4 +1,4 @@ --/* -+/* - Unix SMB/CIFS implementation. - uid/user handling - Copyright (C) Andrew Tridgell 1992-1998 -@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid) - If an explicit domain name was given in the form domain\user, it - has to try that. If no explicit domain name was given, we have - to do guesswork. --*****************************************************************/ -+*****************************************************************/ - - bool lookup_name(TALLOC_CTX *mem_ctx, - const char *full_name, int flags, -@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx, - goto ok; - } - -- /* 6. Builtin aliases */ -+ /* 6. Builtin aliases */ - - if ((flags & LOOKUP_NAME_BUILTIN) && - lookup_builtin_name(name, &rid)) -@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, - } - - /* First build up the data structures: -- * -+ * - * dom_infos is a list of domains referenced in the list of - * SIDs. Later we will walk the list of domains and look up the RIDs - * in bulk. -@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, - - /***************************************************************** - *THE CANONICAL* convert SID to name function. 
--*****************************************************************/ -+*****************************************************************/ - - bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - const char **ret_domain, const char **ret_name, -@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - goto done; - } - -- if ((ret_name != NULL) && -+ if ((ret_name != NULL) && - !(*ret_name = talloc_strdup(mem_ctx, name->name))) { - goto done; - } -@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - - /***************************************************************** - *THE LEGACY* convert SID to id function. --*****************************************************************/ -+*****************************************************************/ - - static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) - { -@@ -1465,7 +1465,7 @@ fail: - - /***************************************************************** - *THE CANONICAL* convert SID to uid function. --*****************************************************************/ -+*****************************************************************/ - - bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) - { -@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) - /***************************************************************** - *THE CANONICAL* convert SID to gid function. 
- Group mapping is used for gids that maps to Wellknown SIDs --*****************************************************************/ -+*****************************************************************/ - - bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid) - { --- -2.36.0 - - -From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:12:02 +0200 -Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name() - -This address an issue if sssd is running and handling nsswitch. If we look up -a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd -structure. We need to be able to deal with that. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83) ---- - source3/passdb/lookup_sid.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index 3a28cdc68a6..c14d7a7b123 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx, - PTR_DIFF(p, full_name)); - name = talloc_strdup(tmp_ctx, p+1); - } else { -- domain = talloc_strdup(tmp_ctx, ""); -- name = talloc_strdup(tmp_ctx, full_name); -+ char *q = strchr_m(full_name, '@'); -+ -+ /* Set the domain for UPNs */ -+ if (q != NULL) { -+ name = talloc_strndup(tmp_ctx, -+ full_name, -+ PTR_DIFF(q, full_name)); -+ domain = talloc_strdup(tmp_ctx, q + 1); -+ } else { -+ domain = talloc_strdup(tmp_ctx, ""); -+ name = talloc_strdup(tmp_ctx, full_name); -+ } - } - - if ((domain == NULL) || (name == NULL)) { --- -2.36.0 - - -From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 12:26:25 +0200 -Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in - 
lookup_name_smbconf() - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27) ---- - source3/passdb/lookup_sid.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index c14d7a7b123..dbea5578f92 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - const char **ret_domain, const char **ret_name, - struct dom_sid *ret_sid, enum lsa_SidType *ret_type) - { -- char *qualified_name; -+ char *qualified_name = NULL; - const char *p; - - if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { -@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - /* The name is already qualified with a domain. */ - - if (*lp_winbind_separator() != '\\') { -- char *tmp; -- - /* lookup_name() needs '\\' as a separator */ - -- tmp = talloc_strdup(mem_ctx, full_name); -- if (!tmp) { -+ qualified_name = talloc_strdup(mem_ctx, full_name); -+ if (qualified_name == NULL) { - return false; - } -- tmp[p - full_name] = '\\'; -- full_name = tmp; -+ qualified_name[p - full_name] = '\\'; -+ full_name = qualified_name; - } - - return lookup_name(mem_ctx, full_name, flags, --- -2.36.0 - - -From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:24:10 +0200 -Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf() - -This will be changed to support UPNs too in the next patch. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc) ---- - source3/passdb/lookup_sid.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index dbea5578f92..de9dd123239 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - struct dom_sid *ret_sid, enum lsa_SidType *ret_type) - { - char *qualified_name = NULL; -- const char *p; -+ const char *p = strchr_m(full_name, *lp_winbind_separator()); -+ bool is_qualified = p != NULL; - -- if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { -+ if (is_qualified) { - - /* The name is already qualified with a domain. */ - -- if (*lp_winbind_separator() != '\\') { -+ if (p != NULL && *lp_winbind_separator() != '\\') { - /* lookup_name() needs '\\' as a separator */ - - qualified_name = talloc_strdup(mem_ctx, full_name); --- -2.36.0 - - -From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:39:12 +0200 -Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in - lookup_name_smbconf() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554) ---- - source3/passdb/lookup_sid.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index de9dd123239..426ea3f81bd 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - { - char *qualified_name = NULL; - const char *p = strchr_m(full_name, *lp_winbind_separator()); -- bool is_qualified = p != 
NULL; -+ bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL; - -+ /* For DOMAIN\user or user@REALM directly call lookup_name(). */ - if (is_qualified) { - - /* The name is already qualified with a domain. */ --- -2.36.0 - diff --git a/samba-4-15-username-map.patch b/samba-4-15-username-map.patch deleted file mode 100644 index 0687115..0000000 --- a/samba-4-15-username-map.patch +++ /dev/null 
@@ -1,321 +0,0 @@ -From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 1 Apr 2022 15:56:30 +0200 -Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a) ---- - selftest/target/Samba3.pm | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 62fb3d1e39e..b0ea9804c50 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss - my $extra_member_options = " - # bob:x:65521:65531:localbob gecos:/:/bin/false - # jane:x:65520:65531:localjane gecos:/:/bin/false -+ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false -+ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false - idmap config $dcvars->{DOMAIN} : backend = nss -- idmap config $dcvars->{DOMAIN} : range = 65520-65521 -+ idmap config $dcvars->{DOMAIN} : range = 65518-65521 - - # Support SMB1 so that we can use posix_whoami(). 
- client min protocol = CORE -@@ -2532,6 +2534,8 @@ sub provision($$) - my ($uid_slashuser); - my ($uid_localbob); - my ($uid_localjane); -+ my ($uid_localjackthemapper); -+ my ($uid_localjacknomapper); - - if ($unix_uid < 0xffff - 13) { - $max_uid = 0xffff; -@@ -2554,6 +2558,8 @@ sub provision($$) - $uid_slashuser = $max_uid - 13; - $uid_localbob = $max_uid - 14; - $uid_localjane = $max_uid - 15; -+ $uid_localjackthemapper = $max_uid - 16; -+ $uid_localjacknomapper = $max_uid - 17; - - if ($unix_gids[0] < 0xffff - 8) { - $max_gid = 0xffff; -@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false - slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false - bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false - jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false -+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false -+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false - "; - if ($unix_uid != 0) { - print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false -@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user: - createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); - createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); - createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); -+ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); -+ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); - - open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); - print DNS_UPDATE_LIST "A $server. 
$server_ip\n"; --- -2.34.1 - - -From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 08:30:23 +0200 -Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and - "jacknomappergroup" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d) ---- - selftest/target/Samba3.pm | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b0ea9804c50..131034a0e07 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -2527,6 +2527,8 @@ sub provision($$) - my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); - my ($gid_userdup, $gid_everyone); - my ($gid_force_user); -+ my ($gid_jackthemapper); -+ my ($gid_jacknomapper); - my ($uid_user1); - my ($uid_user2); - my ($uid_gooduser); -@@ -2575,6 +2577,8 @@ sub provision($$) - $gid_userdup = $max_gid - 6; - $gid_everyone = $max_gid - 7; - $gid_force_user = $max_gid - 8; -+ $gid_jackthemapper = $max_gid - 9; -+ $gid_jacknomapper = $max_gid - 10; - - ## - ## create conffile -@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins: - userdup:x:$gid_userdup:$unix_name - everyone:x:$gid_everyone: - force_user:x:$gid_force_user: -+jackthemappergroup:x:$gid_jackthemapper:jackthemapper -+jacknomappergroup:x:$gid_jacknomapper:jacknomapper - "; - if ($unix_gids[0] != 0) { - print GROUP "root:x:$gid_root: --- -2.34.1 - - -From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 08:31:41 +0200 -Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for - jackthemappergroup -MIME-Version: 1.0 -Content-Type: text/plain; 
charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Only for environment ad_member_idmap_nss. - -* !jacknompapper = \@jackthemappergroup - jackthemaper from group jackthemappergroup is mapped to jacknompapper - -* !root = jacknomappergroup - since there is no '@' or '+' prefix, it is not an UNIX group mapping - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979) ---- - selftest/target/Samba3.pm | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 131034a0e07..8d309f9c99a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss - - open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); - print USERMAP " -+!jacknomapper = \@jackthemappergroup -+!root = jacknomappergroup - root = $dcvars->{DOMAIN}/root - bob = $dcvars->{DOMAIN}/bob - "; --- -2.34.1 - - -From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 14:04:52 +0200 -Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0) ---- - selftest/knownfail.d/usernamemap | 1 + - source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++ - source3/selftest/tests.py | 2 ++ - 3 files changed, 31 insertions(+) - create mode 100644 selftest/knownfail.d/usernamemap - create mode 100755 source3/script/tests/test_usernamemap.sh - -diff --git a/selftest/knownfail.d/usernamemap 
b/selftest/knownfail.d/usernamemap -new file mode 100644 -index 00000000000..1c720fe892d ---- /dev/null -+++ b/selftest/knownfail.d/usernamemap -@@ -0,0 +1 @@ -+samba3.blackbox.smbclient_usernamemap.jacknomapper -diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh -new file mode 100755 -index 00000000000..3a3344a8781 ---- /dev/null -+++ b/source3/script/tests/test_usernamemap.sh -@@ -0,0 +1,28 @@ -+#!/bin/sh -+# -+# Copyright (c) 2022 Pavel Filipenský -+# -+# Tests for "username map" smb.conf parameter for UNIX groups -+ -+if [ $# -lt 2 ]; then -+cat < -Date: Fri, 25 Mar 2022 11:11:50 +0100 -Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power - -Autobuild-User(master): Noel Power -Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 - -(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4) ---- - selftest/knownfail.d/usernamemap | 1 - - source3/auth/user_util.c | 12 +++++++----- - 2 files changed, 7 insertions(+), 6 deletions(-) - delete mode 100644 selftest/knownfail.d/usernamemap - -diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap -deleted file mode 100644 -index 1c720fe892d..00000000000 ---- a/selftest/knownfail.d/usernamemap -+++ /dev/null -@@ -1 +0,0 @@ --samba3.blackbox.smbclient_usernamemap.jacknomapper -diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c -index 70b4f320c5e..aa765c2a692 100644 ---- a/source3/auth/user_util.c -+++ b/source3/auth/user_util.c -@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) - return false; - } - -- DBG_DEBUG("Checking user %s in list\n", user); -- - while (*list) { - const char *p = *list; -- bool ok; -+ bool 
check_unix_group = false; -+ -+ DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); - - /* Check raw username */ - if (strequal(user, p)) { -@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) - } - - while (*p == '@' || *p == '&' || *p == '+') { -+ if (*p == '@' || *p == '+') { -+ check_unix_group = true; -+ } - p++; - } - -- ok = user_in_group(user, p); -- if (ok) { -+ if (check_unix_group && user_in_group(user, p)) { - return true; - } - --- -2.34.1 - diff --git a/samba-4.16-waf-crypto.patch b/samba-4.16-waf-crypto.patch new file mode 100644 index 0000000..337be97 --- /dev/null +++ b/samba-4.16-waf-crypto.patch 
@@ -0,0 +1,77 @@
+From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 4 Apr 2022 11:24:04 +0200
+Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
+
+As GnuTLS is an essential part we need to check for it early so we can react on
+GnuTLS features in other wscripts.
+
+Signed-off-by: Andreas Schneider
+---
+ wscript | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wscript b/wscript
+index d8220b35095..5b85d9a1682 100644
+--- a/wscript
++++ b/wscript
+@@ -189,6 +189,8 @@ def configure(conf):
+ conf.RECURSE('dynconfig')
+ conf.RECURSE('selftest')
+ 
++ conf.PROCESS_SEPARATE_RULE('system_gnutls')
++
+ conf.CHECK_CFG(package='zlib', minversion='1.2.3',
+ args='--cflags --libs',
+ mandatory=True)
+@@ -297,8 +299,6 @@ def configure(conf):
+ if not conf.CONFIG_GET('KRB5_VENDOR'):
+ conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
+ 
+- conf.PROCESS_SEPARATE_RULE('system_gnutls')
+-
+ conf.RECURSE('source4/dsdb/samdb/ldb_modules')
+ conf.RECURSE('source4/ntvfs/sysdep')
+ conf.RECURSE('lib/util')
+-- 
+2.35.1
+
+
+From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 4 Apr 2022 11:25:31 +0200
+Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
+ provides the cipher
+
+Signed-off-by: Andreas Schneider
+---
+ third_party/wscript | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/wscript b/third_party/wscript
+index 1f4bc1ce1d7..a17c15bcaa7 100644
+--- a/third_party/wscript
++++ b/third_party/wscript
+@@ -5,7 +5,8 @@ from waflib import Options
+ def configure(conf):
+ conf.RECURSE('cmocka')
+ conf.RECURSE('popt')
+- conf.RECURSE('aesni-intel')
++ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++ conf.RECURSE('aesni-intel')
+ if conf.CONFIG_GET('ENABLE_SELFTEST'):
+ conf.RECURSE('socket_wrapper')
+ conf.RECURSE('nss_wrapper')
+@@ -18,7 +19,8 @@ def configure(conf):
+ def build(bld):
+ bld.RECURSE('cmocka')
+ bld.RECURSE('popt')
+- bld.RECURSE('aesni-intel')
++ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++ bld.RECURSE('aesni-intel')
+ if bld.CONFIG_GET('SOCKET_WRAPPER'):
+ bld.RECURSE('socket_wrapper')
+ if bld.CONFIG_GET('NSS_WRAPPER'):
+-- 
+2.35.1
+
diff --git a/samba-ctdb-etcd-reclock.patch b/samba-ctdb-etcd-reclock.patch
deleted file mode 100644
index 2a55408..0000000
--- a/samba-ctdb-etcd-reclock.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
-From: Martin Schwenke
-Date: Tue, 27 Apr 2021 15:46:14 +1000
-Subject: [PATCH] utils: Use Python 3
-
-Due to the number of flake8 and pylint warnings it is unclear if the
-source has Python 3 incompatibilities. These will be cleaned up in
-subsequent commits.
-
-Signed-off-by: "L.P.H. van Belle"
-Reviewed-by: Martin Schwenke
-Reviewed-by: David Disseldorp
-Reviewed-by: Jose A. Rivera
----
- ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
-index 000c6bb7208..7f5194eff0a 100755
---- a/ctdb/utils/etcd/ctdb_etcd_lock
-+++ b/ctdb/utils/etcd/ctdb_etcd_lock
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/env python3
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
--- 
-2.31.1
-
diff --git a/samba-disable-ntlmssp.patch b/samba-disable-ntlmssp.patch
deleted file mode 100644
index d80e85b..0000000
--- a/samba-disable-ntlmssp.patch
+++ /dev/null
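Review bot: The new samba-4.16-waf-crypto.patch carries neither a `BUG:` bugzilla reference nor a `(cherry picked from commit …)` trailer, unlike every other distro patch in this tree, so its two hunks cannot be traced to an upstream commit or audited for later follow-ups. Both inner commits should gain the trailers the other patches use, e.g. `BUG: <upstream-bugzilla-URL>` and `(cherry picked from commit <upstream-commit-id>)`, or the patch header should state that it is a downstream-only change. The `HAVE_GNUTLS_AES_CMAC` gate in third_party/wscript is only meaningful because the first hunk moves `conf.PROCESS_SEPARATE_RULE('system_gnutls')` ahead of the third_party recursion; a one-line note in the PATCH 2/2 description saying it depends on PATCH 1/2 would stop someone applying the second hunk alone and silently always building the bundled aesni-intel code. Whether samba.spec actually references this new patch file cannot be seen from this chunk and should be confirmed.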
@@ -1,764 +0,0 @@ -From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 10 Dec 2021 16:08:04 +0100 -Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) ---- - source3/utils/net_ads.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 6ab4a0096b1..8f993f9ba4c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, - char *cp; - const char *realm = NULL; - bool tried_closest_dc = false; -+ enum credentials_use_kerberos krb5_state = -+ CRED_USE_KERBEROS_DISABLED; - - /* lp_realm() should be handled by a command line param, - However, the join requires that realm be set in smb.conf -@@ -650,10 +652,28 @@ retry: - ads->auth.password = smb_xstrdup(c->opt_password); - } - -- ads->auth.flags |= auth_flags; - SAFE_FREE(ads->auth.user_name); - ads->auth.user_name = smb_xstrdup(c->opt_user_name); - -+ ads->auth.flags |= auth_flags; -+ -+ /* The ADS code will handle FIPS mode */ -+ krb5_state = cli_credentials_get_kerberos_state(c->creds); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= 
ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } -+ - /* - * If the username is of the form "name@realm", - * extract the realm and convert to upper case. --- -2.33.1 - - -From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 8 Dec 2021 16:05:17 +0100 -Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 60fa2bf80cb..b91e2d15bcf 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -1,18 +1,18 @@ --/* -+/* - Unix SMB/CIFS implementation. - ads sasl code - Copyright (C) Andrew Tridgell 2001 -- -+ - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. -- -+ - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. -- -+ - You should have received a copy of the GNU General Public License - along with this program. If not, see . - */ -@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { - .disconnect = ads_sasl_gensec_disconnect - }; - --/* -+/* - perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can - we fit on one socket??) 
- */ -@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, - - #endif /* HAVE_KRB5 */ - --/* -+/* - this performs a SASL/SPNEGO bind - */ - static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) -@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - file_save("sasl_spnego.dat", blob.data, blob.length); - #endif - -- /* the server sent us the first part of the SPNEGO exchange in the negprot -+ /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ - if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || - OIDs[0] == NULL) { -@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - #ifdef HAVE_KRB5 - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && -- got_kerberos_mechanism) -+ got_kerberos_mechanism) - { - mech = "KRB5"; - -@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - "calling kinit\n", ads_errstr(status))); - } - -- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); -+ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", -@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - } - - /* only fallback to NTLMSSP if allowed */ -- if (ADS_ERR_OK(status) || -+ if (ADS_ERR_OK(status) || - !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { - goto done; - } -@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - #endif - - /* lets do NTLMSSP ... 
this has the big advantage that we don't need -- to sync clocks, and we don't rely on special versions of the krb5 -+ to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", --- -2.33.1 - - -From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 9 Dec 2021 13:43:08 +0100 -Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) ---- - source3/libads/sasl.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index b91e2d15bcf..992f7022a69 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " - "for %s/%s with user[%s] realm[%s]: %s, " -- "fallback to NTLMSSP\n", -+ "try to fallback to NTLMSSP\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; -+ -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" -+ " disallowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_USE_KERBEROS_DISABLED, - p.service, 
p.hostname, --- -2.33.1 - - -From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 7 Jan 2022 10:31:19 +0100 -Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 992f7022a69..ea98aa47ecd 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - p.service, p.hostname, - blob); - if (!ADS_ERR_OK(status)) { -- DEBUG(0,("kinit succeeded but " -- "ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s\n", -+ DBG_ERR("kinit succeeded but " -+ "SPNEGO bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -- ads_errstr(status))); -+ ads_errstr(status)); - } - } - -@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - goto done; - } - -- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s, " -- "try to fallback to NTLMSSP\n", -- p.service, p.hostname, -- ads->auth.user_name, -- ads->auth.realm, -- ads_errstr(status))); -+ DBG_WARNING("SASL bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s, " -+ "try to fallback to NTLMSSP\n", -+ p.service, p.hostname, -+ ads->auth.user_name, -+ ads->auth.realm, -+ ads_errstr(status)); - } - #endif - --- -2.33.1 - - -From 
db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 11:13:06 +0100 -Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds - without kerberos) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) ---- - source3/libads/sasl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index ea98aa47ecd..1bcfe0490a8 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - -+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { -+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { - DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" - " disallowed.\n"); --- -2.33.1 - - -From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 15:33:46 +0100 -Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) ---- - .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ - 1 file changed, 41 
insertions(+) - create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh - -diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -new file mode 100755 -index 00000000000..2822ab29d14 ---- /dev/null -+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -@@ -0,0 +1,41 @@ -+#!/bin/sh -+# Blackbox tests for diabing NTLMSSP for ldap clinet connections -+# Copyright (c) 2022 Pavel Filipenský -+ -+if [ $# -lt 2 ]; then -+cat <&1 || failed=`expr $failed + 1` -+ -+# We should be allowed to use NTLM for connecting -+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+GNUTLS_FORCE_FIPS_MODE=1 -+export GNUTLS_FORCE_FIPS_MODE -+ -+# Checks that testparm reports: Weak crypto is disallowed -+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` -+ -+# We should not be allowed to use NTLM for connecting -+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." 
$samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+unset GNUTLS_FORCE_FIPS_MODE -+ -+exit $failed --- -2.33.1 - - -From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 4 Jan 2022 12:00:20 +0100 -Subject: [PATCH 07/10] s4:selftest: plan test suite - samba4.blackbox.test_weak_disable_ntlmssp_ldap -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) ---- - source4/selftest/tests.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 1e4b2ae6dd3..3a6a716f061 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo - - if have_gnutls_fips_mode_support: - plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) -+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) - - for env in ["ad_dc_fips", "ad_member_fips"]: - plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) --- -2.33.1 - - -From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:47:38 +0100 -Subject: [PATCH 08/10] s3:winbindd: 
Remove trailing spaces from winbindd_ads.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) ---- - source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- - 1 file changed, 19 insertions(+), 19 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 948c903f165..e415df347e6 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user_list: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * According to Section 5.1(4) of RFC 2251 if a value of a type is it's - * default value, it MUST be absent. In case of extensible matching the - * "dnattr" boolean defaults to FALSE and so it must be only be present -- * when set to TRUE. -+ * when set to TRUE. 
- * - * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a - * filter using bitwise matching rule then the buggy AD fails to decode -@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * - * Thanks to Ralf Haferkamp for input and testing - Guenther */ - -- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", -+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", - ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, -- ADS_LDAP_MATCHING_RULE_BIT_AND, -+ ADS_LDAP_MATCHING_RULE_BIT_AND, - enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); - - if (filter == NULL) { -@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); - - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - struct wb_acct_info **info) - { - /* -- * This is a stub function only as we returned the domain -+ * This is a stub function only as we returned the domain - * local groups in enum_dom_groups() if the domain->native field - * was true. This is a simple performance optimization when - * using LDAP. - * -- * if we ever need to enumerate domain local groups separately, -+ * if we ever need to enumerate domain local groups separately, - * then this optimization in enum_dom_groups() will need - * to be split out - */ -@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, - tokenGroups are not available. 
*/ - static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, -- const char *user_dn, -+ const char *user_dn, - struct dom_sid *primary_group, - uint32_t *p_num_groups, struct dom_sid **user_sids) - { -@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - if (count != 1) { - status = NT_STATUS_UNSUCCESSFUL; - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " -- "invalid number of results (count=%d)\n", -+ "invalid number of results (count=%d)\n", - dom_sid_str_buf(sid, &buf), - count)); - goto done; - } - - if (!msg) { -- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", -+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", - dom_sid_str_buf(sid, &buf))); - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - } - - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { -- DEBUG(1,("%s: No primary group for sid=%s !?\n", -+ DEBUG(1,("%s: No primary group for sid=%s !?\n", - domain->name, - dom_sid_str_buf(sid, &buf))); - goto done; -@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - - count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); - -- /* there must always be at least one group in the token, -+ /* there must always be at least one group in the token, - 
unless we are talking to a buggy Win2k server */ - - /* actually this only happens when the machine account has no read -@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - /* lookup what groups this user is a member of by DN search on - * "member" */ - -- status = lookup_usergroups_member(domain, mem_ctx, user_dn, -+ status = lookup_usergroups_member(domain, mem_ctx, user_dn, - &primary_group, - &num_groups, user_sids); - *p_num_groups = num_groups; -@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " - "not map any SIDs at all.\n")); - /* Don't handle this as an error here. -- * There is nothing left to do with respect to the -+ * There is nothing left to do with respect to the - * overall result... */ - } - else if (!NT_STATUS_IS_OK(status)) { -@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, - NETR_TRUST_FLAG_IN_FOREST; - } else { - flags = NETR_TRUST_FLAG_IN_FOREST; -- } -+ } - - result = cm_connect_netlogon(domain, &cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("trusted_domains: Could not open a connection to %s " -- "for PIPE_NETLOGON (%s)\n", -+ "for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); - return NT_STATUS_UNSUCCESSFUL; - } --- -2.33.1 - - -From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:44:54 +0100 -Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) ---- - 
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index e415df347e6..6f01ef6e334 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -34,6 +34,7 @@ - #include "../libds/common/flag_mapping.h" - #include "libsmb/samlogon_cache.h" - #include "passdb.h" -+#include "auth/credentials/credentials.h" - - #ifdef HAVE_ADS - -@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ADS_STATUS status; - struct sockaddr_storage dc_ss; - fstring dc_name; -+ enum credentials_use_kerberos krb5_state; - - if (auth_realm == NULL) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); -@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ads->auth.renewable = renewable; - ads->auth.password = password; - -- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. 
*/ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - ads->auth.realm = SMB_STRDUP(auth_realm); - if (!strupper_m(ads->auth.realm)) { --- -2.33.1 - - -From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 21 Jan 2022 12:01:33 +0100 -Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 - -(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) ---- - source3/libnet/libnet_join.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 02705f1c70c..4c67e9af5c4 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - ADS_STATUS status; - ADS_STRUCT *my_ads = NULL; - char *cp; -+ enum credentials_use_kerberos krb5_state; - - my_ads = ads_init(dns_domain_name, - netbios_domain_name, -@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. */ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - if (user_name) { - SAFE_FREE(my_ads->auth.user_name); --- -2.33.1 - diff --git a/samba-disable-systemd-notifications.patch b/samba-disable-systemd-notifications.patch deleted file mode 100644 index 9e57630..0000000 --- a/samba-disable-systemd-notifications.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 -From: "FeRD (Frank Dana)" -Date: Mon, 24 Jan 2022 22:14:31 -0500 -Subject: [PATCH] printing/bgqd: Disable systemd notifications - -samba-bgqd daemon is started by existing Samba daemons. When running -under systemd, those daemons control systemd notifications and -samba-bgqd messages need to be silenced. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 - -Signed-off-by: FeRD (Frank Dana) -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) ---- - source3/printing/samba-bgqd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c -index f21327fc622..59ed0cc40db 100644 ---- a/source3/printing/samba-bgqd.c -+++ b/source3/printing/samba-bgqd.c -@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) - - log_stdout = (debug_get_log_type() == DEBUG_STDOUT); - -+ /* main process will notify systemd */ -+ daemon_sd_notifications(false); -+ - if (!cmdline_daemon_cfg->fork) { - daemon_status(progname, "Starting process ... "); - } else { --- -2.34.1 - diff --git a/samba-glibc-dns.patch b/samba-glibc-dns.patch deleted file mode 100644 index c01d481..0000000 --- a/samba-glibc-dns.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Oct 2021 15:55:37 +0200 -Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34 - -With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper -anymore. The res_* symbols have been moved from libresolv to libc. We are not -able to intercept any traffic inside of libc. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - selftest/wscript | 2 +- - third_party/resolv_wrapper/wscript | 13 +++++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/selftest/wscript b/selftest/wscript -index a6be06c2ae9..85d9338489a 100644 ---- a/selftest/wscript -+++ b/selftest/wscript -@@ -252,7 +252,7 @@ def cmd_testonly(opt): - if os.environ.get('USE_NAMESPACES') is None: - env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') - -- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'): -+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): - env.OPTIONS += " --use-dns-faking" - - if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): -diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript -index a7f18389b0f..7e369bd90b5 100644 ---- a/third_party/resolv_wrapper/wscript -+++ b/third_party/resolv_wrapper/wscript -@@ -1,6 +1,7 @@ - #!/usr/bin/env python - - import os -+from waflib import Logs - - VERSION="1.1.7" - -@@ -49,6 +50,18 @@ def configure(conf): - if conf.CONFIG_SET('HAVE_RES_NCLOSE'): - conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1) - -+ # If we find res_nquery in libc, we can't do resolv.conf redirect -+ conf.CHECK_FUNCS('res_nquery __res_nquery') -+ if (conf.CONFIG_SET('HAVE_RES_NQUERY') -+ or conf.CONFIG_SET('HAVE___RES_NQUERY')): -+ Logs.warn("Detection for resolv_wrapper: " -+ "Only dns faking will be available") -+ else: -+ if 
conf.CHECK_FUNCS('res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ - conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True) --- -2.33.1 - diff --git a/samba-password-change-prompt.patch b/samba-password-change-prompt.patch deleted file mode 100644 index 5dee86c..0000000 --- a/samba-password-change-prompt.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 17 Nov 2021 09:56:09 +0100 -Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to - off). - -This change disables the prompt for the change of an expired password by -default (using the PAM_RADIO_TYPE mechanism if present). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) ---- - docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ - nsswitch/pam_winbind.c | 12 ++++++++++-- - nsswitch/pam_winbind.h | 1 + - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml -index 0bc288f91a1..bae9298fc32 100644 ---- a/docs-xml/manpages/pam_winbind.conf.5.xml -+++ b/docs-xml/manpages/pam_winbind.conf.5.xml -@@ -194,6 +194,13 @@ - - - -+ -+ pwd_change_prompt = yes|no -+ -+ Generate prompt for changing an expired password. Defaults to "no". 
-+ -+ -+ - - - -diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c -index 720a4b90d85..06098dd07d8 100644 ---- a/nsswitch/pam_winbind.c -+++ b/nsswitch/pam_winbind.c -@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, - ctrl |= WINBIND_MKHOMEDIR; - } - -+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; -+ } -+ - config_from_pam: - /* step through arguments */ - for (i=argc,v=argv; i-- > 0; ++v) { -@@ -522,6 +526,8 @@ config_from_pam: - else if (!strncasecmp(*v, "warn_pwd_expire", - strlen("warn_pwd_expire"))) - ctrl |= WINBIND_WARN_PWD_EXPIRE; -+ else if (!strcasecmp(*v, "pwd_change_prompt")) -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; - else if (type != PAM_WINBIND_CLEANUP) { - __pam_log(pamh, ctrl, LOG_ERR, - "pam_parse: unknown option: %s", *v); -@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. - */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. 
- */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h -index c6786d65a4d..2f4a25729bd 100644 ---- a/nsswitch/pam_winbind.h -+++ b/nsswitch/pam_winbind.h -@@ -157,6 +157,7 @@ do { \ - #define WINBIND_WARN_PWD_EXPIRE 0x00002000 - #define WINBIND_MKHOMEDIR 0x00004000 - #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 -+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 - - #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) - #define _(string) dgettext(MODULE_NAME, string) --- -2.35.1 - diff --git a/samba-printing-win7.patch b/samba-printing-win7.patch deleted file mode 100644 index d1a6b6a..0000000 --- a/samba-printing-win7.patch +++ /dev/null 
@@ -1,229 +0,0 @@ -From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 22 Jan 2022 01:08:26 +0100 -Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls - -This is important for the source3/rpc_server code as it might -be called embedded in smbd and may not run as root with access -to our private tdb/ldb files. - -Note this is only really needed for 4.15 and older, as -we no longer run the rpc_server embedded in smbd, -but we better be consistent for now. - -This should be able to fix the problem the printing no longer works -on Windows 7 with 2021-10 monthly rollup patch (KB5006743). - -Windows uses NTLMSSP with privacy at the DCERPC layer on top -of NCACN_NP (smb). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) ---- - librpc/rpc/dcesrv_auth.c | 5 +++++ - librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ - librpc/rpc/dcesrv_core.h | 2 ++ - source3/rpc_server/rpc_config.c | 2 ++ - source4/rpc_server/service_rpc.c | 10 ++++++++++ - 5 files changed, 37 insertions(+) - -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index fec8df513a83..99d8e0162160 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) - auth->auth_level = call->in_auth_info.auth_level; - auth->auth_context_id = call->in_auth_info.auth_context_id; - -+ cb->auth.become_root(); - status = cb->auth.gensec_prepare( - auth, - call, - &auth->gensec_security, - cb->auth.private_data); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", - nt_errstr(status))); -@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) - NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state 
*call, NTSTATUS status) - { - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - const char *pdu = ""; - - switch (call->pkt.ptype) { -@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) - return status; - } - -+ cb->auth.become_root(); - status = gensec_session_info(auth->gensec_security, - auth, - &auth->session_info); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to establish session_info: %s\n", - nt_errstr(status))); -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index d16159b0b6cd..ea91fc689b4a 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - struct dcerpc_binding *ep_2nd_description = NULL; - const char *endpoint = NULL; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct dcerpc_ack_ctx *ack_features = NULL; - struct tevent_req *subreq = NULL; -@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = 
dcesrv_auth_complete(call, status); -@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - { - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct tevent_req *subreq = NULL; - NTSTATUS status; - -@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - return NT_STATUS_OK; - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - struct ncacn_packet *pkt = &call->ack_pkt; - uint32_t extra_flags = 0; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct tevent_req *subreq = NULL; - size_t i; -@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req 
*subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h -index d8d5f9030959..0538442e0ce6 100644 ---- a/librpc/rpc/dcesrv_core.h -+++ b/librpc/rpc/dcesrv_core.h -@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { - struct gensec_security **out, - void *private_data); - void *private_data; -+ void (*become_root)(void); -+ void (*unbecome_root)(void); - } auth; - struct { - NTSTATUS (*find)( -diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c -index 2f1a01da1c0b..289c4f398409 100644 ---- a/source3/rpc_server/rpc_config.c -+++ b/source3/rpc_server/rpc_config.c -@@ -31,6 +31,8 @@ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = dcesrv_log_successful_authz, - .auth.gensec_prepare = dcesrv_auth_gensec_prepare, -+ .auth.become_root = become_root, -+ .auth.unbecome_root = unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - -diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c -index d8c6746d7815..ebb50f8a7ef3 100644 ---- a/source4/rpc_server/service_rpc.c -+++ b/source4/rpc_server/service_rpc.c -@@ -40,9 +40,19 @@ - #include "../libcli/named_pipe_auth/npa_tstream.h" - #include "samba/process_model.h" - -+static void skip_become_root(void) -+{ -+} -+ -+static void skip_unbecome_root(void) -+{ -+} -+ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = log_successful_dcesrv_authz_event, - .auth.gensec_prepare = dcesrv_gensec_prepare, -+ .auth.become_root = skip_become_root, -+ .auth.unbecome_root = 
skip_unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - --- -2.25.1 - diff --git a/samba-s4u.patch b/samba-s4u.patch index 8e84d96..5d3cb55 100644 --- a/samba-s4u.patch +++ b/samba-s4u.patch @@ -1,4 +1,4 @@ -From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:25:03 +0300 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support @@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 71 insertions(+), 106 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index f35210669c2..b1c7c5dcc5e 100644 +index 793fe366c35..22534c09974 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, krb5_keyblock *krbtgt_key, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, @@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644 mit_ctx = ks_get_context(context); if (mit_ctx == NULL) { -@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, @@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { goto done; } -@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = mit_samba_reget_pac(mit_ctx, context, flags, 
@@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644 return code; } -@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **pac_auth_data = NULL; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644 krb5_error_code code; krb5_pac pac = NULL; krb5_data pac_data; -@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; @@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); /* -@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, ks_client_princ = client->princ; } @@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (client_entry == NULL) { client_entry = client; } -@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, code = ks_verify_pac(context, flags, @@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644 client_entry, server, krbtgt, -@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, is_as_req ? "AS-REQ" : "TGS-REQ", client_name); code = krb5_pac_sign(context, pac, authtime, ks_client_princ, 
@@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); goto done; -@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, KRB5_AUTHDATA_IF_RELEVANT, authdata, signed_auth_data); @@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644 done: if (client_entry != NULL && client_entry != client) { ks_free_principal(context, client_entry); -@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, +@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, * server; -> delegating service * proxy; -> target principal */ @@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 4239332f0d9..acc3cba6254 100644 +index cb72b5de294..03c2c2ea1de 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, +@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, context, *pac, server->princ, 
@@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644 deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Update delegation info failed: %s\n", -@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, } int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644 static krb5_error_code mit_samba_change_pwd_error(krb5_context context, diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 636c77ec97c..9cb00c9610e 100644 +index 4431e82a1b2..9370ab533af 100644 --- a/source4/kdc/mit_samba.h +++ b/source4/kdc/mit_samba.h -@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, DATA_BLOB *e_data); int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -333,10 +333,10 @@ index 636c77ec97c..9cb00c9610e 100644 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, char *pwd, -- -2.33.1 +2.37.1 -From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:35:30 +0300 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build @@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 185 insertions(+), 13 deletions(-) 
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..791b417d5ba 100644 +index 4321f07ca09..3fd95e47fca 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c -@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, +@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, return 0; } @@ -546,7 +546,7 @@ index fff5b4e2a22..791b417d5ba 100644 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index eab67f6d969..b5385c69a33 100644 +index a66b7465530..c8573f52bd9 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, @@ -611,66 +611,23 @@ index 544d9d853cc..c14d8c72d8c 100644 ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, ccache, -- -2.33.1 +2.37.1 -From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 
From: Isaac Boukris Date: Sat, 19 Sep 2020 14:16:20 +0200 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code --- - source4/heimdal/lib/hdb/hdb.h | 1 + - source4/kdc/db-glue.c | 8 ++++++-- - source4/kdc/mit_samba.c | 3 +++ - source4/kdc/sdb.h | 1 + - 4 files changed, 11 insertions(+), 2 deletions(-) + source4/kdc/mit_samba.c | 3 +++ + 1 file changed, 3 insertions(+) -diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h -index 5ef9d9565f3..dafaffc6c2d 100644 ---- a/source4/heimdal/lib/hdb/hdb.h -+++ b/source4/heimdal/lib/hdb/hdb.h -@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; - #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ - #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ - - /* hdb_capability_flags */ - #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index aff74f2ee71..d16b4c3329a 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, - } - } - -- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { -+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { - krb5_clear_error_message(context); - goto out; - } -- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { -+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ - /* - * SDB_F_CANON maps from the canonicalize flag in the - * packet, and has a different meaning between AS-REQ - * and TGS-REQ. 
We only change the principal in the AS-REQ case -+ * -+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants -+ * the canonical name in all lookups, and takes care to canonicalize -+ * only when appropriate. - */ - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index acc3cba6254..f0b9df8b613 100644 +index 03c2c2ea1de..30fade56531 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, +@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { sflags |= SDB_F_CANON; } @@ -680,18 +637,6 @@ index acc3cba6254..f0b9df8b613 100644 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_INCLUDE_PAC)) { /* -diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h -index c929acccce6..a9115ec23d7 100644 ---- a/source4/kdc/sdb.h -+++ b/source4/kdc/sdb.h -@@ -116,6 +116,7 @@ struct sdb_entry_ex { - #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ - #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ - - void sdb_free_entry(struct sdb_entry_ex *e); - void free_sdb_entry(struct sdb_entry *s); -- -2.33.1 +2.37.1 diff --git a/samba-virus_scanner.patch b/samba-virus_scanner.patch deleted file mode 100644 index 6e243da..0000000 --- a/samba-virus_scanner.patch +++ /dev/null 
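Review bot: This rebase drops the sdb.h/hdb.h definitions of `SDB_F_FORCE_CANON` / `HDB_F_FORCE_CANON` and the db-glue.c branch that honoured the flag, yet keeps the mit_samba.c hunk of patch 3/3 in `mit_samba_get_principal()` whose three added lines (presumably the `sflags |= SDB_F_FORCE_CANON;` assignment) fall between this outer hunk and the next and are not visible here. That only builds if samba 4.16 already carries `SDB_F_FORCE_CANON` and the matching canonicalisation path in db-glue.c upstream; the inner patch gives no hint either way, so its body should state that the flag is now provided by upstream, and the unchanged `Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code` should lose the `wip:` marker now that it ships in a production build, since this flag decides which principal name the KDC returns for a lookup. Note also that the removed db-glue.c hunk carried the unresolved `// was this supposed to be || ?` question on the `ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL` condition; dropping the hunk closes that question without answering it, which is worth a sentence in the description.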
@@ -1,597 +0,0 @@ -From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Feb 2022 16:33:10 +0100 -Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd - -We have the env variable SERVER_LOG_LEVEL which allows you to change -the log level on the command line. If we force -d0 this will not work. - -make test TESTS="samba" SERVER_LOG_LEVEL=10 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) ---- - selftest/target/Samba3.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b901fd2677a..64a9a791a61 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -2153,7 +2153,7 @@ sub make_bin_cmd - { - my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; - -- my @optargs = ("-d0"); -+ my @optargs = (); - if (defined($options)) { - @optargs = split(/ /, $options); - } --- -2.34.1 - - -From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 12:07:03 +0100 -Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses - filename matching -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1) ---- - source3/modules/vfs_virusfilter.c | 12 +++++ - source3/modules/vfs_virusfilter_common.h | 4 ++ - source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++ - source3/modules/wscript_build | 1 + - 4 files changed, 75 insertions(+) - create mode 100644 source3/modules/vfs_virusfilter_dummy.c - -diff --git a/source3/modules/vfs_virusfilter.c 
b/source3/modules/vfs_virusfilter.c -index 9fafe4e5d41..e6cbee7cd45 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -35,12 +35,14 @@ - - enum virusfilter_scanner_enum { - VIRUSFILTER_SCANNER_CLAMAV, -+ VIRUSFILTER_SCANNER_DUMMY, - VIRUSFILTER_SCANNER_FSAV, - VIRUSFILTER_SCANNER_SOPHOS - }; - - static const struct enum_list scanner_list[] = { - { VIRUSFILTER_SCANNER_CLAMAV, "clamav" }, -+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" }, - { VIRUSFILTER_SCANNER_FSAV, "fsav" }, - { VIRUSFILTER_SCANNER_SOPHOS, "sophos" }, - { -1, NULL } -@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect( - int snum = SNUM(handle->conn); - struct virusfilter_config *config = NULL; - const char *exclude_files = NULL; -+ const char *infected_files = NULL; - const char *temp_quarantine_dir_mode = NULL; - const char *infected_file_command = NULL; - const char *scan_error_command = NULL; -@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect( - set_namearray(&config->exclude_files, exclude_files); - } - -+ infected_files = lp_parm_const_string( -+ snum, "virusfilter", "infected files", NULL); -+ if (infected_files != NULL) { -+ set_namearray(&config->infected_files, infected_files); -+ } -+ - config->cache_entry_limit = lp_parm_int( - snum, "virusfilter", "cache entry limit", 100); - -@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( - case VIRUSFILTER_SCANNER_CLAMAV: - ret = virusfilter_clamav_init(config); - break; -+ case VIRUSFILTER_SCANNER_DUMMY: -+ ret = virusfilter_dummy_init(config); -+ break; - default: - DBG_ERR("Unhandled scanner %d\n", backend); - return -1; -diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h -index f71b0b949a7..463a9d74e9c 100644 ---- a/source3/modules/vfs_virusfilter_common.h -+++ b/source3/modules/vfs_virusfilter_common.h -@@ -83,6 +83,9 @@ struct virusfilter_config { - /* Exclude files */ - name_compare_entry *exclude_files; - -+ /* Infected files */ -+ 
name_compare_entry *infected_files; -+ - /* Scan result cache */ - struct virusfilter_cache *cache; - int cache_entry_limit; -@@ -149,5 +152,6 @@ struct virusfilter_backend { - int virusfilter_sophos_init(struct virusfilter_config *config); - int virusfilter_fsav_init(struct virusfilter_config *config); - int virusfilter_clamav_init(struct virusfilter_config *config); -+int virusfilter_dummy_init(struct virusfilter_config *config); - - #endif /* _VIRUSFILTER_COMMON_H */ -diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c -new file mode 100644 -index 00000000000..03405cd6629 ---- /dev/null -+++ b/source3/modules/vfs_virusfilter_dummy.c -@@ -0,0 +1,58 @@ -+/* -+ Samba-VirusFilter VFS modules -+ Dummy scanner with infected files support. -+ Copyright (C) 2022 Pavel Filipenský -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "modules/vfs_virusfilter_utils.h" -+ -+static virusfilter_result virusfilter_dummy_scan( -+ struct vfs_handle_struct *handle, -+ struct virusfilter_config *config, -+ const struct files_struct *fsp, -+ char **reportp) -+{ -+ bool ok; -+ -+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp)); -+ ok = is_in_path(fsp->fsp_name->base_name, -+ config->infected_files, -+ false); -+ return ok ? 
VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN; -+} -+ -+static struct virusfilter_backend_fns virusfilter_backend_dummy = { -+ .connect = NULL, -+ .disconnect = NULL, -+ .scan_init = NULL, -+ .scan = virusfilter_dummy_scan, -+ .scan_end = NULL, -+}; -+ -+int virusfilter_dummy_init(struct virusfilter_config *config) -+{ -+ struct virusfilter_backend *backend = NULL; -+ -+ backend = talloc_zero(config, struct virusfilter_backend); -+ if (backend == NULL) { -+ return -1; -+ } -+ -+ backend->fns = &virusfilter_backend_dummy; -+ backend->name = "dummy"; -+ config->backend = backend; -+ return 0; -+} -diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build -index 40df4539392..ff318c3fa06 100644 ---- a/source3/modules/wscript_build -+++ b/source3/modules/wscript_build -@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', - vfs_virusfilter_sophos.c - vfs_virusfilter_fsav.c - vfs_virusfilter_clamav.c -+ vfs_virusfilter_dummy.c - ''', - deps='samba-util VFS_VIRUSFILTER_UTILS', - init_function='', --- -2.34.1 - - -From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 22:35:29 +0100 -Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and - 'virusfilter:infected files' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969) ---- - docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml -index 329a35af68a..88f91d73a42 100644 ---- a/docs-xml/manpages/vfs_virusfilter.8.xml -+++ b/docs-xml/manpages/vfs_virusfilter.8.xml -@@ -48,6 +48,10 @@ - scanner - clamav, the 
ClamAV - scanner -+ dummy, dummy scanner used in -+ tests. Checks against the infected files -+ parameter and flags any name that matches as infected. -+ - - - -@@ -264,6 +268,14 @@ - - - -+ -+ virusfilter:infected files = empty -+ -+ Files that virusfilter dummy flags as infected. -+ If this option is not set, the default is empty. -+ -+ -+ - - virusfilter:block access on error = false - --- -2.34.1 - - -From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:34:56 +0100 -Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a) ---- - selftest/target/Samba3.pm | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 64a9a791a61..7584a0e7ba9 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -188,7 +188,7 @@ sub getlog_env_app($$$) - close(LOG); - - return "" if $out eq $title; -- -+ - return $out; - } - -@@ -2426,7 +2426,7 @@ sub provision($$) - my $nmbdsockdir="$prefix_abs/nmbd"; - unlink($nmbdsockdir); - -- ## -+ ## - ## create the test directory layout - ## - die ("prefix_abs = ''") if $prefix_abs eq ""; -@@ -3290,7 +3290,7 @@ sub provision($$) - unless (open(PASSWD, ">$nss_wrapper_passwd")) { - warn("Unable to open $nss_wrapper_passwd"); - return undef; -- } -+ } - print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false - $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false - pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false --- -2.34.1 - - -From 
b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:35:48 +0100 -Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544) ---- - selftest/knownfail.d/virus_scanner | 2 + - selftest/target/Samba3.pm | 12 ++ - source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++ - source3/selftest/tests.py | 9 ++ - 4 files changed, 147 insertions(+) - create mode 100644 selftest/knownfail.d/virus_scanner - create mode 100755 source3/script/tests/test_virus_scanner.sh - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -new file mode 100644 -index 00000000000..6df3fd20627 ---- /dev/null -+++ b/selftest/knownfail.d/virus_scanner -@@ -0,0 +1,2 @@ -+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') -+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 7584a0e7ba9..c1d0c60d96a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1688,6 +1688,9 @@ sub setup_fileserver - my $veto_sharedir="$share_dir/veto"; - push(@dirs,$veto_sharedir); - -+ my $virusfilter_sharedir="$share_dir/virusfilter"; -+ push(@dirs,$virusfilter_sharedir); -+ - my $ip4 = Samba::get_ipv4_addr("FILESERVER"); - my $fileserver_options = " - kernel change notify = yes -@@ -1813,6 +1816,15 @@ sub setup_fileserver - path = $veto_sharedir - delete veto files = yes - -+[virusfilter] -+ path = $virusfilter_sharedir -+ vfs 
objects = acl_xattr virusfilter -+ virusfilter:scanner = dummy -+ virusfilter:min file size = 0 -+ virusfilter:infected files = *infected* -+ virusfilter:infected file action = rename -+ virusfilter:scan on close = yes -+ - [homes] - comment = Home directories - browseable = No -diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh -new file mode 100755 -index 00000000000..2234ea6ca89 ---- /dev/null -+++ b/source3/script/tests/test_virus_scanner.sh -@@ -0,0 +1,124 @@ -+#!/bin/sh -+# Copyright (c) 2022 Pavel Filipenský -+# shellcheck disable=1091 -+ -+if [ $# -lt 4 ]; then -+cat <fsp_flags.modified -+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/infected.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}" -+ -+ # check that virusfilter:rename prefix/suffix was added -+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then -+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing." -+ return 1 -+ fi -+ -+ # check that file was not uploaded -+ if [ -f "${sharedir}/infected.upload.txt" ]; then -+ echo "ERROR: {sharedir}/${smbfile} should not exist." -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_read() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_write() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" 
> "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+testit "check_infected_read" check_infected_read || failed=$((failed + 1)) -+testit "check_infected_write" check_infected_write || failed=$((failed + 1)) -+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1)) -+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1)) -+ -+testok "$0" "$failed" -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 701be011f70..6b146c76381 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", - '$SERVER_IP', - "tmp"]) - -+env = 'fileserver' -+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), -+ [os.path.join(samba3srcdir, -+ "script/tests/test_virus_scanner.sh"), -+ '$SERVER_IP', -+ "virusfilter", -+ '$LOCAL_PATH', -+ smbclient3]) -+ - for env in ['fileserver', 'simpleserver']: - plantestsuite("samba3.blackbox.smbclient.encryption", env, - [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"), --- -2.34.1 - - -From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 7 Feb 2022 23:06:10 +0100 -Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas 
Schneider - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184 - -(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c) ---- - selftest/knownfail.d/virus_scanner | 2 -- - source3/modules/vfs_virusfilter.c | 6 +++--- - 2 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/virus_scanner - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -deleted file mode 100644 -index 6df3fd20627..00000000000 ---- a/selftest/knownfail.d/virus_scanner -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') --^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index e6cbee7cd45..d1554967ad1 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, - */ - goto virusfilter_vfs_open_next; - } -- ret = S_ISREG(smb_fname->st.st_ex_mode); -+ ret = S_ISREG(sbuf.st_ex_mode); - if (ret == 0) { - DBG_INFO("Not scanned: Directory or special file: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->max_file_size > 0 && -- smb_fname->st.st_ex_size > config->max_file_size) -+ sbuf.st_ex_size > config->max_file_size) - { - DBG_INFO("Not scanned: file size > max file size: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->min_file_size > 0 && -- smb_fname->st.st_ex_size < config->min_file_size) -+ sbuf.st_ex_size < config->min_file_size) - { - DBG_INFO("Not scanned: file size < min file size: %s/%s\n", - cwd_fname, fname); --- -2.34.1 - diff --git a/samba.spec b/samba.spec index 5741650..4bbf480 100644 --- a/samba.spec +++ b/samba.spec 
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 # The testsuite is disabled by default.
 #
 # To build and run the tests use:
@@ -53,7 +52,9 @@
 # Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora
 %if 0%{?fedora}
-%ifarch aarch64 ppc64le s390x x86_64
+# ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172
+#%%ifarch aarch64 ppc64le s390x x86_64
+%ifarch aarch64 s390x x86_64
 %bcond_without vfs_cephfs
 %bcond_without ceph_mutex
 %else
@@ -70,7 +71,7 @@
 # Build vfs_gluster module by default on 64bit Fedora
 %global is_rhgs 0
-%if "%{dist}" == ".el8rhgs" || "%{dist}" == ".el9rhgs"
+%if "%{dist}" == ".el7rhgs" || "%{dist}" == ".el8rhgs"
 %global is_rhgs 1
 %endif
@@ -133,13 +134,13 @@
 %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%global baserelease 10
+%global baserelease 4
-%global samba_version 4.15.5
+%global samba_version 4.16.4
 %global talloc_version 2.3.3
-%global tdb_version 1.4.4
-%global tevent_version 0.11.0
-%global ldb_version 2.4.1
+%global tdb_version 1.4.6
+%global tevent_version 0.12.0
+%global ldb_version 2.5.2
 # This should be rc1 or nil
 %global pre_release %nil
@@ -170,7 +171,7 @@
 Name: samba
 Version: %{samba_version}
-Release: %{samba_release}%{anolis_release}%{?dist}
+Release: %{samba_release}%{?dist}
 %if 0%{?rhel}
 Epoch: 0
@@ -204,20 +205,10 @@ Source15: samba.abignore
 Source201: README.downgrade
 Patch0: samba-s4u.patch
-Patch1: samba-ctdb-etcd-reclock.patch
-Patch2: samba-glibc-dns.patch
-Patch3: samba-printing-win7.patch
-Patch4: samba-disable-systemd-notifications.patch
-Patch5: samba-disable-ntlmssp.patch
-Patch6: samba-password-change-prompt.patch
-Patch7: samba-virus_scanner.patch
-Patch8: samba-4-15-fix-autorid.patch
-Patch9: samba-4-15-fix-winbind-refresh-tickets.patch
-Patch10: samba-4-15-fix-create-local-krb5-conf.patch
-Patch11: samba-4-15-username-map.patch
-Patch12: samba-4-15-kerberos-clock-skew.patch
-Patch13: samba-4-15-smbd-upn.patch
-Patch14: CVE-2022-32742-v4-15.patch
+# https://gitlab.com/samba-team/samba/-/merge_requests/2477
+Patch1: samba-4.16-waf-crypto.patch
+Patch2: CVE-2022-38023-v4-16.patch
+Patch3: CVE-2022-38023-for-s3-v4-16.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -339,7 +330,7 @@ BuildRequires: python3-etcd
 # Add python3-iso8601 to avoid that the
 # version in Samba is being packaged
 BuildRequires: python3-iso8601
-BuildRequires: python3-pyasn1
+BuildRequires: python3-pyasn1 >= 0.4.8
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
@@ -376,12 +367,18 @@ BuildRequires: lmdb-devel
 %if %{with dc} || %{with testsuite}
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
-BuildRequires: ldb-tools
 BuildRequires: python3-gpg
 BuildRequires: python3-markdown
 BuildRequires: python3-setproctitle
 BuildRequires: python3-cryptography
+
+%if %{without includelibs}
 BuildRequires: tdb-tools
+BuildRequires: ldb-tools
+#endif without includelibs
+%endif
+
+#endif with dc || with testsuite
 %endif
 # filter out perl requirements pulled in from examples in the docdir.
@@ -440,8 +437,10 @@ SMB/CIFS clients.
 Summary: Files used by both Samba servers and clients
 BuildArch: noarch
-Requires(post): systemd
+Requires(post): (systemd-standalone-tmpfiles or systemd)
+%if 0%{?fedora}
 Recommends: logrotate
+%endif
 Provides: samba4-common = %{samba_depver}
 Obsoletes: samba4-common < %{samba_depver}
@@ -504,6 +503,8 @@ Requires: python3-%{name} = %{samba_depver}
 # samba-tool needs tdbbackup
 Requires: tdb-tools
 %if %{with dc}
+# samba-tool needs python3-samba-dc on a full build
+Requires: python3-%{name}-dc = %{samba_depver}
 # samba-tool needs mdb_copy for domain backup or upgrade provision
 Requires: lmdb
 %endif
@@ -519,6 +520,8 @@ SMB/CIFS clients.
 %package dc
 Summary: Samba AD Domain Controller
 Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-provision = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
@@ -559,6 +562,7 @@ The samba-dc-provision package provides files to setup a domain controller
 ### DC-LIBS
 %package dc-libs
 Summary: Samba AD Domain Controller Libraries
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
@@ -574,9 +578,11 @@ link against the SMB, RPC and other protocols.
 ### DC-BIND
 %package dc-bind-dlz
 Summary: Bind DLZ module for Samba AD
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
 Requires: %{name}-dc = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
 Requires: bind
 Provides: bundled(libreplace)
@@ -592,6 +598,9 @@ name server related details of Samba AD.
 Summary: Developer tools for Samba libraries
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
+%if %{with dc}
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
 Provides: samba4-devel = %{samba_depver}
 Obsoletes: samba4-devel < %{samba_depver}
@@ -606,6 +615,7 @@ libraries in the Samba suite.
 %package vfs-cephfs
 Summary: Samba VFS module for Ceph distributed storage system
 Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Provides: bundled(libreplace)
@@ -741,6 +751,9 @@ Summary: Samba Python3 libraries
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
+%if %{with dc}
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
 Requires: python3-talloc
 Requires: python3-tevent
 Requires: python3-tdb
@@ -779,6 +792,8 @@ If you want to run full set of Samba tests, you need to install this package.
 %if %{with dc} || %{with testsuite}
 %package -n python3-samba-dc
 Summary: Samba Python libraries for Samba AD
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-dc-libs = %{samba_depver}
 Requires: python3-%{name} = %{samba_depver}
 %description -n python3-samba-dc
@@ -1032,6 +1047,7 @@ and use CTDB instead.
 Summary: CTDB PCP pmda support
 Requires: ctdb = %{samba_depver}
 Requires: pcp-libs
+Requires: %{name}-client-libs = %{samba_depver}
 %description -n ctdb-pcp-pmda
 Performance Co-Pilot (PCP) support for CTDB
@@ -1073,6 +1089,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1
+# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
+# the sources.
+rm -rf third_party/{aesni-intel,heimdal}
+rm -f lib/crypto/{aes,rijndael}*.c
+
 %build
 %if %{with includelibs}
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1087,7 +1108,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 #endif with includelibs
 %endif
-%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
+%global _samba_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
 %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2
 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
@@ -1118,12 +1139,8 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 # TODO: resolve underlinked python modules
 export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
-%ifarch loongarch64
-export LDFLAGS="%{__global_ldflags} -fuse-ld=bfd"
-%else
 # Use the gold linker
 export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
-%endif
 %configure \
 --enable-fhs \
@@ -1630,7 +1647,17 @@ fi
 %{_libdir}/samba/vfs/nfs4acl_xattr.so
 %endif
+%dir %{_libexecdir}/samba
 %{_libexecdir}/samba/samba-bgqd
+%{_libexecdir}/samba/samba-dcerpcd
+%{_libexecdir}/samba/rpcd_classic
+%{_libexecdir}/samba/rpcd_epmapper
+%{_libexecdir}/samba/rpcd_fsrvp
+%{_libexecdir}/samba/rpcd_lsad
+%{_libexecdir}/samba/rpcd_mdssvc
+%{_libexecdir}/samba/rpcd_rpcecho
+%{_libexecdir}/samba/rpcd_spoolss
+%{_libexecdir}/samba/rpcd_winreg
 %dir %{_datadir}/samba
 %dir %{_datadir}/samba/mdssvc
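Review bot: The `@@ -1118,12 +1139,8 @@` hunk removes the `%ifarch loongarch64` branch that selected `-fuse-ld=bfd`, so loongarch64 builds now get `export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"` unconditionally, and the matching changelog entry `Support loongarch64 platform` is removed in the `@@ -4119,24 +4165,45 @@` hunk as well. If the workaround was dropped deliberately while syncing to the el8 spec, the commit message should say so; if not, the `%ifarch loongarch64 … %else … %endif` wrapper around the gold-linker export should be kept. The same sync removes `%define anolis_release .0.1` and its use in `Release:` (`@@ -1,4 +1,3 @@`, `@@ -170,7 +171,7 @@`), so the resulting NVR no longer carries a distro-local suffix; that looks intentional but is worth stating too.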
@@ -1644,6 +1671,7 @@ fi
 %{_mandir}/man1/smbstatus.1*
 %{_mandir}/man8/eventlogadm.8*
 %{_mandir}/man8/samba-bgqd.8*
+%{_mandir}/man8/samba-dcerpcd.8*
 %{_mandir}/man8/smbd.8*
 %{_mandir}/man8/nmbd.8*
 %{_mandir}/man8/vfs_acl_tdb.8*
@@ -1658,6 +1686,7 @@ fi
 %{_mandir}/man8/vfs_crossrename.8*
 %{_mandir}/man8/vfs_default_quota.8*
 %{_mandir}/man8/vfs_dirsort.8*
+%{_mandir}/man8/vfs_expand_msdfs.8*
 %{_mandir}/man8/vfs_extd_audit.8*
 %{_mandir}/man8/vfs_fake_perms.8*
 %{_mandir}/man8/vfs_fileid.8*
@@ -1868,7 +1897,6 @@ fi
 %if %{without libwbclient}
 %{_libdir}/samba/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
 #endif without libwbclient
 %endif
@@ -2076,6 +2104,7 @@ fi
 %{_libdir}/samba/bind9/dlz_bind9_12.so
 %{_libdir}/samba/bind9/dlz_bind9_14.so
 %{_libdir}/samba/bind9/dlz_bind9_16.so
+%{_libdir}/samba/bind9/dlz_bind9_18.so
 #endif with dc
 %endif
@@ -2248,6 +2277,9 @@ fi
 %{_libdir}/samba/libshares-samba4.so
 %{_libdir}/samba/libsmbpasswdparser-samba4.so
 %{_libdir}/samba/libxattr-tdb-samba4.so
+%{_libdir}/samba/libREG-FULL-samba4.so
+%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
+%{_libdir}/samba/libRPC-WORKER-samba4.so
 ### LIBSMBCLIENT
 %if %{with libsmbclient}
@@ -2267,7 +2299,6 @@ fi
 %if %{with libwbclient}
 %files -n libwbclient
 %{_libdir}/samba/wbclient/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
 ### LIBWBCLIENT-DEVEL
 %files -n libwbclient-devel
@@ -2338,7 +2369,11 @@ fi
 %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
 %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc
@@ -2454,7 +2489,11 @@ fi
 %{python3_sitearch}/samba/emulate/__init__.py
 %{python3_sitearch}/samba/emulate/traffic.py
 %{python3_sitearch}/samba/emulate/traffic_packets.py
+%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py
+%{python3_sitearch}/samba/gp_chromium_ext.py
 %{python3_sitearch}/samba/gp_ext_loader.py
+%{python3_sitearch}/samba/gp_firefox_ext.py
+%{python3_sitearch}/samba/gp_firewalld_ext.py
 %{python3_sitearch}/samba/gp_msgs_ext.py
 %{python3_sitearch}/samba/gp_smb_conf_ext.py
 %{python3_sitearch}/samba/gp_sudoers_ext.py
@@ -2771,6 +2810,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc
@@ -2939,15 +2979,17 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
@@ -2964,26 +3006,28 @@ fi
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tests.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
+%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
 %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
 %{python3_sitearch}/samba/tests/krb5/raw_testcase.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
 %{python3_sitearch}/samba/tests/krb5/rodc_tests.py
-%{python3_sitearch}/samba/tests/krb5/salt_tests.py
 %{python3_sitearch}/samba/tests/krb5/simple_tests.py
-%{python3_sitearch}/samba/tests/krb5/spn_tests.py
-%{python3_sitearch}/samba/tests/krb5/test_ccache.py
 %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py
+%{python3_sitearch}/samba/tests/krb5/test_ccache.py
 %{python3_sitearch}/samba/tests/krb5/test_ldap.py
 %{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
 %{python3_sitearch}/samba/tests/krb5/test_rpc.py
 %{python3_sitearch}/samba/tests/krb5/test_smb.py
 %{python3_sitearch}/samba/tests/krb5/s4u_tests.py
+%{python3_sitearch}/samba/tests/krb5/salt_tests.py
+%{python3_sitearch}/samba/tests/krb5/spn_tests.py
 %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
 %{python3_sitearch}/samba/tests/krb5_credentials.py
 %{python3_sitearch}/samba/tests/ldap_raw.py
-%{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/ldap_spn.py
+%{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
 %{python3_sitearch}/samba/tests/libsmb.py
 %{python3_sitearch}/samba/tests/loadparm.py
@@ -3047,6 +3091,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc
@@ -3083,6 +3128,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/help.py
 %{python3_sitearch}/samba/tests/samba_tool/join.py
 %{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py
+%{python3_sitearch}/samba/tests/samba_tool/join_member.py
 %{python3_sitearch}/samba/tests/samba_tool/ntacl.py
 %{python3_sitearch}/samba/tests/samba_tool/ou.py
 %{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py
@@ -3114,6 +3160,7 @@ fi
 %{python3_sitearch}/samba/tests/smbd_base.py
 %{python3_sitearch}/samba/tests/smbd_fuzztest.py
 %{python3_sitearch}/samba/tests/source.py
+%{python3_sitearch}/samba/tests/source_chars.py
 %{python3_sitearch}/samba/tests/strings.py
 %{python3_sitearch}/samba/tests/subunitrun.py
 %{python3_sitearch}/samba/tests/tdb_util.py
@@ -3135,7 +3182,6 @@ fi
 %{_mandir}/man1/masktest.1*
 %{_mandir}/man1/ndrdump.1*
 %{_mandir}/man1/smbtorture.1*
-%{_mandir}/man1/vfstest.1*
 %if %{with testsuite}
 # files to ignore in testsuite mode
@@ -4119,24 +4165,45 @@ fi
 %endif
 %changelog
-* Fri Oct 28 2022 Jacob Wang - 4.15.5-10.0.1
-- Support loongarch64 platform
+* Mon Jan 16 2023 Andreas Schneider - 4.16.4-4
+- related: rhbz#2154369 - Add additional patch for CVE-2022-38023
-* Mon Sep 12 2022 Andreas Schneider - 4.15.5-10
-- resolves: rhbz#2126041 - Do not require samba package in python3-samba
+* Tue Dec 20 2022 Andreas Schneider - 4.16.4-3
+- resolves: rhbz#2154369 - Fix CVE-2022-38023
-* Fri Sep 09 2022 Andreas Schneider - 4.15.5-9
-- Fix CVE-2022-32742
-- resolves: rhbz#2125552
+* Thu Aug 25 2022 Andreas Schneider - 4.16.4-2
+- resolves: rhbz#2120956 - Do not require samba package in python3-samba
+
+* Thu Jul 28 2022 Andreas Schneider - 4.16.4-1
+- Rebase to version 4.16.4
+- resolves: rhbz#2108331 - Fix CVE-2022-32742
+
+* Mon Jul 18 2022 Pavel Filipenský - 4.16.3-0
+- related: rhbz#2077468 - Rebase Samba to 4.16.3
+- resolves: rhbz#2106672 - The pcap background queue process should not be stopped
+- resolves: rhbz#2106263 - Fix crash in rpcd_classic
+- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name
+
+* Tue Jun 14 2022 Pavel Filipenský - 4.16.2-1
+- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout
+
+* Mon Jun 13 2022 Pavel Filipenský - 4.16.2-0
+- Fix rpminspect abidiff
+- related: rhbz#2077468 - Rebase Samba to 4.16.2
+
+* Mon May 02 2022 Pavel Filipenský - 4.16.1-0
+- Update to Samba 4.16.1
+- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release
 * Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8
-- resolves: rhbz#2079303 - Fix username map for unix groups
-- resolves: rhbz#2079299 - PAM Kerberos authentication fails with a clock skew error
-- resolves: rhbz#2079304 - Fix UPNs handling in lookup_name*() calls
+- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls
+
+* Wed Apr 20 2022 Pavel Filipenský - 4.15.5-7
+- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error
-* Wed Mar 16 2022 Andreas Schneider - 4.15.5-5
-- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a
- single IP address.
+* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-6
+- resolves: rhbz#2059151 - Fix username map for unix groups
+- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
 * Thu Feb 24 2022 Andreas Schneider - 4.15.5-4
 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh
-- Gitee
From 57090b48f4a217b1cd5342fe589dbef7af8f98fa Mon Sep 17 00:00:00 2001
From: songmingliang
Date: Tue, 17 May 2022 20:31:31 +0800
Subject: [PATCH 2/2] build: support loongarch64 platform

# Conflicts:
# samba.spec
---
 samba.spec | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/samba.spec b/samba.spec
index 4bbf480..f1b34e0 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 # The testsuite is disabled by default.
 #
 # To build and run the tests use:
@@ -171,7 +172,7 @@
 Name: samba
 Version: %{samba_version}
-Release: %{samba_release}%{?dist}
+Release: %{samba_release}%{anolis_release}%{?dist}
 %if 0%{?rhel}
 Epoch: 0
@@ -1139,8 +1140,12 @@ rm -f lib/crypto/{aes,rijndael}*.c
 # TODO: resolve underlinked python modules
 export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
+%ifarch loongarch64
+export LDFLAGS="%{__global_ldflags} -fuse-ld=bfd"
+%else
 # Use the gold linker
 export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
+%endif
 %configure \
 --enable-fhs \
@@ -4165,6 +4170,9 @@ fi
 %endif
 %changelog
+* Wed Feb 22 2023 Jacob Wang - 4.16.4-4.0.1
+- Support loongarch64 platform
+
 * Mon Jan 16 2023 Andreas Schneider - 4.16.4-4
 - related: rhbz#2154369 - Add additional patch for CVE-2022-38023
-- Gitee
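Review bot: The new `%ifarch loongarch64` branch that switches to `-fuse-ld=bfd` carries no comment, while the `%else` branch keeps the existing `# Use the gold linker` note, so the reason for the per-architecture override is not recorded; presumably gold has no LoongArch backend. I would add `# gold has no loongarch64 port, use the bfd linker instead` directly above the `%ifarch` line so the override is not folded back into the gold path later. Both branches still start from `%{__global_ldflags}`, which is what carries the distribution's hardening link flags, so that part looks right, but it is worth checking the linked binaries on loongarch64 once, since bfd and gold do not share every default. The surrounding %build section continues outside the hunk.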