From c026cd1ebb931a694cc83638361de52799420eef Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 May 2023 05:38:49 +0000 Subject: [PATCH] import samba-4.17.5-102.el9 --- .gitignore | 2 +- .samba.metadata | 2 +- SOURCES/CVE-2022-38023-for-s3-v4-16.patch | 2413 --------- SOURCES/CVE-2022-38023-v4-16.patch | 4417 ----------------- SOURCES/samba-4.16-waf-crypto.patch | 77 - SOURCES/samba-4.16.4.tar.asc | 16 - SOURCES/samba-4.17.5.tar.asc | 16 + SOURCES/samba-s4u.patch | 642 --- SOURCES/samba-systemd-sysusers.conf | 2 + .../samba-usershares-systemd-sysusers.conf | 2 + SOURCES/usershares.conf.vendor | 3 + SPECS/samba.spec | 559 ++- 12 files changed, 384 insertions(+), 7767 deletions(-) delete mode 100644 SOURCES/CVE-2022-38023-for-s3-v4-16.patch delete mode 100644 SOURCES/CVE-2022-38023-v4-16.patch delete mode 100644 SOURCES/samba-4.16-waf-crypto.patch delete mode 100644 SOURCES/samba-4.16.4.tar.asc create mode 100644 SOURCES/samba-4.17.5.tar.asc delete mode 100644 SOURCES/samba-s4u.patch create mode 100644 SOURCES/samba-systemd-sysusers.conf create mode 100644 SOURCES/samba-usershares-systemd-sysusers.conf create mode 100644 SOURCES/usershares.conf.vendor diff --git a/.gitignore b/.gitignore index a32ae18..db71ada 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.16.4.tar.xz +SOURCES/samba-4.17.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 620213e..a072d0f 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz +68926a886d20bbd5b4d768d9788d4b5a5ca399e5 SOURCES/samba-4.17.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/CVE-2022-38023-for-s3-v4-16.patch b/SOURCES/CVE-2022-38023-for-s3-v4-16.patch deleted file mode 100644 index 904db99..0000000 --- a/SOURCES/CVE-2022-38023-for-s3-v4-16.patch +++ /dev/null @@ -1,2413 +0,0 @@ -From f7c26ead133ab9b67c6802a2303a22fd98e3c41a Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 21 Dec 2022 15:53:04 +0100 -Subject: [PATCH 1/9] CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel - != yes' warning to dcesrv_interface_netlogon_bind - -Follow s4 netlogon server changes and move the checks to the RPC bind -hook. Next commits will remove the s3 netr_creds_server_step_check() -function. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 39 +++++++++++++++------ - 1 file changed, 28 insertions(+), 11 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 5906464a9f3..a3853d482df 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1081,7 +1081,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - uint16_t opnum = dce_call->pkt.u.request.opnum; - const char *opname = ""; -- static bool warned_global_once = false; - - if (creds_out != NULL) { - *creds_out = NULL; -@@ -1143,16 +1142,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - return NT_STATUS_ACCESS_DENIED; - } - -- if (!schannel_global_required && !warned_global_once) { -- /* -- * We want admins to notice their misconfiguration! -- */ -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "Please configure 'server schannel = yes', " -- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -- warned_global_once = true; -- } -- - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "%s request (opnum[%u]) WITH schannel from " -@@ -2997,5 +2986,33 @@ NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p, - return NT_STATUS_NOT_IMPLEMENTED; - } - -+/* -+ * Define the bind function that will be used by ndr_netlogon_scompat.c, -+ * included at the bottom of this file. -+ */ -+#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \ -+ dcesrv_interface_netlogon_bind(context, iface) -+ -+static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, -+ const struct dcesrv_interface *iface) -+{ -+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; -+ int schannel = lpcfg_server_schannel(lp_ctx); -+ bool schannel_global_required = (schannel == true); -+ static bool warned_global_schannel_once = false; -+ -+ if (!schannel_global_required && !warned_global_schannel_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2020-1472(ZeroLogon): " -+ "Please configure 'server schannel = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -+ warned_global_schannel_once = true; -+ } -+ -+ return NT_STATUS_OK; -+} -+ - /* include the generated boilerplate */ - #include "librpc/gen_ndr/ndr_netlogon_scompat.c" --- -2.39.0 - - -From 1790cc254c10dfc0deb5ff84ff18a5f24bfd3f44 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 16:46:15 +0100 -Subject: [PATCH 2/9] CVE-2022-38023 selftest:Samba3: avoid global 'server - schannel = auto' - -Instead of using the generic deprecated option use the specific -server require schannel:COMPUTERACCOUNT = no in order to allow -legacy tests for pass. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc) ---- - selftest/target/Samba3.pm | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 0b720a68927..b58f3d45118 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -271,9 +271,23 @@ sub setup_nt4_dc - lanman auth = yes - ntlm auth = yes - raw NTLMv2 auth = yes -- server schannel = auto - rpc start on demand helpers = false - -+ CVE_2020_1472:warn_about_unused_debug_level = 3 -+ server require schannel:schannel0\$ = no -+ server require schannel:schannel1\$ = no -+ server require schannel:schannel2\$ = no -+ server require schannel:schannel3\$ = no -+ server require schannel:schannel4\$ = no -+ server require schannel:schannel5\$ = no -+ server require schannel:schannel6\$ = no -+ server require schannel:schannel7\$ = no -+ server require schannel:schannel8\$ = no -+ server require schannel:schannel9\$ = no -+ server require schannel:schannel10\$ = no -+ server require schannel:schannel11\$ = no -+ server require schannel:torturetest\$ = no -+ - fss: sequence timeout = 1 - check parent directory delete on close = yes - "; --- -2.39.0 - - -From 0e7e7ddbf5524b8aec595227a04cb09599c61a81 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 5 Jan 2023 18:13:09 +0100 -Subject: [PATCH 3/9] CVE-2022-38023 s4:rpc_server:wscript: Reformat following - pycodestyle - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b) ---- - source4/rpc_server/wscript_build | 290 ++++++++++++++++++------------- - 1 file changed, 168 insertions(+), 122 deletions(-) - -diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build -index 8c756721232..e7bb773d719 100644 ---- a/source4/rpc_server/wscript_build -+++ b/source4/rpc_server/wscript_build -@@ -1,174 +1,220 @@ - #!/usr/bin/env python - - bld.SAMBA_SUBSYSTEM('DCERPC_SHARE', -- source='common/share_info.c', -- autoproto='common/share.h', -- deps='ldb share', -- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER'), -- ) -+ source='common/share_info.c', -+ autoproto='common/share.h', -+ deps='ldb share', -+ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER'), -+ ) - - bld.SAMBA_SUBSYSTEM('DCERPC_COMMON', -- source='common/server_info.c common/forward.c common/loadparm.c', -- autoproto='common/proto.h', -- deps='ldb DCERPC_SHARE', -- enabled=bld.AD_DC_BUILD_IS_ENABLED() -- ) -+ source=''' -+ common/server_info.c -+ common/forward.c -+ common/loadparm.c -+ ''', -+ autoproto='common/proto.h', -+ deps='ldb DCERPC_SHARE', -+ enabled=bld.AD_DC_BUILD_IS_ENABLED() -+ ) - - bld.SAMBA_LIBRARY('dcerpc_server', -- source='dcerpc_server.c', -- pc_files='dcerpc_server.pc', -- deps='LIBCLI_AUTH ndr samba_server_gensec service auth', -- public_deps='dcerpc dcerpc-server-core', -- autoproto='dcerpc_server_proto.h', -- public_headers='dcerpc_server.h', -- vnum='0.0.1', -- enabled=bld.AD_DC_BUILD_IS_ENABLED() -- ) -+ source='dcerpc_server.c', -+ pc_files='dcerpc_server.pc', -+ deps='LIBCLI_AUTH ndr samba_server_gensec service auth', -+ public_deps='dcerpc dcerpc-server-core', -+ autoproto='dcerpc_server_proto.h', -+ public_headers='dcerpc_server.h', -+ vnum='0.0.1', -+ enabled=bld.AD_DC_BUILD_IS_ENABLED() -+ ) - - bld.SAMBA_MODULE('dcerpc_rpcecho', -- source='echo/rpc_echo.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_rpcecho_init', -- deps='ndr-standard events' -- ) -+ source='echo/rpc_echo.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_rpcecho_init', -+ deps='ndr-standard events' -+ ) - - - bld.SAMBA_MODULE('dcerpc_epmapper', -- source='epmapper/rpc_epmapper.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_epmapper_init', -- deps='NDR_EPMAPPER' -- ) -+ source='epmapper/rpc_epmapper.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_epmapper_init', -+ deps='NDR_EPMAPPER' -+ ) - - - bld.SAMBA_MODULE('dcerpc_remote', -- source='remote/dcesrv_remote.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_remote_init', -- deps='LIBCLI_SMB ndr-table' -- ) -+ source='remote/dcesrv_remote.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_remote_init', -+ deps='LIBCLI_SMB ndr-table' -+ ) - - - bld.SAMBA_MODULE('dcerpc_srvsvc', -- source='srvsvc/dcesrv_srvsvc.c srvsvc/srvsvc_ntvfs.c', -- autoproto='srvsvc/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_srvsvc_init', -- deps='DCERPC_COMMON NDR_SRVSVC share ntvfs', -- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') -- ) -+ source='srvsvc/dcesrv_srvsvc.c srvsvc/srvsvc_ntvfs.c', -+ autoproto='srvsvc/proto.h', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_srvsvc_init', -+ deps='DCERPC_COMMON NDR_SRVSVC share ntvfs', -+ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') -+ ) - - - bld.SAMBA_MODULE('dcerpc_wkssvc', -- source='wkssvc/dcesrv_wkssvc.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_wkssvc_init', -- deps='DCERPC_COMMON ndr-standard' -- ) -+ source='wkssvc/dcesrv_wkssvc.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_wkssvc_init', -+ deps='DCERPC_COMMON ndr-standard' -+ ) - - - bld.SAMBA_MODULE('dcerpc_unixinfo', -- source='unixinfo/dcesrv_unixinfo.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_unixinfo_init', -- deps='DCERPC_COMMON samdb NDR_UNIXINFO LIBWBCLIENT_OLD' -- ) -+ source='unixinfo/dcesrv_unixinfo.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_unixinfo_init', -+ deps='DCERPC_COMMON samdb NDR_UNIXINFO LIBWBCLIENT_OLD' -+ ) - - - bld.SAMBA_MODULE('dcesrv_samr', -- source='samr/dcesrv_samr.c samr/samr_password.c', -- autoproto='samr/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_samr_init', -- deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS DCERPC_HELPER' -- ) -+ source='samr/dcesrv_samr.c samr/samr_password.c', -+ autoproto='samr/proto.h', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_samr_init', -+ deps=''' -+ samdb -+ DCERPC_COMMON -+ ndr-standard -+ auth4_sam -+ GNUTLS_HELPERS -+ DCERPC_HELPER -+ ''' -+ ) - - - bld.SAMBA_MODULE('dcerpc_winreg', -- source='winreg/rpc_winreg.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_winreg_init', -- deps='registry ndr-standard', -- internal_module=True, -- enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') -- ) -+ source='winreg/rpc_winreg.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_winreg_init', -+ deps='registry ndr-standard', -+ internal_module=True, -+ enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER') -+ ) - - - bld.SAMBA_MODULE('dcerpc_netlogon', -- source='netlogon/dcerpc_netlogon.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_netlogon_init', -- deps='''DCERPC_COMMON RPC_NDR_IRPC COMMON_SCHANNEL ndr-standard auth4_sam samba-hostconfig DSDB_MODULE_HELPERS -- util_str_escape''' -- ) -+ source='netlogon/dcerpc_netlogon.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_netlogon_init', -+ deps=''' -+ DCERPC_COMMON -+ RPC_NDR_IRPC -+ COMMON_SCHANNEL -+ ndr-standard -+ auth4_sam -+ samba-hostconfig -+ DSDB_MODULE_HELPERS -+ util_str_escape -+ ''' -+ ) - - - bld.SAMBA_MODULE('dcerpc_lsarpc', -- source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', -- autoproto='lsa/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_lsa_init', -- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err samba-security UTIL_LSARPC' -- ) -+ source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', -+ autoproto='lsa/proto.h', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_lsa_init', -+ deps=''' -+ samdb -+ DCERPC_COMMON -+ ndr-standard -+ LIBCLI_AUTH -+ NDR_DSSETUP -+ com_err -+ samba-security -+ UTIL_LSARPC -+ ''' -+ ) - - - bld.SAMBA_MODULE('dcerpc_backupkey', -- source='backupkey/dcesrv_backupkey.c ', -- autoproto='backupkey/proto.h', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_backupkey_init', -- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls GNUTLS_HELPERS', -- ) -+ source='backupkey/dcesrv_backupkey.c ', -+ autoproto='backupkey/proto.h', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_backupkey_init', -+ deps=''' -+ samdb -+ DCERPC_COMMON -+ NDR_BACKUPKEY -+ RPC_NDR_BACKUPKEY -+ gnutls -+ GNUTLS_HELPERS -+ ''', -+ ) - - - bld.SAMBA_MODULE('dcerpc_drsuapi', -- source='drsuapi/dcesrv_drsuapi.c drsuapi/updaterefs.c drsuapi/getncchanges.c drsuapi/addentry.c drsuapi/writespn.c drsuapi/drsutil.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_drsuapi_init', -- deps='samdb DCERPC_COMMON NDR_DRSUAPI samba-security' -- ) -+ source=''' -+ drsuapi/dcesrv_drsuapi.c -+ drsuapi/updaterefs.c -+ drsuapi/getncchanges.c -+ drsuapi/addentry.c -+ drsuapi/writespn.c -+ drsuapi/drsutil.c -+ ''', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_drsuapi_init', -+ deps='samdb DCERPC_COMMON NDR_DRSUAPI samba-security' -+ ) - - - bld.SAMBA_MODULE('dcerpc_browser', -- source='browser/dcesrv_browser.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_browser_init', -- deps='DCERPC_COMMON NDR_BROWSER' -- ) -+ source='browser/dcesrv_browser.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_browser_init', -+ deps='DCERPC_COMMON NDR_BROWSER' -+ ) - - bld.SAMBA_MODULE('dcerpc_eventlog', -- source='eventlog/dcesrv_eventlog6.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_eventlog6_init', -- deps='DCERPC_COMMON' -- ) -+ source='eventlog/dcesrv_eventlog6.c', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_eventlog6_init', -+ deps='DCERPC_COMMON' -+ ) - - bld.SAMBA_MODULE('dcerpc_dnsserver', -- source='dnsserver/dcerpc_dnsserver.c dnsserver/dnsutils.c dnsserver/dnsdata.c dnsserver/dnsdb.c', -- subsystem='dcerpc_server', -- init_function='dcerpc_server_dnsserver_init', -- deps='DCERPC_COMMON dnsserver_common netif' -- ) -+ source=''' -+ dnsserver/dcerpc_dnsserver.c -+ dnsserver/dnsutils.c -+ dnsserver/dnsdata.c -+ dnsserver/dnsdb.c -+ ''', -+ subsystem='dcerpc_server', -+ init_function='dcerpc_server_dnsserver_init', -+ deps='DCERPC_COMMON dnsserver_common netif' -+ ) - - - bld.SAMBA_MODULE('service_dcerpc', -- source='service_rpc.c', -- autoproto='service_rpc.h', -- subsystem='service', -- init_function='server_service_rpc_init', -- internal_module=False, -- deps='dcerpc_server' -- ) -- --bld.SAMBA_BINARY( -- 'test_rpc_dns_server_dnsutils', -- source='tests/rpc_dns_server_dnsutils_test.c', -- deps=''' -- dnsserver_common -- dcerpc_server -- cmocka -- talloc -- ''', -- for_selftest=True, -- enabled=bld.AD_DC_BUILD_IS_ENABLED() --) -+ source='service_rpc.c', -+ autoproto='service_rpc.h', -+ subsystem='service', -+ init_function='server_service_rpc_init', -+ internal_module=False, -+ deps='dcerpc_server' -+ ) -+ -+bld.SAMBA_BINARY('test_rpc_dns_server_dnsutils', -+ source='tests/rpc_dns_server_dnsutils_test.c', -+ deps=''' -+ dnsserver_common -+ dcerpc_server -+ cmocka -+ talloc -+ ''', -+ for_selftest=True, -+ enabled=bld.AD_DC_BUILD_IS_ENABLED() -+ ) --- -2.39.0 - - -From 740422fb6609dac3b0e2c1bb91d61b87e99c64aa Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 14:03:23 +0100 -Subject: [PATCH 4/9] CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and - credentials check functions to librpc - -Will be used later by s3 netlogon server. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit 121e7b0e39478c5291100652ac92c263f406076b) ---- - librpc/rpc/server/netlogon/schannel_util.c | 576 ++++++++++++++++++ - librpc/rpc/server/netlogon/schannel_util.h | 54 ++ - librpc/wscript_build | 12 + - source4/rpc_server/netlogon/dcerpc_netlogon.c | 546 +---------------- - source4/rpc_server/wscript_build | 2 +- - 5 files changed, 644 insertions(+), 546 deletions(-) - create mode 100644 librpc/rpc/server/netlogon/schannel_util.c - create mode 100644 librpc/rpc/server/netlogon/schannel_util.h - -diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c -new file mode 100644 -index 00000000000..9b2a88a2628 ---- /dev/null -+++ b/librpc/rpc/server/netlogon/schannel_util.c -@@ -0,0 +1,576 @@ -+/* -+ Unix SMB/CIFS implementation. -+ -+ netlogon schannel utility functions -+ -+ Copyright (C) Andrew Bartlett 2004-2008 -+ Copyright (C) Stefan Metzmacher 2005 -+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "includes.h" -+#include "schannel_util.h" -+#include "param/param.h" -+#include "libcli/security/dom_sid.h" -+#include "libcli/auth/schannel.h" -+#include "librpc/rpc/dcesrv_core.h" -+#include "librpc/gen_ndr/ndr_netlogon.h" -+#include "lib/util/util_str_escape.h" -+ -+struct dcesrv_netr_check_schannel_state { -+ struct dom_sid account_sid; -+ enum dcerpc_AuthType auth_type; -+ enum dcerpc_AuthLevel auth_level; -+ -+ bool schannel_global_required; -+ bool schannel_required; -+ bool schannel_explicitly_set; -+ -+ bool seal_global_required; -+ bool seal_required; -+ bool seal_explicitly_set; -+ -+ NTSTATUS result; -+}; -+ -+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ struct dcesrv_netr_check_schannel_state **_s) -+{ -+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -+ int schannel = lpcfg_server_schannel(lp_ctx); -+ bool schannel_global_required = (schannel == true); -+ bool schannel_required = schannel_global_required; -+ const char *explicit_opt = NULL; -+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); -+ bool require_seal = global_require_seal; -+ const char *explicit_seal_opt = NULL; -+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) -+ struct dcesrv_netr_check_schannel_state *s = NULL; -+ NTSTATUS status; -+ -+ *_s = NULL; -+ -+ s = dcesrv_iface_state_find_conn(dce_call, -+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -+ struct dcesrv_netr_check_schannel_state); -+ if (s != NULL) { -+ if (!dom_sid_equal(&s->account_sid, creds->sid)) { -+ goto new_state; -+ } -+ if (s->auth_type != auth_type) { -+ goto new_state; -+ } -+ if (s->auth_level != auth_level) { -+ goto new_state; -+ } -+ -+ *_s = s; -+ return NT_STATUS_OK; -+ } -+ -+new_state: -+ TALLOC_FREE(s); -+ s = talloc_zero(dce_call, -+ struct dcesrv_netr_check_schannel_state); -+ if (s == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ s->account_sid = *creds->sid; -+ s->auth_type = auth_type; -+ s->auth_level = auth_level; -+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "server schannel require seal", -+ creds->account_name); -+ if (explicit_seal_opt != NULL) { -+ require_seal = lp_bool(explicit_seal_opt); -+ } -+ -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ explicit_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "server require schannel", -+ creds->account_name); -+ if (explicit_opt != NULL) { -+ schannel_required = lp_bool(explicit_opt); -+ } -+ -+ s->schannel_global_required = schannel_global_required; -+ s->schannel_required = schannel_required; -+ s->schannel_explicitly_set = explicit_opt != NULL; -+ -+ s->seal_global_required = global_require_seal; -+ s->seal_required = require_seal; -+ s->seal_explicitly_set = explicit_seal_opt != NULL; -+ -+ status = dcesrv_iface_state_store_conn(dce_call, -+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -+ s); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ *_s = s; -+ return NT_STATUS_OK; -+} -+ -+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, -+ struct dcesrv_netr_check_schannel_state *s, -+ const struct netlogon_creds_CredentialState *creds, -+ uint16_t opnum) -+{ -+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); -+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); -+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); -+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); -+ TALLOC_CTX *frame = talloc_stackframe(); -+ unsigned int dbg_lvl = DBGLVL_DEBUG; -+ const char *opname = ""; -+ const char *reason = ""; -+ -+ if (opnum < ndr_table_netlogon.num_calls) { -+ opname = ndr_table_netlogon.calls[opnum].name; -+ } -+ -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -+ reason = "WITH SEALED"; -+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { -+ reason = "WITH SIGNED"; -+ } else { -+ reason = "WITH INVALID"; -+ dbg_lvl = DBGLVL_ERR; -+ s->result = NT_STATUS_INTERNAL_ERROR; -+ } -+ } else { -+ reason = "WITHOUT"; -+ } -+ -+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { -+ if (!NT_STATUS_IS_OK(s->result)) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && -+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) -+ { -+ s->result = NT_STATUS_OK; -+ -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -+ } else if (!s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -+ } else if (!s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ if (s->seal_explicitly_set && !s->seal_required) { -+ DEBUG(CVE_2022_38023_warn_level, ( -+ "CVE-2022-38023: " -+ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (s->seal_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; -+ -+ if (s->seal_explicitly_set) { -+ dbg_lvl = DBGLVL_NOTICE; -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "from client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->seal_explicitly_set) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = no' " -+ "not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ s->result = NT_STATUS_OK; -+ -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -+ } else if (!s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } else if (!s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ D_INFO("CVE-2022-38023: " -+ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else if (!s->seal_required) { -+ /* -+ * admins should set -+ * server schannel require seal:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: " -+ "Please use 'server schannel require seal:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->seal_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; -+ -+ if (s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ if (!s->schannel_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } else if (s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "from client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->seal_explicitly_set) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ if (!s->schannel_explicitly_set) { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } else if (s->schannel_required) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server require schannel:%s = yes' " -+ "also rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->schannel_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; -+ -+ if (s->schannel_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } -+ if (!s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->schannel_explicitly_set) { -+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ if (!s->seal_explicitly_set) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ s->result = NT_STATUS_OK; -+ -+ if (s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ -+ if (s->schannel_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ -+ if (s->seal_explicitly_set) { -+ D_INFO("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = no' " -+ "still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else { -+ /* -+ * admins should set -+ * server schannel require seal:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Please use " -+ "'server schannel require seal:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ if (s->schannel_explicitly_set) { -+ D_INFO("CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = no' " -+ "still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else { -+ /* -+ * admins should set -+ * server require schannel:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Please use 'server require schannel:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ TALLOC_FREE(frame); -+ return s->result; -+} -+ -+NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ uint16_t opnum) -+{ -+ struct dcesrv_netr_check_schannel_state *s = NULL; -+ NTSTATUS status; -+ -+ status = dcesrv_netr_check_schannel_get_state(dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ &s); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ return NT_STATUS_OK; -+} -+ -+/* -+ * NOTE: The following functions are nearly identical to the ones available in -+ * source3/rpc_server/srv_nelog_nt.c -+ * The reason we keep 2 copies is that they use different structures to -+ * represent the auth_info and the decrpc pipes. -+ */ -+NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, -+ TALLOC_CTX *mem_ctx, -+ const char *computer_name, -+ struct netr_Authenticator *received_authenticator, -+ struct netr_Authenticator *return_authenticator, -+ struct netlogon_creds_CredentialState **creds_out) -+{ -+ NTSTATUS nt_status; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -+ -+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -+ -+ nt_status = schannel_check_creds_state(mem_ctx, -+ dce_call->conn->dce_ctx->lp_ctx, -+ computer_name, -+ received_authenticator, -+ return_authenticator, -+ &creds); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ ZERO_STRUCTP(return_authenticator); -+ return nt_status; -+ } -+ -+ nt_status = dcesrv_netr_check_schannel(dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ dce_call->pkt.u.request.opnum); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ TALLOC_FREE(creds); -+ ZERO_STRUCTP(return_authenticator); -+ return nt_status; -+ } -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; -+} -diff --git a/librpc/rpc/server/netlogon/schannel_util.h b/librpc/rpc/server/netlogon/schannel_util.h -new file mode 100644 -index 00000000000..561e2567e02 ---- /dev/null -+++ b/librpc/rpc/server/netlogon/schannel_util.h -@@ -0,0 +1,54 @@ -+/* -+ Unix SMB/CIFS implementation. -+ -+ netlogon schannel utility functions -+ -+ Copyright (C) Andrew Bartlett 2004-2008 -+ Copyright (C) Stefan Metzmacher 2005 -+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#ifndef __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ -+#define __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ -+ -+#include "replace.h" -+#include -+#include "libcli/util/ntstatus.h" -+ -+#define NETLOGON_SERVER_PIPE_STATE_MAGIC 0x4f555358 -+ -+struct dcesrv_call_state; -+struct netlogon_creds_CredentialState; -+struct netr_Authenticator; -+enum dcerpc_AuthType; -+enum dcerpc_AuthLevel; -+ -+NTSTATUS dcesrv_netr_check_schannel( -+ struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ uint16_t opnum); -+ -+NTSTATUS dcesrv_netr_creds_server_step_check( -+ struct dcesrv_call_state *dce_call, -+ TALLOC_CTX *mem_ctx, -+ const char *computer_name, -+ struct netr_Authenticator *received_authenticator, -+ struct netr_Authenticator *return_authenticator, -+ struct netlogon_creds_CredentialState **creds_out); -+ -+#endif /* __LIBRPC_RPC_SERVER_NETLOGON_SCHANNEL_UTIL_H__ */ -diff --git a/librpc/wscript_build b/librpc/wscript_build -index b82209b4299..f22ab2eabae 100644 ---- a/librpc/wscript_build -+++ b/librpc/wscript_build -@@ -678,6 +678,18 @@ bld.SAMBA_LIBRARY('dcerpc-pkt-auth', - ''', - deps='dcerpc-binding gensec') - -+bld.SAMBA_SUBSYSTEM('DCERPC_SERVER_NETLOGON', -+ source=''' -+ rpc/server/netlogon/schannel_util.c -+ ''', -+ deps=''' -+ talloc -+ util_str_escape -+ samba-hostconfig -+ NDR_NETLOGON -+ dcerpc-server-core -+ ''') -+ - bld.SAMBA_LIBRARY('dcerpc-server-core', - source=''' - rpc/dcesrv_core.c -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index ddcb8487a56..6a3e044eb9d 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -42,6 +42,7 @@ - #include "librpc/gen_ndr/ndr_irpc.h" - #include "librpc/gen_ndr/ndr_winbind.h" - #include "librpc/gen_ndr/ndr_winbind_c.h" -+#include "librpc/rpc/server/netlogon/schannel_util.h" - #include "lib/socket/netif.h" - #include "lib/util/util_str_escape.h" - #include "lib/param/loadparm.h" -@@ -889,551 +890,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca - return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); - } - --struct dcesrv_netr_check_schannel_state { -- struct dom_sid account_sid; -- enum dcerpc_AuthType auth_type; -- enum dcerpc_AuthLevel auth_level; -- -- bool schannel_global_required; -- bool schannel_required; -- bool schannel_explicitly_set; -- -- bool seal_global_required; -- bool seal_required; -- bool seal_explicitly_set; -- -- NTSTATUS result; --}; -- --static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, -- const struct netlogon_creds_CredentialState *creds, -- enum dcerpc_AuthType auth_type, -- enum dcerpc_AuthLevel auth_level, -- struct dcesrv_netr_check_schannel_state **_s) --{ -- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -- int schannel = lpcfg_server_schannel(lp_ctx); -- bool schannel_global_required = (schannel == true); -- bool schannel_required = schannel_global_required; -- const char *explicit_opt = NULL; -- bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); -- bool require_seal = global_require_seal; -- const char *explicit_seal_opt = NULL; --#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) -- struct dcesrv_netr_check_schannel_state *s = NULL; -- NTSTATUS status; -- -- *_s = NULL; -- -- s = dcesrv_iface_state_find_conn(dce_call, -- DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -- struct dcesrv_netr_check_schannel_state); -- if (s != NULL) { -- if (!dom_sid_equal(&s->account_sid, creds->sid)) { -- goto new_state; -- } -- if (s->auth_type != auth_type) { -- goto new_state; -- } -- if (s->auth_level != auth_level) { -- goto new_state; -- } -- -- *_s = s; -- return NT_STATUS_OK; -- } -- --new_state: -- TALLOC_FREE(s); -- s = talloc_zero(dce_call, -- struct dcesrv_netr_check_schannel_state); -- if (s == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- -- s->account_sid = *creds->sid; -- s->auth_type = auth_type; -- s->auth_level = auth_level; -- s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; -- -- /* -- * We don't use lpcfg_parm_bool(), as we -- * need the explicit_opt pointer in order to -- * adjust the debug messages. -- */ -- explicit_seal_opt = lpcfg_get_parametric(lp_ctx, -- NULL, -- "server schannel require seal", -- creds->account_name); -- if (explicit_seal_opt != NULL) { -- require_seal = lp_bool(explicit_seal_opt); -- } -- -- /* -- * We don't use lpcfg_parm_bool(), as we -- * need the explicit_opt pointer in order to -- * adjust the debug messages. -- */ -- explicit_opt = lpcfg_get_parametric(lp_ctx, -- NULL, -- "server require schannel", -- creds->account_name); -- if (explicit_opt != NULL) { -- schannel_required = lp_bool(explicit_opt); -- } -- -- s->schannel_global_required = schannel_global_required; -- s->schannel_required = schannel_required; -- s->schannel_explicitly_set = explicit_opt != NULL; -- -- s->seal_global_required = global_require_seal; -- s->seal_required = require_seal; -- s->seal_explicitly_set = explicit_seal_opt != NULL; -- -- status = dcesrv_iface_state_store_conn(dce_call, -- DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -- s); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- *_s = s; -- return NT_STATUS_OK; --} -- --static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, -- struct dcesrv_netr_check_schannel_state *s, -- const struct netlogon_creds_CredentialState *creds, -- uint16_t opnum) --{ -- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -- int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, -- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); -- int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, -- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); -- int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, -- "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); -- int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, -- "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); -- TALLOC_CTX *frame = talloc_stackframe(); -- unsigned int dbg_lvl = DBGLVL_DEBUG; -- const char *opname = ""; -- const char *reason = ""; -- -- if (opnum < ndr_table_netlogon.num_calls) { -- opname = ndr_table_netlogon.calls[opnum].name; -- } -- -- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -- reason = "WITH SEALED"; -- } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { -- reason = "WITH SIGNED"; -- } else { -- reason = "WITH INVALID"; -- dbg_lvl = DBGLVL_ERR; -- s->result = NT_STATUS_INTERNAL_ERROR; -- } -- } else { -- reason = "WITHOUT"; -- } -- -- if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { -- if (!NT_STATUS_IS_OK(s->result)) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- TALLOC_FREE(frame); -- return s->result; -- } -- -- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && -- s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) -- { -- s->result = NT_STATUS_OK; -- -- if (s->schannel_explicitly_set && !s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -- } else if (!s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } -- if (s->seal_explicitly_set && !s->seal_required) { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -- } else if (!s->seal_required) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- -- if (s->schannel_explicitly_set && !s->schannel_required) { -- DEBUG(CVE_2020_1472_warn_level, ( -- "CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' not needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- -- if (s->seal_explicitly_set && !s->seal_required) { -- DEBUG(CVE_2022_38023_warn_level, ( -- "CVE-2022-38023: " -- "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- -- TALLOC_FREE(frame); -- return s->result; -- } -- -- if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- if (s->seal_required) { -- s->result = NT_STATUS_ACCESS_DENIED; -- -- if (s->seal_explicitly_set) { -- dbg_lvl = DBGLVL_NOTICE; -- } else { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -- } -- if (s->schannel_explicitly_set && !s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "from client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- if (s->seal_explicitly_set) { -- D_NOTICE("CVE-2022-38023: Option " -- "'server schannel require seal:%s = yes' " -- "rejects access for client.\n", -- log_escape(frame, creds->account_name)); -- } else { -- DEBUG(CVE_2020_1472_error_level, ( -- "CVE-2022-38023: Check if option " -- "'server schannel require seal:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name))); -- } -- if (s->schannel_explicitly_set && !s->schannel_required) { -- DEBUG(CVE_2020_1472_warn_level, ( -- "CVE-2020-1472(ZeroLogon): Option " -- "'server require schannel:%s = no' " -- "not needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- TALLOC_FREE(frame); -- return s->result; -- } -- -- s->result = NT_STATUS_OK; -- -- if (s->schannel_explicitly_set && !s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -- } else if (!s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } -- if (s->seal_explicitly_set && !s->seal_required) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } else if (!s->seal_required) { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) %s schannel from " -- "client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- if (s->schannel_explicitly_set && !s->schannel_required) { -- DEBUG(CVE_2020_1472_warn_level, ( -- "CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' not needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- if (s->seal_explicitly_set && !s->seal_required) { -- D_INFO("CVE-2022-38023: " -- "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- } else if (!s->seal_required) { -- /* -- * admins should set -- * server schannel require seal:COMPUTER$ = no -- * in order to avoid the level 0 messages. -- * Over time they can switch the global value -- * to be strict. -- */ -- DEBUG(CVE_2022_38023_error_level, ( -- "CVE-2022-38023: " -- "Please use 'server schannel require seal:%s = no' " -- "for '%s' to avoid this warning!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- -- TALLOC_FREE(frame); -- return s->result; -- } -- -- if (s->seal_required) { -- s->result = NT_STATUS_ACCESS_DENIED; -- -- if (s->seal_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -- } else { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -- } -- if (!s->schannel_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -- } else if (s->schannel_required) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "from client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- if (s->seal_explicitly_set) { -- D_NOTICE("CVE-2022-38023: Option " -- "'server schannel require seal:%s = yes' " -- "rejects access for client.\n", -- log_escape(frame, creds->account_name)); -- } else { -- DEBUG(CVE_2022_38023_error_level, ( -- "CVE-2022-38023: Check if option " -- "'server schannel require seal:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name))); -- } -- if (!s->schannel_explicitly_set) { -- DEBUG(CVE_2020_1472_error_level, ( -- "CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name))); -- } else if (s->schannel_required) { -- D_NOTICE("CVE-2022-38023: Option " -- "'server require schannel:%s = yes' " -- "also rejects access for client.\n", -- log_escape(frame, creds->account_name)); -- } -- TALLOC_FREE(frame); -- return s->result; -- } -- -- if (s->schannel_required) { -- s->result = NT_STATUS_ACCESS_DENIED; -- -- if (s->schannel_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -- } else { -- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -- } -- if (!s->seal_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- if (s->schannel_explicitly_set) { -- D_NOTICE("CVE-2020-1472(ZeroLogon): Option " -- "'server require schannel:%s = yes' " -- "rejects access for client.\n", -- log_escape(frame, creds->account_name)); -- } else { -- DEBUG(CVE_2020_1472_error_level, ( -- "CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name))); -- } -- if (!s->seal_explicitly_set) { -- DEBUG(CVE_2022_38023_error_level, ( -- "CVE-2022-38023: Check if option " -- "'server schannel require seal:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name))); -- } -- TALLOC_FREE(frame); -- return s->result; -- } -- -- s->result = NT_STATUS_OK; -- -- if (s->seal_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } else { -- dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -- } -- -- if (s->schannel_explicitly_set) { -- dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -- } else { -- dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -- } -- -- DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -- "%s request (opnum[%u]) %s schannel from " -- "client_account[%s] client_computer_name[%s] %s\n", -- opname, opnum, reason, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name), -- nt_errstr(s->result))); -- -- if (s->seal_explicitly_set) { -- D_INFO("CVE-2022-38023: Option " -- "'server schannel require seal:%s = no' " -- "still needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- } else { -- /* -- * admins should set -- * server schannel require seal:COMPUTER$ = no -- * in order to avoid the level 0 messages. -- * Over time they can switch the global value -- * to be strict. -- */ -- DEBUG(CVE_2022_38023_error_level, ( -- "CVE-2022-38023: Please use " -- "'server schannel require seal:%s = no' " -- "for '%s' to avoid this warning!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- -- if (s->schannel_explicitly_set) { -- D_INFO("CVE-2020-1472(ZeroLogon): Option " -- "'server require schannel:%s = no' " -- "still needed for '%s'!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- } else { -- /* -- * admins should set -- * server require schannel:COMPUTER$ = no -- * in order to avoid the level 0 messages. -- * Over time they can switch the global value -- * to be strict. -- */ -- DEBUG(CVE_2020_1472_error_level, ( -- "CVE-2020-1472(ZeroLogon): " -- "Please use 'server require schannel:%s = no' " -- "for '%s' to avoid this warning!\n", -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name))); -- } -- -- TALLOC_FREE(frame); -- return s->result; --} -- --static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, -- const struct netlogon_creds_CredentialState *creds, -- enum dcerpc_AuthType auth_type, -- enum dcerpc_AuthLevel auth_level, -- uint16_t opnum) --{ -- struct dcesrv_netr_check_schannel_state *s = NULL; -- NTSTATUS status; -- -- status = dcesrv_netr_check_schannel_get_state(dce_call, -- creds, -- auth_type, -- auth_level, -- &s); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- return NT_STATUS_OK; --} -- --/* -- * NOTE: The following functions are nearly identical to the ones available in -- * source3/rpc_server/srv_nelog_nt.c -- * The reason we keep 2 copies is that they use different structures to -- * represent the auth_info and the decrpc pipes. -- */ --static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, -- TALLOC_CTX *mem_ctx, -- const char *computer_name, -- struct netr_Authenticator *received_authenticator, -- struct netr_Authenticator *return_authenticator, -- struct netlogon_creds_CredentialState **creds_out) --{ -- NTSTATUS nt_status; -- struct netlogon_creds_CredentialState *creds = NULL; -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -- -- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -- -- nt_status = schannel_check_creds_state(mem_ctx, -- dce_call->conn->dce_ctx->lp_ctx, -- computer_name, -- received_authenticator, -- return_authenticator, -- &creds); -- if (!NT_STATUS_IS_OK(nt_status)) { -- ZERO_STRUCTP(return_authenticator); -- return nt_status; -- } -- -- nt_status = dcesrv_netr_check_schannel(dce_call, -- creds, -- auth_type, -- auth_level, -- dce_call->pkt.u.request.opnum); -- if (!NT_STATUS_IS_OK(nt_status)) { -- TALLOC_FREE(creds); -- ZERO_STRUCTP(return_authenticator); -- return nt_status; -- } -- -- *creds_out = creds; -- return NT_STATUS_OK; --} -- - /* - Change the machine account password for the currently connected - client. Supplies only the NT#. -diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build -index e7bb773d719..0e44a3c2bae 100644 ---- a/source4/rpc_server/wscript_build -+++ b/source4/rpc_server/wscript_build -@@ -118,10 +118,10 @@ bld.SAMBA_MODULE('dcerpc_netlogon', - samba-hostconfig - DSDB_MODULE_HELPERS - util_str_escape -+ DCERPC_SERVER_NETLOGON - ''' - ) - -- - bld.SAMBA_MODULE('dcerpc_lsarpc', - source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c', - autoproto='lsa/proto.h', --- -2.39.0 - - -From 1a1f5c53c217b5336464885a70e7eef94dd0ad5f Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 16:30:26 +0100 -Subject: [PATCH 5/9] CVE-2022-38023 s3:rpc_server/netlogon: Use - dcesrv_netr_creds_server_step_check() - -After s3 and s4 rpc servers merge we can avoid duplicated code. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit 25300d354c80995997d552581cd91dddaf4bbf48) ---- - librpc/rpc/server/netlogon/schannel_util.c | 6 - - selftest/target/Samba3.pm | 14 ++ - source3/rpc_server/netlogon/srv_netlog_nt.c | 201 +++++--------------- - source3/rpc_server/wscript_build | 2 +- - 4 files changed, 58 insertions(+), 165 deletions(-) - -diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c -index 9b2a88a2628..b14497b13ce 100644 ---- a/librpc/rpc/server/netlogon/schannel_util.c -+++ b/librpc/rpc/server/netlogon/schannel_util.c -@@ -529,12 +529,6 @@ NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - return NT_STATUS_OK; - } - --/* -- * NOTE: The following functions are nearly identical to the ones available in -- * source3/rpc_server/srv_nelog_nt.c -- * The reason we keep 2 copies is that they use different structures to -- * represent the auth_info and the decrpc pipes. -- */ - NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, - TALLOC_CTX *mem_ctx, - const char *computer_name, -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b58f3d45118..75256db675c 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -288,6 +288,20 @@ sub setup_nt4_dc - server require schannel:schannel11\$ = no - server require schannel:torturetest\$ = no - -+ server schannel require seal:schannel0\$ = no -+ server schannel require seal:schannel1\$ = no -+ server schannel require seal:schannel2\$ = no -+ server schannel require seal:schannel3\$ = no -+ server schannel require seal:schannel4\$ = no -+ server schannel require seal:schannel5\$ = no -+ server schannel require seal:schannel6\$ = no -+ server schannel require seal:schannel7\$ = no -+ server schannel require seal:schannel8\$ = no -+ server schannel require seal:schannel9\$ = no -+ server schannel require seal:schannel10\$ = no -+ server schannel require seal:schannel11\$ = no -+ server schannel require seal:torturetest\$ = no -+ - fss: sequence timeout = 1 - check parent directory delete on close = yes - "; -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index a3853d482df..8e0ea522b6d 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -51,6 +51,7 @@ - #include "libsmb/dsgetdcname.h" - #include "lib/util/util_str_escape.h" - #include "source3/lib/substitute.h" -+#include "librpc/rpc/server/netlogon/schannel_util.h" - - extern userdom_struct current_user_info; - -@@ -1061,129 +1062,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, - return _netr_ServerAuthenticate3(p, &a); - } - --/************************************************************************* -- *************************************************************************/ -- --static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, -- TALLOC_CTX *mem_ctx, -- const char *computer_name, -- struct netr_Authenticator *received_authenticator, -- struct netr_Authenticator *return_authenticator, -- struct netlogon_creds_CredentialState **creds_out) --{ -- struct dcesrv_call_state *dce_call = p->dce_call; -- NTSTATUS status; -- bool schannel_global_required = (lp_server_schannel() == true) ? true:false; -- bool schannel_required = schannel_global_required; -- const char *explicit_opt = NULL; -- struct loadparm_context *lp_ctx; -- struct netlogon_creds_CredentialState *creds = NULL; -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -- uint16_t opnum = dce_call->pkt.u.request.opnum; -- const char *opname = ""; -- -- if (creds_out != NULL) { -- *creds_out = NULL; -- } -- -- if (opnum < ndr_table_netlogon.num_calls) { -- opname = ndr_table_netlogon.calls[opnum].name; -- } -- -- dcesrv_call_auth_info(dce_call, &auth_type, NULL); -- -- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); -- if (lp_ctx == NULL) { -- DEBUG(0, ("loadparm_init_s3 failed\n")); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- status = schannel_check_creds_state(mem_ctx, lp_ctx, -- computer_name, received_authenticator, -- return_authenticator, &creds); -- talloc_unlink(mem_ctx, lp_ctx); -- -- if (!NT_STATUS_IS_OK(status)) { -- ZERO_STRUCTP(return_authenticator); -- return status; -- } -- -- /* -- * We don't use lp_parm_bool(), as we -- * need the explicit_opt pointer in order to -- * adjust the debug messages. -- */ -- -- explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, -- "server require schannel", -- creds->account_name, -- NULL); -- if (explicit_opt != NULL) { -- schannel_required = lp_bool(explicit_opt); -- } -- -- if (schannel_required) { -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- *creds_out = creds; -- return NT_STATUS_OK; -- } -- -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' is needed! \n", -- log_escape(mem_ctx, creds->account_name)); -- TALLOC_FREE(creds); -- ZERO_STRUCTP(return_authenticator); -- return NT_STATUS_ACCESS_DENIED; -- } -- -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) WITH schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' not needed!?\n", -- log_escape(mem_ctx, creds->account_name)); -- -- *creds_out = creds; -- return NT_STATUS_OK; -- } -- -- if (explicit_opt != NULL) { -- DBG_INFO("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -- DBG_INFO("CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' still needed!\n", -- log_escape(mem_ctx, creds->account_name)); -- } else { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' might be needed!\n", -- log_escape(mem_ctx, creds->account_name)); -- } -- -- *creds_out = creds; -- return NT_STATUS_OK; --} -- -- - /************************************************************************* - *************************************************************************/ - -@@ -1429,11 +1307,12 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, - DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - - if (!NT_STATUS_IS_OK(status)) { -@@ -1493,11 +1372,12 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, - bool ok; - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - - if (!NT_STATUS_IS_OK(status)) { -@@ -1644,11 +1524,12 @@ NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p, - struct netlogon_creds_CredentialState *creds; - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - - return status; -@@ -2061,11 +1942,12 @@ NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p, - } - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- &return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ &return_authenticator, -+ &creds); - unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - return status; -@@ -2411,11 +2293,12 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, - NTSTATUS status; - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - return status; -@@ -2775,11 +2658,12 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, - /* TODO: check server name */ - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - return status; -@@ -2878,11 +2762,12 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, - /* TODO: check server name */ - - become_root(); -- status = netr_creds_server_step_check(p, p->mem_ctx, -- r->in.computer_name, -- r->in.credential, -- r->out.return_authenticator, -- &creds); -+ status = dcesrv_netr_creds_server_step_check(p->dce_call, -+ p->mem_ctx, -+ r->in.computer_name, -+ r->in.credential, -+ r->out.return_authenticator, -+ &creds); - unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - return status; -diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build -index 83ceca2a45c..341df41a321 100644 ---- a/source3/rpc_server/wscript_build -+++ b/source3/rpc_server/wscript_build -@@ -174,7 +174,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_NETDFS', - - bld.SAMBA3_SUBSYSTEM('RPC_NETLOGON', - source='''netlogon/srv_netlog_nt.c''', -- deps='LIBCLI_AUTH') -+ deps='LIBCLI_AUTH DCERPC_SERVER_NETLOGON') - - bld.SAMBA3_SUBSYSTEM('RPC_NTSVCS', - source='''ntsvcs/srv_ntsvcs_nt.c''', --- -2.39.0 - - -From 5e8a9c85fe9cd28727c284a7fa5465db00a16cac Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 09:29:04 +0100 -Subject: [PATCH 6/9] CVE-2022-38023 s3:rpc_server/netlogon: make sure all - _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() - -Some checks are also required for _netr_LogonSamLogonEx(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 45 +++++++++++++-------- - 1 file changed, 28 insertions(+), 17 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 8e0ea522b6d..ba2680668ed 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1632,6 +1632,11 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, - struct auth_serversupplied_info *server_info = NULL; - struct auth_context *auth_context = NULL; - const char *fn; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -+ uint16_t opnum = dce_call->pkt.u.request.opnum; -+ -+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); - - #ifdef DEBUG_PASSWORD - logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, -@@ -1642,15 +1647,37 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, - } - #endif - -- switch (dce_call->pkt.u.request.opnum) { -+ switch (opnum) { - case NDR_NETR_LOGONSAMLOGON: - fn = "_netr_LogonSamLogon"; -+ /* -+ * Already called netr_check_schannel() via -+ * netr_creds_server_step_check() -+ */ - break; - case NDR_NETR_LOGONSAMLOGONWITHFLAGS: - fn = "_netr_LogonSamLogonWithFlags"; -+ /* -+ * Already called netr_check_schannel() via -+ * netr_creds_server_step_check() -+ */ - break; - case NDR_NETR_LOGONSAMLOGONEX: - fn = "_netr_LogonSamLogonEx"; -+ -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ status = dcesrv_netr_check_schannel(p->dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ opnum); -+ if (NT_STATUS_IS_ERR(status)) { -+ return status; -+ } -+ - break; - default: - return NT_STATUS_INTERNAL_ERROR; -@@ -1881,10 +1908,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, - r->out.validation->sam3); - break; - case 6: { -- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -- -- dcesrv_call_auth_info(dce_call, NULL, &auth_level); -- - /* Only allow this if the pipe is protected. */ - if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) { - DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n", -@@ -1997,8 +2020,6 @@ NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p, - NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, - struct netr_LogonSamLogonEx *r) - { -- struct dcesrv_call_state *dce_call = p->dce_call; -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - NTSTATUS status; - struct netlogon_creds_CredentialState *creds = NULL; - struct loadparm_context *lp_ctx; -@@ -2010,16 +2031,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, - return status; - } - -- /* Only allow this if the pipe is protected. */ -- -- dcesrv_call_auth_info(dce_call, &auth_type, NULL); -- -- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", -- get_remote_machine_name() )); -- return NT_STATUS_INVALID_PARAMETER; -- } -- - lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); - if (lp_ctx == NULL) { - DEBUG(0, ("loadparm_init_s3 failed\n")); --- -2.39.0 - - -From f4682b16e9e5bdc4decf6c9d02388d540482b6a7 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 11:05:33 +0100 -Subject: [PATCH 7/9] CVE-2022-38023 s3:rpc_server/netlogon: Check for global - "server schannel require seal" - -By default we'll now require schannel connections with privacy/sealing/encryption. - -But we allow exceptions for specific computer/trust accounts. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit a0b97e262318dc56fe663da89b0ee3172b2e7848) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index ba2680668ed..a6f56a5ca21 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -2895,7 +2895,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context - struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; - int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); -+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); - static bool warned_global_schannel_once = false; -+ static bool warned_global_seal_once = false; - - if (!schannel_global_required && !warned_global_schannel_once) { - /* -@@ -2907,6 +2909,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context - warned_global_schannel_once = true; - } - -+ if (!global_require_seal && !warned_global_seal_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'server schannel require seal = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_seal_once = true; -+ } -+ - return NT_STATUS_OK; - } - --- -2.39.0 - - -From 5ddca0370de470bf1c532a6883e0b9fa0dedf6c4 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 9 Jan 2023 12:17:48 +0100 -Subject: [PATCH 8/9] CVE-2022-38023 docs-xml/smbdotconf: The "server schannel - require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon - server. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider -(cherry picked from commit 02fba22b8c9e9b33ab430555ef45500c45eaa9d1) ---- - docs-xml/smbdotconf/security/serverschannelrequireseal.xml | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml -index d4620d1252d..0bec67d2519 100644 ---- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml -+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml -@@ -12,9 +12,8 @@ - - - -- This option controls whether the netlogon server (currently -- only in 'active directory domain controller' mode), will -- reject the usage of netlogon secure channel without privacy/enryption. -+ This option controls whether the netlogon server, will reject the usage -+ of netlogon secure channel without privacy/enryption. - - - --- -2.39.0 - - -From 2cb3ecb5c258fd23ca2f1fd2635be90336a0d7e0 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 22 Dec 2022 16:32:40 +0100 -Subject: [PATCH 9/9] CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary - loadparm_context allocations - -After s3 and s4 rpc servers merge the loadparm_context is available in -the dcesrv_context structure. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jan 9 15:17:14 UTC 2023 on sn-devel-184 - -(cherry picked from commit 56837f3d3169a02d0d92bd085d9c8250415ce29b) ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 21 ++------------------- - 1 file changed, 2 insertions(+), 19 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index a6f56a5ca21..7d17ab79f3d 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -880,7 +880,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, - * so use a copy to avoid destroying the client values. */ - uint32_t in_neg_flags = *r->in.negotiate_flags; - const char *fn; -- struct loadparm_context *lp_ctx; -+ struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx; - struct dom_sid sid; - struct samr_Password mach_pwd; - struct netlogon_creds_CredentialState *creds; -@@ -1009,20 +1009,11 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, - goto out; - } - -- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); -- if (lp_ctx == NULL) { -- DEBUG(10, ("loadparm_init_s3 failed\n")); -- status = NT_STATUS_INTERNAL_ERROR; -- goto out; -- } -- - /* Store off the state so we can continue after client disconnect. */ - become_root(); - status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds); - unbecome_root(); - -- talloc_unlink(p->mem_ctx, lp_ctx); -- - if (!NT_STATUS_IS_OK(status)) { - ZERO_STRUCTP(r->out.return_credentials); - goto out; -@@ -2022,7 +2013,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, - { - NTSTATUS status; - struct netlogon_creds_CredentialState *creds = NULL; -- struct loadparm_context *lp_ctx; -+ struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx; - - *r->out.authoritative = true; - -@@ -2031,18 +2022,10 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, - return status; - } - -- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); -- if (lp_ctx == NULL) { -- DEBUG(0, ("loadparm_init_s3 failed\n")); -- return NT_STATUS_INTERNAL_ERROR; -- } -- - become_root(); - status = schannel_get_creds_state(p->mem_ctx, lp_ctx, - r->in.computer_name, &creds); - unbecome_root(); -- talloc_unlink(p->mem_ctx, lp_ctx); -- - if (!NT_STATUS_IS_OK(status)) { - return status; - } --- -2.39.0 - diff --git a/SOURCES/CVE-2022-38023-v4-16.patch b/SOURCES/CVE-2022-38023-v4-16.patch deleted file mode 100644 index 54e0604..0000000 --- a/SOURCES/CVE-2022-38023-v4-16.patch +++ /dev/null @@ -1,4417 +0,0 @@ -From e39dcc08705f0bf59a57ad835821cef41ec8b1e6 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 6 Dec 2022 16:00:36 +0100 -Subject: [PATCH 01/30] CVE-2022-38023 docs-xml: improve wording for several - options: "takes precedence" -> "overrides" - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Ralph Boehme -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9) ---- - docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +- - docs-xml/smbdotconf/security/serverschannel.xml | 2 +- - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +- - docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -index 41684ef10805..0bb9f6f6c8ec 100644 ---- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -@@ -10,7 +10,7 @@ - You can set this to yes if all domain members support aes. - This will prevent downgrade attacks. - -- This option takes precedence to the 'allow nt4 crypto' option. -+ This option overrides the 'allow nt4 crypto' option. - - - no -diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml -index b682d086f76b..79e4e73a95c9 100644 ---- a/docs-xml/smbdotconf/security/serverschannel.xml -+++ b/docs-xml/smbdotconf/security/serverschannel.xml -@@ -59,7 +59,7 @@ - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 - - -- This option takes precedence to the option. -+ This option overrides the option. - - - server require schannel:LEGACYCOMPUTER1$ = no -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -index 37656293aa47..151b4676c57b 100644 ---- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -@@ -15,7 +15,7 @@ - The behavior can be controlled per netbios domain - by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. - -- This option takes precedence to the option. -+ This option overrides the option. - - - no -diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml -index 4db62bfb02db..b17620ec8f1d 100644 ---- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml -+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml -@@ -19,7 +19,7 @@ - - This option yields precedence to the option. - -- This option takes precedence to the option. -+ This option overrides the option. - - - yes --- -2.34.1 - - -From 75fcaa4792afde7599d23316788ce8bbf780fe8a Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 6 Dec 2022 16:05:26 +0100 -Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several - options: "yields precedence" -> "is over-riden" - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Ralph Boehme -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251) ---- - docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +- - docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +- - docs-xml/smbdotconf/security/clientschannel.xml | 2 +- - docs-xml/smbdotconf/security/serverschannel.xml | 2 +- - docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml -index 03dc8fa93f72..06afcef73b1b 100644 ---- a/docs-xml/smbdotconf/logon/allownt4crypto.xml -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml -@@ -18,7 +18,7 @@ - - "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. - -- This option yields precedence to the 'reject md5 clients' option. -+ This option is over-ridden by the 'reject md5 clients' option. - - - no -diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml -index 03531adbfb36..8bccab391cc2 100644 ---- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml -+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml -@@ -15,7 +15,7 @@ - The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, - winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. - -- This option yields precedence to the implementation specific restrictions. -+ This option is over-ridden by the implementation specific restrictions. - E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. - The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. - -diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml -index 5b07da95050c..d124ad481818 100644 ---- a/docs-xml/smbdotconf/security/clientschannel.xml -+++ b/docs-xml/smbdotconf/security/clientschannel.xml -@@ -23,7 +23,7 @@ - Note that for active directory domains this is hardcoded to - yes. - -- This option yields precedence to the option. -+ This option is over-ridden by the option. - - yes - auto -diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml -index 79e4e73a95c9..3e66df1c2032 100644 ---- a/docs-xml/smbdotconf/security/serverschannel.xml -+++ b/docs-xml/smbdotconf/security/serverschannel.xml -@@ -23,7 +23,7 @@ - If you still have legacy domain members use the option. - - -- This option yields precedence to the option. -+ This option is over-ridden by the option. - - - -diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml -index b17620ec8f1d..9c1c1d7af148 100644 ---- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml -+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml -@@ -17,7 +17,7 @@ - - Note for active directory domain this option is hardcoded to 'yes' - -- This option yields precedence to the option. -+ This option is over-ridden by the option. - - This option overrides the option. - --- -2.34.1 - - -From cbf7cf691860d92c1890009b639a1fd495cf1cf2 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 14:46:59 +0100 -Subject: [PATCH 03/30] CVE-2022-38023 libcli/auth: pass lp_ctx to - netlogon_creds_cli_set_global_db() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209) ---- - libcli/auth/netlogon_creds_cli.c | 3 ++- - libcli/auth/netlogon_creds_cli.h | 2 +- - source3/rpc_client/cli_netlogon.c | 2 +- - source3/utils/destroy_netlogon_creds_cli.c | 2 +- - 4 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index e92a042c0120..030191174dca 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -202,7 +202,8 @@ static NTSTATUS netlogon_creds_cli_context_common( - - static struct db_context *netlogon_creds_cli_global_db; - --NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db) -+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, -+ struct db_context **db) - { - if (netlogon_creds_cli_global_db != NULL) { - return NT_STATUS_INVALID_PARAMETER_MIX; -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h -index 6f40a46aa0a6..d10197c2d2af 100644 ---- a/libcli/auth/netlogon_creds_cli.h -+++ b/libcli/auth/netlogon_creds_cli.h -@@ -31,7 +31,7 @@ struct messaging_context; - struct dcerpc_binding_handle; - struct db_context; - --NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db); -+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db); - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); - void netlogon_creds_cli_close_global_db(void); - -diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c -index 50dae9d7f3eb..18664e8b91af 100644 ---- a/source3/rpc_client/cli_netlogon.c -+++ b/source3/rpc_client/cli_netlogon.c -@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void) - return NT_STATUS_NO_MEMORY; - } - -- status = netlogon_creds_cli_set_global_db(&global_db); -+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); - TALLOC_FREE(frame); - if (!NT_STATUS_IS_OK(status)) { - return status; -diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c -index f28cad527dfb..a2e1952e434c 100644 ---- a/source3/utils/destroy_netlogon_creds_cli.c -+++ b/source3/utils/destroy_netlogon_creds_cli.c -@@ -82,7 +82,7 @@ int main(int argc, const char *argv[]) - goto done; - } - -- status = netlogon_creds_cli_set_global_db(&global_db); -+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); - if (!NT_STATUS_IS_OK(status)) { - fprintf(stderr, - "netlogon_creds_cli_set_global_db failed: %s\n", --- -2.34.1 - - -From 2c4f9869b208cfd969607248420e36e3bd4aecfa Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 14:47:33 +0100 -Subject: [PATCH 04/30] CVE-2022-38023 libcli/auth: add/use - netlogon_creds_cli_warn_options() - -This warns the admin about insecure options - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme - -(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800) -[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to - getpid()] ---- - libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++ - libcli/auth/netlogon_creds_cli.h | 2 + - 2 files changed, 68 insertions(+) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 030191174dca..3794d8b6b6ef 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db; - NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, - struct db_context **db) - { -+ netlogon_creds_cli_warn_options(lp_ctx); -+ - if (netlogon_creds_cli_global_db != NULL) { - return NT_STATUS_INVALID_PARAMETER_MIX; - } -@@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx) - struct db_context *global_db; - int hash_size, tdb_flags; - -+ netlogon_creds_cli_warn_options(lp_ctx); -+ - if (netlogon_creds_cli_global_db != NULL) { - return NT_STATUS_OK; - } -@@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void) - TALLOC_FREE(netlogon_creds_cli_global_db); - } - -+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) -+{ -+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx); -+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); -+ int global_client_schannel = lpcfg_client_schannel(lp_ctx); -+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); -+ static bool warned_global_reject_md5_servers = false; -+ static bool warned_global_require_strong_key = false; -+ static bool warned_global_client_schannel = false; -+ static bool warned_global_seal_secure_channel = false; -+ static int warned_global_pid = 0; -+ int current_pid = getpid(); -+ -+ if (warned_global_pid != current_pid) { -+ warned_global_reject_md5_servers = false; -+ warned_global_require_strong_key = false; -+ warned_global_client_schannel = false; -+ warned_global_seal_secure_channel = false; -+ warned_global_pid = current_pid; -+ } -+ -+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'reject md5 servers = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_reject_md5_servers = true; -+ } -+ -+ if (!global_require_strong_key && !warned_global_require_strong_key) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'require strong key = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_require_strong_key = true; -+ } -+ -+ if (global_client_schannel != true && !warned_global_client_schannel) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'client schannel = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_client_schannel = true; -+ } -+ -+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'winbind sealed pipes = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_seal_secure_channel = true; -+ } -+} -+ - NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, - struct messaging_context *msg_ctx, - const char *client_account, -diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h -index d10197c2d2af..600242e1aea7 100644 ---- a/libcli/auth/netlogon_creds_cli.h -+++ b/libcli/auth/netlogon_creds_cli.h -@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc - NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); - void netlogon_creds_cli_close_global_db(void); - -+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx); -+ - NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, - struct messaging_context *msg_ctx, - const char *client_account, --- -2.34.1 - - -From 558c68e0915885ed77b3d02e52d93f4c64a0e20e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 16:16:05 +0100 -Subject: [PATCH 05/30] CVE-2022-38023 s3:net: add and use - net_warn_member_options() helper - -This makes sure domain member related 'net' commands print warnings -about unsecure smb.conf options. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a) ---- - source3/utils/net.c | 6 ++++++ - source3/utils/net_ads.c | 14 ++++++++++++++ - source3/utils/net_dom.c | 2 ++ - source3/utils/net_join.c | 2 ++ - source3/utils/net_offlinejoin.c | 2 ++ - source3/utils/net_proto.h | 2 ++ - source3/utils/net_rpc.c | 10 ++++++++++ - source3/utils/net_util.c | 14 ++++++++++++++ - 8 files changed, 52 insertions(+) - -diff --git a/source3/utils/net.c b/source3/utils/net.c -index e1e14743c117..b96d7f5d9d48 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param) - - static int net_changetrustpw(struct net_context *c, int argc, const char **argv) - { -+ net_warn_member_options(); -+ - if (net_ads_check_our_domain(c) == 0) - return net_ads_changetrustpw(c, argc, argv); - -@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc, - return 1; - } - -+ net_warn_member_options(); -+ - if (c->opt_stdin) { - set_line_buffering(stdin); - set_line_buffering(stdout); -@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc, - return 1; - } - -+ net_warn_member_options(); -+ - if(c->opt_force) { - struct secrets_domain_info1 *info = NULL; - struct secrets_domain_info1_change *prev = NULL; -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index d666f7fc3ec9..cc0d4a0d966c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -1306,6 +1306,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { - return -1; - } -@@ -1447,6 +1449,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) - return NT_STATUS_ACCESS_DENIED; - } - -+ net_warn_member_options(); -+ - net_use_krb_machine_account(c); - - get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); -@@ -1477,6 +1481,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - /* Display success or failure */ - status = net_ads_join_ok(c); - if (!NT_STATUS_IS_OK(status)) { -@@ -1571,6 +1577,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) - if (c->display_usage) - return net_ads_join_usage(c, argc, argv); - -+ net_warn_member_options(); -+ - if (!modify_config) { - - werr = check_ads_config(); -@@ -2505,6 +2513,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) - return -1; - } - -+ net_warn_member_options(); -+ - net_use_krb_machine_account(c); - - use_in_memory_ccache(); -@@ -2778,6 +2788,8 @@ static int net_ads_keytab_add(struct net_context *c, - return 0; - } - -+ net_warn_member_options(); -+ - d_printf(_("Processing principals to add...\n")); - - if (!c->opt_user_specified && c->opt_password == NULL) { -@@ -2822,6 +2834,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a - return 0; - } - -+ net_warn_member_options(); -+ - if (!c->opt_user_specified && c->opt_password == NULL) { - net_use_krb_machine_account(c); - } -diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c -index 13e65a933142..4b48e1566bc8 100644 ---- a/source3/utils/net_dom.c -+++ b/source3/utils/net_dom.c -@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv) - return net_dom_usage(c, argc, argv); - } - -+ net_warn_member_options(); -+ - if (c->opt_host) { - server_name = c->opt_host; - } -diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c -index 1493dff74d7b..f67f08f79a81 100644 ---- a/source3/utils/net_join.c -+++ b/source3/utils/net_join.c -@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - if (net_ads_check_our_domain(c) == 0) { - if (net_ads_join(c, argc, argv) == 0) - return 0; -diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c -index 03e5df0eace9..0cfd5fdfe235 100644 ---- a/source3/utils/net_offlinejoin.c -+++ b/source3/utils/net_offlinejoin.c -@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv) - return -1; - } - -+ net_warn_member_options(); -+ - status = libnetapi_net_init(&c->netapi_ctx); - if (status != 0) { - return -1; -diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h -index b6ff639a0941..42096ba218d5 100644 ---- a/source3/utils/net_proto.h -+++ b/source3/utils/net_proto.h -@@ -442,6 +442,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv, - const char *whoami, struct functable *table); - void net_display_usage_from_functable(struct functable *table); - -+void net_warn_member_options(void); -+ - const char *net_share_type_str(int num_type); - - NTSTATUS net_scan_dc(struct net_context *c, -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c -index 97c0158d612f..16a541413d2e 100644 ---- a/source3/utils/net_rpc.c -+++ b/source3/utils/net_rpc.c -@@ -371,6 +371,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - mem_ctx = talloc_init("net_rpc_oldjoin"); - if (!mem_ctx) { - return -1; -@@ -490,6 +492,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - mem_ctx = talloc_init("net_rpc_testjoin"); - if (!mem_ctx) { - return -1; -@@ -564,6 +568,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a - return 0; - } - -+ net_warn_member_options(); -+ - mem_ctx = talloc_init("net_rpc_join_newstyle"); - if (!mem_ctx) { - return -1; -@@ -685,6 +691,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv) - return -1; - } - -+ net_warn_member_options(); -+ - if (strlen(lp_netbios_name()) > 15) { - d_printf(_("Our netbios name can be at most 15 chars long, " - "\"%s\" is %u chars long\n"), -@@ -815,6 +823,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv) - return 0; - } - -+ net_warn_member_options(); -+ - return run_rpc_command(c, NULL, &ndr_table_samr, - NET_FLAGS_PDC, rpc_info_internals, - argc, argv); -diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c -index 298d9a64dc0c..f3b7755063bf 100644 ---- a/source3/utils/net_util.c -+++ b/source3/utils/net_util.c -@@ -31,6 +31,7 @@ - #include "libsmb/libsmb.h" - #include "lib/param/param.h" - #include "auth/gensec/gensec.h" -+#include "libcli/auth/netlogon_creds_cli.h" - #include "lib/cmdline/cmdline.h" - - NTSTATUS net_rpc_lookup_name(struct net_context *c, -@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table) - } - } - -+void net_warn_member_options(void) -+{ -+ TALLOC_CTX *frame = talloc_stackframe(); -+ struct loadparm_context *lp_ctx = NULL; -+ -+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); -+ if (lp_ctx != NULL) { -+ netlogon_creds_cli_warn_options(lp_ctx); -+ } -+ -+ TALLOC_FREE(frame); -+} -+ - const char *net_share_type_str(int num_type) - { - switch(num_type) { --- -2.34.1 - - -From 9172fa1fe342a13c773d14c73ffcaa9f9561cdc7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 14:59:36 +0100 -Subject: [PATCH 06/30] CVE-2022-38023 s3:winbindd: also allow per domain - "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" - -This avoids advising insecure defaults for the global options. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef) ---- - source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++------- - 1 file changed, 33 insertions(+), 8 deletions(-) - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 6c6dd88a5aa4..5532e0cd0cc8 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -2431,6 +2431,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - bool retry = false; /* allow one retry attempt for expired session */ - const char *remote_name = NULL; - const struct sockaddr_storage *remote_sockaddr = NULL; -+ bool sealed_pipes = true; -+ bool strong_key = true; - - if (sid_check_is_our_sam(&domain->sid)) { - if (domain->rodc == false || need_rw_dc == false) { -@@ -2610,14 +2612,24 @@ retry: - - anonymous: - -+ sealed_pipes = lp_winbind_sealed_pipes(); -+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", -+ domain->name, -+ sealed_pipes); -+ strong_key = lp_require_strong_key(); -+ strong_key = lp_parm_bool(-1, "require strong key", -+ domain->name, -+ strong_key); -+ - /* Finally fall back to anonymous. */ -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if (sealed_pipes || strong_key) { - status = NT_STATUS_DOWNGRADE_DETECTED; - DEBUG(1, ("Unwilling to make SAMR connection to domain %s " - "without connection level security, " -- "must set 'winbind sealed pipes = false' and " -- "'require strong key = false' to proceed: %s\n", -- domain->name, nt_errstr(status))); -+ "must set 'winbind sealed pipes:%s = false' and " -+ "'require strong key:%s = false' to proceed: %s\n", -+ domain->name, domain->name, domain->name, -+ nt_errstr(status))); - goto done; - } - status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, -@@ -2774,6 +2786,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - bool retry = false; /* allow one retry attempt for expired session */ - const char *remote_name = NULL; - const struct sockaddr_storage *remote_sockaddr = NULL; -+ bool sealed_pipes = true; -+ bool strong_key = true; - - retry: - result = init_dc_connection_rpc(domain, false); -@@ -2935,13 +2949,24 @@ retry: - goto done; - } - -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ sealed_pipes = lp_winbind_sealed_pipes(); -+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", -+ domain->name, -+ sealed_pipes); -+ strong_key = lp_require_strong_key(); -+ strong_key = lp_parm_bool(-1, "require strong key", -+ domain->name, -+ strong_key); -+ -+ /* Finally fall back to anonymous. */ -+ if (sealed_pipes || strong_key) { - result = NT_STATUS_DOWNGRADE_DETECTED; - DEBUG(1, ("Unwilling to make LSA connection to domain %s " - "without connection level security, " -- "must set 'winbind sealed pipes = false' and " -- "'require strong key = false' to proceed: %s\n", -- domain->name, nt_errstr(result))); -+ "must set 'winbind sealed pipes:%s = false' and " -+ "'require strong key:%s = false' to proceed: %s\n", -+ domain->name, domain->name, domain->name, -+ nt_errstr(result))); - goto done; - } - --- -2.34.1 - - -From 434812f94ee12bdb55dbe8072702426f85610c02 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 24 Nov 2022 18:22:23 +0100 -Subject: [PATCH 07/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 - servers' default to yes - -AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no -reason to allow md5 servers by default. - -Note the change in netlogon_creds_cli_context_global() is only cosmetic, -but avoids confusion while reading the code. Check with: - - git show -U35 libcli/auth/netlogon_creds_cli.c - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584) ---- - docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++-- - lib/param/loadparm.c | 1 + - libcli/auth/netlogon_creds_cli.c | 4 ++-- - source3/param/loadparm.c | 1 + - 4 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -index 151b4676c57b..3bc4eaf7b02e 100644 ---- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml -@@ -13,10 +13,13 @@ - This will prevent downgrade attacks. - - The behavior can be controlled per netbios domain -- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. -+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option. -+ -+ The default changed from 'no' to 'yes, with the patches for CVE-2022-38023, -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240 - - This option overrides the option. - - --no -+yes - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index d6d845391e6f..e953499efba3 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -2666,6 +2666,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); - lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False"); - lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); -+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True"); - lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); - lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); - lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR); -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 3794d8b6b6ef..ca5619d38703 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, - const char *client_computer; - uint32_t proposed_flags; - uint32_t required_flags = 0; -- bool reject_md5_servers = false; -- bool require_strong_key = false; -+ bool reject_md5_servers = true; -+ bool require_strong_key = true; - int require_sign_or_seal = true; - bool seal_secure_channel = true; - enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 21e061939e3e..91747e09eccd 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - Globals.client_schannel = true; - Globals.winbind_sealed_pipes = true; - Globals.require_strong_key = true; -+ Globals.reject_md5_servers = true; - Globals.server_schannel = true; - Globals.read_raw = true; - Globals.write_raw = true; --- -2.34.1 - - -From 8ccaf7d47ad13313c7a80ac5f857425080d5fbab Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Dec 2022 10:56:29 +0100 -Subject: [PATCH 08/30] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel - != yes' warning to dcesrv_interface_netlogon_bind - -This will simplify the following changes. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++-------- - 1 file changed, 15 insertions(+), 11 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index cfd6d148b0a3..f63c3981f749 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -63,6 +63,21 @@ - static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, - const struct dcesrv_interface *iface) - { -+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; -+ int schannel = lpcfg_server_schannel(lp_ctx); -+ bool schannel_global_required = (schannel == true); -+ static bool warned_global_schannel_once = false; -+ -+ if (!schannel_global_required && !warned_global_schannel_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2020-1472(ZeroLogon): " -+ "Please configure 'server schannel = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -+ warned_global_schannel_once = true; -+ } -+ - return dcesrv_interface_bind_reject_connect(context, iface); - } - -@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - uint16_t opnum = dce_call->pkt.u.request.opnum; - const char *opname = ""; -- static bool warned_global_once = false; - - if (opnum < ndr_table_netlogon.num_calls) { - opname = ndr_table_netlogon.calls[opnum].name; -@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - return NT_STATUS_ACCESS_DENIED; - } - -- if (!schannel_global_required && !warned_global_once) { -- /* -- * We want admins to notice their misconfiguration! -- */ -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "Please configure 'server schannel = yes', " -- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -- warned_global_once = true; -- } -- - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "%s request (opnum[%u]) WITH schannel from " --- -2.34.1 - - -From 268d1ac2f8ce3fb92a3433ada5e229d23c18c4f6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 12 Dec 2022 14:03:50 +0100 -Subject: [PATCH 09/30] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx - variable to dcesrv_netr_creds_server_step_check() - -This will simplify the following changes. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index f63c3981f749..43dcd7271729 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -636,8 +636,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - struct netr_Authenticator *return_authenticator, - struct netlogon_creds_CredentialState **creds_out) - { -+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; - NTSTATUS nt_status; -- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); -+ int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); - bool schannel_required = schannel_global_required; - const char *explicit_opt = NULL; -@@ -653,7 +654,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - dcesrv_call_auth_info(dce_call, &auth_type, NULL); - - nt_status = schannel_check_creds_state(mem_ctx, -- dce_call->conn->dce_ctx->lp_ctx, -+ lp_ctx, - computer_name, - received_authenticator, - return_authenticator, -@@ -668,7 +669,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - * need the explicit_opt pointer in order to - * adjust the debug messages. - */ -- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, -+ explicit_opt = lpcfg_get_parametric(lp_ctx, - NULL, - "server require schannel", - creds->account_name); --- -2.34.1 - - -From e4d8f31296ab5f2013585039a6e47c1a4b826ea8 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 12 Dec 2022 14:03:50 +0100 -Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add - talloc_stackframe() to dcesrv_netr_creds_server_step_check() - -This will simplify the following changes. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++-------- - 1 file changed, 19 insertions(+), 13 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 43dcd7271729..95fd1526d5a5 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - struct netlogon_creds_CredentialState **creds_out) - { - struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -+ TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS nt_status; - int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); -@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - if (schannel_required) { - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - *creds_out = creds; -+ TALLOC_FREE(frame); - return NT_STATUS_OK; - } - -@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - "%s request (opnum[%u]) without schannel from " - "client_account[%s] client_computer_name[%s]\n", - opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' is needed! \n", -- log_escape(mem_ctx, creds->account_name)); -+ "'server require schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name)); - TALLOC_FREE(creds); - ZERO_STRUCTP(return_authenticator); -+ TALLOC_FREE(frame); - return NT_STATUS_ACCESS_DENIED; - } - -@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - "%s request (opnum[%u]) WITH schannel from " - "client_account[%s] client_computer_name[%s]\n", - opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "Option 'server require schannel:%s = no' not needed!?\n", -- log_escape(mem_ctx, creds->account_name)); -+ log_escape(frame, creds->account_name)); - - *creds_out = creds; -+ TALLOC_FREE(frame); - return NT_STATUS_OK; - } - -@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - "%s request (opnum[%u]) without schannel from " - "client_account[%s] client_computer_name[%s]\n", - opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); - DBG_INFO("CVE-2020-1472(ZeroLogon): " - "Option 'server require schannel:%s = no' still needed!\n", -- log_escape(mem_ctx, creds->account_name)); -+ log_escape(frame, creds->account_name)); - } else { - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "%s request (opnum[%u]) without schannel from " - "client_account[%s] client_computer_name[%s]\n", - opname, opnum, -- log_escape(mem_ctx, creds->account_name), -- log_escape(mem_ctx, creds->computer_name)); -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); - DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " - "'server require schannel:%s = no' might be needed!\n", -- log_escape(mem_ctx, creds->account_name)); -+ log_escape(frame, creds->account_name)); - } - - *creds_out = creds; -+ TALLOC_FREE(frame); - return NT_STATUS_OK; - } - --- -2.34.1 - - -From 4e129119e3a2e1bfca623eb11d721329e53fba17 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 12:37:03 +0100 -Subject: [PATCH 11/30] CVE-2022-38023 s4:rpc_server/netlogon: re-order - checking in dcesrv_netr_creds_server_step_check() - -This will simplify the following changes. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++---------- - 1 file changed, 19 insertions(+), 22 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 95fd1526d5a5..33063942e161 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -678,13 +678,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - schannel_required = lp_bool(explicit_opt); - } - -- if (schannel_required) { -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- *creds_out = creds; -- TALLOC_FREE(frame); -- return NT_STATUS_OK; -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (!schannel_required) { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) WITH schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } -+ if (explicit_opt != NULL && !schannel_required) { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed!?\n", -+ log_escape(frame, creds->account_name)); - } - -+ *creds_out = creds; -+ TALLOC_FREE(frame); -+ return NT_STATUS_OK; -+ } -+ -+ if (schannel_required) { - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "%s request (opnum[%u]) without schannel from " - "client_account[%s] client_computer_name[%s]\n", -@@ -701,23 +715,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - return NT_STATUS_ACCESS_DENIED; - } - -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) WITH schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' not needed!?\n", -- log_escape(frame, creds->account_name)); -- -- *creds_out = creds; -- TALLOC_FREE(frame); -- return NT_STATUS_OK; -- } -- -- - if (explicit_opt != NULL) { - DBG_INFO("CVE-2020-1472(ZeroLogon): " - "%s request (opnum[%u]) without schannel from " --- -2.34.1 - - -From 200da32d3573912098d68fd9b72f491317feb506 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 12:37:03 +0100 -Subject: [PATCH 12/30] CVE-2022-38023 s4:rpc_server/netlogon: improve - CVE-2020-1472(ZeroLogon) debug messages - -In order to avoid generating useless debug messages during make test, -we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' -and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. - -Review with: git show -w - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++----- - 1 file changed, 106 insertions(+), 41 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 33063942e161..3c77d1302993 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -644,15 +644,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - bool schannel_required = schannel_global_required; - const char *explicit_opt = NULL; - struct netlogon_creds_CredentialState *creds = NULL; -+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); -+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); -+ unsigned int dbg_lvl = DBGLVL_DEBUG; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; - uint16_t opnum = dce_call->pkt.u.request.opnum; - const char *opname = ""; -+ const char *reason = ""; - - if (opnum < ndr_table_netlogon.num_calls) { - opname = ndr_table_netlogon.calls[opnum].name; - } - -- dcesrv_call_auth_info(dce_call, &auth_type, NULL); -+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -+ -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -+ reason = "WITH SEALED"; -+ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { -+ reason = "WITH SIGNED"; -+ } else { -+ smb_panic("Schannel without SIGN/SEAL"); -+ } -+ } else { -+ reason = "WITHOUT"; -+ } - - nt_status = schannel_check_creds_state(mem_ctx, - lp_ctx, -@@ -679,62 +698,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - } - - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- if (!schannel_required) { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) WITH schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -+ nt_status = NT_STATUS_OK; -+ -+ if (explicit_opt != NULL && !schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -+ } else if (!schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(nt_status))); -+ - if (explicit_opt != NULL && !schannel_required) { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' not needed!?\n", -- log_escape(frame, creds->account_name)); -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); - } - - *creds_out = creds; - TALLOC_FREE(frame); -- return NT_STATUS_OK; -+ return nt_status; - } - - if (schannel_required) { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' " -- "might be needed for a legacy client.\n", -- log_escape(frame, creds->account_name)); -+ nt_status = NT_STATUS_ACCESS_DENIED; -+ -+ if (explicit_opt != NULL) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(nt_status))); -+ if (explicit_opt != NULL) { -+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } - TALLOC_FREE(creds); - ZERO_STRUCTP(return_authenticator); - TALLOC_FREE(frame); -- return NT_STATUS_ACCESS_DENIED; -+ return nt_status; - } - -+ nt_status = NT_STATUS_OK; -+ - if (explicit_opt != NULL) { -- DBG_INFO("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- DBG_INFO("CVE-2020-1472(ZeroLogon): " -- "Option 'server require schannel:%s = no' still needed!\n", -- log_escape(frame, creds->account_name)); -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } else { -- DBG_ERR("CVE-2020-1472(ZeroLogon): " -- "%s request (opnum[%u]) without schannel from " -- "client_account[%s] client_computer_name[%s]\n", -- opname, opnum, -- log_escape(frame, creds->account_name), -- log_escape(frame, creds->computer_name)); -- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -- "'server require schannel:%s = no' might be needed!\n", -- log_escape(frame, creds->account_name)); -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(nt_status))); -+ -+ if (explicit_opt != NULL) { -+ D_INFO("CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = no' " -+ "still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else { -+ /* -+ * admins should set -+ * server require schannel:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Please use 'server require schannel:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); - } - - *creds_out = creds; --- -2.34.1 - - -From 0038d0302c807bc76b073de3aeed13a29c1fc458 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 12:26:01 +0100 -Subject: [PATCH 13/30] CVE-2022-38023 selftest:Samba4: avoid global 'server - schannel = auto' - -Instead of using the generic deprecated option use the specific -server require schannel:COMPUTERACCOUNT = no in order to allow -legacy tests for pass. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c) ---- - selftest/target/Samba4.pm | 40 ++++++++++++++++++++++++++++++++++++--- - 1 file changed, 37 insertions(+), 3 deletions(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index b004042738a7..d26022466c66 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1616,10 +1616,27 @@ sub provision_ad_dc_ntvfs($$$) - dsdb event notification = true - dsdb password event notification = true - dsdb group change notification = true -- server schannel = auto - # override the new SMB2 only default - client min protocol = CORE - server min protocol = LANMAN1 -+ -+ CVE_2020_1472:warn_about_unused_debug_level = 3 -+ server require schannel:schannel0\$ = no -+ server require schannel:schannel1\$ = no -+ server require schannel:schannel2\$ = no -+ server require schannel:schannel3\$ = no -+ server require schannel:schannel4\$ = no -+ server require schannel:schannel5\$ = no -+ server require schannel:schannel6\$ = no -+ server require schannel:schannel7\$ = no -+ server require schannel:schannel8\$ = no -+ server require schannel:schannel9\$ = no -+ server require schannel:schannel10\$ = no -+ server require schannel:schannel11\$ = no -+ server require schannel:torturetest\$ = no -+ -+ # needed for 'samba.tests.auth_log' tests -+ server require schannel:LOCALDC\$ = no - "; - push (@{$extra_provision_options}, "--use-ntvfs"); - my $ret = $self->provision($prefix, -@@ -1968,8 +1985,22 @@ sub provision_ad_dc($$$$$$$) - lpq cache time = 0 - print notify backchannel = yes - -- server schannel = auto -- auth event notification = true -+ CVE_2020_1472:warn_about_unused_debug_level = 3 -+ server require schannel:schannel0\$ = no -+ server require schannel:schannel1\$ = no -+ server require schannel:schannel2\$ = no -+ server require schannel:schannel3\$ = no -+ server require schannel:schannel4\$ = no -+ server require schannel:schannel5\$ = no -+ server require schannel:schannel6\$ = no -+ server require schannel:schannel7\$ = no -+ server require schannel:schannel8\$ = no -+ server require schannel:schannel9\$ = no -+ server require schannel:schannel10\$ = no -+ server require schannel:schannel11\$ = no -+ server require schannel:torturetest\$ = no -+ -+ auth event notification = true - dsdb event notification = true - dsdb password event notification = true - dsdb group change notification = true -@@ -2658,6 +2689,9 @@ sub setup_ad_dc_smb1 - [global] - client min protocol = CORE - server min protocol = LANMAN1 -+ -+ # needed for 'samba.tests.auth_log' tests -+ server require schannel:ADDCSMB1\$ = no - "; - return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); - } --- -2.34.1 - - -From 76855044472bf75f75a204e0fe411b457478363c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 28 Nov 2022 15:02:13 +0100 -Subject: [PATCH 14/30] CVE-2022-38023 s4:torture: use - NETLOGON_NEG_SUPPORTS_AES by default - -For generic tests we should use the best available features. - -And AES will be required by default soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66) ---- - source4/torture/ntp/ntp_signd.c | 2 +- - source4/torture/rpc/lsa.c | 4 ++-- - source4/torture/rpc/netlogon.c | 24 ++++++++++++------------ - source4/torture/rpc/samba3rpc.c | 15 ++++++++++++--- - 4 files changed, 27 insertions(+), 18 deletions(-) - -diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c -index 124c9604871b..6d482bfdee16 100644 ---- a/source4/torture/ntp/ntp_signd.c -+++ b/source4/torture/ntp/ntp_signd.c -@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx, - uint32_t rid; - const char *machine_name; - const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx); -- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - - struct sign_request sign_req; - struct signed_reply signed_reply; -diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c -index d430ee571081..d22546862d5b 100644 ---- a/source4/torture/rpc/lsa.c -+++ b/source4/torture/rpc/lsa.c -@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, - torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); - - ok = check_pw_with_ServerAuthenticate3(p1, tctx, -- NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - server_name, - incoming_creds, &creds); - torture_assert_int_equal(tctx, ok, expected_result, -@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, - torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); - - ok = check_pw_with_ServerAuthenticate3(p2, tctx, -- NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - server_name, - incoming_creds, &creds); - torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password"); -diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c -index 11f950d3aab4..2803dd13b467 100644 ---- a/source4/torture/rpc/netlogon.c -+++ b/source4/torture/rpc/netlogon.c -@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, - - /* This allows the tests to continue against the more fussy windows 2008 */ - if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { -- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - credentials, - cli_credentials_get_secure_channel_type(credentials), - creds_out); -@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, - "ServerAuthenticate3 failed"); - torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed"); - -- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - creds = netlogon_creds_client_init(tctx, a.in.account_name, - a.in.computer_name, - a.in.secure_channel_type, -@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge( - const char *machine_name; - struct dcerpc_binding_handle *b = p->binding_handle; - struct netr_ServerAuthenticate2 a; -- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - uint32_t out_negotiate_flags = 0; - const struct samr_Password *mach_password = NULL; - enum netr_SchannelType sec_chan_type = 0; -@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge( - const char *machine_name; - struct dcerpc_binding_handle *b = p->binding_handle; - struct netr_ServerAuthenticate2 a; -- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - uint32_t out_negotiate_flags = 0; - const struct samr_Password *mach_password = NULL; - enum netr_SchannelType sec_chan_type = 0; -@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats( - const char *machine_name; - struct dcerpc_binding_handle *b = p->binding_handle; - struct netr_ServerAuthenticate2 a; -- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - uint32_t out_negotiate_flags = 0; - const struct samr_Password *mach_password = NULL; - enum netr_SchannelType sec_chan_type = 0; -@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats( - const char *machine_name; - struct dcerpc_binding_handle *b = p->binding_handle; - struct netr_ServerAuthenticate2 a; -- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - uint32_t out_negotiate_flags = 0; - const struct samr_Password *mach_password = NULL; - enum netr_SchannelType sec_chan_type = 0; -@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros( - struct netr_CryptPassword new_password; - struct dcerpc_pipe *p = NULL; - struct dcerpc_binding_handle *b = NULL; -- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ - - if (!test_SetupCredentials2( - p1, -@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password( - struct netr_CryptPassword new_password; - struct dcerpc_pipe *p = NULL; - struct dcerpc_binding_handle *b = NULL; -- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - DATA_BLOB new_random_pass = data_blob_null; - - if (!test_SetupCredentials2( -@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password( - struct netr_CryptPassword new_password; - struct dcerpc_pipe *p = NULL; - struct dcerpc_binding_handle *b = NULL; -- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ - - if (!test_SetupCredentials2( - p1, -@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, - struct dcerpc_pipe *p = NULL; - struct dcerpc_binding_handle *b = NULL; - -- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - machine_credentials, &creds)) { - return false; - } -@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, - - torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); - -- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - machine_credentials, &creds)) { - return false; - } -@@ -5560,7 +5560,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, - - torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); - -- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, -+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, - machine_credentials, &creds)) { - return false; - } -diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c -index ff5dc1d68003..ee8dac67dfa8 100644 ---- a/source4/torture/rpc/samba3rpc.c -+++ b/source4/torture/rpc/samba3rpc.c -@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx, - goto done; - } - -- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; - E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); - - a.in.server_name = talloc_asprintf( -@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx, - E_md4hash(cli_credentials_get_password(user_creds), - pinfo.ntpassword.hash); - -- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); -- - logon.password = &pinfo; - -+ /* -+ * We don't use this here: -+ * -+ * netlogon_creds_encrypt_samlogon_logon(creds_state, -+ * NetlogonInteractiveInformation, -+ * &logon); -+ * -+ * in order to detect bugs -+ */ -+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16); -+ - r.in.logon_level = NetlogonInteractiveInformation; - r.in.logon = &logon; - r.out.return_authenticator = &return_authenticator; --- -2.34.1 - - -From 5a6eba6e6bf3cd87a5875634d82335b216bf1069 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 09:54:17 +0100 -Subject: [PATCH 15/30] CVE-2022-38023 s4:rpc_server/netlogon: split out - dcesrv_netr_ServerAuthenticate3_check_downgrade() - -We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', -which means we'll need the downgrade detection in more places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++-------- - 1 file changed, 67 insertions(+), 47 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 3c77d1302993..87e4bbe00f2d 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -125,6 +125,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal - return NT_STATUS_OK; - } - -+static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ struct dcesrv_call_state *dce_call, -+ struct netr_ServerAuthenticate3 *r, -+ struct netlogon_server_pipe_state *pipe_state, -+ uint32_t negotiate_flags, -+ NTSTATUS orig_status) -+{ -+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); -+ bool reject_des_client = !allow_nt4_crypto; -+ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); -+ -+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { -+ reject_des_client = false; -+ } -+ -+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -+ reject_des_client = false; -+ reject_md5_client = false; -+ } -+ -+ if (reject_des_client || reject_md5_client) { -+ /* -+ * Here we match Windows 2012 and return no flags. -+ */ -+ *r->out.negotiate_flags = 0; -+ return NT_STATUS_DOWNGRADE_DETECTED; -+ } -+ -+ /* -+ * This talloc_free is important to prevent re-use of the -+ * challenge. We have to delay it this far due to NETApp -+ * servers per: -+ * https://bugzilla.samba.org/show_bug.cgi?id=11291 -+ */ -+ TALLOC_FREE(pipe_state); -+ -+ /* -+ * At this point we must also cleanup the TDB cache -+ * entry, if we fail the client needs to call -+ * netr_ServerReqChallenge again. -+ * -+ * Note: this handles a non existing record just fine, -+ * the r->in.computer_name might not be the one used -+ * in netr_ServerReqChallenge(), but we are trying to -+ * just tidy up the normal case to prevent re-use. -+ */ -+ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, -+ r->in.computer_name); -+ -+ /* -+ * According to Microsoft (see bugid #6099) -+ * Windows 7 looks at the negotiate_flags -+ * returned in this structure *even if the -+ * call fails with access denied! -+ */ -+ *r->out.negotiate_flags = negotiate_flags; -+ -+ return orig_status; -+} -+ - /* - * Do the actual processing of a netr_ServerAuthenticate3 message. - * called from dcesrv_netr_ServerAuthenticate3, which handles the logging. -@@ -152,11 +213,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - "objectSid", "samAccountName", NULL}; - uint32_t server_flags = 0; - uint32_t negotiate_flags = 0; -- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); -- bool reject_des_client = !allow_nt4_crypto; -- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); - - ZERO_STRUCTP(r->out.return_credentials); -+ *r->out.negotiate_flags = 0; - *r->out.rid = 0; - - pipe_state = dcesrv_iface_state_find_conn(dce_call, -@@ -243,52 +302,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - - negotiate_flags = *r->in.negotiate_flags & server_flags; - -- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { -- reject_des_client = false; -- } -- -- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- reject_des_client = false; -- reject_md5_client = false; -- } -- -- if (reject_des_client || reject_md5_client) { -- /* -- * Here we match Windows 2012 and return no flags. -- */ -- *r->out.negotiate_flags = 0; -- return NT_STATUS_DOWNGRADE_DETECTED; -+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_OK); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; - } - -- /* -- * This talloc_free is important to prevent re-use of the -- * challenge. We have to delay it this far due to NETApp -- * servers per: -- * https://bugzilla.samba.org/show_bug.cgi?id=11291 -- */ -- TALLOC_FREE(pipe_state); -- -- /* -- * At this point we must also cleanup the TDB cache -- * entry, if we fail the client needs to call -- * netr_ServerReqChallenge again. -- * -- * Note: this handles a non existing record just fine, -- * the r->in.computer_name might not be the one used -- * in netr_ServerReqChallenge(), but we are trying to -- * just tidy up the normal case to prevent re-use. -- */ -- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, -- r->in.computer_name); -- -- /* -- * According to Microsoft (see bugid #6099) -- * Windows 7 looks at the negotiate_flags -- * returned in this structure *even if the -- * call fails with access denied! -- */ -- *r->out.negotiate_flags = negotiate_flags; -- - switch (r->in.secure_channel_type) { - case SEC_CHAN_WKSTA: - case SEC_CHAN_DNS_DOMAIN: --- -2.34.1 - - -From 267a886bcdf3b502d83a3470e9d5b51191210153 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 10:10:33 +0100 -Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if - weak crypto is disabled - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++ - source4/torture/rpc/netlogon_crypto.c | 2 +- - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 87e4bbe00f2d..4141cc40687f 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( - bool reject_des_client = !allow_nt4_crypto; - bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); - -+ /* -+ * If weak cryto is disabled, do not announce that we support RC4. -+ */ -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ /* Without RC4 and DES we require AES */ -+ reject_des_client = true; -+ reject_md5_client = true; -+ } -+ - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { - reject_des_client = false; - } -diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c -index 05beb2b77b3b..85844604ee27 100644 ---- a/source4/torture/rpc/netlogon_crypto.c -+++ b/source4/torture/rpc/netlogon_crypto.c -@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p, - force_client_rc4) { - torture_assert_ntstatus_equal(tctx, - a.out.result, -- NT_STATUS_ACCESS_DENIED, -+ NT_STATUS_DOWNGRADE_DETECTED, - "Unexpected status code"); - return false; - } --- -2.34.1 - - -From 2b4abfc0bf48e89cd93f97f9afcff23e932f427b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 24 Nov 2022 18:26:18 +0100 -Subject: [PATCH 17/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 - clients' default to yes - -AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, -so there's no reason to allow md5 clients by default. -However some third party domain members may need it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1) ---- - docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++--- - lib/param/loadparm.c | 1 + - selftest/target/Samba4.pm | 4 ++++ - source3/param/loadparm.c | 1 + - 4 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -index 0bb9f6f6c8ec..edcbe02e99a3 100644 ---- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -@@ -7,11 +7,16 @@ - only in 'active directory domain controller' mode), will - reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. - -- You can set this to yes if all domain members support aes. -- This will prevent downgrade attacks. -+ Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows -+ starting with Server 2008R2 and Windows 7, it's available in Samba -+ starting with 4.0, however third party domain members like NetApp ONTAP -+ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. -+ -+ The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240 - - This option overrides the 'allow nt4 crypto' option. - - --no -+yes - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index e953499efba3..2b644ee97c02 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); - - lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); -+ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); - - lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index d26022466c66..fb63bbeff059 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1620,6 +1620,8 @@ sub provision_ad_dc_ntvfs($$$) - client min protocol = CORE - server min protocol = LANMAN1 - -+ reject md5 clients = no -+ - CVE_2020_1472:warn_about_unused_debug_level = 3 - server require schannel:schannel0\$ = no - server require schannel:schannel1\$ = no -@@ -1985,6 +1987,8 @@ sub provision_ad_dc($$$$$$$) - lpq cache time = 0 - print notify backchannel = yes - -+ reject md5 clients = no -+ - CVE_2020_1472:warn_about_unused_debug_level = 3 - server require schannel:schannel0\$ = no - server require schannel:schannel1\$ = no -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 91747e09eccd..28ce4de6dd67 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - Globals.require_strong_key = true; - Globals.reject_md5_servers = true; - Globals.server_schannel = true; -+ Globals.reject_md5_clients = true; - Globals.read_raw = true; - Globals.write_raw = true; - Globals.null_passwords = false; --- -2.34.1 - - -From d05bde2dfe40483b9f31a94a8d475f628f7aa1e3 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 10:31:08 +0100 -Subject: [PATCH 18/30] CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade - check until we found the account in our SAM - -We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', -which means we'll need use the account name from our SAM. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------ - 1 file changed, 53 insertions(+), 23 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 4141cc40687f..e39a530fd7f5 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -311,13 +311,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - - negotiate_flags = *r->in.negotiate_flags & server_flags; - -- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( -- dce_call, r, pipe_state, negotiate_flags, -- NT_STATUS_OK); -- if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -- } -- - switch (r->in.secure_channel_type) { - case SEC_CHAN_WKSTA: - case SEC_CHAN_DNS_DOMAIN: -@@ -326,16 +319,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - case SEC_CHAN_RODC: - break; - case SEC_CHAN_NULL: -- return NT_STATUS_INVALID_PARAMETER; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_INVALID_PARAMETER); - default: - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", - r->in.secure_channel_type)); -- return NT_STATUS_INVALID_PARAMETER; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_INVALID_PARAMETER); - } - - sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call); - if (sam_ctx == NULL) { -- return NT_STATUS_INVALID_SYSTEM_SERVICE; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_INVALID_SYSTEM_SERVICE); - } - - if (r->in.secure_channel_type == SEC_CHAN_DOMAIN || -@@ -364,16 +363,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - encoded_name = ldb_binary_encode_string(mem_ctx, - r->in.account_name); - if (encoded_name == NULL) { -- return NT_STATUS_NO_MEMORY; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_MEMORY); - } - - len = strlen(encoded_name); - if (len < 2) { -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - - if (require_trailer && encoded_name[len - 1] != trailer) { -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - encoded_name[len - 1] = '\0'; - -@@ -391,30 +396,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - "but there's no tdo for [%s] => [%s] \n", - log_escape(mem_ctx, r->in.account_name), - encoded_name)); -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ nt_status); - } - - nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx, - &curNtHash, - &prevNtHash); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ nt_status); - } - - flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL); - if (flatname == NULL) { -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - - *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname); - if (*trust_account_for_search == NULL) { -- return NT_STATUS_NO_MEMORY; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_MEMORY); - } - } else { - *trust_account_for_search = r->in.account_name; -@@ -429,14 +446,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (num_records == 0) { - DEBUG(3,("Couldn't find user [%s] in samdb.\n", - log_escape(mem_ctx, r->in.account_name))); -- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - - if (num_records > 1) { - DEBUG(0,("Found %d records matching user [%s]\n", - num_records, - log_escape(mem_ctx, r->in.account_name))); -- return NT_STATUS_INTERNAL_DB_CORRUPTION; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_INTERNAL_DB_CORRUPTION); - } - - *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0], -@@ -445,9 +466,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (*trust_account_in_db == NULL) { - DEBUG(0,("No samAccountName returned in record matching user [%s]\n", - r->in.account_name)); -- return NT_STATUS_INTERNAL_DB_CORRUPTION; -+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_INTERNAL_DB_CORRUPTION); - } -- -+ -+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( -+ dce_call, r, pipe_state, negotiate_flags, -+ NT_STATUS_OK); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } -+ - user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); - - if (user_account_control & UF_ACCOUNTDISABLE) { --- -2.34.1 - - -From 88c10a23f06376605a29fc9ddb7737868ffad916 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 13:13:36 +0100 -Subject: [PATCH 19/30] CVE-2022-38023 s4:rpc_server/netlogon: add 'server - reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 - crypto:COMPUTERACCOUNT = yes' - -This makes it more flexible when we change the global default to -'reject md5 servers = yes'. - -'allow nt4 crypto = no' is already the default. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++- - 1 file changed, 55 insertions(+), 3 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index e39a530fd7f5..f303dc00ada2 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -130,12 +130,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( - struct netr_ServerAuthenticate3 *r, - struct netlogon_server_pipe_state *pipe_state, - uint32_t negotiate_flags, -+ const char *trust_account_in_db, - NTSTATUS orig_status) - { - struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); -- bool reject_des_client = !allow_nt4_crypto; -- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); -+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); -+ bool account_allow_nt4_crypto = global_allow_nt4_crypto; -+ const char *explicit_nt4_opt = NULL; -+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); -+ bool account_reject_md5_client = global_reject_md5_client; -+ const char *explicit_md5_opt = NULL; -+ bool reject_des_client; -+ bool allow_nt4_crypto; -+ bool reject_md5_client; -+ -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ -+ if (trust_account_in_db != NULL) { -+ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "allow nt4 crypto", -+ trust_account_in_db); -+ } -+ if (explicit_nt4_opt != NULL) { -+ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt); -+ } -+ allow_nt4_crypto = account_allow_nt4_crypto; -+ if (trust_account_in_db != NULL) { -+ explicit_md5_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "server reject md5 schannel", -+ trust_account_in_db); -+ } -+ if (explicit_md5_opt != NULL) { -+ account_reject_md5_client = lp_bool(explicit_md5_opt); -+ } -+ reject_md5_client = account_reject_md5_client; -+ -+ reject_des_client = !allow_nt4_crypto; - - /* - * If weak cryto is disabled, do not announce that we support RC4. -@@ -321,12 +357,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - case SEC_CHAN_NULL: - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_INVALID_PARAMETER); - default: - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", - r->in.secure_channel_type)); - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_INVALID_PARAMETER); - } - -@@ -334,6 +372,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (sam_ctx == NULL) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_INVALID_SYSTEM_SERVICE); - } - -@@ -365,6 +404,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (encoded_name == NULL) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_MEMORY); - } - -@@ -372,12 +412,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (len < 2) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - - if (require_trailer && encoded_name[len - 1] != trailer) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - encoded_name[len - 1] = '\0'; -@@ -398,11 +440,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - encoded_name)); - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - if (!NT_STATUS_IS_OK(nt_status)) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - nt_status); - } - -@@ -412,11 +456,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - if (!NT_STATUS_IS_OK(nt_status)) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - nt_status); - } - -@@ -424,6 +470,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (flatname == NULL) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - -@@ -431,6 +478,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - if (*trust_account_for_search == NULL) { - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_MEMORY); - } - } else { -@@ -448,6 +496,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - log_escape(mem_ctx, r->in.account_name))); - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_NO_TRUST_SAM_ACCOUNT); - } - -@@ -457,6 +506,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - log_escape(mem_ctx, r->in.account_name))); - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_INTERNAL_DB_CORRUPTION); - } - -@@ -468,11 +518,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( - r->in.account_name)); - return dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ NULL, /* trust_account_in_db */ - NT_STATUS_INTERNAL_DB_CORRUPTION); - } - - nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( - dce_call, r, pipe_state, negotiate_flags, -+ *trust_account_in_db, - NT_STATUS_OK); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; --- -2.34.1 - - -From b8f6e9fa3e218add0b2ca4fb14bcb9b5167ab8f5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 13:31:14 +0100 -Subject: [PATCH 20/30] CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 - crypto:COMPUTERACCOUNT = no" - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b) ---- - docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++- - 1 file changed, 74 insertions(+), 2 deletions(-) - -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml -index 06afcef73b1b..bbd03a42db74 100644 ---- a/docs-xml/smbdotconf/logon/allownt4crypto.xml -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml -@@ -1,11 +1,18 @@ - - -+ -+ This option is deprecated and will be removed in future, -+ as it is a security problem if not set to "no" (which will be -+ the hardcoded behavior in future). -+ -+ - This option controls whether the netlogon server (currently - only in 'active directory domain controller' mode), will -- reject clients which does not support NETLOGON_NEG_STRONG_KEYS -+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS - nor NETLOGON_NEG_SUPPORTS_AES. - - This option was added with Samba 4.2.0. It may lock out clients -@@ -18,8 +25,73 @@ - - "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. - -- This option is over-ridden by the 'reject md5 clients' option. -+ Avoid using this option! Use explicit 'yes' instead! -+ Which is available with the patches for -+ CVE-2022-38023 -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240 -+ -+ -+ Samba will log an error in the log files at log level 0 -+ if legacy a client is rejected or allowed without an explicit, -+ 'yes' option -+ for the client. The message will indicate -+ the explicit 'yes' -+ line to be added, if the legacy client software requires it. (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ -+ This allows admins to use "yes" only for a short grace period, -+ in order to collect the explicit -+ 'yes' options. -+ -+ This option is over-ridden by the 'yes' option. - - - no - -+ -+ -+ -+ -+ If you still have legacy domain members which required 'allow nt4 crypto = yes', -+ it is possible to specify an explicit exception per computer account -+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. -+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of -+ the computer account (including the trailing '$' sign). -+ -+ -+ -+ Samba will log a complaint in the log files at log level 0 -+ about the security problem if the option is set to "yes", -+ but the related computer does not require it. -+ (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ -+ -+ Samba will log a warning in the log files at log level 5, -+ if a setting is still needed for the specified computer account. -+ -+ -+ -+ See CVE-2022-38023, -+ https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ -+ -+ This option overrides the option. -+ -+ This option is over-ridden by the 'yes' option. -+ -+ -+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes -+ allow nt4 crypto:NASBOX$ = yes -+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes -+ -+ -+ -+ --- -2.34.1 - - -From 16895f56b2f35dda0df54b1b416d7fac05965fcc Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 14:02:11 +0100 -Subject: [PATCH 21/30] CVE-2022-38023 docs-xml/smbdotconf: document "server - reject md5 schannel:COMPUTERACCOUNT" - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1) ---- - docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++- - .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++- - 2 files changed, 103 insertions(+), 6 deletions(-) - -diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml -index bbd03a42db74..ee63e6cc2453 100644 ---- a/docs-xml/smbdotconf/logon/allownt4crypto.xml -+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml -@@ -45,7 +45,9 @@ - in order to collect the explicit - 'yes' options. - -- This option is over-ridden by the 'yes' option. -+ This option is over-ridden by the effective value of 'yes' from -+ the '' -+ and/or '' options. - - - no -@@ -85,12 +87,19 @@ - - This option overrides the option. - -- This option is over-ridden by the 'yes' option. -+ This option is over-ridden by the effective value of 'yes' from -+ the '' -+ and/or '' options. -+ Which means 'yes' -+ is only useful in combination with 'no' - - - allow nt4 crypto:LEGACYCOMPUTER1$ = yes -+ server reject md5 schannel:LEGACYCOMPUTER1$ = no - allow nt4 crypto:NASBOX$ = yes -+ server reject md5 schannel:NASBOX$ = no - allow nt4 crypto:LEGACYCOMPUTER2$ = yes -+ server reject md5 schannel:LEGACYCOMPUTER2$ = no - - - -diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -index edcbe02e99a3..fe7701d92772 100644 ---- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml -+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml -@@ -1,8 +1,15 @@ - - -+ -+ This option is deprecated and will be removed in a future release, -+ as it is a security problem if not set to "yes" (which will be -+ the hardcoded behavior in the future). -+ -+ - This option controls whether the netlogon server (currently - only in 'active directory domain controller' mode), will - reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. -@@ -10,13 +17,94 @@ - Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows - starting with Server 2008R2 and Windows 7, it's available in Samba - starting with 4.0, however third party domain members like NetApp ONTAP -- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. -+ still uses RC4 (HMAC-MD5), see -+ https://www.samba.org/samba/security/CVE-2022-38023.html -+ for more details. -+ -+ -+ The default changed from 'no' to 'yes', with the patches for -+ CVE-2022-38023 -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ -+ -+ Avoid using this option! Use an explicit per machine account -+ '' instead! -+ Which is available with the patches for -+ CVE-2022-38023 -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ - -- The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, -- see https://bugzilla.samba.org/show_bug.cgi?id=15240 -+ -+ Samba will log an error in the log files at log level 0 -+ if legacy a client is rejected or allowed without an explicit, -+ 'no' option -+ for the client. The message will indicate -+ the explicit 'no' -+ line to be added, if the legacy client software requires it. (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ - -- This option overrides the 'allow nt4 crypto' option. -+ This allows admins to use "no" only for a short grace period, -+ in order to collect the explicit -+ 'no' options. -+ -+ When set to 'yes' this option overrides the -+ '' and -+ '' options and implies -+ 'no'. -+ - - - yes - -+ -+ -+ -+ -+ If you still have legacy domain members or trusted domains, -+ which required "reject md5 clients = no" before, -+ it is possible to specify an explicit exception per computer account -+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. -+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of -+ the computer account (including the trailing '$' sign). -+ -+ -+ -+ Samba will log a complaint in the log files at log level 0 -+ about the security problem if the option is set to "no", -+ but the related computer does not require it. -+ (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ -+ -+ Samba will log a warning in the log files at log level 5 -+ if a setting is still needed for the specified computer account. -+ -+ -+ -+ See CVE-2022-38023, -+ https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ -+ -+ This option overrides the option. -+ -+ When set to 'yes' this option overrides the -+ '' and -+ '' options and implies -+ 'no'. -+ -+ -+ -+ server reject md5 schannel:LEGACYCOMPUTER1$ = no -+ server reject md5 schannel:NASBOX$ = no -+ server reject md5 schannel:LEGACYCOMPUTER2$ = no -+ -+ -+ -+ --- -2.34.1 - - -From 71283bb55feb027a94c3795bd1b94217be93c1a6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 13:13:36 +0100 -Subject: [PATCH 22/30] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject - md5 servers' and 'allow nt4 crypto' misconfigurations - -This allows the admin to notice what's wrong in order to adjust the -configuration if required. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 143 ++++++++++++++++++ - 1 file changed, 143 insertions(+) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index f303dc00ada2..5f2f765abe5b 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -64,10 +64,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context - const struct dcesrv_interface *iface) - { - struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; -+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); -+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); - int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); -+ static bool warned_global_nt4_once = false; -+ static bool warned_global_md5_once = false; - static bool warned_global_schannel_once = false; - -+ if (global_allow_nt4_crypto && !warned_global_nt4_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'allow nt4 crypto = no' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_nt4_once = true; -+ } -+ -+ if (!global_reject_md5_client && !warned_global_md5_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2022-38023: " -+ "Please configure 'reject md5 clients = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_md5_once = true; -+ } -+ - if (!schannel_global_required && !warned_global_schannel_once) { - /* - * We want admins to notice their misconfiguration! -@@ -143,6 +167,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( - bool reject_des_client; - bool allow_nt4_crypto; - bool reject_md5_client; -+ bool need_des = true; -+ bool need_md5 = true; -+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); -+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); - - /* - * We don't use lpcfg_parm_bool(), as we -@@ -183,19 +213,84 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( - } - - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { -+ need_des = false; - reject_des_client = false; - } - - if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -+ need_des = false; -+ need_md5 = false; - reject_des_client = false; - reject_md5_client = false; - } - - if (reject_des_client || reject_md5_client) { -+ TALLOC_CTX *frame = talloc_stackframe(); -+ -+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ if (CVE_2022_38023_error_level < DBGLVL_NOTICE) { -+ CVE_2022_38023_error_level = DBGLVL_NOTICE; -+ } -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: " -+ "client_account[%s] computer_name[%s] " -+ "schannel_type[%u] " -+ "client_negotiate_flags[0x%x] " -+ "%s%s%s " -+ "NT_STATUS_DOWNGRADE_DETECTED " -+ "WEAK_CRYPTO_DISALLOWED\n", -+ log_escape(frame, r->in.account_name), -+ log_escape(frame, r->in.computer_name), -+ r->in.secure_channel_type, -+ (unsigned)*r->in.negotiate_flags, -+ trust_account_in_db ? "real_account[" : "", -+ trust_account_in_db ? trust_account_in_db : "", -+ trust_account_in_db ? "]" : "")); -+ goto return_downgrade; -+ } -+ -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: " -+ "client_account[%s] computer_name[%s] " -+ "schannel_type[%u] " -+ "client_negotiate_flags[0x%x] " -+ "%s%s%s " -+ "NT_STATUS_DOWNGRADE_DETECTED " -+ "reject_des[%u] reject_md5[%u]\n", -+ log_escape(frame, r->in.account_name), -+ log_escape(frame, r->in.computer_name), -+ r->in.secure_channel_type, -+ (unsigned)*r->in.negotiate_flags, -+ trust_account_in_db ? "real_account[" : "", -+ trust_account_in_db ? trust_account_in_db : "", -+ trust_account_in_db ? "]" : "", -+ reject_des_client, -+ reject_md5_client)); -+ if (trust_account_in_db == NULL) { -+ goto return_downgrade; -+ } -+ -+ if (reject_md5_client && explicit_md5_opt == NULL) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server reject md5 schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ trust_account_in_db)); -+ } -+ if (reject_des_client && explicit_nt4_opt == NULL) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'allow nt4 crypto:%s = yes' " -+ "might be needed for a legacy client.\n", -+ trust_account_in_db)); -+ } -+ -+return_downgrade: - /* - * Here we match Windows 2012 and return no flags. - */ - *r->out.negotiate_flags = 0; -+ TALLOC_FREE(frame); - return NT_STATUS_DOWNGRADE_DETECTED; - } - -@@ -228,6 +323,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( - */ - *r->out.negotiate_flags = negotiate_flags; - -+ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) { -+ return orig_status; -+ } -+ -+ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) { -+ D_INFO("CVE-2022-38023: Check if option " -+ "'server reject md5 schannel:%s = yes' not needed!?\n", -+ trust_account_in_db); -+ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) { -+ D_INFO("CVE-2022-38023: Check if option " -+ "'server reject md5 schannel:%s = no' " -+ "still needed for a legacy client.\n", -+ trust_account_in_db); -+ } else if (need_md5 && explicit_md5_opt == NULL) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server reject md5 schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ trust_account_in_db)); -+ } else if (!account_reject_md5_client && explicit_md5_opt) { -+ DEBUG(CVE_2022_38023_warn_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server reject md5 schannel:%s = no' not needed!?\n", -+ trust_account_in_db)); -+ } -+ -+ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) { -+ D_INFO("CVE-2022-38023: Check if option " -+ "'allow nt4 crypto:%s = no' not needed!?\n", -+ trust_account_in_db); -+ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) { -+ D_INFO("CVE-2022-38023: Check if option " -+ "'allow nt4 crypto:%s = yes' " -+ "still needed for a legacy client.\n", -+ trust_account_in_db); -+ } else if (need_des && explicit_nt4_opt == NULL) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'allow nt4 crypto:%s = yes' " -+ "might be needed for a legacy client.\n", -+ trust_account_in_db)); -+ } else if (account_allow_nt4_crypto && explicit_nt4_opt) { -+ DEBUG(CVE_2022_38023_warn_level, ( -+ "CVE-2022-38023: Check if option " -+ "'allow nt4 crypto:%s = yes' not needed!?\n", -+ trust_account_in_db)); -+ } -+ - return orig_status; - } - --- -2.34.1 - - -From ab3062a57e170f90bca2d88771559d7c5ea38837 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 14:57:20 +0100 -Subject: [PATCH 23/30] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 - crypto = yes' and 'reject md5 clients = no' - -Instead of using the generic deprecated option use the specific -allow nt4 crypto:COMPUTERACCOUNT = yes and -server reject md5 schannel:COMPUTERACCOUNT = no -in order to allow legacy tests for pass. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768) ---- - selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++----- - 1 file changed, 53 insertions(+), 7 deletions(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index fb63bbeff059..b61acbf8e57b 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1608,7 +1608,6 @@ sub provision_ad_dc_ntvfs($$$) - my $extra_conf_options = "netbios aliases = localDC1-a - server services = +winbind -winbindd - ldap server require strong auth = allow_sasl_over_tls -- allow nt4 crypto = yes - raw NTLMv2 auth = yes - lsa over netlogon = yes - rpc server port = 1027 -@@ -1620,9 +1619,19 @@ sub provision_ad_dc_ntvfs($$$) - client min protocol = CORE - server min protocol = LANMAN1 - -- reject md5 clients = no -- - CVE_2020_1472:warn_about_unused_debug_level = 3 -+ CVE_2022_38023:warn_about_unused_debug_level = 3 -+ allow nt4 crypto:torturetest\$ = yes -+ server reject md5 schannel:schannel2\$ = no -+ server reject md5 schannel:schannel3\$ = no -+ server reject md5 schannel:schannel8\$ = no -+ server reject md5 schannel:schannel9\$ = no -+ server reject md5 schannel:torturetest\$ = no -+ server reject md5 schannel:tests4u2proxywk\$ = no -+ server reject md5 schannel:tests4u2selfbdc\$ = no -+ server reject md5 schannel:tests4u2selfwk\$ = no -+ server reject md5 schannel:torturepacbdc\$ = no -+ server reject md5 schannel:torturepacwksta\$ = no - server require schannel:schannel0\$ = no - server require schannel:schannel1\$ = no - server require schannel:schannel2\$ = no -@@ -1677,6 +1686,13 @@ sub provision_fl2000dc($$) - kdc enable fast = no - spnego:simulate_w2k=yes - ntlmssp_server:force_old_spnego=yes -+ -+ CVE_2022_38023:warn_about_unused_debug_level = 3 -+ server reject md5 schannel:tests4u2proxywk\$ = no -+ server reject md5 schannel:tests4u2selfbdc\$ = no -+ server reject md5 schannel:tests4u2selfwk\$ = no -+ server reject md5 schannel:torturepacbdc\$ = no -+ server reject md5 schannel:torturepacwksta\$ = no - "; - my $extra_provision_options = ["--base-schema=2008_R2"]; - # This environment uses plain text secrets -@@ -1717,11 +1733,23 @@ sub provision_fl2003dc($$$) - my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2"); - - print "PROVISIONING DC WITH FOREST LEVEL 2003...\n"; -- my $extra_conf_options = "allow dns updates = nonsecure and secure -+ my $extra_conf_options = " -+ allow dns updates = nonsecure and secure -+ - kdc enable fast = no - dcesrv:header signing = no - dcesrv:max auth states = 0 -- dns forwarder = $ip_addr1 [$ip_addr2]:54"; -+ -+ dns forwarder = $ip_addr1 [$ip_addr2]:54 -+ -+ CVE_2022_38023:warn_about_unused_debug_level = 3 -+ server reject md5 schannel:tests4u2proxywk\$ = no -+ server reject md5 schannel:tests4u2selfbdc\$ = no -+ server reject md5 schannel:tests4u2selfwk\$ = no -+ server reject md5 schannel:torturepacbdc\$ = no -+ server reject md5 schannel:torturepacwksta\$ = no -+"; -+ - my $extra_provision_options = ["--base-schema=2008_R2"]; - my $ret = $self->provision($prefix, - "domain controller", -@@ -1776,6 +1804,13 @@ sub provision_fl2008r2dc($$$) - ldap server require strong auth = no - # delay by 10 seconds, 10^7 usecs - ldap_server:delay_expire_disconnect = 10000 -+ -+ CVE_2022_38023:warn_about_unused_debug_level = 3 -+ server reject md5 schannel:tests4u2proxywk\$ = no -+ server reject md5 schannel:tests4u2selfbdc\$ = no -+ server reject md5 schannel:tests4u2selfwk\$ = no -+ server reject md5 schannel:torturepacbdc\$ = no -+ server reject md5 schannel:torturepacwksta\$ = no - "; - my $extra_provision_options = ["--base-schema=2008_R2"]; - my $ret = $self->provision($prefix, -@@ -1987,9 +2022,20 @@ sub provision_ad_dc($$$$$$$) - lpq cache time = 0 - print notify backchannel = yes - -- reject md5 clients = no -- - CVE_2020_1472:warn_about_unused_debug_level = 3 -+ CVE_2022_38023:warn_about_unused_debug_level = 3 -+ CVE_2022_38023:error_debug_level = 2 -+ server reject md5 schannel:schannel2\$ = no -+ server reject md5 schannel:schannel3\$ = no -+ server reject md5 schannel:schannel8\$ = no -+ server reject md5 schannel:schannel9\$ = no -+ server reject md5 schannel:torturetest\$ = no -+ server reject md5 schannel:tests4u2proxywk\$ = no -+ server reject md5 schannel:tests4u2selfbdc\$ = no -+ server reject md5 schannel:tests4u2selfwk\$ = no -+ server reject md5 schannel:torturepacbdc\$ = no -+ server reject md5 schannel:torturepacwksta\$ = no -+ server reject md5 schannel:samlogontest\$ = no - server require schannel:schannel0\$ = no - server require schannel:schannel1\$ = no - server require schannel:schannel2\$ = no --- -2.34.1 - - -From 8ab5154b071bc02c540da963cf1c7e15cbf6c63b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 16:57:24 +0100 -Subject: [PATCH 24/30] CVE-2022-38023 s4:rpc_server/netlogon: split out - dcesrv_netr_check_schannel() function - -This will allow us to reuse the function in other places. -As it will also get some additional checks soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++-------- - 1 file changed, 51 insertions(+), 33 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 5f2f765abe5b..8e952ec2e0c7 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -877,18 +877,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca - return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); - } - --/* -- * NOTE: The following functions are nearly identical to the ones available in -- * source3/rpc_server/srv_nelog_nt.c -- * The reason we keep 2 copies is that they use different structures to -- * represent the auth_info and the decrpc pipes. -- */ --static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, -- TALLOC_CTX *mem_ctx, -- const char *computer_name, -- struct netr_Authenticator *received_authenticator, -- struct netr_Authenticator *return_authenticator, -- struct netlogon_creds_CredentialState **creds_out) -+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ uint16_t opnum) - { - struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; - TALLOC_CTX *frame = talloc_stackframe(); -@@ -897,15 +890,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - bool schannel_global_required = (schannel == true); - bool schannel_required = schannel_global_required; - const char *explicit_opt = NULL; -- struct netlogon_creds_CredentialState *creds = NULL; - int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, - "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); - int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, - "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); - unsigned int dbg_lvl = DBGLVL_DEBUG; -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -- uint16_t opnum = dce_call->pkt.u.request.opnum; - const char *opname = ""; - const char *reason = ""; - -@@ -913,8 +902,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - opname = ndr_table_netlogon.calls[opnum].name; - } - -- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -- - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { - reason = "WITH SEALED"; -@@ -927,17 +914,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - reason = "WITHOUT"; - } - -- nt_status = schannel_check_creds_state(mem_ctx, -- lp_ctx, -- computer_name, -- received_authenticator, -- return_authenticator, -- &creds); -- if (!NT_STATUS_IS_OK(nt_status)) { -- ZERO_STRUCTP(return_authenticator); -- return nt_status; -- } -- - /* - * We don't use lpcfg_parm_bool(), as we - * need the explicit_opt pointer in order to -@@ -977,7 +953,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - log_escape(frame, creds->computer_name))); - } - -- *creds_out = creds; - TALLOC_FREE(frame); - return nt_status; - } -@@ -1011,8 +986,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - "might be needed for a legacy client.\n", - log_escape(frame, creds->account_name))); - } -- TALLOC_FREE(creds); -- ZERO_STRUCTP(return_authenticator); - TALLOC_FREE(frame); - return nt_status; - } -@@ -1056,11 +1029,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - log_escape(frame, creds->computer_name))); - } - -- *creds_out = creds; - TALLOC_FREE(frame); - return NT_STATUS_OK; - } - -+/* -+ * NOTE: The following functions are nearly identical to the ones available in -+ * source3/rpc_server/srv_nelog_nt.c -+ * The reason we keep 2 copies is that they use different structures to -+ * represent the auth_info and the decrpc pipes. -+ */ -+static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, -+ TALLOC_CTX *mem_ctx, -+ const char *computer_name, -+ struct netr_Authenticator *received_authenticator, -+ struct netr_Authenticator *return_authenticator, -+ struct netlogon_creds_CredentialState **creds_out) -+{ -+ NTSTATUS nt_status; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -+ -+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -+ -+ nt_status = schannel_check_creds_state(mem_ctx, -+ dce_call->conn->dce_ctx->lp_ctx, -+ computer_name, -+ received_authenticator, -+ return_authenticator, -+ &creds); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ ZERO_STRUCTP(return_authenticator); -+ return nt_status; -+ } -+ -+ nt_status = dcesrv_netr_check_schannel(dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ dce_call->pkt.u.request.opnum); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ TALLOC_FREE(creds); -+ ZERO_STRUCTP(return_authenticator); -+ return nt_status; -+ } -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; -+} -+ - /* - Change the machine account password for the currently connected - client. Supplies only the NT#. --- -2.34.1 - - -From 875734d5294ff48950a24d6a89be52c916307bc2 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 17:15:36 +0100 -Subject: [PATCH 25/30] CVE-2022-38023 s4:rpc_server/netlogon: make sure all - dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() - -We'll soon add some additional contraints in dcesrv_netr_check_schannel(), -which are also required for dcesrv_netr_LogonSamLogonEx(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++---- - 1 file changed, 29 insertions(+), 7 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 8e952ec2e0c7..d5bca620b0d4 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -1441,6 +1441,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL - struct auth_usersupplied_info *user_info = NULL; - NTSTATUS nt_status; - struct tevent_req *subreq = NULL; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; -+ -+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); -+ -+ switch (dce_call->pkt.u.request.opnum) { -+ case NDR_NETR_LOGONSAMLOGON: -+ case NDR_NETR_LOGONSAMLOGONWITHFLAGS: -+ /* -+ * These already called dcesrv_netr_check_schannel() -+ * via dcesrv_netr_creds_server_step_check() -+ */ -+ break; -+ case NDR_NETR_LOGONSAMLOGONEX: -+ default: -+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ nt_status = dcesrv_netr_check_schannel(dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ dce_call->pkt.u.request.opnum); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } -+ break; -+ } - - *r->out.authoritative = 1; - -@@ -1789,7 +1818,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply( - static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonEx *r) - { -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - struct dcesrv_netr_LogonSamLogon_base_state *state; - NTSTATUS nt_status; - -@@ -1827,12 +1855,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, - return nt_status; - } - -- dcesrv_call_auth_info(dce_call, &auth_type, NULL); -- -- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -- return NT_STATUS_ACCESS_DENIED; -- } -- - nt_status = dcesrv_netr_LogonSamLogon_base_call(state); - - if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) { --- -2.34.1 - - -From 9c294a19374d15f04649c62f4e5f8df6a59610a5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 16:53:35 +0100 -Subject: [PATCH 26/30] CVE-2022-38023 docs-xml/smbdotconf: add "server - schannel require seal[:COMPUTERACCOUNT]" options - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470) ---- - .../smbdotconf/security/serverschannel.xml | 43 ++++++- - .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++ - lib/param/loadparm.c | 1 + - source3/param/loadparm.c | 1 + - 4 files changed, 157 insertions(+), 6 deletions(-) - create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml - -diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml -index 3e66df1c2032..42a657912cac 100644 ---- a/docs-xml/smbdotconf/security/serverschannel.xml -+++ b/docs-xml/smbdotconf/security/serverschannel.xml -@@ -12,19 +12,37 @@ - the hardcoded behavior in future). - - -- -- Samba will complain in the log files at log level 0, -- about the security problem if the option is not set to "yes". -+ Avoid using this option! Use explicit 'no' instead! - -+ -+ -+ Samba will log an error in the log files at log level 0 -+ if legacy a client is rejected or allowed without an explicit, -+ 'no' option -+ for the client. The message will indicate -+ the explicit 'no' -+ line to be added, if the legacy client software requires it. (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ - -- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ This allows admins to use "auto" only for a short grace period, -+ in order to collect the explicit -+ 'no' options. - - -- If you still have legacy domain members use the option. -+ -+ See CVE-2020-1472(ZeroLogon), -+ https://bugzilla.samba.org/show_bug.cgi?id=14497. - - - This option is over-ridden by the option. - -+ This option is over-ridden by the effective value of 'yes' from -+ the '' -+ and/or '' options. -+ - - - yes -@@ -48,6 +66,9 @@ - about the security problem if the option is not set to "no", - but the related computer is actually using the netlogon - secure channel (schannel) feature. -+ (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). - - - -@@ -56,15 +77,25 @@ - - - -- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ See CVE-2020-1472(ZeroLogon), -+ https://bugzilla.samba.org/show_bug.cgi?id=14497. - - - This option overrides the option. - -+ This option is over-ridden by the effective value of 'yes' from -+ the '' -+ and/or '' options. -+ Which means 'no' -+ is only useful in combination with 'no' -+ - - server require schannel:LEGACYCOMPUTER1$ = no -+ server require schannel seal:LEGACYCOMPUTER1$ = no - server require schannel:NASBOX$ = no -+ server require schannel seal:NASBOX$ = no - server require schannel:LEGACYCOMPUTER2$ = no -+ server require schannel seal:LEGACYCOMPUTER2$ = no - - - -diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml -new file mode 100644 -index 000000000000..d4620d1252dd ---- /dev/null -+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml -@@ -0,0 +1,118 @@ -+ -+ -+ -+ -+ This option is deprecated and will be removed in future, -+ as it is a security problem if not set to "yes" (which will be -+ the hardcoded behavior in future). -+ -+ -+ -+ This option controls whether the netlogon server (currently -+ only in 'active directory domain controller' mode), will -+ reject the usage of netlogon secure channel without privacy/enryption. -+ -+ -+ -+ The option is modelled after the registry key available on Windows. -+ -+ -+ -+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 -+ -+ -+ -+ Avoid using this option! Use the per computer account specific option -+ '' instead! -+ Which is available with the patches for -+ CVE-2022-38023 -+ see https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ -+ -+ -+ Samba will log an error in the log files at log level 0 -+ if legacy a client is rejected or allowed without an explicit, -+ 'no' option -+ for the client. The message will indicate -+ the explicit 'no' -+ line to be added, if the legacy client software requires it. (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ -+ This allows admins to use "no" only for a short grace period, -+ in order to collect the explicit -+ 'no' options. -+ -+ -+ When set to 'yes' this option overrides the -+ '' and -+ '' options and implies -+ 'yes'. -+ -+ -+ -+ This option is over-ridden by the option. -+ -+ -+ -+ -+yes -+ -+ -+ -+ -+ -+ -+ If you still have legacy domain members, which required "server schannel require seal = no" before, -+ it is possible to specify explicit exception per computer account -+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. -+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of -+ the computer account (including the trailing '$' sign). -+ -+ -+ -+ Samba will log a complaint in the log files at log level 0 -+ about the security problem if the option is set to "no", -+ but the related computer does not require it. -+ (The log level can be adjusted with -+ '1' -+ in order to complain only at a higher log level). -+ -+ -+ -+ Samba will warn in the log files at log level 5, -+ if a setting is still needed for the specified computer account. -+ -+ -+ -+ See CVE-2022-38023, -+ https://bugzilla.samba.org/show_bug.cgi?id=15240. -+ -+ -+ -+ This option overrides the '' option. -+ -+ -+ -+ When set to 'yes' this option overrides the -+ '' and -+ '' options and implies -+ 'yes'. -+ -+ -+ -+ server require schannel seal:LEGACYCOMPUTER1$ = no -+ server require schannel seal:NASBOX$ = no -+ server require schannel seal:LEGACYCOMPUTER2$ = no -+ -+ -+ -+ -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 2b644ee97c02..2b1eec5c4a12 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); - - lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); -+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); - lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); - - lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 28ce4de6dd67..443b63a1cf46 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - Globals.require_strong_key = true; - Globals.reject_md5_servers = true; - Globals.server_schannel = true; -+ Globals.server_schannel_require_seal = true; - Globals.reject_md5_clients = true; - Globals.read_raw = true; - Globals.write_raw = true; --- -2.34.1 - - -From 422a2c9adcc39edb4a9ea3da435a7b53822f6ccc Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Dec 2022 14:31:26 +0100 -Subject: [PATCH 27/30] CVE-2022-38023 s4:rpc_server/netlogon: add a per - connection cache to dcesrv_netr_check_schannel() - -It's enough to warn the admin once per connection. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a) ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++---- - 1 file changed, 153 insertions(+), 40 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index d5bca620b0d4..624c8d407242 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -877,23 +877,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca - return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); - } - --static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, -- const struct netlogon_creds_CredentialState *creds, -- enum dcerpc_AuthType auth_type, -- enum dcerpc_AuthLevel auth_level, -- uint16_t opnum) -+struct dcesrv_netr_check_schannel_state { -+ struct dom_sid account_sid; -+ enum dcerpc_AuthType auth_type; -+ enum dcerpc_AuthLevel auth_level; -+ -+ bool schannel_global_required; -+ bool schannel_required; -+ bool schannel_explicitly_set; -+ -+ NTSTATUS result; -+}; -+ -+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ struct dcesrv_netr_check_schannel_state **_s) - { - struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; -- TALLOC_CTX *frame = talloc_stackframe(); -- NTSTATUS nt_status; - int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); - bool schannel_required = schannel_global_required; - const char *explicit_opt = NULL; -+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) -+ struct dcesrv_netr_check_schannel_state *s = NULL; -+ NTSTATUS status; -+ -+ *_s = NULL; -+ -+ s = dcesrv_iface_state_find_conn(dce_call, -+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -+ struct dcesrv_netr_check_schannel_state); -+ if (s != NULL) { -+ if (!dom_sid_equal(&s->account_sid, creds->sid)) { -+ goto new_state; -+ } -+ if (s->auth_type != auth_type) { -+ goto new_state; -+ } -+ if (s->auth_level != auth_level) { -+ goto new_state; -+ } -+ -+ *_s = s; -+ return NT_STATUS_OK; -+ } -+ -+new_state: -+ TALLOC_FREE(s); -+ s = talloc_zero(dce_call, -+ struct dcesrv_netr_check_schannel_state); -+ if (s == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ s->account_sid = *creds->sid; -+ s->auth_type = auth_type; -+ s->auth_level = auth_level; -+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ explicit_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "server require schannel", -+ creds->account_name); -+ if (explicit_opt != NULL) { -+ schannel_required = lp_bool(explicit_opt); -+ } -+ -+ s->schannel_global_required = schannel_global_required; -+ s->schannel_required = schannel_required; -+ s->schannel_explicitly_set = explicit_opt != NULL; -+ -+ status = dcesrv_iface_state_store_conn(dce_call, -+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, -+ s); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ *_s = s; -+ return NT_STATUS_OK; -+} -+ -+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, -+ struct dcesrv_netr_check_schannel_state *s, -+ const struct netlogon_creds_CredentialState *creds, -+ uint16_t opnum) -+{ -+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; - int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, - "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); - int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, - "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); -+ TALLOC_CTX *frame = talloc_stackframe(); - unsigned int dbg_lvl = DBGLVL_DEBUG; - const char *opname = ""; - const char *reason = ""; -@@ -902,37 +984,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - opname = ndr_table_netlogon.calls[opnum].name; - } - -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { - reason = "WITH SEALED"; -- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { -+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { - reason = "WITH SIGNED"; - } else { -- smb_panic("Schannel without SIGN/SEAL"); -+ reason = "WITH INVALID"; -+ dbg_lvl = DBGLVL_ERR; -+ s->result = NT_STATUS_INTERNAL_ERROR; - } - } else { - reason = "WITHOUT"; - } - -- /* -- * We don't use lpcfg_parm_bool(), as we -- * need the explicit_opt pointer in order to -- * adjust the debug messages. -- */ -- explicit_opt = lpcfg_get_parametric(lp_ctx, -- NULL, -- "server require schannel", -- creds->account_name); -- if (explicit_opt != NULL) { -- schannel_required = lp_bool(explicit_opt); -+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { -+ if (!NT_STATUS_IS_OK(s->result)) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ TALLOC_FREE(frame); -+ return s->result; - } - -- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -- nt_status = NT_STATUS_OK; -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ s->result = NT_STATUS_OK; - -- if (explicit_opt != NULL && !schannel_required) { -+ if (s->schannel_explicitly_set && !s->schannel_required) { - dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -- } else if (!schannel_required) { -+ } else if (!s->schannel_required) { - dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } - -@@ -943,9 +1031,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - opname, opnum, reason, - log_escape(frame, creds->account_name), - log_escape(frame, creds->computer_name), -- nt_errstr(nt_status))); -- -- if (explicit_opt != NULL && !schannel_required) { -+ nt_errstr(s->result))); -+ if (s->schannel_explicitly_set && !s->schannel_required) { - DEBUG(CVE_2020_1472_warn_level, ( - "CVE-2020-1472(ZeroLogon): " - "Option 'server require schannel:%s = no' not needed for '%s'!\n", -@@ -954,13 +1041,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - } - - TALLOC_FREE(frame); -- return nt_status; -+ return s->result; - } - -- if (schannel_required) { -- nt_status = NT_STATUS_ACCESS_DENIED; -+ if (s->schannel_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; - -- if (explicit_opt != NULL) { -+ if (s->schannel_explicitly_set) { - dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); - } else { - dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -@@ -973,8 +1060,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - opname, opnum, reason, - log_escape(frame, creds->account_name), - log_escape(frame, creds->computer_name), -- nt_errstr(nt_status))); -- if (explicit_opt != NULL) { -+ nt_errstr(s->result))); -+ if (s->schannel_explicitly_set) { - D_NOTICE("CVE-2020-1472(ZeroLogon): Option " - "'server require schannel:%s = yes' " - "rejects access for client.\n", -@@ -987,12 +1074,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - log_escape(frame, creds->account_name))); - } - TALLOC_FREE(frame); -- return nt_status; -+ return s->result; - } - -- nt_status = NT_STATUS_OK; -+ s->result = NT_STATUS_OK; - -- if (explicit_opt != NULL) { -+ if (s->schannel_explicitly_set) { - dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } else { - dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -@@ -1005,9 +1092,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - opname, opnum, reason, - log_escape(frame, creds->account_name), - log_escape(frame, creds->computer_name), -- nt_errstr(nt_status))); -+ nt_errstr(s->result))); - -- if (explicit_opt != NULL) { -+ if (s->schannel_explicitly_set) { - D_INFO("CVE-2020-1472(ZeroLogon): Option " - "'server require schannel:%s = no' " - "still needed for '%s'!\n", -@@ -1030,6 +1117,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, - } - - TALLOC_FREE(frame); -+ return s->result; -+} -+ -+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, -+ const struct netlogon_creds_CredentialState *creds, -+ enum dcerpc_AuthType auth_type, -+ enum dcerpc_AuthLevel auth_level, -+ uint16_t opnum) -+{ -+ struct dcesrv_netr_check_schannel_state *s = NULL; -+ NTSTATUS status; -+ -+ status = dcesrv_netr_check_schannel_get_state(dce_call, -+ creds, -+ auth_type, -+ auth_level, -+ &s); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ - return NT_STATUS_OK; - } - --- -2.34.1 - - -From 78d79aade1f07776266e22829a53a594bb2968b8 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 25 Nov 2022 14:05:30 +0100 -Subject: [PATCH 28/30] CVE-2022-38023 s4:rpc_server/netlogon: implement - "server schannel require seal[:COMPUTERACCOUNT]" - -By default we'll now require schannel connections with -privacy/sealing/encryption. - -But we allow exceptions for specific computer/trust accounts. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1) ---- - selftest/target/Samba4.pm | 28 ++ - source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++- - 2 files changed, 271 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index b61acbf8e57b..087860b9ebdd 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1645,9 +1645,23 @@ sub provision_ad_dc_ntvfs($$$) - server require schannel:schannel10\$ = no - server require schannel:schannel11\$ = no - server require schannel:torturetest\$ = no -+ server schannel require seal:schannel0\$ = no -+ server schannel require seal:schannel1\$ = no -+ server schannel require seal:schannel2\$ = no -+ server schannel require seal:schannel3\$ = no -+ server schannel require seal:schannel4\$ = no -+ server schannel require seal:schannel5\$ = no -+ server schannel require seal:schannel6\$ = no -+ server schannel require seal:schannel7\$ = no -+ server schannel require seal:schannel8\$ = no -+ server schannel require seal:schannel9\$ = no -+ server schannel require seal:schannel10\$ = no -+ server schannel require seal:schannel11\$ = no -+ server schannel require seal:torturetest\$ = no - - # needed for 'samba.tests.auth_log' tests - server require schannel:LOCALDC\$ = no -+ server schannel require seal:LOCALDC\$ = no - "; - push (@{$extra_provision_options}, "--use-ntvfs"); - my $ret = $self->provision($prefix, -@@ -2049,6 +2063,19 @@ sub provision_ad_dc($$$$$$$) - server require schannel:schannel10\$ = no - server require schannel:schannel11\$ = no - server require schannel:torturetest\$ = no -+ server schannel require seal:schannel0\$ = no -+ server schannel require seal:schannel1\$ = no -+ server schannel require seal:schannel2\$ = no -+ server schannel require seal:schannel3\$ = no -+ server schannel require seal:schannel4\$ = no -+ server schannel require seal:schannel5\$ = no -+ server schannel require seal:schannel6\$ = no -+ server schannel require seal:schannel7\$ = no -+ server schannel require seal:schannel8\$ = no -+ server schannel require seal:schannel9\$ = no -+ server schannel require seal:schannel10\$ = no -+ server schannel require seal:schannel11\$ = no -+ server schannel require seal:torturetest\$ = no - - auth event notification = true - dsdb event notification = true -@@ -2742,6 +2769,7 @@ sub setup_ad_dc_smb1 - - # needed for 'samba.tests.auth_log' tests - server require schannel:ADDCSMB1\$ = no -+ server schannel require seal:ADDCSMB1\$ = no - "; - return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); - } -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 624c8d407242..ddcb8487a56d 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -68,9 +68,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context - bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); - int schannel = lpcfg_server_schannel(lp_ctx); - bool schannel_global_required = (schannel == true); -+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); - static bool warned_global_nt4_once = false; - static bool warned_global_md5_once = false; - static bool warned_global_schannel_once = false; -+ static bool warned_global_seal_once = false; - - if (global_allow_nt4_crypto && !warned_global_nt4_once) { - /* -@@ -102,6 +104,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context - warned_global_schannel_once = true; - } - -+ if (!global_require_seal && !warned_global_seal_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ D_ERR("CVE-2022-38023 (and others): " -+ "Please configure 'server schannel require seal = yes' (the default), " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); -+ warned_global_seal_once = true; -+ } -+ - return dcesrv_interface_bind_reject_connect(context, iface); - } - -@@ -886,6 +898,10 @@ struct dcesrv_netr_check_schannel_state { - bool schannel_required; - bool schannel_explicitly_set; - -+ bool seal_global_required; -+ bool seal_required; -+ bool seal_explicitly_set; -+ - NTSTATUS result; - }; - -@@ -900,6 +916,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d - bool schannel_global_required = (schannel == true); - bool schannel_required = schannel_global_required; - const char *explicit_opt = NULL; -+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); -+ bool require_seal = global_require_seal; -+ const char *explicit_seal_opt = NULL; - #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) - struct dcesrv_netr_check_schannel_state *s = NULL; - NTSTATUS status; -@@ -937,6 +956,19 @@ new_state: - s->auth_level = auth_level; - s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; - -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, -+ NULL, -+ "server schannel require seal", -+ creds->account_name); -+ if (explicit_seal_opt != NULL) { -+ require_seal = lp_bool(explicit_seal_opt); -+ } -+ - /* - * We don't use lpcfg_parm_bool(), as we - * need the explicit_opt pointer in order to -@@ -954,6 +986,10 @@ new_state: - s->schannel_required = schannel_required; - s->schannel_explicitly_set = explicit_opt != NULL; - -+ s->seal_global_required = global_require_seal; -+ s->seal_required = require_seal; -+ s->seal_explicitly_set = explicit_seal_opt != NULL; -+ - status = dcesrv_iface_state_store_conn(dce_call, - DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, - s); -@@ -975,6 +1011,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); - int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, - "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); -+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); -+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, -+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); - TALLOC_CTX *frame = talloc_stackframe(); - unsigned int dbg_lvl = DBGLVL_DEBUG; - const char *opname = ""; -@@ -1004,18 +1044,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - } - - DEBUG(dbg_lvl, ( -- "CVE-2020-1472(ZeroLogon): " -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && -+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) -+ { -+ s->result = NT_STATUS_OK; -+ -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); -+ } else if (!s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -+ } else if (!s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " - "%s request (opnum[%u]) %s schannel from " - "client_account[%s] client_computer_name[%s] %s\n", - opname, opnum, reason, - log_escape(frame, creds->account_name), - log_escape(frame, creds->computer_name), - nt_errstr(s->result))); -+ -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ if (s->seal_explicitly_set && !s->seal_required) { -+ DEBUG(CVE_2022_38023_warn_level, ( -+ "CVE-2022-38023: " -+ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ - TALLOC_FREE(frame); - return s->result; - } - - if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ if (s->seal_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; -+ -+ if (s->seal_explicitly_set) { -+ dbg_lvl = DBGLVL_NOTICE; -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); -+ } -+ -+ DEBUG(dbg_lvl, ( -+ "CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "from client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->seal_explicitly_set) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ if (s->schannel_explicitly_set && !s->schannel_required) { -+ DEBUG(CVE_2020_1472_warn_level, ( -+ "CVE-2020-1472(ZeroLogon): Option " -+ "'server require schannel:%s = no' " -+ "not needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ - s->result = NT_STATUS_OK; - - if (s->schannel_explicitly_set && !s->schannel_required) { -@@ -1023,6 +1152,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - } else if (!s->schannel_required) { - dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } else if (!s->seal_required) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } - - DEBUG(dbg_lvl, ( - "CVE-2020-1472(ZeroLogon): " -@@ -1039,7 +1173,77 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - log_escape(frame, creds->account_name), - log_escape(frame, creds->computer_name))); - } -+ if (s->seal_explicitly_set && !s->seal_required) { -+ D_INFO("CVE-2022-38023: " -+ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else if (!s->seal_required) { -+ /* -+ * admins should set -+ * server schannel require seal:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: " -+ "Please use 'server schannel require seal:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ -+ TALLOC_FREE(frame); -+ return s->result; -+ } -+ -+ if (s->seal_required) { -+ s->result = NT_STATUS_ACCESS_DENIED; -+ -+ if (s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ if (!s->schannel_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); -+ } else if (s->schannel_required) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); -+ } - -+ DEBUG(dbg_lvl, ( -+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -+ "%s request (opnum[%u]) %s schannel from " -+ "from client_account[%s] client_computer_name[%s] %s\n", -+ opname, opnum, reason, -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name), -+ nt_errstr(s->result))); -+ if (s->seal_explicitly_set) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = yes' " -+ "rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } else { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } -+ if (!s->schannel_explicitly_set) { -+ DEBUG(CVE_2020_1472_error_level, ( -+ "CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } else if (s->schannel_required) { -+ D_NOTICE("CVE-2022-38023: Option " -+ "'server require schannel:%s = yes' " -+ "also rejects access for client.\n", -+ log_escape(frame, creds->account_name)); -+ } - TALLOC_FREE(frame); - return s->result; - } -@@ -1052,6 +1256,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - } else { - dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); - } -+ if (!s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } - - DEBUG(dbg_lvl, ( - "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " -@@ -1073,12 +1280,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - "might be needed for a legacy client.\n", - log_escape(frame, creds->account_name))); - } -+ if (!s->seal_explicitly_set) { -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Check if option " -+ "'server schannel require seal:%s = no' " -+ "might be needed for a legacy client.\n", -+ log_escape(frame, creds->account_name))); -+ } - TALLOC_FREE(frame); - return s->result; - } - - s->result = NT_STATUS_OK; - -+ if (s->seal_explicitly_set) { -+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); -+ } else { -+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); -+ } -+ - if (s->schannel_explicitly_set) { - dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); - } else { -@@ -1094,6 +1314,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca - log_escape(frame, creds->computer_name), - nt_errstr(s->result))); - -+ if (s->seal_explicitly_set) { -+ D_INFO("CVE-2022-38023: Option " -+ "'server schannel require seal:%s = no' " -+ "still needed for '%s'!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name)); -+ } else { -+ /* -+ * admins should set -+ * server schannel require seal:COMPUTER$ = no -+ * in order to avoid the level 0 messages. -+ * Over time they can switch the global value -+ * to be strict. -+ */ -+ DEBUG(CVE_2022_38023_error_level, ( -+ "CVE-2022-38023: Please use " -+ "'server schannel require seal:%s = no' " -+ "for '%s' to avoid this warning!\n", -+ log_escape(frame, creds->account_name), -+ log_escape(frame, creds->computer_name))); -+ } -+ - if (s->schannel_explicitly_set) { - D_INFO("CVE-2020-1472(ZeroLogon): Option " - "'server require schannel:%s = no' " --- -2.34.1 - - -From 8a9aed5d0dab28a20004ed6cc73f2472b11fbd41 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 30 Nov 2022 15:13:47 +0100 -Subject: [PATCH 29/30] CVE-2022-38023 testparm: warn about server/client - schannel != yes - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e) ---- - source3/utils/testparm.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index 27a8bc1fb8e8..b3ddd48b3f1d 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -598,11 +598,25 @@ static int do_global_checks(void) - ret = 1; - } - -- if (!lp_server_schannel()) { -+ if (lp_server_schannel() != true) { /* can be 'auto' */ - fprintf(stderr, -- "WARNING: You have configured 'server schannel = no'. " -+ "WARNING: You have not configured " -+ "'server schannel = yes' (the default). " - "Your server is vulernable to \"ZeroLogon\" " -- "(CVE-2020-1472)\n\n"); -+ "(CVE-2020-1472)\n" -+ "If required use individual " -+ "'server require schannel:COMPUTERACCOUNT$ = no' " -+ "options\n\n"); -+ } -+ if (lp_client_schannel() != true) { /* can be 'auto' */ -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'client schannel = yes' (the default). " -+ "Your server is vulernable to \"ZeroLogon\" " -+ "(CVE-2020-1472)\n" -+ "If required use individual " -+ "'client schannel:NETBIOSDOMAIN = no' " -+ "options\n\n"); - } - - return ret; --- -2.34.1 - - -From a3e10bf4b8fc328167e7219337742bf12eb41111 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Dec 2022 13:36:17 +0100 -Subject: [PATCH 30/30] CVE-2022-38023 testparm: warn about unsecure schannel - related options - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme -(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb) ---- - source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 61 insertions(+) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index b3ddd48b3f1d..02ef3de83ae5 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -608,6 +608,37 @@ static int do_global_checks(void) - "'server require schannel:COMPUTERACCOUNT$ = no' " - "options\n\n"); - } -+ if (lp_allow_nt4_crypto()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'allow nt4 crypto = no' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023 and others!\n" -+ "If required use individual " -+ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' " -+ "options\n\n"); -+ } -+ if (!lp_reject_md5_clients()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'reject md5 clients = yes' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023!\n" -+ "If required use individual " -+ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' " -+ "options\n\n"); -+ } -+ if (!lp_server_schannel_require_seal()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'server schannel require seal = yes' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023!\n" -+ "If required use individual " -+ "'server schannel require seal:COMPUTERACCOUNT$ = no' " -+ "options\n\n"); -+ } -+ - if (lp_client_schannel() != true) { /* can be 'auto' */ - fprintf(stderr, - "WARNING: You have not configured " -@@ -618,6 +649,36 @@ static int do_global_checks(void) - "'client schannel:NETBIOSDOMAIN = no' " - "options\n\n"); - } -+ if (!lp_reject_md5_servers()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'reject md5 servers = yes' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023\n" -+ "If required use individual " -+ "'reject md5 servers:NETBIOSDOMAIN = no' " -+ "options\n\n"); -+ } -+ if (!lp_require_strong_key()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'require strong key = yes' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023\n" -+ "If required use individual " -+ "'require strong key:NETBIOSDOMAIN = no' " -+ "options\n\n"); -+ } -+ if (!lp_winbind_sealed_pipes()) { -+ fprintf(stderr, -+ "WARNING: You have not configured " -+ "'winbind sealed pipes = yes' (the default). " -+ "Your server is vulernable to " -+ "CVE-2022-38023\n" -+ "If required use individual " -+ "'winbind sealed pipes:NETBIOSDOMAIN = no' " -+ "options\n\n"); -+ } - - return ret; - } --- -2.34.1 - diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch deleted file mode 100644 index 337be97..0000000 --- a/SOURCES/samba-4.16-waf-crypto.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:24:04 +0200 -Subject: [PATCH 1/2] waf: Check for GnuTLS earlier - -As GnuTLS is an essential part we need to check for it early so we can react on -GnuTLS features in other wscripts. - -Signed-off-by: Andreas Schneider ---- - wscript | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wscript b/wscript -index d8220b35095..5b85d9a1682 100644 ---- a/wscript -+++ b/wscript -@@ -189,6 +189,8 @@ def configure(conf): - conf.RECURSE('dynconfig') - conf.RECURSE('selftest') - -+ conf.PROCESS_SEPARATE_RULE('system_gnutls') -+ - conf.CHECK_CFG(package='zlib', minversion='1.2.3', - args='--cflags --libs', - mandatory=True) -@@ -297,8 +299,6 @@ def configure(conf): - if not conf.CONFIG_GET('KRB5_VENDOR'): - conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - -- conf.PROCESS_SEPARATE_RULE('system_gnutls') -- - conf.RECURSE('source4/dsdb/samdb/ldb_modules') - conf.RECURSE('source4/ntvfs/sysdep') - conf.RECURSE('lib/util') --- -2.35.1 - - -From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:25:31 +0200 -Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS - provides the cipher - -Signed-off-by: Andreas Schneider ---- - third_party/wscript | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/third_party/wscript b/third_party/wscript -index 1f4bc1ce1d7..a17c15bcaa7 100644 ---- a/third_party/wscript -+++ b/third_party/wscript -@@ -5,7 +5,8 @@ from waflib import Options - def configure(conf): - conf.RECURSE('cmocka') - conf.RECURSE('popt') -- conf.RECURSE('aesni-intel') -+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ conf.RECURSE('aesni-intel') - if conf.CONFIG_GET('ENABLE_SELFTEST'): - conf.RECURSE('socket_wrapper') - conf.RECURSE('nss_wrapper') -@@ -18,7 +19,8 @@ def configure(conf): - def build(bld): - bld.RECURSE('cmocka') - bld.RECURSE('popt') -- bld.RECURSE('aesni-intel') -+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ bld.RECURSE('aesni-intel') - if bld.CONFIG_GET('SOCKET_WRAPPER'): - bld.RECURSE('socket_wrapper') - if bld.CONFIG_GET('NSS_WRAPPER'): --- -2.35.1 - diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc deleted file mode 100644 index 96aba0e..0000000 --- a/SOURCES/samba-4.16.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmLg520ACgkQqplEL7aA -tiBsuA//ZqQhoz1unYEMk6tqu528xGweYd488gjdKkszWPCI5NmGbmvN/tbhUIc3 -WbJO8oPEFN81+a0b7nsKxpgDt8IR00rx4mA3A5rh+Z1PTbUWpjBxchTsXZsEaDaE -dA/pRes+rzDpjLg2VWAd+5SDwy1d5ZfZ+gX/qntfpgYLqiBfJNJJPxCEFqnG1IUF -xaWwKQNuduq89Wr3LabSCjx4IMQEABr8VN+WZG5JhmKBaad1I5tOBOFypLS0iKUX -bGsMr3itdKFvYmAFM2ZbY/Q7DZb5GIUvNOqyRcBYQe33tqS2GYjEHS0tbXoNP5l2 -gQcs3FiebX6Bi4I6EoFL380LLG1zskCV5xRtGIvrW7SOKCnkaswuxlHEQSVWFc0A -2aZmT7RaKYwtm+0kD+Fq3PWBwPvLBgiCP9oohfOgqrW9VnIJNbyCyJcBbK8snS0a -KIfr+hM+ccNBVhmpFWRjA0WkVW9d9/tcDFN63nTQJkZg4cXZboMVO7fjmo4U1oJK -qIVU5Xr0e5TXLNWguvr6t03CUvtfgBHMYFrHRX4HJTN7Z3m4WxAYt+jspIavQP/S -muj4g/INYmjZmBG2f9mign6Tt3MtOtHlymMFAJ1t1e+9B5v1dkmO4T6ffqbDgvg5 -bnAFUM5+bzW81DGJNbITDSNBU7PokwP4cQBNTVtgK38DW4BiPO8= -=6kYO ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.17.5.tar.asc b/SOURCES/samba-4.17.5.tar.asc new file mode 100644 index 0000000..6d0b732 --- /dev/null +++ b/SOURCES/samba-4.17.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmPSvJEACgkQqplEL7aA +tiDXbA//bPY+2A4y8zPJLibWjRtmv76xTgj1EJMZoC5d7+5PXQfuVhVULGYrxriF +MIF4CtTnMDk20mihnQb03csGpZGvqfBKbZg6jYolqeTmwRDgKXf9dxLxYYBGswPN +JXiF/ZvDQzEorrsz24o7i9Pe44IXpdf7+3RjIXhKjCa2vFQibTndGRhYb0UYiR9S +DELp6V/rmV9/BrYWVhHVnuzROzNWsrXIyu1GPNRWdX6ptJmjq6f8wZUP0NODYsBP +e0+BpXwob795tDSAMBnbnp7ZsHRYgB2/iWDTe19MF5LjHCcPwRWmzfZjiWQuz11D +kg7RUmlTkpU0mrToM+Uyg3Lhc8sayojDTHkIuIPBTuirdKuyP5Zov1wCaPuvf8Ew +LCQlQsC2AVeko8xY7P5ieXrmsfncoKR23S0MaKM6oNXooMJcNFnemMvCsOGGeGCi +HJa1whPdI5Cj3zLB5X35UNMmauS7qWyyj3lS2horg8L/iIQ3R3q+0Xkd5VmX1BXz +EhVDvOnb1F7E9HFlxhZRJFufpnHrGZX6ZYe6BqP8oU092UUU5JMeIqe20wG/dAtX +B91QhITdPDnM4KrSbch9i+BKW1xD8srRXu4yqMTZp6X6dPh6lnzVn6vj4uKNCMwz +2qLa3Rl+cRON1uTeFJXSTHg/diHjKriu3+bCqm0RlHAFLMtvudk= +=gZl3 +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch deleted file mode 100644 index 5d3cb55..0000000 --- a/SOURCES/samba-s4u.patch +++ /dev/null @@ -1,642 +0,0 @@ -From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:25:03 +0300 -Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ - source4/kdc/mit_samba.c | 47 ++------- - source4/kdc/mit_samba.h | 6 +- - 3 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 793fe366c35..22534c09974 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, -- krb5_pac *pac) -+ krb5_pac *out_pac) - { - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; -- krb5_pac ipac = NULL; -- DATA_BLOB logon_data = { NULL, 0 }; -+ krb5_keyblock *header_server_key = NULL; -+ krb5_key_data *impersonator_kd = NULL; -+ krb5_keyblock impersonator_key = {0}; - krb5_error_code code; -+ krb5_pac pac; -+ -+ *out_pac = NULL; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { -@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, -- &ipac); -+ &pac); - if (code != 0) { - goto done; - } - -- /* TODO: verify this is correct -- * -- * In the constrained delegation case, the PAC is from a service -- * ticket rather than a TGT; we must verify the server and KDC -- * signatures to assert that the server did not forge the PAC. -+ /* -+ * For constrained delegation in MIT version < 1.18 we aren't provided -+ * with the 2nd ticket server key to verify the PAC. -+ * We can workaround that by fetching the key from the client db entry, -+ * which is the impersonator account in that version. -+ * TODO: use the provided entry in the new 1.18 version. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- server_key, -- krbtgt_key); -+ /* The impersonator must be local. */ -+ if (client == NULL) { -+ code = KRB5KDC_ERR_BADOPTION; -+ goto done; -+ } -+ /* Fetch and decrypt 2nd ticket server's current key. */ -+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, -+ &impersonator_kd); -+ if (code != 0) { -+ goto done; -+ } -+ code = krb5_dbe_decrypt_key_data(context, NULL, -+ impersonator_kd, -+ &impersonator_key, NULL); -+ if (code != 0) { -+ goto done; -+ } -+ header_server_key = &impersonator_key; - } else { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- krbtgt_key, -- NULL); -- } -- if (code != 0) { -- goto done; -+ header_server_key = krbtgt_key; - } - -- /* check and update PAC */ -- code = krb5_pac_parse(context, -- authdata[0]->contents, -- authdata[0]->length, -- pac); -+ code = krb5_pac_verify(context, pac, authtime, client_princ, -+ header_server_key, NULL); - if (code != 0) { - goto done; - } -@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = mit_samba_reget_pac(mit_ctx, - context, - flags, -- client_princ, - client, - server, - krbtgt, - krbtgt_key, -- pac); -+ &pac); -+ if (code != 0) { -+ goto done; -+ } -+ -+ *out_pac = pac; -+ pac = NULL; - - done: -+ krb5_free_keyblock_contents(context, &impersonator_key); - krb5_free_authdata(context, authdata); -- krb5_pac_free(context, ipac); -- free(logon_data.data); -+ krb5_pac_free(context, pac); - - return code; - } -@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; -+ krb5_const_principal pac_client; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; -@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - -- /* FIXME: We don't support S4U yet */ -- if (flags & KRB5_KDB_FLAGS_S4U) { -- return KRB5_KDB_DBTYPE_NOSUP; -- } -- - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* -@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - ks_client_princ = client->princ; - } - -+ /* In protocol transition, we are currently not provided with the tgt -+ * client name to verify the PAC, we could probably skip the name -+ * verification and just verify the signatures, but since we don't -+ * support cross-realm nor aliases, we can just use server->princ */ -+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { -+ pac_client = server->princ; -+ } else { -+ pac_client = ks_client_princ; -+ } -+ - if (client_entry == NULL) { - client_entry = client; - } -@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - - code = ks_verify_pac(context, - flags, -- ks_client_princ, -+ pac_client, - client_entry, - server, - krbtgt, -@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, -- server_key, krbtgt_key, &pac_data); -+ server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; -@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); -- if (code != 0) { -- goto done; -- } -- -- code = 0; -- - done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); -@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, - * server; -> delegating service - * proxy; -> target principal - */ -- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); -- -- char *target_name = NULL; -- bool is_enterprise; -- krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - -- code = krb5_unparse_name(context, proxy, &target_name); -- if (code) { -- goto done; -- } -- -- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); -- -- code = mit_samba_check_s4u2proxy(mit_ctx, -- delegating_service, -- target_name, -- is_enterprise); -- --done: -- free(target_name); -- return code; -+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); - } - - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index cb72b5de294..03c2c2ea1de 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - context, - *pac, - server->princ, -- discard_const(client_principal), -+ client->princ, - deleg_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Update delegation info failed: %s\n", -@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - } - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name) -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal) - { --#if 1 -- /* -- * This is disabled because mit_samba_update_pac_data() does not handle -- * S4U_DELEGATION_INFO -- */ -- -- return KRB5KDC_ERR_BADOPTION; --#else -- krb5_principal target_principal; -- int flags = 0; -- int ret; -- -- if (is_nt_enterprise_name) { -- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; -- } -- -- ret = krb5_parse_name_flags(ctx->context, target_name, -- flags, &target_principal); -- if (ret) { -- return ret; -- } -- -- ret = samba_kdc_check_s4u2proxy(ctx->context, -- ctx->db_ctx, -- skdc_entry, -- target_principal); -- -- krb5_free_principal(ctx->context, target_principal); -- -- return ret; --#endif -+ struct samba_kdc_entry *server_skdc_entry = -+ talloc_get_type_abort(server->e_data, -+ struct samba_kdc_entry); -+ -+ return samba_kdc_check_s4u2proxy(ctx->context, -+ ctx->db_ctx, -+ server_skdc_entry, -+ target_principal); - } - - static krb5_error_code mit_samba_change_pwd_error(krb5_context context, -diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 4431e82a1b2..9370ab533af 100644 ---- a/source4/kdc/mit_samba.h -+++ b/source4/kdc/mit_samba.h -@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - DATA_BLOB *e_data); - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name); -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal); - - int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, - char *pwd, --- -2.37.1 - - -From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:35:30 +0300 -Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ - lib/krb5_wrap/krb5_samba.h | 2 - - source4/auth/kerberos/kerberos_util.c | 11 -- - 3 files changed, 185 insertions(+), 13 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 4321f07ca09..3fd95e47fca 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - - return 0; - } -+ -+#else /* MIT */ -+ -+static bool princ_compare_no_dollar(krb5_context ctx, -+ krb5_principal a, -+ krb5_principal b) -+{ -+ bool cmp; -+ krb5_principal mod = NULL; -+ -+ if (a->length == 1 && b->length == 1 && -+ a->data[0].length != 0 && b->data[0].length != 0 && -+ a->data[0].data[a->data[0].length -1] != -+ b->data[0].data[b->data[0].length -1]) { -+ if (a->data[0].data[a->data[0].length -1] == '$') { -+ mod = a; -+ mod->data[0].length--; -+ } else if (b->data[0].data[b->data[0].length -1] == '$') { -+ mod = b; -+ mod->data[0].length--; -+ } -+ } -+ -+ cmp = krb5_principal_compare_flags(ctx, a, b, -+ KRB5_PRINCIPAL_COMPARE_CASEFOLD); -+ -+ if (mod != NULL) { -+ mod->data[0].length++; -+ } -+ -+ return cmp; -+} -+ -+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, -+ krb5_ccache store_cc, -+ krb5_principal init_principal, -+ const char *init_password, -+ krb5_principal impersonate_principal, -+ const char *self_service, -+ const char *target_service, -+ krb5_get_init_creds_opt *krb_options, -+ time_t *expire_time, -+ time_t *kdc_time) -+{ -+ krb5_error_code code; -+ krb5_principal self_princ = NULL; -+ krb5_principal target_princ = NULL; -+ krb5_creds *store_creds; -+ krb5_creds *s4u2self_creds = NULL; -+ krb5_creds *s4u2proxy_creds = NULL; -+ krb5_creds init_creds = {0}; -+ krb5_creds mcreds = {0}; -+ krb5_flags options = KRB5_GC_NO_STORE; -+ krb5_ccache tmp_cc; -+ bool s4u2proxy; -+ -+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); -+ if (code != 0) { -+ return code; -+ } -+ -+ code = krb5_get_init_creds_password(ctx, &init_creds, -+ init_principal, -+ init_password, -+ NULL, NULL, -+ 0, -+ NULL, -+ krb_options); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* -+ * Check if we also need S4U2Proxy or if S4U2Self is -+ * enough in order to get a ticket for the target. -+ */ -+ if (target_service == NULL) { -+ s4u2proxy = false; -+ } else if (strcmp(target_service, self_service) == 0) { -+ s4u2proxy = false; -+ } else { -+ s4u2proxy = true; -+ } -+ -+ code = krb5_parse_name(ctx, self_service, &self_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt -+ * client and the request server to be the same principal name. */ -+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ mcreds.client = impersonate_principal; -+ mcreds.server = init_creds.client; -+ -+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, -+ NULL, &s4u2self_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (s4u2proxy) { -+ code = krb5_parse_name(ctx, target_service, &target_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ mcreds.client = init_creds.client; -+ mcreds.server = target_princ; -+ mcreds.second_ticket = s4u2self_creds->ticket; -+ -+ code = krb5_get_credentials(ctx, options | -+ KRB5_GC_CONSTRAINED_DELEGATION, -+ tmp_cc, &mcreds, &s4u2proxy_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* Check KDC support of S4U2Proxy extension */ -+ if (!krb5_principal_compare(ctx, s4u2self_creds->client, -+ s4u2proxy_creds->client)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ store_creds = s4u2proxy_creds; -+ } else { -+ store_creds = s4u2self_creds;; -+ -+ /* We need to save the ticket with the requested server name -+ * or the caller won't be able to find it in cache. */ -+ if (!krb5_principal_compare(ctx, self_princ, -+ store_creds->server)) { -+ krb5_free_principal(ctx, store_creds->server); -+ store_creds->server = NULL; -+ code = krb5_copy_principal(ctx, self_princ, -+ &store_creds->server); -+ if (code != 0) { -+ goto done; -+ } -+ } -+ } -+ -+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, store_cc, store_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (expire_time) { -+ *expire_time = (time_t) store_creds->times.endtime; -+ } -+ -+ if (kdc_time) { -+ *kdc_time = (time_t) store_creds->times.starttime; -+ } -+ -+done: -+ krb5_cc_destroy(ctx, tmp_cc); -+ krb5_free_cred_contents(ctx, &init_creds); -+ krb5_free_creds(ctx, s4u2self_creds); -+ krb5_free_creds(ctx, s4u2proxy_creds); -+ krb5_free_principal(ctx, self_princ); -+ krb5_free_principal(ctx, target_princ); -+ -+ return code; -+} - #endif - - #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index a66b7465530..c8573f52bd9 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#ifdef SAMBA4_USES_HEIMDAL - krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, -@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#endif - - #if defined(HAVE_KRB5_MAKE_PRINCIPAL) - #define smb_krb5_make_principal krb5_make_principal -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 544d9d853cc..c14d8c72d8c 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -234,9 +234,7 @@ done: - { - krb5_error_code ret; - const char *password; --#ifdef SAMBA4_USES_HEIMDAL - const char *self_service; --#endif - const char *target_service; - time_t kdc_time = 0; - krb5_principal princ; -@@ -268,9 +266,7 @@ done: - return ret; - } - --#ifdef SAMBA4_USES_HEIMDAL - self_service = cli_credentials_get_self_service(credentials); --#endif - target_service = cli_credentials_get_target_service(credentials); - - password = cli_credentials_get_password(credentials); -@@ -331,7 +327,6 @@ done: - #endif - if (password) { - if (impersonate_principal) { --#ifdef SAMBA4_USES_HEIMDAL - ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, - ccache, - princ, -@@ -342,12 +337,6 @@ done: - krb_options, - NULL, - &kdc_time); --#else -- talloc_free(mem_ctx); -- (*error_string) = "INTERNAL error: s4u2 ops " -- "are not supported with MIT build yet"; -- return EINVAL; --#endif - } else { - ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, - ccache, --- -2.37.1 - - -From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Sep 2020 14:16:20 +0200 -Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code - ---- - source4/kdc/mit_samba.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 03c2c2ea1de..30fade56531 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } -+#if KRB5_KDB_API_VERSION >= 10 -+ sflags |= SDB_F_FORCE_CANON; -+#endif - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* --- -2.37.1 - diff --git a/SOURCES/samba-systemd-sysusers.conf b/SOURCES/samba-systemd-sysusers.conf new file mode 100644 index 0000000..60ad7a5 --- /dev/null +++ b/SOURCES/samba-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g printadmin - diff --git a/SOURCES/samba-usershares-systemd-sysusers.conf b/SOURCES/samba-usershares-systemd-sysusers.conf new file mode 100644 index 0000000..33f8fcb --- /dev/null +++ b/SOURCES/samba-usershares-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g usershares - diff --git a/SOURCES/usershares.conf.vendor b/SOURCES/usershares.conf.vendor new file mode 100644 index 0000000..38a7885 --- /dev/null +++ b/SOURCES/usershares.conf.vendor @@ -0,0 +1,3 @@ +[global] + usershare max shares = 100 + usershare allow guests = yes diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 131e90f..dc69bc8 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -134,14 +134,9 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 103 - -%global samba_version 4.16.4 -%global talloc_version 2.3.3 -%global tdb_version 1.4.6 -%global tevent_version 0.12.0 -%global ldb_version 2.5.2 -# This should be rc1 or nil +%global samba_version 4.17.5 +%global baserelease 102 +# This should be rc1 or %%nil %global pre_release %nil %global samba_release %{baserelease} @@ -149,6 +144,37 @@ %global samba_release 0.%{baserelease}.%{pre_release} %endif + +# If one of those versions change, we need to make sure we rebuilt or adapt +# projects comsuming those. This is e.g. sssd, openchange, evolution-mapi, ... +%global libdcerpc_binding_so_version 0 +%global libdcerpc_server_core_so_version 0 +%global libdcerpc_so_version 0 +%global libndr_krb5pac_so_version 0 +%global libndr_nbt_so_version 0 +%global libndr_so_version 3 +%global libndr_standard_so_version 0 +%global libnetapi_so_version 1 +%global libsamba_credentials_so_version 1 +%global libsamba_errors_so_version 1 +%global libsamba_hostconfig_so_version 0 +%global libsamba_passdb_so_version 0 +%global libsamba_util_so_version 0 +%global libsamdb_so_version 0 +%global libsmbconf_so_version 0 +%global libsmbldap_so_version 2 +%global libtevent_util_so_version 0 + +%global libsmbclient_so_version 0 +%global libwbclient_so_version 0 + +%global talloc_version 2.3.4 +%global tdb_version 1.4.7 +%global tevent_version 0.13.0 +%global ldb_version 2.6.1 + +%global required_mit_krb5 1.20.1 + # This is a network daemon, do a hardened build # Enables PIE and full RELRO protection %global _hardened_build 1 @@ -165,25 +191,23 @@ %global libwbc_alternatives_suffix -64 %endif -%global required_mit_krb5 1.19 - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" +# Make a copy of this variable to prevent repeated evaluation of the +# embedded shell command. Avoid recursive macro definition if undefined. +%{?python3_sitearch: %global python3_sitearch %{python3_sitearch}} + Name: samba Version: %{samba_version} Release: %{samba_release}%{?dist} -%if 0%{?rhel} -Epoch: 0 -%else +%if 0%{?fedora} Epoch: 2 +%else +Epoch: 0 %endif -%if 0%{?epoch} > 0 %global samba_depver %{epoch}:%{version}-%{release} -%else -%global samba_depver %{version}-%{release} -%endif Summary: Server and Client software to interoperate with Windows machines License: GPLv3+ and LGPLv3+ @@ -200,20 +224,14 @@ Source11: smb.conf.vendor Source12: smb.conf.example Source13: pam_winbind.conf Source14: samba.pamd -Source15: samba.abignore +Source15: usershares.conf.vendor +Source16: samba-systemd-sysusers.conf +Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade - -Patch0: samba-s4u.patch -# https://gitlab.com/samba-team/samba/-/merge_requests/2477 -Patch1: samba-4.16-waf-crypto.patch -Patch2: CVE-2022-38023-v4-16.patch -Patch3: CVE-2022-38023-for-s3-v4-16.patch +Source202: samba.abignore Requires(pre): /usr/sbin/groupadd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -221,6 +239,8 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-dcerpc = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} @@ -286,14 +306,17 @@ BuildRequires: perl-generators BuildRequires: perl(Archive::Tar) BuildRequires: perl(Test::More) BuildRequires: popt-devel +BuildRequires: python3-cryptography BuildRequires: python3-devel BuildRequires: python3-dns +BuildRequires: python3-requests BuildRequires: python3-setuptools BuildRequires: quota-devel BuildRequires: readline-devel BuildRequires: rpcgen BuildRequires: rpcsvc-proto-devel BuildRequires: sed +BuildRequires: systemd-rpm-macros BuildRequires: libtasn1-devel # We need asn1Parser BuildRequires: libtasn1-tools @@ -326,17 +349,6 @@ BuildRequires: librados-devel BuildRequires: python3-etcd %endif -%if %{with dc} || %{with testsuite} -# Add python3-iso8601 to avoid that the -# version in Samba is being packaged -BuildRequires: python3-iso8601 -BuildRequires: python3-pyasn1 >= 0.4.8 - -BuildRequires: bind -BuildRequires: krb5-server >= %{required_mit_krb5} -#endif with dc -%endif - # pidl requirements BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(FindBin) @@ -367,10 +379,15 @@ BuildRequires: lmdb-devel %if %{with dc} || %{with testsuite} BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} +%if 0%{?fedora} || 0%{?rhel} >= 9 +BuildRequires: python3-dateutil +%else +BuildRequires: python3-iso8601 +%endif BuildRequires: python3-gpg BuildRequires: python3-markdown +BuildRequires: python3-pyasn1 >= 0.4.8 BuildRequires: python3-setproctitle -BuildRequires: python3-cryptography %if %{without includelibs} BuildRequires: tdb-tools @@ -490,30 +507,52 @@ SMB/CIFS clients. ### COMMON-TOOLS %package common-tools -Summary: Tools for Samba servers and clients +Summary: Tools for Samba clients Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} +Requires: samba-ldb-ldap-modules = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif +Provides: bundled(libreplace) + +%description common-tools +The samba-common-tools package contains tools for SMB/CIFS clients. + +### SAMBA-TOOLS +%package tools +Summary: Tools for Samba servers # samba-tool needs python3-samba Requires: python3-%{name} = %{samba_depver} # samba-tool needs tdbbackup Requires: tdb-tools -%if %{with dc} -# samba-tool needs python3-samba-dc on a full build +# samba-tool needs python3-samba-dc also on non-dc build Requires: python3-%{name}-dc = %{samba_depver} +%if %{with dc} # samba-tool needs mdb_copy for domain backup or upgrade provision Requires: lmdb %endif -Provides: bundled(libreplace) +%description tools +The samba-tools package contains tools for Samba servers +and for GPO management on domain members. -%description common-tools -The samba-common-tools package contains tools for Samba servers and -SMB/CIFS clients. +### RPC +%package dcerpc +Summary: DCE RPC binaries +Requires: samba-common-libs = %{samba_depver} +Requires: samba-client-libs = %{samba_depver} +Requires: samba-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} +%if %{with libwbclient} +Requires: libwbclient = %{samba_depver} +%endif + +%description dcerpc +The samba-dcerpc package contains binaries that serve DCERPC over named pipes. ### DC %if %{with dc} || %{with testsuite} @@ -522,6 +561,7 @@ Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-provision = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -559,6 +599,9 @@ BuildArch: noarch %description dc-provision The samba-dc-provision package provides files to setup a domain controller +#endif with dc || with testsuite +%endif + ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries @@ -575,6 +618,7 @@ Provides: bundled(libreplace) The %{name}-dc-libs package contains the libraries needed by the DC to link against the SMB, RPC and other protocols. +%if %{with dc} || %{with testsuite} ### DC-BIND %package dc-bind-dlz Summary: Bind DLZ module for Samba AD @@ -601,6 +645,7 @@ Requires: %{name}-client-libs = %{samba_depver} %if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} %endif +Requires: libnetapi = %{samba_depver} Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} @@ -663,6 +708,22 @@ Provides: bundled(libreplace) Samba VFS module for GlusterFS integration. %endif +### GPUPDATE +%if %{with dc} +%package gpupdate +Summary: Samba GPO support for clients +Requires: cepces +Requires: certmonger +Requires: %{name}-ldb-ldap-modules = %{samba_depver} +Requires: python3-%{name} = %{samba_depver} + +%description gpupdate +This package provides the samba-gpupdate tool to apply Group Policy Objects +(GPO) on Samba clients. + +# /with dc +%endif + ### KRB5-PRINTING %package krb5-printing Summary: Samba CUPS backend for printing with Kerberos @@ -678,6 +739,16 @@ If you need Kerberos for print jobs to a printer connection to cups via the SMB backend, then you need to install that package. It will allow cups to access the Kerberos credentials cache of the user issuing the print job. +### LDB-LDAP-MODULES +%package ldb-ldap-modules +Summary: Samba ldap modules for ldb +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} + +%description ldb-ldap-modules +This package contains the ldb ldap modules required by samba-tool and +samba-gpupdate. + ### LIBS %package libs Summary: Samba libraries @@ -696,6 +767,25 @@ Provides: bundled(libreplace) The %{name}-libs package contains the libraries needed by programs that link against the SMB, RPC and other protocols provided by the Samba suite. +### LIBNETAPI +%package -n libnetapi +Summary: The NETAPI library +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} + +%description -n libnetapi +This contains the NETAPI library from the Samba suite. + +%package -n libnetapi-devel +Summary: Developer tools for the NETAPI library +Requires: libnetapi = %{samba_depver} + +%description -n libnetapi-devel +The libnetapi-devel package contains the header files and libraries needed to +develop programs that link against the NETAPI library in the Samba suite. + ### LIBSMBCLIENT %if %{with libsmbclient} %package -n libsmbclient @@ -751,14 +841,14 @@ Summary: Samba Python3 libraries Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} -%endif +Requires: python3-cryptography +Requires: python3-dns +Requires: python3-ldb +Requires: python3-requests Requires: python3-talloc -Requires: python3-tevent Requires: python3-tdb -Requires: python3-ldb -Requires: python3-dns +Requires: python3-tevent %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -789,7 +879,6 @@ Requires: %{name}-libs = %{samba_depver} The python3-%{name}-test package contains the Python libraries used by the test suite of Samba. If you want to run full set of Samba tests, you need to install this package. -%if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD Requires: %{name}-client-libs = %{samba_depver} @@ -799,7 +888,6 @@ Requires: python3-%{name} = %{samba_depver} %description -n python3-samba-dc The python3-%{name}-dc package contains the Python libraries needed by programs to manage Samba AD. -%endif ### PIDL %package pidl @@ -832,6 +920,7 @@ Requires: %{name}-test-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} %endif Requires: %{name}-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -868,6 +957,17 @@ Provides: bundled(libreplace) %description test-libs %{name}-test-libs provides libraries required by the testing tools. +### USERSHARES +%package usershares +Summary: Provides support for non-root user shares +Requires: %{name} = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} + +%description usershares +Installing this package will provide a configuration file, group and +directories to support non-root user shares. You can configure them +as a user using the `net usershare` command. + ### WINBIND %package winbind Summary: Samba winbind @@ -881,11 +981,13 @@ Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} +Recommends: %{name}-tools = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +Requires: %{name}-dcerpc = %{samba_depver} Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} @@ -987,6 +1089,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB) Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-winbind-clients = %{samba_depver} Requires: coreutils # for ps and killall @@ -1086,7 +1189,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB %prep +%if 0%{?fedora} || 0%{?rhel} >= 9 +xzcat %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- +%else xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - +%endif %autosetup -n samba-%{version}%{pre_release} -p1 # Ensure we rely on GnuTLS and do not build any other crypto code shipping with @@ -1192,6 +1299,9 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-smb-extra=%{_systemd_extra} \ --systemd-nmb-extra=%{_systemd_extra} \ --systemd-winbind-extra=%{_systemd_extra} \ +%if %{with clustering} + --systemd-ctdb-extra=%{_systemd_extra} \ +%endif --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! @@ -1215,6 +1325,7 @@ install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol +install -d -m 0755 %{buildroot}/var/lib/samba/usershares install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/run/samba @@ -1242,6 +1353,7 @@ install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example +install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/samba/usershares.conf install -d -m 0755 %{buildroot}%{_sysconfdir}/security install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf @@ -1264,6 +1376,10 @@ echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif +install -d -m 0755 %{buildroot}%{_sysusersdir} +install -m 0644 %{SOURCE16} %{buildroot}%{_sysusersdir}/samba.conf +install -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/samba-usershares.conf + install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %{with clustering} @@ -1277,10 +1393,6 @@ install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf install -m 0644 %{SOURCE201} packaging/README.downgrade -%if %{with clustering} -install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} -%endif - # NetworkManager online/offline script install -d -m 0755 %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/ install -m 0755 packaging/NetworkManager/30-winbind-systemd \ @@ -1292,62 +1404,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ - %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ - %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ %{_mandir}/man8/samba-gpupdate.8 \ - %{_libdir}/samba/ldb/ildap.so \ - %{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{_unitdir}/samba.service \ - %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \ - %{python3_sitearch}/samba/dnsserver.py \ - %{python3_sitearch}/samba/domain_update.py \ - %{python3_sitearch}/samba/forest_update.py \ - %{python3_sitearch}/samba/kcc/__init__.py \ - %{python3_sitearch}/samba/kcc/debug.py \ - %{python3_sitearch}/samba/kcc/graph.py \ - %{python3_sitearch}/samba/kcc/graph_utils.py \ - %{python3_sitearch}/samba/kcc/kcc_utils.py \ - %{python3_sitearch}/samba/kcc/ldif_import_export.py \ - %{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \ - %{python3_sitearch}/samba/ms_forest_updates_markdown.py \ - %{python3_sitearch}/samba/ms_schema_markdown.py \ - %{python3_sitearch}/samba/provision/__init__.py \ - %{python3_sitearch}/samba/provision/backend.py \ - %{python3_sitearch}/samba/provision/common.py \ - %{python3_sitearch}/samba/provision/kerberos_implementation.py \ - %{python3_sitearch}/samba/provision/kerberos.py \ - %{python3_sitearch}/samba/provision/sambadns.py \ - %{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \ - %{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \ - %{python3_sitearch}/samba/__pycache__/schema.*.pyc \ - %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \ - %{python3_sitearch}/samba/remove_dc.py \ - %{python3_sitearch}/samba/samdb.py \ - %{python3_sitearch}/samba/schema.py \ - %{python3_sitearch}/samba/third_party/iso8601/__init__.py \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/iso8601.py \ - %{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \ - %{python3_sitearch}/samba/uptodateness.py \ %{_sbindir}/samba-gpupdate \ ; do rm -f %{buildroot}$i @@ -1430,7 +1490,11 @@ export WINBINDD_DONT_LOG_STDOUT=1 %systemd_postun_with_restart nmb.service %pre common +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE16} +%else getent group printadmin >/dev/null || groupadd -r printadmin || : +%endif %post common %{?ldconfig} @@ -1538,6 +1602,13 @@ fi %ldconfig_scriptlets test +%pre usershares +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE17} +%else +getent group usershares >/dev/null || groupadd -r usershares || : +%endif + %pre winbind /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : @@ -1649,15 +1720,6 @@ fi %dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd -%{_libexecdir}/samba/samba-dcerpcd -%{_libexecdir}/samba/rpcd_classic -%{_libexecdir}/samba/rpcd_epmapper -%{_libexecdir}/samba/rpcd_fsrvp -%{_libexecdir}/samba/rpcd_lsad -%{_libexecdir}/samba/rpcd_mdssvc -%{_libexecdir}/samba/rpcd_rpcecho -%{_libexecdir}/samba/rpcd_spoolss -%{_libexecdir}/samba/rpcd_winreg %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc @@ -1671,7 +1733,6 @@ fi %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/samba-bgqd.8* -%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1796,23 +1857,22 @@ fi ### CLIENT-LIBS %files client-libs -%{_libdir}/libdcerpc-binding.so.* -%{_libdir}/libdcerpc-server-core.so.* -%{_libdir}/libdcerpc.so.* -%{_libdir}/libndr-krb5pac.so.* -%{_libdir}/libndr-nbt.so.* -%{_libdir}/libndr-standard.so.* -%{_libdir}/libndr.so.* -%{_libdir}/libnetapi.so.* -%{_libdir}/libsamba-credentials.so.* -%{_libdir}/libsamba-errors.so.* -%{_libdir}/libsamba-hostconfig.so.* -%{_libdir}/libsamba-passdb.so.* -%{_libdir}/libsamba-util.so.* -%{_libdir}/libsamdb.so.* -%{_libdir}/libsmbconf.so.* -%{_libdir}/libsmbldap.so.* -%{_libdir}/libtevent-util.so.* +%{_libdir}/libdcerpc-binding.so.%{libdcerpc_binding_so_version}* +%{_libdir}/libdcerpc-server-core.so.%{libdcerpc_server_core_so_version}* +%{_libdir}/libdcerpc.so.%{libdcerpc_so_version}* +%{_libdir}/libndr-krb5pac.so.%{libndr_krb5pac_so_version}* +%{_libdir}/libndr-nbt.so.%{libndr_nbt_so_version}* +%{_libdir}/libndr-standard.so.%{libndr_standard_so_version}* +%{_libdir}/libndr.so.%{libndr_so_version}* +%{_libdir}/libsamba-credentials.so.%{libsamba_credentials_so_version}* +%{_libdir}/libsamba-errors.so.%{libsamba_errors_so_version}* +%{_libdir}/libsamba-hostconfig.so.%{libsamba_hostconfig_so_version}* +%{_libdir}/libsamba-passdb.so.%{libsamba_passdb_so_version}* +%{_libdir}/libsamba-util.so.%{libsamba_util_so_version}* +%{_libdir}/libsamdb.so.%{libsamdb_so_version}* +%{_libdir}/libsmbconf.so.%{libsmbconf_so_version}* +%{_libdir}/libsmbldap.so.%{libsmbldap_so_version}* +%{_libdir}/libtevent-util.so.%{libtevent_util_so_version}* %dir %{_libdir}/samba %{_libdir}/samba/libCHARSET3-samba4.so @@ -1901,7 +1961,7 @@ fi %endif %if %{without libsmbclient} -%{_libdir}/samba/libsmbclient.so.* +%{_libdir}/samba/libsmbclient.so.%{libsmbclient_so_version}* %{_mandir}/man7/libsmbclient.7* #endif without libsmbclient %endif @@ -1931,6 +1991,7 @@ fi ### COMMON %files common %{_tmpfilesdir}/samba.conf +%{_sysusersdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba @@ -1950,7 +2011,7 @@ fi %{_mandir}/man5/smbpasswd.5* %{_mandir}/man7/samba.7* -### COMMON-libs +### COMMON-LIBS %files common-libs # common libraries %{_libdir}/samba/libcmdline-samba4.so @@ -1962,11 +2023,11 @@ fi %{_libdir}/samba/pdb/smbpasswd.so %{_libdir}/samba/pdb/tdbsam.so +### COMMON-TOOLS %files common-tools %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles -%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1975,9 +2036,27 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* -%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* +### TOOLS +%files tools +%{_bindir}/samba-tool +%{_mandir}/man8/samba-tool.8* + +### RPC +%files dcerpc +%dir %{_libexecdir}/samba +%{_libexecdir}/samba/samba-dcerpcd +%{_libexecdir}/samba/rpcd_classic +%{_libexecdir}/samba/rpcd_epmapper +%{_libexecdir}/samba/rpcd_fsrvp +%{_libexecdir}/samba/rpcd_lsad +%{_libexecdir}/samba/rpcd_mdssvc +%{_libexecdir}/samba/rpcd_rpcecho +%{_libexecdir}/samba/rpcd_spoolss +%{_libexecdir}/samba/rpcd_winreg +%{_mandir}/man8/samba-dcerpcd.8* + ### DC %if %{with dc} || %{with testsuite} %files dc @@ -1985,7 +2064,6 @@ fi %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db -%{_sbindir}/samba-gpupdate %{_sbindir}/samba_kcc %{_sbindir}/samba_spnupdate %{_sbindir}/samba_upgradedns @@ -1993,7 +2071,6 @@ fi %{_libdir}/krb5/plugins/kdb/samba.so %{_libdir}/samba/auth/samba4.so -%{_libdir}/samba/libpac-samba4.so %dir %{_libdir}/samba/gensec %{_libdir}/samba/gensec/krb5.so %{_libdir}/samba/ldb/acl.so @@ -2010,10 +2087,8 @@ fi %{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_store.so %{_libdir}/samba/ldb/group_audit_log.so -%{_libdir}/samba/ldb/ildap.so %{_libdir}/samba/ldb/instancetype.so %{_libdir}/samba/ldb/lazy_commit.so -%{_libdir}/samba/ldb/ldbsamba_extensions.so %{_libdir}/samba/ldb/linked_attributes.so %{_libdir}/samba/ldb/new_partition.so %{_libdir}/samba/ldb/objectclass.so @@ -2048,7 +2123,6 @@ fi %dir /var/lib/samba/sysvol %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* -%{_mandir}/man8/samba-gpupdate.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -2058,9 +2132,15 @@ fi %license source4/setup/ad-schema/licence.txt %{_datadir}/samba/setup +#endif with dc || with testsuite +%endif ### DC-LIBS %files dc-libs +%{_libdir}/samba/libauth4-samba4.so + +%if %{with dc} || %{with testsuite} %{_libdir}/samba/libdb-glue-samba4.so +%{_libdir}/samba/libpac-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so @@ -2158,7 +2238,6 @@ fi %{_includedir}/samba-4.0/ndr/ndr_krb5pac.h %{_includedir}/samba-4.0/ndr/ndr_svcctl.h %{_includedir}/samba-4.0/ndr/ndr_nbt.h -%{_includedir}/samba-4.0/netapi.h %{_includedir}/samba-4.0/param.h %{_includedir}/samba-4.0/passdb.h %{_includedir}/samba-4.0/policy.h @@ -2199,7 +2278,6 @@ fi %{_libdir}/libndr-nbt.so %{_libdir}/libndr-standard.so %{_libdir}/libndr.so -%{_libdir}/libnetapi.so %{_libdir}/libsamba-credentials.so %{_libdir}/libsamba-errors.so %{_libdir}/libsamba-hostconfig.so @@ -2213,7 +2291,6 @@ fi %{_libdir}/pkgconfig/ndr_krb5pac.pc %{_libdir}/pkgconfig/ndr_nbt.pc %{_libdir}/pkgconfig/ndr_standard.pc -%{_libdir}/pkgconfig/netapi.pc %{_libdir}/pkgconfig/samba-credentials.pc %{_libdir}/pkgconfig/samba-hostconfig.pc %{_libdir}/pkgconfig/samba-util.pc @@ -2260,17 +2337,28 @@ fi %{_mandir}/man8/vfs_glusterfs.8* %endif +### GPUPDATE +%if %{with dc} +%files gpupdate +%{_mandir}/man8/samba-gpupdate.8* +%{_sbindir}/samba-gpupdate +%endif + ### KRB5-PRINTING %files krb5-printing %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper %{_mandir}/man8/smbspool_krb5_wrapper.8* +### LDB-LDAP-MODULES +%files ldb-ldap-modules +%{_libdir}/samba/ldb/ldbsamba_extensions.so +%{_libdir}/samba/ldb/ildap.so + ### LIBS %files libs %{_libdir}/libdcerpc-samr.so.* %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so %{_libdir}/samba/libdnsserver-common-samba4.so @@ -2281,6 +2369,16 @@ fi %{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so %{_libdir}/samba/libRPC-WORKER-samba4.so +### LIBNETAPI +%files -n libnetapi +%{_libdir}/libnetapi.so.%{libnetapi_so_version}* + +### LIBNETAPI-DEVEL +%files -n libnetapi-devel +%{_includedir}/samba-4.0/netapi.h +%{_libdir}/libnetapi.so +%{_libdir}/pkgconfig/netapi.pc + ### LIBSMBCLIENT %if %{with libsmbclient} %files -n libsmbclient @@ -2298,7 +2396,7 @@ fi ### LIBWBCLIENT %if %{with libwbclient} %files -n libwbclient -%{_libdir}/samba/wbclient/libwbclient.so.* +%{_libdir}/samba/wbclient/libwbclient.so.%{libwbclient_so_version}* ### LIBWBCLIENT-DEVEL %files -n libwbclient-devel @@ -2368,18 +2466,6 @@ fi %{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc -%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_smb_conf_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sudoers_ext.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -2397,14 +2483,6 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2466,11 +2544,6 @@ fi %{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py -%{python3_sitearch}/samba/gpclass.py -%{python3_sitearch}/samba/gp_gnome_settings_ext.py -%{python3_sitearch}/samba/gp_scripts_ext.py -%{python3_sitearch}/samba/gp_sec_ext.py -%{python3_sitearch}/samba/gpo.*.so %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py @@ -2489,14 +2562,57 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py -%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py -%{python3_sitearch}/samba/gp_chromium_ext.py -%{python3_sitearch}/samba/gp_ext_loader.py -%{python3_sitearch}/samba/gp_firefox_ext.py -%{python3_sitearch}/samba/gp_firewalld_ext.py -%{python3_sitearch}/samba/gp_msgs_ext.py -%{python3_sitearch}/samba/gp_smb_conf_ext.py -%{python3_sitearch}/samba/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp +%dir %{python3_sitearch}/samba/gp/__pycache__ +%{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firewalld_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_gnome_settings_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_msgs_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_smb_conf_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_startup_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_symlink_ext.*.pyc +%{python3_sitearch}/samba/gp/gpclass.py +%{python3_sitearch}/samba/gp/gp_gnome_settings_ext.py +%{python3_sitearch}/samba/gp/gp_scripts_ext.py +%{python3_sitearch}/samba/gp/gp_sec_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py +%{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_chromium_ext.py +%{python3_sitearch}/samba/gp/gp_ext_loader.py +%{python3_sitearch}/samba/gp/gp_firefox_ext.py +%{python3_sitearch}/samba/gp/gp_firewalld_ext.py +%{python3_sitearch}/samba/gp/gp_msgs_ext.py +%{python3_sitearch}/samba/gp/gp_smb_conf_ext.py +%{python3_sitearch}/samba/gp/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp/util +%dir %{python3_sitearch}/samba/gp/util/__pycache__ +%{python3_sitearch}/samba/gp/util/__pycache__/logging.*.pyc +%{python3_sitearch}/samba/gp/util/logging.py +%{python3_sitearch}/samba/gp/vgp_access_ext.py +%{python3_sitearch}/samba/gp/vgp_files_ext.py +%{python3_sitearch}/samba/gp/vgp_issue_ext.py +%{python3_sitearch}/samba/gp/vgp_motd_ext.py +%{python3_sitearch}/samba/gp/vgp_openssh_ext.py +%{python3_sitearch}/samba/gp/vgp_startup_scripts_ext.py +%{python3_sitearch}/samba/gp/vgp_sudoers_ext.py +%{python3_sitearch}/samba/gp/vgp_symlink_ext.py +%{python3_sitearch}/samba/gpo.*.so %dir %{python3_sitearch}/samba/gp_parse %{python3_sitearch}/samba/gp_parse/__init__.py %dir %{python3_sitearch}/samba/gp_parse/__pycache__ @@ -2591,9 +2707,11 @@ fi %{python3_sitearch}/samba/samba3/mdscli.*.so %{python3_sitearch}/samba/samba3/param.*.so %{python3_sitearch}/samba/samba3/passdb.*.so +%{python3_sitearch}/samba/samba3/smbconf.*.so %{python3_sitearch}/samba/samba3/smbd.*.so %{python3_sitearch}/samba/sd_utils.py %{python3_sitearch}/samba/sites.py +%{python3_sitearch}/samba/smbconf.*.so %{python3_sitearch}/samba/subnets.py %dir %{python3_sitearch}/samba/subunit %{python3_sitearch}/samba/subunit/__init__.py @@ -2605,14 +2723,6 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py -%{python3_sitearch}/samba/vgp_access_ext.py -%{python3_sitearch}/samba/vgp_files_ext.py -%{python3_sitearch}/samba/vgp_issue_ext.py -%{python3_sitearch}/samba/vgp_motd_ext.py -%{python3_sitearch}/samba/vgp_openssh_ext.py -%{python3_sitearch}/samba/vgp_startup_scripts_ext.py -%{python3_sitearch}/samba/vgp_sudoers_ext.py -%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2642,7 +2752,6 @@ fi %{_libdir}/libsamba-policy.*.so %{_libdir}/pkgconfig/samba-policy.*.pc -%if %{with dc} || %{with testsuite} %files -n python3-%{name}-dc %{python3_sitearch}/samba/samdb.py %{python3_sitearch}/samba/schema.py @@ -2658,7 +2767,9 @@ fi %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc %{python3_sitearch}/samba/dcerpc/dnsserver.*.so +%if %{with dc} || %{with testsuite} %{python3_sitearch}/samba/dckeytab.*.so +%endif %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2699,7 +2810,6 @@ fi %{python3_sitearch}/samba/remove_dc.py %{python3_sitearch}/samba/uptodateness.py -%endif %files -n python3-%{name}-test %dir %{python3_sitearch}/samba/tests @@ -2758,6 +2868,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc @@ -2775,6 +2886,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_setcred.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc %{python3_sitearch}/samba/tests/__pycache__/param.*.pyc %{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc @@ -2805,7 +2917,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc @@ -2840,6 +2954,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc @@ -2856,6 +2971,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py +%{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py @@ -2974,14 +3090,18 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc @@ -3001,14 +3121,18 @@ fi %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py %{python3_sitearch}/samba/tests/krb5/as_req_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/etype_tests.py %{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py +%{python3_sitearch}/samba/tests/krb5/lockout_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py +%{python3_sitearch}/samba/tests/krb5/protected_users_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py @@ -3031,6 +3155,7 @@ fi %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py +%{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py %{python3_sitearch}/samba/tests/ndr.py @@ -3047,6 +3172,7 @@ fi %{python3_sitearch}/samba/tests/ntlm_auth_krb5.py %{python3_sitearch}/samba/tests/pam_winbind.py %{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py +%{python3_sitearch}/samba/tests/pam_winbind_setcred.py %{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py %{python3_sitearch}/samba/tests/param.py %{python3_sitearch}/samba/tests/password_hash.py @@ -3155,7 +3281,9 @@ fi %{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py +%{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smbconf.py %{python3_sitearch}/samba/tests/smb-notify.py %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py @@ -3198,6 +3326,12 @@ fi %{_libdir}/samba/libdsdb-module-samba4.so %endif +### USERSHARES +%files usershares +%config(noreplace) %{_sysconfdir}/samba/usershares.conf +%attr(1770,root,usershares) %dir /var/lib/samba/usershares +%{_sysusersdir}/samba-usershares.conf + ### WINBIND %files winbind %{_libdir}/samba/idmap @@ -3276,7 +3410,6 @@ fi %config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check %{_sbindir}/ctdbd -%{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb %{_bindir}/ctdb_diagnostics %{_bindir}/ltdbtool @@ -3309,7 +3442,6 @@ fi %{_mandir}/man1/onnode.1.gz %{_mandir}/man1/ltdbtool.1.gz %{_mandir}/man1/ping_pong.1.gz -%{_mandir}/man1/ctdbd_wrapper.1.gz %{_mandir}/man5/ctdb.conf.5.gz %{_mandir}/man5/ctdb-script.options.5.gz %{_mandir}/man5/ctdb.sysconfig.5.gz @@ -4165,12 +4297,39 @@ fi %endif %changelog -* Mon Jan 16 2023 Andreas Schneider - 4.16.4-103 -- related: rhbz#2154372 - Add additional patches for CVE-2022-38023 +* Wed Feb 15 2023 Pavel Filipenský - 4.17.5-102 +- resolves: rhbz#2169980 - Fix winbind memory leak +- resolves: rhbz#2156056 - Fix Samba shares not accessible issue + +* Mon Feb 13 2023 Pavel Filipenský - 4.17.5-101 +- resolves: rhbz#2168534 - Create package samba-tools + +* Fri Jan 27 2023 Pavel Filipenský - 4.17.5-100 +- related: rhbz#2131993 - Update to version 4.17.5 + +* Thu Dec 22 2022 Pavel Filipenský - 4.17.4-102 +- related: rhbz#2131993 - Create package dc-libs also for 'non-dc build' + +* Wed Dec 21 2022 Pavel Filipenský - 4.17.4-101 +- related: rhbz#2131993 - Rebuild for MIT Kerberos 1.20.1 + +* Mon Dec 19 2022 Pavel Filipenský - 4.17.4-100 +- related: rhbz#2131993 - Update to version 4.17.4 +- resolves: rhbz#2154373 - Fix CVE-2022-38023 +- resolves: rhbz#2143196 - Fix %U include directive for share listing (netshareenum) +- resolves: rhbz#2114884 - Fix id command to return new groups after successful user login +- resolves: rhbz#2154885 - Fix Winbind to retrieve user groups from Active Directory + +* Wed Nov 02 2022 Pavel Filipenský - 4.17.2-103 +- Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional +- related: rhbz#2131993 + +* Wed Oct 26 2022 Andreas Schneider - 4.17.2-102 +- Fix CVE-2022-1615 GnuTLS gnutls_rnd() can fail and give predictable random values +- resolves: rhbz#2126175 -* Tue Dec 20 2022 Andreas Schneider - 4.16.4-102 -- Fix CVE-2022-38023 -- resolves: rhbz#2154372 +* Wed Oct 26 2022 Andreas Schneider - 4.17.2-101 +- resolves: rhbz#2131993 - Update to version 4.17.2 * Thu Aug 25 2022 Andreas Schneider - 4.16.4-101 - resolves: rhbz#2121317 - Do not require samba package in python3-samba