import samba-4.17.5-3.el8_8

1 year ago · fba19100f4
parent 469730a155
commit fba19100f4
3 changed files with 805 additions and 1 deletions
--- a/SOURCES/CVE-2023-3347-signing-4.17-01.patch
+++ b/SOURCES/CVE-2023-3347-signing-4.17-01.patch
@ -0,0 +1,441 @@
 From 2c987aa203f12390c51810e4fbca6a176180a8b1 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Tue, 20 Jun 2023 12:46:31 +0200
 Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
 signing
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 .../samba3.smb2.session-require-signing       |  1 +
 selftest/target/Samba3.pm                     |  1 +
 source3/selftest/tests.py                     |  2 +
 source4/torture/smb2/session.c                | 64 +++++++++++++++++++
 source4/torture/smb2/smb2.c                   |  1 +
 5 files changed, 69 insertions(+)
 create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
 diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
 new file mode 100644
 index 000000000000..53b7a7022a83
 --- /dev/null
 +++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
@@ -0,0 +1 @@
 +^samba3.smb2.session-require-signing.bug15397
 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
 index 9c590547c943..3336c5b8e97c 100755
 --- a/selftest/target/Samba3.pm
 +++ b/selftest/target/Samba3.pm
@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
 	# values required for tests to succeed
 	create krb5 conf = no
         map to guest = bad user
 +	server signing = required
 ";
 	my $ret = $self->provision(
 diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
 index 04349c1f1f75..887bf6d52933 100755
 --- a/source3/selftest/tests.py
 +++ b/source3/selftest/tests.py
@@ -938,6 +938,8 @@ tests = base + raw + smb2 + rpc + unix + local + rap + nbt + idmap + vfs
         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
         # ad_member_idmap_rid sets "create krb5.conf = no"
         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
 +    elif t == "smb2.session-require-signing":
 +        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
     elif t == "rpc.lsa":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
 diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
 index 92f9e638ff47..e417008cad7a 100644
 --- a/source4/torture/smb2/session.c
 +++ b/source4/torture/smb2/session.c
@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 	return suite;
 }
 +
 +static bool test_session_require_sign_bug15397(struct torture_context *tctx,
 +					       struct smb2_tree *_tree)
 +{
 +	const char *host = torture_setting_string(tctx, "host", NULL);
 +	const char *share = torture_setting_string(tctx, "share", NULL);
 +	struct cli_credentials *_creds = samba_cmdline_get_creds();
 +	struct cli_credentials *creds = NULL;
 +	struct smbcli_options options;
 +	struct smb2_tree *tree = NULL;
 +	uint8_t security_mode;
 +	NTSTATUS status;
 +	bool ok = true;
 +
 +	/*
 +	 * Setup our own connection so we can control the signing flags
 +	 */
 +
 +	creds = cli_credentials_shallow_copy(tctx, _creds);
 +	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
 +
 +	options = _tree->session->transport->options;
 +	options.client_guid = GUID_random();
 +	options.signing = SMB_SIGNING_IF_REQUIRED;
 +
 +	status = smb2_connect(tctx,
 +			      host,
 +			      lpcfg_smb_ports(tctx->lp_ctx),
 +			      share,
 +			      lpcfg_resolve_context(tctx->lp_ctx),
 +			      creds,
 +			      &tree,
 +			      tctx->ev,
 +			      &options,
 +			      lpcfg_socket_options(tctx->lp_ctx),
 +			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
 +	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
 +					"smb2_connect failed");
 +
 +	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
 +
 +	torture_assert_int_equal_goto(
 +		tctx,
 +		security_mode,
 +		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
 +		ok,
 +		done,
 +		"Signing not required");
 +
 +done:
 +	return ok;
 +}
 +
 +struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
 +{
 +	struct torture_suite *suite =
 +	    torture_suite_create(ctx, "session-require-signing");
 +
 +	torture_suite_add_1smb2_test(suite, "bug15397",
 +				     test_session_require_sign_bug15397);
 +
 +	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
 +	return suite;
 +}
 diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
 index c717db50b70c..8621f09d820c 100644
 --- a/source4/torture/smb2/smb2.c
 +++ b/source4/torture/smb2/smb2.c
@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
 +	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
 -- 
 2.40.0
 From dfde1691d336fe658857e576cec0debd3a2450b9 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Wed, 21 Jun 2023 15:06:12 +0200
 Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to
 smb[1|2]_srv_init_signing()
 No change in behaviour.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 source3/smbd/proto.h        |  3 ++-
 source3/smbd/smb1_signing.c | 10 ++--------
 source3/smbd/smb1_signing.h |  3 ++-
 source3/smbd/smb2_signing.c | 25 +++++++++++++++----------
 4 files changed, 21 insertions(+), 20 deletions(-)
 diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
 index c4a330145151..67cc5e8a380a 100644
 --- a/source3/smbd/proto.h
 +++ b/source3/smbd/proto.h
@@ -52,7 +52,8 @@ struct dcesrv_context;
 /* The following definitions come from smbd/smb2_signing.c */
 -bool smb2_srv_init_signing(struct smbXsrv_connection *conn);
 +bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
 +			   struct smbXsrv_connection *conn);
 bool srv_init_signing(struct smbXsrv_connection *conn);
 /* The following definitions come from smbd/aio.c  */
 diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c
 index 6bcb0629c4f0..aa3027d53182 100644
 --- a/source3/smbd/smb1_signing.c
 +++ b/source3/smbd/smb1_signing.c
@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
  Called by server negprot when signing has been negotiated.
 ************************************************************/
 -bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
 +bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
 +			   struct smbXsrv_connection *conn)
 {
 	bool allowed = true;
 	bool desired;
 	bool mandatory = false;
 -	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
 -	if (lp_ctx == NULL) {
 -		DEBUG(10, ("loadparm_init_s3 failed\n"));
 -		return false;
 -	}
 -
 	/*
 	 * if the client and server allow signing,
 	 * we desire to use it.
@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
 	 */
 	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
 -	talloc_unlink(conn, lp_ctx);
 	if (lp_async_smb_echo_handler()) {
 		struct smbd_shm_signing *s;
 diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h
 index 56c59c5bbc21..26f60420dfa8 100644
 --- a/source3/smbd/smb1_signing.h
 +++ b/source3/smbd/smb1_signing.h
@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn);
 void smb1_srv_set_signing(struct smbXsrv_connection *conn,
 		     const DATA_BLOB user_session_key,
 		     const DATA_BLOB response);
 -bool smb1_srv_init_signing(struct smbXsrv_connection *conn);
 +bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
 +			   struct smbXsrv_connection *conn);
 diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
 index 4691ef4d6130..c1f876f9cd74 100644
 --- a/source3/smbd/smb2_signing.c
 +++ b/source3/smbd/smb2_signing.c
@@ -26,32 +26,37 @@
 #include "lib/param/param.h"
 #include "smb2_signing.h"
 -bool smb2_srv_init_signing(struct smbXsrv_connection *conn)
 +bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
 +			   struct smbXsrv_connection *conn)
 {
 -	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
 -	if (lp_ctx == NULL) {
 -		DBG_DEBUG("loadparm_init_s3 failed\n");
 -		return false;
 -	}
 -
 	/*
 	 * For SMB2 all we need to know is if signing is mandatory.
 	 * It is always allowed and desired, whatever the smb.conf says.
 	 */
 	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
 -	talloc_unlink(conn, lp_ctx);
 	return true;
 }
 bool srv_init_signing(struct smbXsrv_connection *conn)
 {
 +	struct loadparm_context *lp_ctx = NULL;
 +	bool ok;
 +
 +	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
 +	if (lp_ctx == NULL) {
 +		DBG_DEBUG("loadparm_init_s3 failed\n");
 +		return false;
 +	}
 +
 #if defined(WITH_SMB1SERVER)
 	if (conn->protocol >= PROTOCOL_SMB2_02) {
 #endif
 -		return smb2_srv_init_signing(conn);
 +		ok = smb2_srv_init_signing(lp_ctx, conn);
 #if defined(WITH_SMB1SERVER)
 	} else {
 -		return smb1_srv_init_signing(conn);
 +		ok = smb1_srv_init_signing(lp_ctx, conn);
 	}
 #endif
 +	talloc_unlink(conn, lp_ctx);
 +	return ok;
 }
 -- 
 2.40.0
 From fd5f7d15869b67c41f681539348f7917a8c2fc0c Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Wed, 21 Jun 2023 15:10:58 +0200
 Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code
 in srv_init_signing()
 It's now a one-line function, imho the overall code is simpler if that code is
 just inlined.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 source3/smbd/proto.h        |  2 --
 source3/smbd/smb2_signing.c | 19 ++++++-------------
 2 files changed, 6 insertions(+), 15 deletions(-)
 diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
 index 67cc5e8a380a..8075f4e567e3 100644
 --- a/source3/smbd/proto.h
 +++ b/source3/smbd/proto.h
@@ -52,8 +52,6 @@ struct dcesrv_context;
 /* The following definitions come from smbd/smb2_signing.c */
 -bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
 -			   struct smbXsrv_connection *conn);
 bool srv_init_signing(struct smbXsrv_connection *conn);
 /* The following definitions come from smbd/aio.c  */
 diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
 index c1f876f9cd74..ef4a54d57107 100644
 --- a/source3/smbd/smb2_signing.c
 +++ b/source3/smbd/smb2_signing.c
@@ -26,21 +26,10 @@
 #include "lib/param/param.h"
 #include "smb2_signing.h"
 -bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
 -			   struct smbXsrv_connection *conn)
 -{
 -	/*
 -	 * For SMB2 all we need to know is if signing is mandatory.
 -	 * It is always allowed and desired, whatever the smb.conf says.
 -	 */
 -	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
 -	return true;
 -}
 -
 bool srv_init_signing(struct smbXsrv_connection *conn)
 {
 	struct loadparm_context *lp_ctx = NULL;
 -	bool ok;
 +	bool ok = true;
 	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
 	if (lp_ctx == NULL) {
@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
 #if defined(WITH_SMB1SERVER)
 	if (conn->protocol >= PROTOCOL_SMB2_02) {
 #endif
 -		ok = smb2_srv_init_signing(lp_ctx, conn);
 +		/*
 +		 * For SMB2 all we need to know is if signing is mandatory.
 +		 * It is always allowed and desired, whatever the smb.conf says.
 +		 */
 +		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
 #if defined(WITH_SMB1SERVER)
 	} else {
 		ok = smb1_srv_init_signing(lp_ctx, conn);
 -- 
 2.40.0
 From afe8b8d4f55ac330683645dad149a1691c15e2bd Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Tue, 20 Jun 2023 18:13:23 +0200
 Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in
 smbd_smb2_request_process_negprot()
 This is just going to bitrot. Anyone who's interested can just grep for
 "signing_mandatory" and look up what it does.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 source3/smbd/smb2_negprot.c | 6 ------
 1 file changed, 6 deletions(-)
 diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
 index baddbecaade9..685a1460cef4 100644
 --- a/source3/smbd/smb2_negprot.c
 +++ b/source3/smbd/smb2_negprot.c
@@ -361,12 +361,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	}
 	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 -	/*
 -	 * We use xconn->smb2.signing_mandatory set up via
 -	 * srv_init_signing() -> smb2_srv_init_signing().
 -	 * This calls lpcfg_server_signing_allowed() to get the correct
 -	 * defaults, e.g. signing_required for an ad_dc.
 -	 */
 	if (xconn->smb2.signing_mandatory) {
 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 	}
 -- 
 2.40.0
 From d01483dba47134ee1cc959d3e52ef2af1b1221d8 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Tue, 20 Jun 2023 15:33:02 +0200
 Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
 This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
 calling srv_init_signing() very early after accepting the connection in
 smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 .../samba3.smb2.session-require-signing       |  1 -
 source3/smbd/smb2_signing.c                   | 19 ++++++++-----------
 2 files changed, 8 insertions(+), 12 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
 diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
 deleted file mode 100644
 index 53b7a7022a83..000000000000
 --- a/selftest/knownfail.d/samba3.smb2.session-require-signing
 +++ /dev/null
@@ -1 +0,0 @@
 -^samba3.smb2.session-require-signing.bug15397
 diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
 index ef4a54d57107..73d07380dfa1 100644
 --- a/source3/smbd/smb2_signing.c
 +++ b/source3/smbd/smb2_signing.c
@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
 		return false;
 	}
 +	/*
 +	 * For SMB2 all we need to know is if signing is mandatory.
 +	 * It is always allowed and desired, whatever the smb.conf says.
 +	 */
 +	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
 +
 #if defined(WITH_SMB1SERVER)
 -	if (conn->protocol >= PROTOCOL_SMB2_02) {
 -#endif
 -		/*
 -		 * For SMB2 all we need to know is if signing is mandatory.
 -		 * It is always allowed and desired, whatever the smb.conf says.
 -		 */
 -		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
 -#if defined(WITH_SMB1SERVER)
 -	} else {
 -		ok = smb1_srv_init_signing(lp_ctx, conn);
 -	}
 +	ok = smb1_srv_init_signing(lp_ctx, conn);
 #endif
 +
 	talloc_unlink(conn, lp_ctx);
 	return ok;
 }
 -- 
 2.40.0
--- a/SOURCES/samba-4.17-fix-netlogon-capability-level2.patch
+++ b/SOURCES/samba-4.17-fix-netlogon-capability-level2.patch
@ -0,0 +1,356 @@
 From 5a0951ffae8e030dfabad6f6eac9d2b48aba7a5b Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Sat, 15 Jul 2023 17:20:32 +0200
 Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
 response level 2
 We don't have any documentation about this yet, but tests against
 a Windows Server 2022 patched with KB5028166 revealed that
 the response for query_level=2 is exactly the same as
 for querey_level=1.
 Until we know the reason for query_level=2 we won't
 use it as client nor support it in the server, but
 we want ndrdump to work.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
 Signed-off-by: Stefan Metzmacher <metze@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
 ---
 librpc/idl/netlogon.idl | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
 index e563e114900b..c77151af26b1 100644
 --- a/librpc/idl/netlogon.idl
 +++ b/librpc/idl/netlogon.idl
@@ -1241,6 +1241,7 @@ interface netlogon
 	/* Function 0x15 */
 	typedef [switch_type(uint32)] union {
 		[case(1)] netr_NegotiateFlags server_capabilities;
 +		[case(2)] netr_NegotiateFlags server_capabilities;
 	} netr_Capabilities;
 	NTSTATUS netr_LogonGetCapabilities(
 -- 
 2.34.1
 From c28a4312122189740a6e02f1a9e4394d6c9c7f2e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Sat, 15 Jul 2023 17:25:05 +0200
 Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
 netr_LogonGetCapabilities with different levels
 The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
 for unsupported query_levels, we allow it to work with servers
 with or without support for query_level=2.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
 Signed-off-by: Stefan Metzmacher <metze@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)
 ---
 .../knownfail.d/netr_LogonGetCapabilities     |  3 +
 source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
 diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
 new file mode 100644
 index 000000000000..30aadf3bb9d5
 --- /dev/null
 +++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -0,0 +1,3 @@
 +^samba3.rpc.schannel.*\.schannel\(nt4_dc
 +^samba3.rpc.schannel.*\.schannel\(ad_dc
 +^samba4.rpc.schannel.*\.schannel\(ad_dc
 diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
 index 1f068eb78265..a3d190f13dd8 100644
 --- a/source4/torture/rpc/netlogon.c
 +++ b/source4/torture/rpc/netlogon.c
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	r.out.capabilities = &capabilities;
 	r.out.return_authenticator = &return_auth;
 -	torture_comment(tctx, "Testing LogonGetCapabilities\n");
 +	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
 +	r.in.query_level = 0;
 +	ZERO_STRUCT(return_auth);
 +
 +	/*
 +	 * we need to operate on a temporary copy of creds
 +	 * because dcerpc_netr_LogonGetCapabilities with
 +	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
 +	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
 +	 * without looking a the authenticator.
 +	 */
 +	tmp_creds = *creds;
 +	netlogon_creds_client_authenticator(&tmp_creds, &auth);
 +
 +	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
 +	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
 +				      "LogonGetCapabilities query_level=0 failed");
 +
 +	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
 +
 +	r.in.query_level = 3;
 +	ZERO_STRUCT(return_auth);
 +
 +	/*
 +	 * we need to operate on a temporary copy of creds
 +	 * because dcerpc_netr_LogonGetCapabilities with
 +	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
 +	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
 +	 * without looking a the authenticator.
 +	 */
 +	tmp_creds = *creds;
 +	netlogon_creds_client_authenticator(&tmp_creds, &auth);
 +
 +	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
 +	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
 +				      "LogonGetCapabilities query_level=0 failed");
 +
 +	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
 +
 +	r.in.query_level = 1;
 	ZERO_STRUCT(return_auth);
 	/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	*creds = tmp_creds;
 +	torture_assert(tctx, netlogon_creds_client_check(creds,
 +							 &r.out.return_authenticator->cred),
 +		       "Credential chaining failed");
 +
 +	torture_assert_int_equal(tctx, creds->negotiate_flags,
 +				 capabilities.server_capabilities,
 +				 "negotiate flags");
 +
 +	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
 +
 +	r.in.query_level = 2;
 +	ZERO_STRUCT(return_auth);
 +
 +	/*
 +	 * we need to operate on a temporary copy of creds
 +	 * because dcerpc_netr_LogonGetCapabilities with
 +	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
 +	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
 +	 * without looking a the authenticator.
 +	 */
 +	tmp_creds = *creds;
 +	netlogon_creds_client_authenticator(&tmp_creds, &auth);
 +
 +	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
 +	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
 +		/*
 +		 * an server without KB5028166 returns
 +		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
 +		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
 +		 */
 +		return true;
 +	}
 +	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
 +
 +	*creds = tmp_creds;
 +
 	torture_assert(tctx, netlogon_creds_client_check(creds,
 							 &r.out.return_authenticator->cred),
 		       "Credential chaining failed");
 -- 
 2.34.1
 From 4c4c630fe99c253f3400fc7a4542178eba9d0aa7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Sat, 15 Jul 2023 16:11:48 +0200
 Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
 invalid netr_LogonGetCapabilities levels
 This is important as Windows clients with KB5028166 seem to
 call netr_LogonGetCapabilities with query_level=2 after
 a call with query_level=1.
 An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
 for query_level values other than 1.
 While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
 later fails to marshall the response, which results
 in DCERPC_FAULT_BAD_STUB_DATA instead.
 Because we don't have any documentation for level 2 yet,
 we just try to behave like an unpatched server and
 generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
 DCERPC_FAULT_BAD_STUB_DATA.
 Which allows patched Windows clients to keep working
 against a Samba DC.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
 Signed-off-by: Stefan Metzmacher <metze@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
 ---
 .../knownfail.d/netr_LogonGetCapabilities     |  2 --
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
 diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
 index 30aadf3bb9d5..99c7ac711ede 100644
 --- a/selftest/knownfail.d/netr_LogonGetCapabilities
 +++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -1,3 +1 @@
 ^samba3.rpc.schannel.*\.schannel\(nt4_dc
 -^samba3.rpc.schannel.*\.schannel\(ad_dc
 -^samba4.rpc.schannel.*\.schannel\(ad_dc
 diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
 index 314b469a718a..e203e04143d7 100644
 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
 +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2359,6 +2359,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 +	switch (r->in.query_level) {
 +	case 1:
 +		break;
 +	case 2:
 +		/*
 +		 * Until we know the details behind KB5028166
 +		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
 +		 * like an unpatched Windows Server.
 +		 */
 +		FALL_THROUGH;
 +	default:
 +		/*
 +		 * There would not be a way to marshall the
 +		 * the response. Which would mean our final
 +		 * ndr_push would fail an we would return
 +		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
 +		 *
 +		 * But it's important to match a Windows server
 +		 * especially before KB5028166, see also our bug #15418
 +		 * Otherwise Windows client would stop talking to us.
 +		 */
 +		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
 +	}
 +
 	status = dcesrv_netr_creds_server_step_check(dce_call,
 						     mem_ctx,
 						     r->in.computer_name,
@@ -2370,10 +2394,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 -	if (r->in.query_level != 1) {
 -		return NT_STATUS_NOT_SUPPORTED;
 -	}
 -
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 	return NT_STATUS_OK;
 -- 
 2.34.1
 From 44fb6686eee8f1c8767eee6a26edc215dccbc766 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Sat, 15 Jul 2023 16:11:48 +0200
 Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
 invalid netr_LogonGetCapabilities levels
 This is important as Windows clients with KB5028166 seem to
 call netr_LogonGetCapabilities with query_level=2 after
 a call with query_level=1.
 An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
 for query_level values other than 1.
 While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
 later fails to marshall the response, which results
 in DCERPC_FAULT_BAD_STUB_DATA instead.
 Because we don't have any documentation for level 2 yet,
 we just try to behave like an unpatched server and
 generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
 DCERPC_FAULT_BAD_STUB_DATA.
 Which allows patched Windows clients to keep working
 against a Samba DC.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
 Signed-off-by: Stefan Metzmacher <metze@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
 Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
 (cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
 ---
 .../knownfail.d/netr_LogonGetCapabilities     |  1 -
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++++++++++---
 2 files changed, 25 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
 diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
 deleted file mode 100644
 index 99c7ac711ede..000000000000
 --- a/selftest/knownfail.d/netr_LogonGetCapabilities
 +++ /dev/null
@@ -1 +0,0 @@
 -^samba3.rpc.schannel.*\.schannel\(nt4_dc
 diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
 index 83318fff7532..c91eeed06b8d 100644
 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c
 +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2286,6 +2286,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 +	switch (r->in.query_level) {
 +	case 1:
 +		break;
 +	case 2:
 +		/*
 +		 * Until we know the details behind KB5028166
 +		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
 +		 * like an unpatched Windows Server.
 +		 */
 +		FALL_THROUGH;
 +	default:
 +		/*
 +		 * There would not be a way to marshall the
 +		 * the response. Which would mean our final
 +		 * ndr_push would fail an we would return
 +		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
 +		 *
 +		 * But it's important to match a Windows server
 +		 * especially before KB5028166, see also our bug #15418
 +		 * Otherwise Windows client would stop talking to us.
 +		 */
 +		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
 +		return NT_STATUS_NOT_SUPPORTED;
 +	}
 +
 	become_root();
 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
 						p->mem_ctx,
@@ -2298,10 +2323,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 		return status;
 	}
 -	if (r->in.query_level != 1) {
 -		return NT_STATUS_NOT_SUPPORTED;
 -	}
 -
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 	return NT_STATUS_OK;
 -- 
 2.34.1
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@ -135,7 +135,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 %global samba_version 4.17.5
-%global baserelease 2
+%global baserelease 3
 # This should be rc1 or %%nil
 %global pre_release %nil
@ -231,6 +231,9 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore
 Patch0:         samba-4.17-fix-netlogon-capability-level2.patch
 Patch1:         CVE-2023-3347-signing-4.17-01.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(pre): %{name}-common = %{samba_depver}
@ -4300,6 +4303,10 @@ fi
 * Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2:4.17.5-2
 - Rebuilt for MSVSphere 8.8
 * Tue Jul 18 2023 Andreas Schneider <asn@redhat.com> - 4.17.5-3
 - resolves: rhbz#2223515 - Fix CVE-2023-3347 - SMB2 packet signing not enforced
 - resolves: rhbz#2223601 - Fix netlogon capabilities level 2
 * Wed Feb 15 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-2
 - resolves: rhbz#2169339 - Fix winbind memory leak
 - resolves: rhbz#2152899 - Fix Samba shares not accessible issue