From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 17:20:32 +0200
Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
 response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for query_level=1.
Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 librpc/idl/netlogon.idl | 1 +
 1 file changed, 1 insertion(+)
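--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -1236,6 +1236,7 @@ interface netlogon
 	/* Function 0x15 */
 	typedef [switch_type(uint32)] union {
 		[case(1)] netr_NegotiateFlags server_capabilities;
+		[case(2)] netr_NegotiateFlags server_capabilities;
 	} netr_Capabilities;
 
 	NTSTATUS netr_LogonGetCapabilities(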
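Review bot: The new `[case(2)]` arm has no comment saying that level 2 is undocumented and only accepted so that decoding works. The commit message records that the layout was observed against a Windows Server 2022 with KB5028166 and that neither the client nor the server uses it yet, but none of that is visible in netlogon.idl, where the arm reads like a supported level. I would add above it something like `/* level 2: undocumented, same wire layout as level 1 (seen with KB5028166); for ndrdump only, see bug #15418 */`. The interface block this union belongs to starts and ends outside the hunk.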
-- 
2.41.0
From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 17:25:05 +0200
Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
 netr_LogonGetCapabilities with different levels
The important change is that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 .../knownfail.d/netr_LogonGetCapabilities     |  3 +
 source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
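--- /dev/null
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -0,0 +1,3 @@
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
+^samba3.rpc.schannel.*\.schannel\(ad_dc
+^samba4.rpc.schannel.*\.schannel\(ad_dc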
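--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	r.out.capabilities = &capabilities;
 	r.out.return_authenticator = &return_auth;
 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
 
+	r.in.query_level = 0;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
+
+	r.in.query_level = 3;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
+
+	r.in.query_level = 1;
 	ZERO_STRUCT(return_auth);
 
 	/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 
 	*creds = tmp_creds;
 
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
+
+	r.in.query_level = 2;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+		/*
+		 * an server without KB5028166 returns
+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+		 */
+		return true;
+	}
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
+
+	*creds = tmp_creds;
+
 	torture_assert(tctx, netlogon_creds_client_check(creds,
 							 &r.out.return_authenticator->cred),
 		       "Credential chaining failed");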
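Review bot: The assertion message in the query_level=3 block still reads `"LogonGetCapabilities query_level=0 failed"`, copied from the block above, so a failure at level 3 would be reported against the wrong level; it should be `"LogonGetCapabilities query_level=3 failed"`. The level 0 and level 3 blocks are otherwise identical and could share a small static helper that takes the level, which would also remove the repeated comment with its typo ("looking a the authenticator" for "looking at the authenticator"). The evidence that the server did not consume the authenticator is only indirect: the later level 1 call appears to succeed with the un-advanced `creds`. A one-line comment saying so, e.g. `/* creds is deliberately not updated: the next call proves the server did not step the chain */`, would make that dependency explicit. test_netlogon_capabilities starts and ends outside these hunks.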
-- 
2.41.0
From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 16:11:48 +0200
Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
 invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
Samba, in contrast, tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 .../knownfail.d/netr_LogonGetCapabilities     |  2 --
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
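--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -1,3 +1 @@
 ^samba3.rpc.schannel.*\.schannel\(nt4_dc
-^samba3.rpc.schannel.*\.schannel\(ad_dc
-^samba4.rpc.schannel.*\.schannel\(ad_dc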
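--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+	}
+
 	status = dcesrv_netr_creds_server_step_check(dce_call,
 						     mem_ctx,
 						     r->in.computer_name,
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;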
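Review bot: Neither comment in the new switch says that rejecting unsupported levels before `dcesrv_netr_creds_server_step_check()` is intentional. The ordering matters for the secure-channel state: the fault is returned without verifying or advancing the client's authenticator, which is what the torture test in patch 2 relies on when it works on a temporary copy of the credentials. If a later cleanup moved the level check back below the credential step, the client and server credential chains would presumably go out of sync after a level 2 probe. I would add a line such as `/* must stay before the creds step check: a faulted call must not advance the credential chain */` to the `default:` comment, and the same line to the identical switch in source3/rpc_server/netlogon/srv_netlog_nt.c. dcesrv_netr_LogonGetCapabilities starts and ends outside these hunks.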
-- 
2.41.0
From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 16:11:48 +0200
Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
 invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
Samba, in contrast, tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
---
 .../knownfail.d/netr_LogonGetCapabilities     |  1 -
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++++++++++---
 2 files changed, 25 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
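--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.rpc.schannel.*\.schannel\(nt4_dc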
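--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
 	become_root();
 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
 						p->mem_ctx,
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 		return status;
 	}
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;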
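Review bot: `return NT_STATUS_NOT_SUPPORTED;` directly after setting `p->fault_state` reads as if that status still reached the client, which is the behaviour the commit message describes as broken. A one-line comment would make the intent clear, for example `/* the status is not marshalled; fault_state turns the reply into an RPC fault */`, to be confirmed against the code that consumes `fault_state`, which is not part of this hunk. The comment could also say whether placing the check before `become_root()` is deliberate, so that a rejected level never reaches the privileged credential step. _netr_LogonGetCapabilities starts and ends outside these hunks.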
-- 
2.41.0