- Fix CVE-2023-3347

- netlogon: add support for netr_LogonGetCapabilities response level 2
2023-08-03 10:47:13 +03:00 · 2023-08-03 10:47:13 +03:00 · bb27d63e76
commit bb27d63e76
parent f16b5f7a86
10 changed files with 808 additions and 2 deletions
--- a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
+++ b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
@ -0,0 +1,38 @@
+From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 17:20:32 +0200
+Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
+ response level 2
+
+We don't have any documentation about this yet, but tests against
+a Windows Server 2022 patched with KB5028166 revealed that
+the response for query_level=2 is exactly the same as
+for querey_level=1.
+
+Until we know the reason for query_level=2 we won't
+use it as client nor support it in the server, but
+we want ndrdump to work.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ librpc/idl/netlogon.idl | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
+index 48a8c8f9310..85dd73ee7e4 100644
+--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
+@@ -1236,6 +1236,7 @@ interface netlogon
+ 	/* Function 0x15 */
+ 	typedef [switch_type(uint32)] union {
+ 		[case(1)] netr_NegotiateFlags server_capabilities;
+		[case(2)] netr_NegotiateFlags server_capabilities;
+ 	} netr_Capabilities;
+ 
+ 	NTSTATUS netr_LogonGetCapabilities(
+-- 
+2.39.3
+
--- a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
+++ b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
@ -0,0 +1,128 @@
+From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 17:25:05 +0200
+Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
+ netr_LogonGetCapabilities with different levels
+
+The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
+for unsupported query_levels, we allow it to work with servers
+with or without support for query_level=2.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ .../knownfail.d/netr_LogonGetCapabilities     |  3 +
+ source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
+ 2 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+new file mode 100644
+index 00000000000..30aadf3bb9d
+--- /dev/null
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
+@@ -0,0 +1,3 @@
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
+^samba3.rpc.schannel.*\.schannel\(ad_dc
+^samba4.rpc.schannel.*\.schannel\(ad_dc
+diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
+index 1f068eb7826..a3d190f13dd 100644
+--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
+@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
+ 	r.out.capabilities = &capabilities;
+ 	r.out.return_authenticator = &return_auth;
+ 
+-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
+ 
+	r.in.query_level = 0;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
+
+	r.in.query_level = 3;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
+
+	r.in.query_level = 1;
+ 	ZERO_STRUCT(return_auth);
+ 
+ 	/*
+@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
+ 
+ 	*creds = tmp_creds;
+ 
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
+
+	r.in.query_level = 2;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+		/*
+		 * an server without KB5028166 returns
+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+		 */
+		return true;
+	}
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
+
+	*creds = tmp_creds;
+
+ 	torture_assert(tctx, netlogon_creds_client_check(creds,
+ 							 &r.out.return_authenticator->cred),
+ 		       "Credential chaining failed");
+-- 
+2.39.3
+
--- a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -0,0 +1,89 @@
+From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 16:11:48 +0200
+Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
+ invalid netr_LogonGetCapabilities levels
+
+This is important as Windows clients with KB5028166 seem to
+call netr_LogonGetCapabilities with query_level=2 after
+a call with query_level=1.
+
+An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
+for query_level values other than 1.
+While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
+later fails to marshall the response, which results
+in DCERPC_FAULT_BAD_STUB_DATA instead.
+
+Because we don't have any documentation for level 2 yet,
+we just try to behave like an unpatched server and
+generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
+DCERPC_FAULT_BAD_STUB_DATA.
+Which allows patched Windows clients to keep working
+against a Samba DC.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ .../knownfail.d/netr_LogonGetCapabilities     |  2 --
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+index 30aadf3bb9d..99c7ac711ed 100644
+--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
+@@ -1,3 +1 @@
+ ^samba3.rpc.schannel.*\.schannel\(nt4_dc
+-^samba3.rpc.schannel.*\.schannel\(ad_dc
+-^samba4.rpc.schannel.*\.schannel\(ad_dc
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 6ccba65d3bf..dc2167f08b2 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+	}
+
+ 	status = dcesrv_netr_creds_server_step_check(dce_call,
+ 						     mem_ctx,
+ 						     r->in.computer_name,
+@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	}
+ 	NT_STATUS_NOT_OK_RETURN(status);
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
+-- 
+2.39.3
+
--- a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -0,0 +1,93 @@
+From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 16:11:48 +0200
+Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
+ invalid netr_LogonGetCapabilities levels
+
+This is important as Windows clients with KB5028166 seem to
+call netr_LogonGetCapabilities with query_level=2 after
+a call with query_level=1.
+
+An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
+for query_level values other than 1.
+While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
+later fails to marshall the response, which results
+in DCERPC_FAULT_BAD_STUB_DATA instead.
+
+Because we don't have any documentation for level 2 yet,
+we just try to behave like an unpatched server and
+generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
+DCERPC_FAULT_BAD_STUB_DATA.
+Which allows patched Windows clients to keep working
+against a Samba DC.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
+---
+ .../knownfail.d/netr_LogonGetCapabilities     |  1 -
+ source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++++++++++---
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+deleted file mode 100644
+index 99c7ac711ed..00000000000
+--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.rpc.schannel.*\.schannel\(nt4_dc
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3ba58e61206..e8aa14167fc 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
+ 	become_root();
+ 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
+ 						p->mem_ctx,
+@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
+-- 
+2.39.3
+
--- a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
+++ b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
@ -0,0 +1,137 @@
+From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 12:46:31 +0200
+Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
+ signing
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ .../samba3.smb2.session-require-signing       |  1 +
+ selftest/target/Samba3.pm                     |  1 +
+ source3/selftest/tests.py                     |  2 +
+ source4/torture/smb2/session.c                | 64 +++++++++++++++++++
+ source4/torture/smb2/smb2.c                   |  1 +
+ 5 files changed, 69 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
+
+diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
+new file mode 100644
+index 00000000000..53b7a7022a8
+--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
+@@ -0,0 +1 @@
+^samba3.smb2.session-require-signing.bug15397
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index d9e17473615..b4c3c130e9a 100755
+--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
+@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
+ 	# values required for tests to succeed
+ 	create krb5 conf = no
+         map to guest = bad user
+	server signing = required
+ ";
+ 
+ 	my $ret = $self->provision(
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index b069630605a..d2b5409d0a9 100755
+--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
+@@ -1097,6 +1097,8 @@ for t in tests:
+         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
+         # ad_member_idmap_rid sets "create krb5.conf = no"
+         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
+    elif t == "smb2.session-require-signing":
+        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
+     elif t == "rpc.lsa":
+         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
+         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
+diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
+index 51df51542d4..823304f190f 100644
+--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
+@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
+ 
+ 	return suite;
+ }
+
+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
+					       struct smb2_tree *_tree)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *_creds = samba_cmdline_get_creds();
+	struct cli_credentials *creds = NULL;
+	struct smbcli_options options;
+	struct smb2_tree *tree = NULL;
+	uint8_t security_mode;
+	NTSTATUS status;
+	bool ok = true;
+
+	/*
+	 * Setup our own connection so we can control the signing flags
+	 */
+
+	creds = cli_credentials_shallow_copy(tctx, _creds);
+	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
+
+	options = _tree->session->transport->options;
+	options.client_guid = GUID_random();
+	options.signing = SMB_SIGNING_IF_REQUIRED;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      creds,
+			      &tree,
+			      tctx->ev,
+			      &options,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
+					"smb2_connect failed");
+
+	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
+
+	torture_assert_int_equal_goto(
+		tctx,
+		security_mode,
+		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
+		ok,
+		done,
+		"Signing not required");
+
+done:
+	return ok;
+}
+
+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
+{
+	struct torture_suite *suite =
+	    torture_suite_create(ctx, "session-require-signing");
+
+	torture_suite_add_1smb2_test(suite, "bug15397",
+				     test_session_require_sign_bug15397);
+
+	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
+	return suite;
+}
+diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
+index c595b108ce8..5b6477e47bc 100644
+--- a/source4/torture/smb2/smb2.c
+++ b/source4/torture/smb2/smb2.c
+@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
+ 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
+ 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
+ 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
+	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
+ 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
+ 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
+ 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
+-- 
+2.39.3
+
--- a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
+++ b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
@ -0,0 +1,131 @@
+From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 21 Jun 2023 15:06:12 +0200
+Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to
+ smb[1|2]_srv_init_signing()
+
+No change in behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/smbd/proto.h        |  3 ++-
+ source3/smbd/smb1_signing.c | 10 ++--------
+ source3/smbd/smb1_signing.h |  3 ++-
+ source3/smbd/smb2_signing.c | 25 +++++++++++++++----------
+ 4 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index a39f0a2edfa..3884617e77b 100644
+--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
+@@ -52,7 +52,8 @@ struct dcesrv_context;
+ 
+ /* The following definitions come from smbd/smb2_signing.c */
+ 
+-bool smb2_srv_init_signing(struct smbXsrv_connection *conn);
+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
+			   struct smbXsrv_connection *conn);
+ bool srv_init_signing(struct smbXsrv_connection *conn);
+ 
+ /* The following definitions come from smbd/aio.c  */
+diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c
+index 6bcb0629c4f..aa3027d5318 100644
+--- a/source3/smbd/smb1_signing.c
+++ b/source3/smbd/smb1_signing.c
+@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
+  Called by server negprot when signing has been negotiated.
+ ************************************************************/
+ 
+-bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
+			   struct smbXsrv_connection *conn)
+ {
+ 	bool allowed = true;
+ 	bool desired;
+ 	bool mandatory = false;
+ 
+-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
+-	if (lp_ctx == NULL) {
+-		DEBUG(10, ("loadparm_init_s3 failed\n"));
+-		return false;
+-	}
+-
+ 	/*
+ 	 * if the client and server allow signing,
+ 	 * we desire to use it.
+@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
+ 	 */
+ 
+ 	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+-	talloc_unlink(conn, lp_ctx);
+ 
+ 	if (lp_async_smb_echo_handler()) {
+ 		struct smbd_shm_signing *s;
+diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h
+index 56c59c5bbc2..26f60420dfa 100644
+--- a/source3/smbd/smb1_signing.h
+++ b/source3/smbd/smb1_signing.h
+@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn);
+ void smb1_srv_set_signing(struct smbXsrv_connection *conn,
+ 		     const DATA_BLOB user_session_key,
+ 		     const DATA_BLOB response);
+-bool smb1_srv_init_signing(struct smbXsrv_connection *conn);
+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
+			   struct smbXsrv_connection *conn);
+diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
+index 4691ef4d613..c1f876f9cd7 100644
+--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
+@@ -26,32 +26,37 @@
+ #include "lib/param/param.h"
+ #include "smb2_signing.h"
+ 
+-bool smb2_srv_init_signing(struct smbXsrv_connection *conn)
+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
+			   struct smbXsrv_connection *conn)
+ {
+-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
+-	if (lp_ctx == NULL) {
+-		DBG_DEBUG("loadparm_init_s3 failed\n");
+-		return false;
+-	}
+-
+ 	/*
+ 	 * For SMB2 all we need to know is if signing is mandatory.
+ 	 * It is always allowed and desired, whatever the smb.conf says.
+ 	 */
+ 	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+-	talloc_unlink(conn, lp_ctx);
+ 	return true;
+ }
+ 
+ bool srv_init_signing(struct smbXsrv_connection *conn)
+ {
+	struct loadparm_context *lp_ctx = NULL;
+	bool ok;
+
+	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		DBG_DEBUG("loadparm_init_s3 failed\n");
+		return false;
+	}
+
+ #if defined(WITH_SMB1SERVER)
+ 	if (conn->protocol >= PROTOCOL_SMB2_02) {
+ #endif
+-		return smb2_srv_init_signing(conn);
+		ok = smb2_srv_init_signing(lp_ctx, conn);
+ #if defined(WITH_SMB1SERVER)
+ 	} else {
+-		return smb1_srv_init_signing(conn);
+		ok = smb1_srv_init_signing(lp_ctx, conn);
+ 	}
+ #endif
+	talloc_unlink(conn, lp_ctx);
+	return ok;
+ }
+-- 
+2.39.3
+
--- a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
+++ b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
@ -0,0 +1,73 @@
+From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 21 Jun 2023 15:10:58 +0200
+Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code
+ in srv_init_signing()
+
+It's now a one-line function, imho the overall code is simpler if that code is
+just inlined.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/smbd/proto.h        |  2 --
+ source3/smbd/smb2_signing.c | 19 ++++++-------------
+ 2 files changed, 6 insertions(+), 15 deletions(-)
+
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index 3884617e77b..78e1b48be09 100644
+--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
+@@ -52,8 +52,6 @@ struct dcesrv_context;
+ 
+ /* The following definitions come from smbd/smb2_signing.c */
+ 
+-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
+-			   struct smbXsrv_connection *conn);
+ bool srv_init_signing(struct smbXsrv_connection *conn);
+ 
+ /* The following definitions come from smbd/aio.c  */
+diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
+index c1f876f9cd7..ef4a54d5710 100644
+--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
+@@ -26,21 +26,10 @@
+ #include "lib/param/param.h"
+ #include "smb2_signing.h"
+ 
+-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
+-			   struct smbXsrv_connection *conn)
+-{
+-	/*
+-	 * For SMB2 all we need to know is if signing is mandatory.
+-	 * It is always allowed and desired, whatever the smb.conf says.
+-	 */
+-	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+-	return true;
+-}
+-
+ bool srv_init_signing(struct smbXsrv_connection *conn)
+ {
+ 	struct loadparm_context *lp_ctx = NULL;
+-	bool ok;
+	bool ok = true;
+ 
+ 	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
+ 	if (lp_ctx == NULL) {
+@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
+ #if defined(WITH_SMB1SERVER)
+ 	if (conn->protocol >= PROTOCOL_SMB2_02) {
+ #endif
+-		ok = smb2_srv_init_signing(lp_ctx, conn);
+		/*
+		 * For SMB2 all we need to know is if signing is mandatory.
+		 * It is always allowed and desired, whatever the smb.conf says.
+		 */
+		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+ #if defined(WITH_SMB1SERVER)
+ 	} else {
+ 		ok = smb1_srv_init_signing(lp_ctx, conn);
+-- 
+2.39.3
+
--- a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
+++ b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
@ -0,0 +1,36 @@
+From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 18:13:23 +0200
+Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in
+ smbd_smb2_request_process_negprot()
+
+This is just going to bitrot. Anyone who's interested can just grep for
+"signing_mandatory" and look up what it does.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/smbd/smb2_negprot.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
+index 9d4ce160e5c..885769be24d 100644
+--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
+@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
+ 	}
+ 
+ 	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
+-	/*
+-	 * We use xconn->smb2.signing_mandatory set up via
+-	 * srv_init_signing() -> smb2_srv_init_signing().
+-	 * This calls lpcfg_server_signing_allowed() to get the correct
+-	 * defaults, e.g. signing_required for an ad_dc.
+-	 */
+ 	if (xconn->smb2.signing_mandatory) {
+ 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ 	}
+-- 
+2.39.3
+
--- a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
+++ b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
@ -0,0 +1,63 @@
+From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 15:33:02 +0200
+Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
+
+This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
+calling srv_init_signing() very early after accepting the connection in
+smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Jule Anger <janger@samba.org>
+Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
+---
+ .../samba3.smb2.session-require-signing       |  1 -
+ source3/smbd/smb2_signing.c                   | 19 ++++++++-----------
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
+
+diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
+deleted file mode 100644
+index 53b7a7022a8..00000000000
+--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
+++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.smb2.session-require-signing.bug15397
+diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
+index ef4a54d5710..73d07380dfa 100644
+--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
+@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
+ 		return false;
+ 	}
+ 
+	/*
+	 * For SMB2 all we need to know is if signing is mandatory.
+	 * It is always allowed and desired, whatever the smb.conf says.
+	 */
+	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+
+ #if defined(WITH_SMB1SERVER)
+-	if (conn->protocol >= PROTOCOL_SMB2_02) {
+-#endif
+-		/*
+-		 * For SMB2 all we need to know is if signing is mandatory.
+-		 * It is always allowed and desired, whatever the smb.conf says.
+-		 */
+-		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+-#if defined(WITH_SMB1SERVER)
+-	} else {
+-		ok = smb1_srv_init_signing(lp_ctx, conn);
+-	}
+	ok = smb1_srv_init_signing(lp_ctx, conn);
+ #endif
+
+ 	talloc_unlink(conn, lp_ctx);
+ 	return ok;
+ }
+-- 
+2.39.3
+
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@ -135,7 +135,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

 %global samba_version 4.17.5
-%global baserelease 2
+%global baserelease 3
 # This should be rc1 or %%nil
 %global pre_release %nil

@ -199,7 +199,7 @@

 Name:           samba
 Version:        %{samba_version}
-Release:        %{samba_release}%{?dist}
+Release:        %{samba_release}%{?dist}.alma

 %if 0%{?fedora}
 Epoch:          2
@ -231,6 +231,20 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore

+# Patches were taken from upstream and backported
+# https://github.com/samba-team/samba/commit/dfeabce44fbb78083fbbb2aa634fc4172cf83db9
+Patch0001: 0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
+Patch0002: 0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
+Patch0003: 0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+Patch0004: 0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+
+# https://github.com/samba-team/samba/commit/9bab902fc50f88869b253c4089d83b3e33a1075a
+Patch0005: 0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
+Patch0006: 0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
+Patch0007: 0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
+Patch0008: 0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
+Patch0009: 0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch 
+
 Requires(pre): /usr/sbin/groupadd

 Requires(pre): %{name}-common = %{samba_depver}
@ -4297,6 +4311,10 @@ fi
 %endif

 %changelog
+* Thu Aug 03 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.17.5-3.alma
+- Fix CVE-2023-3347
+- netlogon: add support for netr_LogonGetCapabilities response level 2
+
 * Wed Feb 15 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-2
 - resolves: rhbz#2169339 - Fix winbind memory leak
 - resolves: rhbz#2152899 - Fix Samba shares not accessible issue