From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
|
Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
|
invalid netr_LogonGetCapabilities levels
|
|
|
|
This is important as Windows clients with KB5028166 seem to
|
|
call netr_LogonGetCapabilities with query_level=2 after
|
|
a call with query_level=1.
|
|
|
|
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
for query_level values other than 1.
|
|
Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
|
later fails to marshall the response, which results
|
|
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
|
|
|
Because we don't have any documentation for level 2 yet,
|
|
we just try to behave like an unpatched server and
|
|
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
|
DCERPC_FAULT_BAD_STUB_DATA.
|
|
Which allows patched Windows clients to keep working
|
|
against a Samba DC.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
|
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
|
|
---
|
|
.../knownfail.d/netr_LogonGetCapabilities | 1 -
|
|
source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
|
|
2 files changed, 25 insertions(+), 5 deletions(-)
|
|
delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
|
|
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
deleted file mode 100644
|
|
index 99c7ac711ed..00000000000
|
|
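--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.rpc.schannel.*\.schannel\(nt4_dc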
|
|
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
index 3ba58e61206..e8aa14167fc 100644
|
|
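--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 struct netlogon_creds_CredentialState *creds;
 NTSTATUS status;
 
+ switch (r->in.query_level) {
+ case 1:
+ break;
+ case 2:
+ /*
+ * Until we know the details behind KB5028166
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+ * like an unpatched Windows Server.
+ */
+ FALL_THROUGH;
+ default:
+ /*
+ * There would not be a way to marshall the
+ * the response. Which would mean our final
+ * ndr_push would fail an we would return
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+ *
+ * But it's important to match a Windows server
+ * especially before KB5028166, see also our bug #15418
+ * Otherwise Windows client would stop talking to us.
+ */
+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
 become_root();
 status = dcesrv_netr_creds_server_step_check(p->dce_call,
 p->mem_ctx,
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 return status;
 }
 
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
 r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 return NT_STATUS_OK;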
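Review bot: The new `switch` on `r->in.query_level` sits above `become_root()` and `dcesrv_netr_creds_server_step_check()`, so an unsupported level is now rejected before the authenticator is verified, and neither comment in the hunk says that this ordering is intended. If it is (it appears to mirror a server that faults while unmarshalling, before the credential chain is stepped), I would say so above the switch, e.g. `/* Reject unknown levels before the creds step check, so a faulted call never advances the credential chain. */`, so that a later refactor does not move the check back below the authenticator step. The `default:` comment also carries two typos, `the the response` and `fail an we would`. The function starts and ends outside the visible hunks, so what follows the step check on the error path cannot be confirmed from here.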
|
|
--
|
|
2.39.3
|
|
|