90 lines
3.1 KiB
Diff
90 lines
3.1 KiB
Diff
From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
|
Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
|
invalid netr_LogonGetCapabilities levels
|
|
|
|
This is important as Windows clients with KB5028166 seem to
|
|
call netr_LogonGetCapabilities with query_level=2 after
|
|
a call with query_level=1.
|
|
|
|
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
for query_level values other than 1.
|
|
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
|
later fails to marshall the response, which results
|
|
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
|
|
|
Because we don't have any documentation for level 2 yet,
|
|
we just try to behave like an unpatched server and
|
|
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
|
DCERPC_FAULT_BAD_STUB_DATA.
|
|
Which allows patched Windows clients to keep working
|
|
against a Samba DC.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
.../knownfail.d/netr_LogonGetCapabilities | 2 --
|
|
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
|
|
2 files changed, 24 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
index 30aadf3bb9d..99c7ac711ed 100644
|
|
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
|
@@ -1,3 +1 @@
|
|
^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
|
-^samba3.rpc.schannel.*\.schannel\(ad_dc
|
|
-^samba4.rpc.schannel.*\.schannel\(ad_dc
|
|
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
index 6ccba65d3bf..dc2167f08b2 100644
|
|
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
|
struct netlogon_creds_CredentialState *creds;
|
|
NTSTATUS status;
|
|
|
|
+ switch (r->in.query_level) {
|
|
+ case 1:
|
|
+ break;
|
|
+ case 2:
|
|
+ /*
|
|
+ * Until we know the details behind KB5028166
|
|
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
+ * like an unpatched Windows Server.
|
|
+ */
|
|
+ FALL_THROUGH;
|
|
+ default:
|
|
+ /*
|
|
+ * There would not be a way to marshall the
|
|
+ * the response. Which would mean our final
|
|
+ * ndr_push would fail an we would return
|
|
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
|
|
+ *
|
|
+ * But it's important to match a Windows server
|
|
+ * especially before KB5028166, see also our bug #15418
|
|
+ * Otherwise Windows client would stop talking to us.
|
|
+ */
|
|
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
|
|
+ }
|
|
+
|
|
status = dcesrv_netr_creds_server_step_check(dce_call,
|
|
mem_ctx,
|
|
r->in.computer_name,
|
|
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
|
}
|
|
NT_STATUS_NOT_OK_RETURN(status);
|
|
|
|
- if (r->in.query_level != 1) {
|
|
- return NT_STATUS_NOT_SUPPORTED;
|
|
- }
|
|
-
|
|
r->out.capabilities->server_capabilities = creds->negotiate_flags;
|
|
|
|
return NT_STATUS_OK;
|
|
--
|
|
2.39.3
|
|
|