
CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind

Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)
Samuel Cabrero 2022-12-21 15:53:04 +01:00 committed by Jule Anger
parent 34a9084044
commit 5a49be37d8


@ -1081,7 +1081,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
uint16_t opnum = dce_call->pkt.u.request.opnum;
const char *opname = "<unknown>";
static bool warned_global_once = false;
if (creds_out != NULL) {
*creds_out = NULL;
@ -1143,16 +1142,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
return NT_STATUS_ACCESS_DENIED;
}
if (!schannel_global_required && !warned_global_once) {
/*
* We want admins to notice their misconfiguration!
*/
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"Please configure 'server schannel = yes', "
"See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
warned_global_once = true;
}
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) WITH schannel from "
@ -2997,5 +2986,33 @@ NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
return NT_STATUS_NOT_IMPLEMENTED;
}
/*
* Define the bind function that will be used by ndr_netlogon_scompat.c,
* included at the bottom of this file.
*/
#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
dcesrv_interface_netlogon_bind(context, iface)
static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
static bool warned_global_schannel_once = false;
if (!schannel_global_required && !warned_global_schannel_once) {
/*
* We want admins to notice their misconfiguration!
*/
D_ERR("CVE-2020-1472(ZeroLogon): "
"Please configure 'server schannel = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
warned_global_schannel_once = true;
}
return NT_STATUS_OK;
}
/* include the generated boilerplate */
#include "librpc/gen_ndr/ndr_netlogon_scompat.c"
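Review bot: dcesrv_interface_netlogon_bind never rejects a bind — it returns NT_STATUS_OK unconditionally and only emits the one-time warning — while the actual enforcement (the NT_STATUS_ACCESS_DENIED path visible in the second hunk) still lives in netr_creds_server_step_check, so the comment above the #define should say that this hook is warn-only until the announced follow-up lands, e.g. `/* Warn-only: this hook never fails the bind; per-request schannel enforcement stays in netr_creds_server_step_check() until it is removed. */`. The new message is logged with D_ERR whereas the removed one used DBG_ERR; if the different prefixing is intentional it deserves a word, otherwise keeping DBG_ERR preserves the function-name context operators grep for. `bool schannel_global_required = (schannel == true);` compares an int result against the literal 1, so any non-1 value from lpcfg_server_schannel() (an "auto" setting, if one exists) also triggers the warning — presumably intended, but `schannel == 1` or the setting's enum constant would make that explicit. `iface` is unused in the body, which may draw -Wunused-parameter depending on the build flags; a `(void)iface;` or an unused attribute would keep the warning-free build.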