From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 15 Jul 2023 16:11:48 +0200 Subject: [PATCH] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels This is important as Windows clients with KB5028166 seem to call netr_LogonGetCapabilities with query_level=2 after a call with query_level=1. An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG for query_level values other than 1. Samba tries to return NT_STATUS_NOT_SUPPORTED, but later fails to marshall the response, which results in DCERPC_FAULT_BAD_STUB_DATA instead. Because we don't have any documentation for level 2 yet, we just try to behave like an unpatched server and generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of DCERPC_FAULT_BAD_STUB_DATA. This allows patched Windows clients to keep working against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 --- .../knownfail.d/netr_LogonGetCapabilities | 1 - source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- 2 files changed, 25 insertions(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities deleted file mode 100644 index 99c7ac711ed..00000000000 --- a/selftest/knownfail.d/netr_LogonGetCapabilities +++ /dev/null @@ -1 +0,0 @@ -^samba3.rpc.schannel.*\.schannel\(nt4_dc diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 3ba58e61206..e8aa14167fc 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, struct netlogon_creds_CredentialState *creds; NTSTATUS status; + switch (r->in.query_level) { + case 1: + break; + case 2: + /* + * Until we know the details behind KB5028166 + * just return DCERPC_NCA_S_FAULT_INVALID_TAG + * like an unpatched Windows Server. + */ + FALL_THROUGH; + default: + /* + * There would not be a way to marshall the + * the response. Which would mean our final + * ndr_push would fail an we would return + * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. + * + * But it's important to match a Windows server + * especially before KB5028166, see also our bug #15418 + * Otherwise Windows client would stop talking to us. + */ + p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; + return NT_STATUS_NOT_SUPPORTED; + } + become_root(); status = dcesrv_netr_creds_server_step_check(p->dce_call, p->mem_ctx, @@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, return status; } - if (r->in.query_level != 1) { - return NT_STATUS_NOT_SUPPORTED; - } - r->out.capabilities->server_capabilities = creds->negotiate_flags; return NT_STATUS_OK;
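Review bot: in the first hunk of srv_netlog_nt.c the new `switch (r->in.query_level)` sits before `dcesrv_netr_creds_server_step_check()`, so a request with an unsupported level is now answered with DCERPC_NCA_S_FAULT_INVALID_TAG before the schannel credential chain has been verified, whereas the `if (r->in.query_level != 1)` check removed in the second hunk only ran after the credential step had succeeded. If rejecting the level ahead of the credential check is deliberate (to mirror the unpatched Windows Server the commit message describes), one sentence in the block comment saying so would stop a later reader from "fixing" the order; otherwise the switch belongs after the step check so a caller with bad credentials still receives the credential failure first. The default-case comment also has two typos: `* There would not be a way to marshall the` / `* the response.` repeats "the", and `* ndr_push would fail an we would return` should read "and".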
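Review bot: the second hunk drops the only place that returned NT_STATUS_NOT_SUPPORTED without touching `p->fault_state`, so every non-1 query_level now produces an RPC-level fault rather than an NTSTATUS in the response body; that is the intended behaviour change, but the knownfail entry `^samba3.rpc.schannel.*\.schannel\(nt4_dc` is removed without the commit message naming which part of that samba3.rpc.schannel test exercises query_level=2, and a short pointer to the test case would let a reviewer confirm the fault code is actually asserted rather than the test merely no longer failing on DCERPC_FAULT_BAD_STUB_DATA.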