The branch, master has been updated
via dfeabce44fb s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
invalid netr_LogonGetCapabilities levels
via d5f1097b622 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
invalid netr_LogonGetCapabilities levels
via 404ce08e908 s4:torture/rpc: let rpc.schannel also check
netr_LogonGetCapabilities with different levels
via 5f87888ed53 netlogon.idl: add support for netr_LogonGetCapabilities
response level 2
from 5a5cccce24e s3:libsmb: Fix code spelling
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 16:11:48 2023 +0200
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid
netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
commit d5f1097b6220676d56ed5fc6707acf667b704518
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 16:11:48 2023 +0200
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid
netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 404ce08e9088968311c714e756f5d58ce2cef715
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 17:25:05 2023 +0200
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with
different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 5f87888ed53320538cf773d64868390d8641a40e
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 17:20:32 2023 +0200
netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.
Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/netlogon.idl | 1 +
source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++--
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++--
source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++++++++++-
4 files changed, 126 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index 48a8c8f9310..85dd73ee7e4 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -1236,6 +1236,7 @@ interface netlogon
/* Function 0x15 */
typedef [switch_type(uint32)] union {
[case(1)] netr_NegotiateFlags server_capabilities;
+ [case(2)] netr_NegotiateFlags server_capabilities;
} netr_Capabilities;
NTSTATUS netr_LogonGetCapabilities(
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 3ba58e61206..e8aa14167fc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct
*p,
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
+ switch (r->in.query_level) {
+ case 1:
+ break;
+ case 2:
+ /*
+ * Until we know the details behind KB5028166
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+ * like an unpatched Windows Server.
+ */
+ FALL_THROUGH;
+ default:
+ /*
+ * There would not be a way to marshall the
+ * the response. Which would mean our final
+ * ndr_push would fail an we would return
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+ *
+ * But it's important to match a Windows server
+ * especially before KB5028166, see also our bug #15418
+ * Otherwise Windows client would stop talking to us.
+ */
+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
become_root();
status = dcesrv_netr_creds_server_step_check(p->dce_call,
p->mem_ctx,
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct
*p,
return status;
}
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c
b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 6ccba65d3bf..dc2167f08b2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct
dcesrv_call_state *dce_c
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
+ switch (r->in.query_level) {
+ case 1:
+ break;
+ case 2:
+ /*
+ * Until we know the details behind KB5028166
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+ * like an unpatched Windows Server.
+ */
+ FALL_THROUGH;
+ default:
+ /*
+ * There would not be a way to marshall the
+ * the response. Which would mean our final
+ * ndr_push would fail an we would return
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+ *
+ * But it's important to match a Windows server
+ * especially before KB5028166, see also our bug #15418
+ * Otherwise Windows client would stop talking to us.
+ */
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+ }
+
status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
r->in.computer_name,
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct
dcesrv_call_state *dce_c
}
NT_STATUS_NOT_OK_RETURN(status);
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 1f068eb7826..a3d190f13dd 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p,
struct torture_context *t
r.out.capabilities = &capabilities;
r.out.return_authenticator = &return_auth;
- torture_comment(tctx, "Testing LogonGetCapabilities\n");
+ torture_comment(tctx, "Testing LogonGetCapabilities with
query_level=0\n");
+ r.in.query_level = 0;
+ ZERO_STRUCT(return_auth);
+
+ /*
+ * we need to operate on a temporary copy of creds
+ * because dcerpc_netr_LogonGetCapabilities with
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * without looking a the authenticator.
+ */
+ tmp_creds = *creds;
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+ torture_assert_ntstatus_equal(tctx, status,
NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+ "LogonGetCapabilities query_level=0
failed");
+
+ torture_comment(tctx, "Testing LogonGetCapabilities with
query_level=3\n");
+
+ r.in.query_level = 3;
+ ZERO_STRUCT(return_auth);
+
+ /*
+ * we need to operate on a temporary copy of creds
+ * because dcerpc_netr_LogonGetCapabilities with
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * without looking a the authenticator.
+ */
+ tmp_creds = *creds;
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+ torture_assert_ntstatus_equal(tctx, status,
NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+ "LogonGetCapabilities query_level=0
failed");
+
+ torture_comment(tctx, "Testing LogonGetCapabilities with
query_level=1\n");
+
+ r.in.query_level = 1;
ZERO_STRUCT(return_auth);
/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p,
struct torture_context *t
*creds = tmp_creds;
+ torture_assert(tctx, netlogon_creds_client_check(creds,
+
&r.out.return_authenticator->cred),
+ "Credential chaining failed");
+
+ torture_assert_int_equal(tctx, creds->negotiate_flags,
+ capabilities.server_capabilities,
+ "negotiate flags");
+
+ torture_comment(tctx, "Testing LogonGetCapabilities with
query_level=2\n");
+
+ r.in.query_level = 2;
+ ZERO_STRUCT(return_auth);
+
+ /*
+ * we need to operate on a temporary copy of creds
+ * because dcerpc_netr_LogonGetCapabilities with
+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * without looking a the authenticator.
+ */
+ tmp_creds = *creds;
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+ /*
+ * an server without KB5028166 returns
+ * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ */
+ return true;
+ }
+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities
query_level=2 failed");
+
+ *creds = tmp_creds;
+
torture_assert(tctx, netlogon_creds_client_check(creds,
&r.out.return_authenticator->cred),
"Credential chaining failed");
--
Samba Shared Repository
