On 23/05/16 at 22:28, Andrew Bartlett wrote:
> On Wed, 2016-05-18 at 15:47 -0400, Antoine Beaupré wrote:
> > On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote:
> > > Dear Samba maintainers,
> > >
> > > Any updates about this bug?
> > >
> > > LTS Team, anyone could help to handle it?
> > >
> > > According to comment#17 in
> > > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122
> > > Andreas Schneider prepared a fix for 3.6.25.
> >
> > Hi again!
> >
> > Should the LTS team prepare a regression update to the wheezy version
> > at least?
>
> That would be a good idea at this point.
>
> I'm happy to review things, just not had the time to switch back on to
> debian matters.
>
> Andrew Bartlett

Hi,

To the current package in git, I have added some patches imported from
the Ubuntu package, versions 2:3.6.25-0ubuntu0.12.04.3 and
2:3.6.25-0ubuntu0.12.04.4. The debdiff is attached. Andrew, could you
please take a look at it?

Also, a test package is available at:

deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Please test them. I don't have the infrastructure to actually verify
they solve the regressions. So, if somebody else would like to claim
this package, please do it!

Cheers,

Santiago

diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog --- samba-3.6.6/debian/changelog 2016-04-12 18:34:29.000000000 +0200 +++ samba-3.6.6/debian/changelog 2016-05-26 09:38:01.000000000 +0200 @@ -1,3 +1,27 @@ +samba (2:3.6.6-6+deb7u10~2) santiago-wheezy; urgency=high + + [ Andrew Bartlett ] + * Remove patch for CVE-2016-2115 as it causes too much trouble. + - The 3.6 client could not talk to the 3.6 server out of the box (ACCESS_DENIED) + - Administrators should instead set 'client signing = required' if desired + - Closes: #820982 + * Add NEWS file + + [ Santiago Ruano Rincón ] + * Non-maintainer upload by the LTS Team. + * Fix regression introduced by badlock patch in rpc_server. Closes: #821811. + * debian/patches/netlogon_credentials_regression.patch: Fix updating + netlogon credentials in source3/rpc_client/cli_pipe.c (Impored from + Ubuntu). + * debian/patches/bug9669_regression.patch: fix a crash when running net rpc + join against an older Samba PDC in source3/rpc_client/cli_pipe.c (Imported + from Ubuntu). + * debian/patches/fix_netapp.patch: don't require NTLMSSP_SIGN for smb + connections in source3/libsmb/ntlmssp.c (Imported from Ubuntu). + * Thanks to Andreas Schneider. + + -- Santiago Ruano Rincón <santiag...@riseup.net> Thu, 26 May 2016 09:37:57 +0200 + samba (2:3.6.6-6+deb7u9) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru samba-3.6.6/debian/NEWS samba-3.6.6/debian/NEWS --- samba-3.6.6/debian/NEWS 2016-04-12 18:34:29.000000000 +0200 +++ samba-3.6.6/debian/NEWS 2016-04-29 14:12:50.000000000 +0200 
@@ -1,3 +1,76 @@ +samba (2:3.6.6-6+deb7u10) wheezy-security; urgency=high + + This Samba security release addresses both Denial of Service and Man in + the Middle vulnerabilities. + + A significant number of patches were back-ported, and in some areas + of winbindd the behaviour is now more like Samba 4.2 than 3.6 + + This new security patch implements new smb.conf options and a + number of stricter behaviours to prevent Man in the Middle attacks + on our network services, as a client and as a server. + + Between these changes, compatibility with a large number of older + software versions has been lost in the default configuration. + + See the release notes in WHATNEW.txt for more information. + + + Here are some additional hints how to work around the new stricter default behaviors: + + * As a File Server, compatibility with the Linux Kernel cifs + client depends on which configuration options are selected, please + use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2". + + * As a file or printer client and as a domain member, out of the + box compatibility with Samba less than 4.0 and other SMB/CIFS + servers, depends on support for SMB signing or SMB2 on the + server, which is often disabled or absent. You may need to + adjust the "client ipc signing" to "no" in these cases. + + However, all of these can be worked around by setting smb.conf + options in Samba, see the 4.2.0 and 4.2.11 release notes (because + many of the fixes are backported from there) at + https://www.samba.org/samba/history/samba-4.2.0.html and + https://www.samba.org/samba/history/samba-4.2.11.html and the + Samba wiki for details, workarounds and suggested + security-improving changes to these and other software packages. 
+ + + New smb.conf options and defaults: + + * raw NTLMv2 auth = no + * allow dcerpc auth level connect = no + + + Suggested further improvements after patching: + + It is recommended that administrators set these additional options, + if compatible with their network environment: + + server signing = mandatory + ntlm auth = no + client signing = mandatory + + Without "server signing = mandatory", Man in the Middle attacks + are still possible against our file server and + classic/NT4-like/Samba3 Domain controller. (It is now enforced on + Samba's AD DC.) Note that this has heavy impact on the file server + performance, so you need to decide between performance and + security. These Man in the Middle attacks for smb file servers are + well known for decades. + + Without "ntlm auth = no", there may still be clients not using + NTLMv2, and these observed passwords may be brute-forced easily using + cloud-computing resources or rainbow tables. + + Without "client signing = mandetory" we will not be able to detect + a MitM attack between our client tools or winbindd and the server or + AD DC. Later verisions of Samba implement additional features + to protect these communications. Setting this option may however + disable connections to servers that have smb signing disabled (the default, + as above). + samba (2:3.6.5-2) unstable; urgency=low NSS modules have been split out from libpam-winbind to diff -Nru samba-3.6.6/debian/patches/821811-rpc_server-regression.patch samba-3.6.6/debian/patches/821811-rpc_server-regression.patch --- samba-3.6.6/debian/patches/821811-rpc_server-regression.patch 1970-01-01 01:00:00.000000000 +0100 +++ samba-3.6.6/debian/patches/821811-rpc_server-regression.patch 2016-05-24 15:47:17.000000000 +0200 
@@ -0,0 +1,33 @@ +From: Andreas Schneider <a...@samba.org> +Date: Fri, 15 Apr 2016 09:56:08 +0000 (+0200) +Subject: s3:rpc_server: Fix a regression verifying the security trailer +X-Git-Url: https://git.samba.org/?p=asn%2Fsamba.git;a=commitdiff_plain;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb + +s3:rpc_server: Fix a regression verifying the security trailer + +We do not support header signing so we should not check verify it if a +client sends the flag. + +Signed-off-by: Andreas Schneider <a...@samba.org> +Reviewed-by: Guenther Deschner <g...@samba.org> +--- + +--- a/source3/rpc_server/srv_pipe.c ++++ b/source3/rpc_server/srv_pipe.c +@@ -1748,7 +1748,6 @@ + { + TALLOC_CTX *frame = talloc_stackframe(); + struct dcerpc_sec_verification_trailer *vt = NULL; +- const uint32_t bitmask1 = 0; + const struct dcerpc_sec_vt_pcontext pcontext = { + .abstract_syntax = pipe_fns->syntax, + .transfer_syntax = ndr_transfer_syntax, +@@ -1769,7 +1768,7 @@ + goto done; + } + +- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1, ++ ret = dcerpc_sec_verification_trailer_check(vt, NULL, + &pcontext, &header2); + done: + TALLOC_FREE(frame); diff -Nru samba-3.6.6/debian/patches/bug9669_regression.patch samba-3.6.6/debian/patches/bug9669_regression.patch --- samba-3.6.6/debian/patches/bug9669_regression.patch 1970-01-01 01:00:00.000000000 +0100 +++ samba-3.6.6/debian/patches/bug9669_regression.patch 2016-05-26 09:29:18.000000000 +0200 
@@ -0,0 +1,35 @@ +From 0abef6992dc342d443137f8a2ac6c01f490cecee Mon Sep 17 00:00:00 2001 +From: Christian Ambach <a...@samba.org> +Date: Wed, 20 Feb 2013 16:59:05 +0100 +Subject: [PATCH] s3:rpc_client fix a crash + +state->cli->dc does not have to be set (e.g. when running +net rpc join against an older Samba PDC), so check it before dereferencing it + +This fixes Bug 9669 - net rpc join crashes against a Samba 3.0.33 PDC + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=9669 + +Signed-off-by: Christian Ambach <a...@samba.org> +Reviewed-by: Andreas Schneider <a...@samba.org> + +Autobuild-User(master): Christian Ambach <a...@samba.org> +Autobuild-Date(master): Wed Feb 20 19:00:52 CET 2013 on sn-devel-104 +(cherry picked from commit 3d29bb2d37b02909ecb500e864f3c13e06957a86) + +(cherry picked from commit ff658bb36c28c9db91fc80a68725e893ffe300aa) +--- + source3/rpc_client/cli_pipe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/source3/rpc_client/cli_pipe.c ++++ b/source3/rpc_client/cli_pipe.c +@@ -2273,7 +2273,7 @@ + status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos()); + TALLOC_FREE(subreq); + if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { +- if (state->cli->dc->negotiate_flags & ++ if (state->cli->dc && state->cli->dc->negotiate_flags & + NETLOGON_NEG_SUPPORTS_AES) { + DEBUG(5, ("AES is not supported and the error was %s\n", + nt_errstr(status))); diff -Nru samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch --- samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch 2016-04-12 18:34:29.000000000 +0200 +++ samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,359 +0,0 @@ -From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher <me...@samba.org> -Date: Sat, 27 Feb 2016 03:43:58 +0100 -Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 - -Signed-off-by: Stefan Metzmacher <me...@samba.org> -Reviewed-by: Ralph Boehme <s...@samba.org> ---- - docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++ - docs-xml/smbdotconf/security/clientsigning.xml | 3 +++ - source3/include/proto.h | 1 + - source3/param/loadparm.c | 12 ++++++++++++ - 4 files changed, 39 insertions(+) - create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml - -diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml -new file mode 100644 -index 0000000..1897fc6 ---- /dev/null -+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml -@@ -0,0 +1,23 @@ -+<samba:parameter name="client ipc signing" -+ context="G" -+ type="enum" -+ enumlist="enum_smb_signing_vals" -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> -+<description> -+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$ -+ connections as DCERPC transport inside of winbind. Possible values -+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> -+ and <emphasis>disabled</emphasis>. 
-+ </para> -+ -+ <para>When set to auto, SMB signing is offered, but not enforced and if set -+ to disabled, SMB signing is not offered either.</para> -+ -+ <para>Connections from winbindd to Active Directory Domain Controllers -+ always enforce signing.</para> -+</description> -+ -+<related>client signing</related> -+ -+<value type="default">mandatory</value> -+</samba:parameter> -diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml -index c657e05..189a7ae 100644 ---- a/docs-xml/smbdotconf/security/clientsigning.xml -+++ b/docs-xml/smbdotconf/security/clientsigning.xml -@@ -12,6 +12,9 @@ - <para>When set to auto, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either. -+ -+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the -+ <smbconfoption name="client ipc signing"/> option.</para> - </para> - </description> - -diff --git a/source3/include/proto.h b/source3/include/proto.h -index 43008ea..af950aa 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void); - int lp_algorithmic_rid_base(void); - int lp_name_cache_timeout(void); - int lp_client_signing(void); -+int lp_client_ipc_signing(void); - int lp_server_signing(void); - int lp_client_ldap_sasl_wrapping(void); - char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def); -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index c5249b7..a612e5a3 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -366,6 +366,7 @@ struct global { - int restrict_anonymous; - int name_cache_timeout; - int client_signing; -+ int client_ipc_signing; - int server_signing; - int client_ldap_sasl_wrapping; - int iUsershareMaxShares; -@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = { - .flags = FLAG_ADVANCED, 
- }, - { -+ .label = "client ipc signing", -+ .type = P_ENUM, -+ .p_class = P_GLOBAL, -+ .ptr = &Globals.client_ipc_signing, -+ .special = NULL, -+ .enum_list = enum_smb_signing_vals, -+ .flags = FLAG_ADVANCED, -+ }, -+ { - .label = "server signing", - .type = P_ENUM, - .p_class = P_GLOBAL, -@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals) - Globals.bClientUseSpnego = True; - - Globals.client_signing = Auto; -+ Globals.client_ipc_signing = Required; - Globals.server_signing = False; - - Globals.bDeferSharingViolations = True; -@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo) - FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase) - FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) - FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) -+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing) - FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing) - FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping) - --- -2.8.1 - - -From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <a...@samba.org> -Date: Tue, 5 Apr 2016 10:46:53 +0200 -Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are - not an smb client - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 - -Pair-Programmed-With: Ralph Boehme <s...@samba.org> -Signed-off-by: Andreas Schneider <a...@samba.org> -Signed-off-by: Ralph Boehme <s...@samba.org> ---- - source3/param/loadparm.c | 14 ++++++++++++++ - source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +- - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index a612e5a3..c58f860 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname, - lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", 
"127.0.0.1"); - } - -+ if (!lp_is_in_client()) { -+ switch (lp_client_ipc_signing()) { -+ case Required: -+ lp_set_cmdline("client signing", "mandatory"); -+ break; -+ case Auto: -+ lp_set_cmdline("client signing", "auto"); -+ break; -+ case False: -+ lp_set_cmdline("client signing", "disabled"); -+ break; -+ } -+ } -+ - init_iconv(); - - bAllowIncludeRegistry = true; -diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c -index 181a7b5..a0fcf27 100644 ---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c -+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c -@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe, - "", /* username */ - "", /* domain */ - "", /* password */ -- 0, lp_client_signing()); -+ 0, False); - - if ( !NT_STATUS_IS_OK( ret ) ) { - DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n", --- -2.8.1 - - -From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <s...@samba.org> -Date: Thu, 31 Mar 2016 11:30:03 +0200 -Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind - sealed pipes" - -This will be used in the next commit to prevent mitm attacks on on lsa, -samr and netlogon in winbindd. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 - -Signed-off-by: Ralph Boehme <s...@samba.org> -Reviewed-by: Stefan Metzmacher <me...@samba.org> -Reviewed-by: Andreas Schneider <a...@samba.org> ---- - docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++ - source3/include/proto.h | 1 + - source3/param/loadparm.c | 12 ++++++++++++ - 3 files changed, 28 insertions(+) - create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml - -diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml -new file mode 100644 -index 0000000..016ac9b ---- /dev/null -+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml -@@ -0,0 +1,15 @@ -+<samba:parameter name="winbind sealed pipes" -+ context="G" -+ type="boolean" -+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> -+<description> -+ <para>This option controls whether any requests from winbindd to domain controllers -+ pipe will be sealed. Disabling sealing can be useful for debugging -+ purposes.</para> -+ -+ <para>The behavior can be controlled per netbios domain -+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para> -+</description> -+ -+<value type="default">yes</value> -+</samba:parameter> -diff --git a/source3/include/proto.h b/source3/include/proto.h -index af950aa..ac1540f 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void); - int lp_winbind_reconnect_delay(void); - int lp_winbind_max_clients(void); - const char **lp_winbind_nss_info(void); -+bool lp_winbind_sealed_pipes(void); - int lp_algorithmic_rid_base(void); - int lp_name_cache_timeout(void); - int lp_client_signing(void); -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index c58f860..fdc9407 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -215,6 +215,7 @@ struct global { - int winbind_expand_groups; - bool bWinbindRefreshTickets; - 
bool bWinbindOfflineLogon; -+ bool bWinbindSealedPipes; - bool bWinbindNormalizeNames; - bool bWinbindRpcOnly; - bool bCreateKrb5Conf; -@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = { - .flags = FLAG_ADVANCED, - }, - { -+ .label = "winbind sealed pipes", -+ .type = P_BOOL, -+ .p_class = P_GLOBAL, -+ .ptr = &Globals.bWinbindSealedPipes, -+ .special = NULL, -+ .enum_list = NULL, -+ .flags = FLAG_ADVANCED, -+ }, -+ { - .label = "winbind normalize names", - .type = P_BOOL, - .p_class = P_GLOBAL, -@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals) - Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL); - Globals.bWinbindRefreshTickets = False; - Globals.bWinbindOfflineLogon = False; -+ Globals.bWinbindSealedPipes = True; - - Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */ - Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */ -@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups) - FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups) - FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets) - FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) -+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes) - FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames) - FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly) - FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf) --- -2.8.1 - - -From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett <abart...@samba.org> -Date: Fri, 5 Sep 2014 17:00:31 +1200 -Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous - connections by default - -The requirement is that we have "winbind sealed pipes = false" and -"require strong key = false" before we make anonymous connections. -These are a security risk as we cannot prevent MITM attacks. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796 - -Signed-off-by: Andrew Bartlett <abart...@samba.org> -Reviewed-by: Stefan Metzmacher <me...@samba.org> -(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97) ---- - source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++- - 1 file changed, 31 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 8271279..50a341e 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - TALLOC_FREE(conn->samr_pipe); - - anonymous: -+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { -+ status = NT_STATUS_DOWNGRADE_DETECTED; -+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s " -+ "without connection level security, " -+ "must set 'winbind sealed pipes = false' " -+ "to proceed: %s\n", -+ domain->name, nt_errstr(status))); -+ goto done; -+ } - - /* Finally fall back to anonymous. 
*/ - status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id, -@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - - anonymous: - -+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { -+ result = NT_STATUS_DOWNGRADE_DETECTED; -+ DEBUG(1, ("Unwilling to make LSA connection to domain %s " -+ "without connection level security, " -+ "must set 'winbind sealed pipes = false' " -+ "to proceed: %s\n", -+ domain->name, nt_errstr(result))); -+ goto done; -+ } -+ - result = cli_rpc_pipe_open_noauth(conn->cli, - &ndr_table_lsarpc.syntax_id, - &conn->lsa_pipe); -@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, - - no_schannel: - if ((lp_client_schannel() == False) || -- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { -+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { -+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { -+ result = NT_STATUS_DOWNGRADE_DETECTED; -+ DEBUG(1, ("Unwilling to make connection to domain %s " -+ "without connection level security, " -+ "must set 'winbind sealed pipes = false' " -+ "to proceed: %s\n", -+ domain->name, nt_errstr(result))); -+ TALLOC_FREE(netlogon_pipe); -+ invalidate_cm_connection(conn); -+ return result; -+ } - /* - * NetSamLogonEx only works for schannel - */ --- -2.8.1 - diff -Nru samba-3.6.6/debian/patches/fix_netapp.patch samba-3.6.6/debian/patches/fix_netapp.patch --- samba-3.6.6/debian/patches/fix_netapp.patch 1970-01-01 01:00:00.000000000 +0100 +++ samba-3.6.6/debian/patches/fix_netapp.patch 2016-05-26 09:30:49.000000000 +0200 
@@ -0,0 +1,33 @@ +Decription: Fix compatibility with NetAPP NAS +Origin: backport, https://git.samba.org/?p=samba.git;a=commit;h=d97b347d041f9b5c0aa71f35526cbefd56f3500b +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11850 +Bug-Ubuntu: https://bugs.launchpad.net/samba/+bug/1576109 + +--- a/source3/libsmb/ntlmssp.c ++++ b/source3/libsmb/ntlmssp.c +@@ -206,7 +206,11 @@ + * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. + */ + if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { +- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; ++ /* ++ * We don't require this here as some servers (e.g. NetAPP) ++ * doesn't support this. ++ */ ++ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; +@@ -231,7 +235,11 @@ + { + /* As per JRA's comment above */ + if (feature & NTLMSSP_FEATURE_SESSION_KEY) { +- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; ++ /* ++ * We don't require this here as some servers (e.g. NetAPP) ++ * doesn't support this. ++ */ ++ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (feature & NTLMSSP_FEATURE_SIGN) { + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; diff -Nru samba-3.6.6/debian/patches/netlogon_credentials_regression.patch samba-3.6.6/debian/patches/netlogon_credentials_regression.patch --- samba-3.6.6/debian/patches/netlogon_credentials_regression.patch 1970-01-01 01:00:00.000000000 +0100 +++ samba-3.6.6/debian/patches/netlogon_credentials_regression.patch 2016-05-26 09:28:33.000000000 +0200 
@@ -0,0 +1,55 @@ +From 2d0424e7bb2c30bf9049529b207c73b55370dfc8 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <a...@samba.org> +Date: Tue, 10 Jan 2012 16:38:16 +0100 +Subject: [PATCH] s3-rpc_client: Fix updating netlogon credentials. +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Günther Deschner <g...@samba.org> +(cherry picked from commit 33206b1e240e55acedad606aed4f1952f7496b35) +--- + source3/rpc_client/cli_pipe.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +Index: samba-3.6.25/source3/rpc_client/cli_pipe.c +=================================================================== +--- samba-3.6.25.orig/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.810453161 -0400 ++++ samba-3.6.25/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.806453162 -0400 +@@ -2268,9 +2268,6 @@ + struct rpc_pipe_bind_state *state = + tevent_req_data(req, + struct rpc_pipe_bind_state); +- struct schannel_state *schannel_auth = +- talloc_get_type_abort(state->cli->auth->auth_ctx, +- struct schannel_state); + NTSTATUS status; + + status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos()); +@@ -2328,8 +2325,8 @@ + return; + } + +- TALLOC_FREE(schannel_auth->creds); +- schannel_auth->creds = talloc_steal(state->cli, state->creds); ++ TALLOC_FREE(state->cli->dc); ++ state->cli->dc = talloc_steal(state->cli, state->creds); + + if (!NT_STATUS_IS_OK(state->r.out.result)) { + DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n", +@@ -3526,10 +3523,12 @@ + * The credentials on a new netlogon pipe are the ones we are passed + * in - copy them over + */ +- result->dc = netlogon_creds_copy(result, *pdc); + if (result->dc == NULL) { +- TALLOC_FREE(result); +- return NT_STATUS_NO_MEMORY; ++ result->dc = netlogon_creds_copy(result, *pdc); ++ if (result->dc == NULL) { ++ TALLOC_FREE(result); ++ return NT_STATUS_NO_MEMORY; ++ } + } + + DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: 
opened pipe %s to machine %s " diff -Nru samba-3.6.6/debian/patches/series samba-3.6.6/debian/patches/series --- samba-3.6.6/debian/patches/series 2016-04-12 18:34:29.000000000 +0200 +++ samba-3.6.6/debian/patches/series 2016-05-26 09:30:44.000000000 +0200 @@ -44,8 +44,11 @@ CVE-2016-2110-v3-6.patch CVE-2016-2111-v3-6.patch CVE-2016-2112-v3-6.patch -CVE-2016-2115-v3-6.patch CVE-2016-2118-v3-6.patch CVE-2015-5370-v3-6.patch 0001-pidl-Add-skip-option-to-elements.patch 0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch +821811-rpc_server-regression.patch +netlogon_credentials_regression.patch +bug9669_regression.patch +fix_netapp.patch
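Review bot: In debian/changelog the new entry still carries the test-build version and suite, "2:3.6.6-6+deb7u10~2" for "santiago-wheezy", while the debian/NEWS entry in the same debdiff is headed "2:3.6.6-6+deb7u10" for "wheezy-security"; set the final version and distribution before upload so the two agree. The netlogon_credentials_regression.patch bullet also has the typo "Impored".
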
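Review bot: The debian/NEWS hint that says to adjust "client ipc signing" to "no" names an option this upload no longer provides: the "client ipc signing" parameter is added by CVE-2016-2115-v3-6.patch, which the same debdiff deletes and drops from debian/patches/series. Reword the hint in terms of "client signing" and say explicitly that CVE-2016-2115 is not addressed in this version. Also fix "mandetory" and "verisions", and settle on one spelling for the value: the changelog says 'client signing = required' while NEWS says "client signing = mandatory".
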
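Review bot: In 821811-rpc_server-regression.patch the second hunk of source3/rpc_server/srv_pipe.c now passes NULL as the bitmask argument, "dcerpc_sec_verification_trailer_check(vt, NULL, &pcontext, &header2)"; nothing in this debdiff shows that the 3.6 backport of that helper accepts a NULL bitmask, so confirm it skips the bitmask comparison rather than dereferencing the pointer. The patch header also has no Debian bug reference for #821811, which the changelog closes.
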
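Review bot: In bug9669_regression.patch the guarded condition "state->cli->dc && state->cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES" relies on "&" binding tighter than "&&"; it evaluates as intended, but parenthesise the flag test so the NULL check and the bitmask test are visibly separate. Both this patch and netlogon_credentials_regression.patch change source3/rpc_client/cli_pipe.c around the dcerpc_netr_LogonGetCapabilities_r_recv call, so a line in the patch header saying it must stay after that patch in series would help whoever reorders the series later.
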
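Review bot: Deleting CVE-2016-2115-v3-6.patch removes all four commits in that file, not only the "client ipc signing" default from 1/4 and 2/4: 3/4 ("winbind sealed pipes") and 4/4 (winbindd refusing the anonymous SAMR, LSA and netlogon fallback with NT_STATUS_DOWNGRADE_DETECTED) go as well. The changelog only mentions the 3.6 client getting ACCESS_DENIED from a 3.6 server; state in the changelog and in NEWS that the winbindd downgrade check is dropped too, or explain why 3/4 and 4/4 cannot be kept on their own.
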
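Review bot: In fix_netapp.patch both hunks of source3/libsmb/ntlmssp.c move NTLMSSP_NEGOTIATE_SIGN from required_flags to neg_flags for the session-key feature, so on that path signing is requested but is no longer a required flag; debian/NEWS should mention this relaxation next to its signing advice, since the same entry recommends "client signing = mandatory". The first header field is misspelled "Decription:" and should read "Description:" so that patch-header tooling recognises it.
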
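Review bot: In netlogon_credentials_regression.patch the last hunk (cli_pipe.c, @@ -3526) copies *pdc only when result->dc == NULL, but the comment kept just above it still says the credentials "are the ones we are passed in - copy them over"; update the comment to say that an existing result->dc is kept. The patch is also generated against samba-3.6.25 (see the Index: line and the ---/+++ paths), so refresh it against the 3.6.6 tree and check that it applies without fuzz.
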