[SCM] Samba Shared Repository - branch v4-17-stable updated

Jule Anger janger at samba.org
Thu Jan 26 17:49:45 UTC 2023


The branch, v4-17-stable has been updated
       via  420b9e67870 VERSION: Disable GIT_SNAPSHOT for the 4.17.5 release.
       via  c67be713048 WHATSNEW: Add release notes for Samba 4.17.5.
       via  85331e00b6f lib/replace - add extra check to bsd_attr_list
       via  f0729d7a72d s3: smbd: Always use metadata_fsp() when processing fsctls.
       via  cd3479c64a8 s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
       via  961eda75a0c s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
       via  0b3fab18954 CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
       via  d737d6b8e2c CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
       via  67cdc5dec01 CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
       via  03a65b246b5 CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  de2e2045bbb CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
       via  600a91f4bee CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
       via  71185d09ef8 CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
       via  6d31e359fbf CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
       via  5a49be37d88 CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  34a90840448 s3: smbd: Tweak openat_pathref_dirfsp_nosymlink() to NULL out fsp->fsp_name after calling fd_close() on intermediate directories, rather than before.
       via  669da62d636 selftest: Show vfs_virusscanner crashes when traversing a 2-level directory tree.
       via  02e63b6d336 s4: libcli: Ignore errors when getting A records after fetching AAAA records.
       via  580cfa72138 s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
       via  1e94c94ae85 s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but the last operation in the list.
       via  61babd9af83 s3: smbd: Add utility function smbd_smb2_is_last_in_compound().
       via  7b4652b8027 s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
       via  67d388c71f7 s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
       via  7b29d4077d8 nsswitch:libwbclient - fix leak in wbcCtxPingDc2
       via  50330f69a07 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.
       via  a92a0043493 s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 for success, should return zero).
       via  0bc115f7570 s3:smbstatus: go to cmdline_messaging_context_free
       via  69f6517f93b source3/wscript: Remove implicit int and implicit function declarations
       via  fab96048ba5 source3/wscript: Fix detection of major/minor macros
       via  409dd9b20ea buildtools/wafsamba: Avoid calling lib_func without a prototype
       via  cedb4ff4ca9 s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor
       via  b1d5552f2e2 s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.
       via  a8934a92f1a selftest: add samba3.blackbox.registry_share
       via  658a590b353 testprogs: Add testit_grep_count() helper
       via  33a5ca2f999 s3: smbd: Strip any leading '\' characters if the SMB2 DFS flag is set.
       via  bc05daafbc6 s3:client: Fix a use-after-free issue in smbclient
       via  0d2acb2e228 s3:script: Improve test_chdir_cache.sh
       via  72e6fff0e5f s3:params:lp_do_section - protect against NULL deref
       via  4f47415e248 rpc_server:srvsvc - retrieve share ACL via root context
       via  0d89084e044 ctdb: Fix a use-after-free in run_proc
       via  72dcfb4773d VERSION: Bump version up to Samba 4.17.5...
      from  ab48448c650 VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       |  85 ++-
 buildtools/wafsamba/samba_waf18.py                 |   3 +-
 ctdb/common/run_proc.c                             |   5 +-
 .../security/serverschannelrequireseal.xml         |   5 +-
 lib/replace/xattr.c                                |  12 +
 librpc/rpc/server/netlogon/schannel_util.c         | 570 +++++++++++++++++++++
 librpc/rpc/server/netlogon/schannel_util.h         |  54 ++
 librpc/wscript_build                               |  12 +
 nsswitch/libwbclient/wbc_pam.c                     |   1 +
 selftest/knownfail                                 |   1 +
 selftest/target/Samba3.pm                          |  61 ++-
 source3/auth/auth_generic.c                        |   1 +
 source3/client/client.c                            |   5 +-
 source3/libsmb/libsmb_xattr.c                      |   6 +-
 source3/modules/vfs_default.c                      |   8 +-
 source3/param/loadparm.c                           |   2 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c        | 318 ++++--------
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c          |  45 +-
 source3/rpc_server/wscript_build                   |   2 +-
 source3/script/tests/test_chdir_cache.sh           |  12 +-
 source3/script/tests/test_registry_share.sh        |  39 ++
 source3/script/tests/test_virus_scanner.sh         |  25 +-
 source3/selftest/tests.py                          |   8 +
 source3/smbd/files.c                               |   6 +-
 source3/smbd/globals.h                             |   1 +
 source3/smbd/smb2_create.c                         |  13 +-
 source3/smbd/smb2_flush.c                          |  14 +
 source3/smbd/smb2_server.c                         |   6 +
 source3/utils/status.c                             |   3 +-
 source3/wscript                                    |  15 +-
 source4/lib/messaging/messaging.c                  |  13 +
 source4/lib/messaging/messaging_internal.h         |   3 +
 source4/libcli/resolve/dns_ex.c                    |  14 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 546 +-------------------
 source4/rpc_server/wscript_build                   | 292 ++++++-----
 source4/torture/libsmbclient/libsmbclient.c        |  94 ++++
 source4/torture/smb2/compound.c                    | 232 +++++++++
 source4/torture/smb2/ioctl.c                       |  74 +++
 source4/torture/smb2/smb2.c                        |   3 +
 testprogs/blackbox/subunit.sh                      |  29 ++
 41 files changed, 1706 insertions(+), 934 deletions(-)
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.c
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.h
 create mode 100755 source3/script/tests/test_registry_share.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 94b85f81683..604c5f065ca 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 40f99a45a90..5eb0a0281c1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,85 @@
+                   ==============================
+                   Release Notes for Samba 4.17.5
+                          January 26, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.4
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14808: smbc_getxattr() return value is incorrect.
+   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
+     correctly.
+   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
+   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
+     DC when there is only an AAAA record for the DC in DNS.
+   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
+   * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
+   * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
+     (accessing NULL value).
+
+o  Samuel Cabrero <scabrero at samba.org>
+   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+     based SChannel on NETLOGON (additional changes).
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 15243: %U for include directive doesn't work for share listing
+     (netshareenum).
+   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+   * BUG 15269: ctdb: use-after-free in run_proc.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 15243: %U for include directive doesn't work for share listing
+     (netshareenum).
+   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+   * BUG 15280: irpc_destructor may crash during shutdown.
+   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15268: smbclient segfaults with use after free on an optimized build.
+
+o  Jones Syue <jonessyue at qnap.com>
+   * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
+
+o  Andrew Walker <awalker at ixsystems.com>
+   * BUG 15164: Leak in wbcCtxPingDc2.
+   * BUG 15265: Access based share enum does not work in Samba 4.16+.
+   * BUG 15267: Crash during share enumeration.
+   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
+     end of returned buffer.
+
+o  Florian Weimer <fweimer at redhat.com>
+   * BUG 15281: Avoid relying on C89 features in a few places.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.4
                          December 15, 2022
@@ -152,8 +234,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.3
                          November 15, 2022
diff --git a/buildtools/wafsamba/samba_waf18.py b/buildtools/wafsamba/samba_waf18.py
index e2a078bd3a0..cfdceea14ca 100644
--- a/buildtools/wafsamba/samba_waf18.py
+++ b/buildtools/wafsamba/samba_waf18.py
@@ -209,7 +209,8 @@ def CHECK_LIBRARY_SUPPORT(conf, rpath=False, version_script=False, msg=None):
         lib_node.parent.mkdir()
         lib_node.write('int lib_func(void) { return 42; }\n', 'w')
         main_node = bld.srcnode.make_node('main.c')
-        main_node.write('int main(void) {return !(lib_func() == 42);}', 'w')
+        main_node.write('int lib_func(void);\n'
+                        'int main(void) {return !(lib_func() == 42);}', 'w')
         linkflags = []
         if version_script:
             script = bld.srcnode.make_node('ldscript')
diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
index d55af6c3a1e..84bc343ba1f 100644
--- a/ctdb/common/run_proc.c
+++ b/ctdb/common/run_proc.c
@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
 static int run_proc_state_destructor(struct run_proc_state *state)
 {
 	/* Do not get rid of the child process if timeout has occurred */
-	if (state->proc->req != NULL) {
+	if ((state->proc != NULL) && (state->proc->req != NULL)) {
 		state->proc->req = NULL;
 		DLIST_REMOVE(state->run_ctx->plist, state->proc);
-		talloc_free(state->proc);
+		TALLOC_FREE(state->proc);
 	}
 
 	return 0;
@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req)
 		req, struct run_proc_state);
 
 	state->proc->req = NULL;
+	state->proc = NULL;
 
 	state->result.sig = SIGKILL;
 
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
index d4620d1252d..0bec67d2519 100644
--- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -12,9 +12,8 @@
 	</para>
 
 	<para>
-	This option controls whether the netlogon server (currently
-	only in 'active directory domain controller' mode), will
-	reject the usage of netlogon secure channel without privacy/enryption.
+	This option controls whether the netlogon server, will reject the usage
+	of netlogon secure channel without privacy/enryption.
 	</para>
 
 	<para>
diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 4869367b7da..1044942f4b9 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -267,6 +267,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size
 
 		for(i = 0; i < list_size; i += len + 1) {
 			len = buf[i];
+
+			/*
+			 * If for some reason we receive a truncated
+			 * return from call to list xattrs the pascal
+			 * string lengths will not be changed and
+			 * therefore we must check that we're not
+			 * reading garbage data or off end of array
+			 */
+			if (len + i >= list_size) {
+				errno = ERANGE;
+				return -1;
+			}
 			strncpy(list, extattr[t].name, extattr[t].len + 1);
 			list += extattr[t].len;
 			strncpy(list, buf + i + 1, len);
diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c
new file mode 100644
index 00000000000..b14497b13ce
--- /dev/null
+++ b/librpc/rpc/server/netlogon/schannel_util.c
@@ -0,0 +1,570 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   netlogon schannel utility functions
+
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2008
+   Copyright (C) Stefan Metzmacher <metze at samba.org>  2005
+   Copyright (C) Matthias Dieter Wallnöfer            2009-2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "schannel_util.h"
+#include "param/param.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/util/util_str_escape.h"
+
+struct dcesrv_netr_check_schannel_state {
+	struct dom_sid account_sid;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	bool schannel_global_required;
+	bool schannel_required;
+	bool schannel_explicitly_set;
+
+	bool seal_global_required;
+	bool seal_required;
+	bool seal_explicitly_set;
+
+	NTSTATUS result;
+};
+
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
+						     const struct netlogon_creds_CredentialState *creds,
+						     enum dcerpc_AuthType auth_type,
+						     enum dcerpc_AuthLevel auth_level,
+						     struct dcesrv_netr_check_schannel_state **_s)
+{
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	int schannel = lpcfg_server_schannel(lp_ctx);
+	bool schannel_global_required = (schannel == true);
+	bool schannel_required = schannel_global_required;
+	const char *explicit_opt = NULL;
+	bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
+	bool require_seal = global_require_seal;
+	const char *explicit_seal_opt = NULL;
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
+	struct dcesrv_netr_check_schannel_state *s = NULL;
+	NTSTATUS status;
+
+	*_s = NULL;
+
+	s = dcesrv_iface_state_find_conn(dce_call,
+			DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+			struct dcesrv_netr_check_schannel_state);
+	if (s != NULL) {
+		if (!dom_sid_equal(&s->account_sid, creds->sid)) {
+			goto new_state;
+		}
+		if (s->auth_type != auth_type) {
+			goto new_state;
+		}
+		if (s->auth_level != auth_level) {
+			goto new_state;
+		}
+
+		*_s = s;
+		return NT_STATUS_OK;
+	}
+
+new_state:
+	TALLOC_FREE(s);
+	s = talloc_zero(dce_call,
+			struct dcesrv_netr_check_schannel_state);
+	if (s == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	s->account_sid = *creds->sid;
+	s->auth_type = auth_type;
+	s->auth_level = auth_level;
+	s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+	explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
+						 NULL,
+						 "server schannel require seal",
+						 creds->account_name);
+	if (explicit_seal_opt != NULL) {
+		require_seal = lp_bool(explicit_seal_opt);
+	}
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+	explicit_opt = lpcfg_get_parametric(lp_ctx,
+					    NULL,
+					    "server require schannel",
+					    creds->account_name);
+	if (explicit_opt != NULL) {
+		schannel_required = lp_bool(explicit_opt);
+	}
+
+	s->schannel_global_required = schannel_global_required;
+	s->schannel_required = schannel_required;
+	s->schannel_explicitly_set = explicit_opt != NULL;
+
+	s->seal_global_required = global_require_seal;
+	s->seal_required = require_seal;
+	s->seal_explicitly_set = explicit_seal_opt != NULL;
+
+	status = dcesrv_iface_state_store_conn(dce_call,
+			DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+			s);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*_s = s;
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
+						struct dcesrv_netr_check_schannel_state *s,
+						const struct netlogon_creds_CredentialState *creds,
+						uint16_t opnum)
+{
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+	TALLOC_CTX *frame = talloc_stackframe();
+	unsigned int dbg_lvl = DBGLVL_DEBUG;
+	const char *opname = "<unknown>";
+	const char *reason = "<unknown>";
+
+	if (opnum < ndr_table_netlogon.num_calls) {
+		opname = ndr_table_netlogon.calls[opnum].name;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+			reason = "WITH SEALED";
+		} else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+			reason = "WITH SIGNED";
+		} else {
+			reason = "WITH INVALID";
+			dbg_lvl = DBGLVL_ERR;
+			s->result = NT_STATUS_INTERNAL_ERROR;
+		}
+	} else {
+		reason = "WITHOUT";
+	}
+
+	if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		if (!NT_STATUS_IS_OK(s->result)) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+	    s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+	{
+		s->result = NT_STATUS_OK;
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+		if (s->seal_explicitly_set && !s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+		} else if (!s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			DEBUG(CVE_2020_1472_warn_level, (
+			      "CVE-2020-1472(ZeroLogon): "
+			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		if (s->seal_explicitly_set && !s->seal_required) {
+			DEBUG(CVE_2022_38023_warn_level, (
+			      "CVE-2022-38023: "
+			      "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (s->seal_required) {
+			s->result = NT_STATUS_ACCESS_DENIED;
+
+			if (s->seal_explicitly_set) {
+				dbg_lvl = DBGLVL_NOTICE;
+			} else {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+			}
+			if (s->schannel_explicitly_set && !s->schannel_required) {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+			}
+
+			DEBUG(dbg_lvl, (
+			      "CVE-2022-38023: "
+			      "%s request (opnum[%u]) %s schannel from "
+			      "from client_account[%s] client_computer_name[%s] %s\n",
+			      opname, opnum, reason,
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name),
+			      nt_errstr(s->result)));
+			if (s->seal_explicitly_set) {
+				D_NOTICE("CVE-2022-38023: Option "
+					 "'server schannel require seal:%s = yes' "
+					 "rejects access for client.\n",
+					 log_escape(frame, creds->account_name));
+			} else {
+				DEBUG(CVE_2020_1472_error_level, (
+				      "CVE-2022-38023: Check if option "
+				      "'server schannel require seal:%s = no' "
+				      "might be needed for a legacy client.\n",
+				      log_escape(frame, creds->account_name)));
+			}
+			if (s->schannel_explicitly_set && !s->schannel_required) {
+				DEBUG(CVE_2020_1472_warn_level, (
+				      "CVE-2020-1472(ZeroLogon): Option "
+				      "'server require schannel:%s = no' "
+				      "not needed for '%s'!\n",
+				      log_escape(frame, creds->account_name),
+				      log_escape(frame, creds->computer_name)));
+			}
+			TALLOC_FREE(frame);
+			return s->result;
+		}
+
+		s->result = NT_STATUS_OK;
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+		if (s->seal_explicitly_set && !s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		} else if (!s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon): "


-- 
Samba Shared Repository



More information about the samba-cvs mailing list