[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Mon Jul 17 07:36:01 UTC 2023 

The branch, master has been updated
       via  dfeabce44fb s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
       via  d5f1097b622 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
       via  404ce08e908 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
       via  5f87888ed53 netlogon.idl: add support for netr_LogonGetCapabilities response level 2
      from  5a5cccce24e s3:libsmb: Fix code spelling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jul 15 16:11:48 2023 +0200

    s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
    
    This is important as Windows clients with KB5028166 seem to
    call netr_LogonGetCapabilities with query_level=2 after
    a call with query_level=1.
    
    An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
    for query_level values other than 1.
    While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
    later fails to marshall the response, which results
    in DCERPC_FAULT_BAD_STUB_DATA instead.
    
    Because we don't have any documentation for level 2 yet,
    we just try to behave like an unpatched server and
    generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
    DCERPC_FAULT_BAD_STUB_DATA.
    Which allows patched Windows clients to keep working
    against a Samba DC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224

commit d5f1097b6220676d56ed5fc6707acf667b704518
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jul 15 16:11:48 2023 +0200

    s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
    
    This is important as Windows clients with KB5028166 seem to
    call netr_LogonGetCapabilities with query_level=2 after
    a call with query_level=1.
    
    An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
    for query_level values other than 1.
    While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
    later fails to marshall the response, which results
    in DCERPC_FAULT_BAD_STUB_DATA instead.
    
    Because we don't have any documentation for level 2 yet,
    we just try to behave like an unpatched server and
    generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
    DCERPC_FAULT_BAD_STUB_DATA.
    Which allows patched Windows clients to keep working
    against a Samba DC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 404ce08e9088968311c714e756f5d58ce2cef715
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jul 15 17:25:05 2023 +0200

    s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
    
    The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
    for unsupported query_levels, we allow it to work with servers
    with or without support for query_level=2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5f87888ed53320538cf773d64868390d8641a40e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jul 15 17:20:32 2023 +0200

    netlogon.idl: add support for netr_LogonGetCapabilities response level 2
    
    We don't have any documentation about this yet, but tests against
    a Windows Server 2022 patched with KB5028166 revealed that
    the response for query_level=2 is exactly the same as
    for querey_level=1.
    
    Until we know the reason for query_level=2 we won't
    use it as client nor support it in the server, but
    we want ndrdump to work.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/netlogon.idl                       |  1 +
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++--
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++--
 source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++++++++++-
 4 files changed, 126 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index 48a8c8f9310..85dd73ee7e4 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -1236,6 +1236,7 @@ interface netlogon
 	/* Function 0x15 */
 	typedef [switch_type(uint32)] union {
 		[case(1)] netr_NegotiateFlags server_capabilities;
+		[case(2)] netr_NegotiateFlags server_capabilities;
 	} netr_Capabilities;
 
 	NTSTATUS netr_LogonGetCapabilities(
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 3ba58e61206..e8aa14167fc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
 	become_root();
 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
 						p->mem_ctx,
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 		return status;
 	}
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 6ccba65d3bf..dc2167f08b2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	switch (r->in.query_level) {
+	case 1:
+		break;
+	case 2:
+		/*
+		 * Until we know the details behind KB5028166
+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+		 * like an unpatched Windows Server.
+		 */
+		FALL_THROUGH;
+	default:
+		/*
+		 * There would not be a way to marshall the
+		 * the response. Which would mean our final
+		 * ndr_push would fail an we would return
+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+		 *
+		 * But it's important to match a Windows server
+		 * especially before KB5028166, see also our bug #15418
+		 * Otherwise Windows client would stop talking to us.
+		 */
+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+	}
+
 	status = dcesrv_netr_creds_server_step_check(dce_call,
 						     mem_ctx,
 						     r->in.computer_name,
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 1f068eb7826..a3d190f13dd 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	r.out.capabilities = &capabilities;
 	r.out.return_authenticator = &return_auth;
 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
 
+	r.in.query_level = 0;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
+
+	r.in.query_level = 3;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
+
+	r.in.query_level = 1;
 	ZERO_STRUCT(return_auth);
 
 	/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 
 	*creds = tmp_creds;
 
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
+
+	r.in.query_level = 2;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+		/*
+		 * an server without KB5028166 returns
+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+		 */
+		return true;
+	}
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
+
+	*creds = tmp_creds;
+
 	torture_assert(tctx, netlogon_creds_client_check(creds,
 							 &r.out.return_authenticator->cred),
 		       "Credential chaining failed");


-- 
Samba Shared Repository

More information about the samba-cvs mailing list