[Badlock] Patch for samba3.6.25 makes clients fail to logon

Andrew Bartlett abartlet at samba.org
Thu Apr 14 11:17:00 UTC 2016


On Thu, 2016-04-14 at 19:44 +0900, KAMEI Yutaka wrote:
> Hi,
> 
> After applying the security patch for Samba 3.6.25 to my PDC system,
> clients fail to logon.
> 
> In this patch, the bitmask1 variable is set to 0 in
> srv_pipe_check_verification_trailer().
> This always makes clients fail to logon.
> 
> > @@ -1545,6 +1546,40 @@ static bool api_rpcTNP(struct pipes_struct
> > *p, struct ncacn_packet *pkt,
> >  		       const struct api_struct *api_rpc_cmds, int
> > n_cmds,
> >  		       const struct ndr_syntax_id *syntax);
> >  
> > +static bool srv_pipe_check_verification_trailer(struct
> > pipes_struct *p,
> > +						struct
> > ncacn_packet *pkt,
> > +						struct
> > pipe_rpc_fns *pipe_fns)
> > +{
> > +	TALLOC_CTX *frame = talloc_stackframe();
> > +	struct dcerpc_sec_verification_trailer *vt = NULL;
> > +	const uint32_t bitmask1 = 0;
> -- snip --
> > +
> > +	ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
> > +						    &pcontext,
> > &header2);
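Review bot: `bitmask1` is declared as `const uint32_t bitmask1 = 0;` and that fixed value is what gets passed by address to dcerpc_sec_verification_trailer_check(), so nothing in the visible lines ties the value checked against the client's verification trailer to what this connection actually negotiated. Either derive it from per-connection state or add a comment at the declaration saying why 0 is the intended value for this branch. The report in this message, that logon fails with 0 and succeeds with 1, indicates the constant decides the outcome of the check, and a local change to it changes what the trailer check enforces, so the intent should be documented rather than left implicit. The lines between the declaration and the call are snipped, so the handling of `ret` and the release of `frame` cannot be reviewed here.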
> 
> When I tried to set the bitmask1 value to 1, client logon succeeded.
> 
> I think that the bitmask1 should be set by the client request
> packet, but the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN pfc_flags is not set
> when clients try to log on to the Samba PDC.
> 
> What should the bitmask1 value be set to?

I'm not sure, but it was documented that the 3.6 backport didn't cover
the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN feature (too hard to backport).

That feature is in 4.2.

Hopefully that helps you until someone with more background in this
area can assist.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





