[Badlock] Patch for samba3.6.25 makes clients fail to logon
Andreas Schneider
asn at samba.org
Fri Apr 15 06:19:04 UTC 2016
On Thursday 14 April 2016 23:17:00 Andrew Bartlett wrote:
> On Thu, 2016-04-14 at 19:44 +0900, KAMEI Yutaka wrote:
> > Hi,
> >
> > After applying the security patch for Samba 3.6.25 to my PDC system,
> > clients fail to logon.
> >
> > In this patch, the bitmask1 variable is set to 0 in
> > srv_pipe_check_verification_trailer().
> > This always makes clients fail to logon.
> >
> > > @@ -1545,6 +1546,40 @@ static bool api_rpcTNP(struct pipes_struct
> > > *p, struct ncacn_packet *pkt,
> > >
> > > const struct api_struct *api_rpc_cmds, int
> > >
> > > n_cmds,
> > >
> > > const struct ndr_syntax_id *syntax);
> > >
> > > +static bool srv_pipe_check_verification_trailer(struct
> > > pipes_struct *p,
> > > + struct
> > > ncacn_packet *pkt,
> > > + struct
> > > pipe_rpc_fns *pipe_fns)
> > > +{
> > > + TALLOC_CTX *frame = talloc_stackframe();
> > > + struct dcerpc_sec_verification_trailer *vt = NULL;
> > > + const uint32_t bitmask1 = 0;
> >
> > -- snip --
> >
> > > +
> > > + ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
> > > + &pcontext,
> > > &header2);
> >
> > When I tried to set the bitmask1 value to 1, client logon succeeded.
> >
> > I think that the bitmask1 should be set by client request
> > packet, but DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN pfc_flags is not set
> > when clients try to logon to Samba PDC.
> >
> > What the bitmask1 value should be set to?
>
> I'm not sure, but it was documented that the 3.6 backport didn't cover
> the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN feature (too hard to backport).
>
> That feature is in 4.2.
>
> Hopefully that helps you until someone with more background in this
> area can assist.
Hi,
We either need to implement header signing support or remove checking the
verification trailer to fix this issue.
I will look into header singing support now ...
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list