author | Samuel Cabrero <scabrero@suse.de> | 2022-12-21 15:53:04 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2023-01-23 09:06:16 +0000 |
commit | f79e03a9d95c5e003751023b1da701cff1a9b765 (patch) | |
tree | b0b519b3426d47c505883743ef99d26704391e4d | |
parent | c84fb834f6e5c9836043707ccc2d24e060ea004c (diff) | |
CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 40 |
1 files changed, 29 insertions, 11 deletions
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 2906fa3f30f..cf40825179c 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -28,6 +28,7 @@
 #include "system/passwd.h" /* uid_wrapper */
 #include "ntdomain.h"
 #include "../libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_netlogon_scompat.h"
 #include "librpc/gen_ndr/ndr_samr_c.h"
@@ -1047,7 +1048,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 uint16_t opnum = p->opnum;
 const char *opname = "<unknown>";
-static bool warned_global_once = false;
 
 if (creds_out != NULL) {
 *creds_out = NULL;
@@ -1109,16 +1109,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 return NT_STATUS_ACCESS_DENIED;
 }
 
-if (!schannel_global_required && !warned_global_once) {
-/*
-* We want admins to notice their misconfiguration!
-*/
-DBG_ERR("CVE-2020-1472(ZeroLogon): "
-"Please configure 'server schannel = yes', "
-"See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
-warned_global_once = true;
-}
-
 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
 DBG_ERR("CVE-2020-1472(ZeroLogon): "
 "%s request (opnum[%u]) WITH schannel from "
@@ -2946,5 +2936,33 @@ NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
 return NT_STATUS_NOT_IMPLEMENTED;
 }
 
+/*
+* Define the bind function that will be used by ndr_netlogon_scompat.c,
+* included at the bottom of this file.
+*/
+#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
+dcesrv_interface_netlogon_bind(context, iface)
+
+static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
+const struct dcesrv_interface *iface)
+{
+struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+int schannel = lpcfg_server_schannel(lp_ctx);
+bool schannel_global_required = (schannel == true);
+static bool warned_global_schannel_once = false;
+
+if (!schannel_global_required && !warned_global_schannel_once) {
+/*
+* We want admins to notice their misconfiguration!
+*/
+D_ERR("CVE-2020-1472(ZeroLogon): "
+"Please configure 'server schannel = yes' (the default), "
+"See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+warned_global_schannel_once = true;
+}
+
+return NT_STATUS_OK;
+}
+
 /* include the generated boilerplate */
 #include "librpc/gen_ndr/ndr_netlogon_scompat.c"
|
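Review bot: The new dcesrv_interface_netlogon_bind carries no comment stating its contract: it only emits the static-flag warning and always returns NT_STATUS_OK, while the actual 'server schannel' enforcement (the NT_STATUS_ACCESS_DENIED return visible in the earlier hunk of netr_creds_server_step_check) stays where it was, so a reader may wrongly assume the bind hook itself rejects misconfigured servers. Suggested header above the function: `/* Netlogon bind hook: logs the 'server schannel != yes' warning once per process (static flag); it never rejects the bind — enforcement remains in netr_creds_server_step_check. */`. The line `bool schannel_global_required = (schannel == true);` relies on lpcfg_server_schannel() returning exactly 1 for "yes"; if that option is a tri-state, every other value (including auto) triggers the warning, which is consistent with the message's "(the default)" but deserves a one-line comment so the comparison is not "fixed" later. The rest of this file logs through DBG_ERR (see the retained call in netr_creds_server_step_check) whereas the new code uses D_ERR; unless the different prefix behaviour is intended, DBG_ERR keeps the file consistent.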