The branch, v4-17-stable has been updated
via 420b9e67870 VERSION: Disable GIT_SNAPSHOT for the 4.17.5 release.
via c67be713048 WHATSNEW: Add release notes for Samba 4.17.5.
via 85331e00b6f lib/replace - add extra check to bsd_attr_list
via f0729d7a72d s3: smbd: Always use metadata_fsp() when processing
fsctls.
via cd3479c64a8 s3: smbd: Add test to show smbd crashes when doing an
FSCTL on a named stream handle.
via 961eda75a0c s3:auth: call wbcFreeMemory(info) in
auth3_generate_session_info_pac()
via 0b3fab18954 CVE-2022-38023 s3:rpc_server/netlogon: Avoid
unnecessary loadparm_context allocations
via d737d6b8e2c CVE-2022-38023 docs-xml/smbdotconf: The "server
schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3
netlogon server.
via 67cdc5dec01 CVE-2022-38023 s3:rpc_server/netlogon: Check for global
"server schannel require seal"
via 03a65b246b5 CVE-2022-38023 s3:rpc_server/netlogon: make sure all
_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
via de2e2045bbb CVE-2022-38023 s3:rpc_server/netlogon: Use
dcesrv_netr_creds_server_step_check()
via 600a91f4bee CVE-2022-38023 s4:rpc_server/netlogon: Move schannel
and credentials check functions to librpc
via 71185d09ef8 CVE-2022-38023 s4:rpc_server:wscript: Reformat
following pycodestyle
via 6d31e359fbf CVE-2022-38023 selftest:Samba3: avoid global 'server
schannel = auto'
via 5a49be37d88 CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel
!= yes' warning to dcesrv_interface_netlogon_bind
via 34a90840448 s3: smbd: Tweak openat_pathref_dirfsp_nosymlink() to
NULL out fsp->fsp_name after calling fd_close() on intermediate directories,
rather than before.
via 669da62d636 selftest: Show vfs_virusscanner crashes when traversing
a 2-level directory tree.
via 02e63b6d336 s4: libcli: Ignore errors when getting A records after
fetching AAAA records.
via 580cfa72138 s3: smbd: In synthetic_pathref() change DBG_ERR ->
DBG_NOTICE to avoid spamming the logs.
via 1e94c94ae85 s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a
compound anywhere but the last operation in the list.
via 61babd9af83 s3: smbd: Add utility function
smbd_smb2_is_last_in_compound().
via 7b4652b8027 s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH
test to smb2.compound_async.
via 67d388c71f7 s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE
test to smb2.compound_async.
via 7b29d4077d8 nsswitch:libwbclient - fix leak in wbcCtxPingDc2
via 50330f69a07 s3: libsmbclient: Fix smbc_getxattr() to return 0 on
success.
via a92a0043493 s4: torture: Show return value for smbc_getxattr() is
incorrect (returns >0 for success, should return zero).
via 0bc115f7570 s3:smbstatus: go to cmdline_messaging_context_free
via 69f6517f93b source3/wscript: Remove implicit int and implicit
function declarations
via fab96048ba5 source3/wscript: Fix detection of major/minor macros
via 409dd9b20ea buildtools/wafsamba: Avoid calling lib_func without a
prototype
via cedb4ff4ca9 s4:lib/messaging: fix interaction between
imessaging_context_destructor and irpc_destructor
via b1d5552f2e2 s3:rpc_server/srvsvc: make sure we (re-)load all shares
as root.
via a8934a92f1a selftest: add samba3.blackbox.registry_share
via 658a590b353 testprogs: Add testit_grep_count() helper
via 33a5ca2f999 s3: smbd: Strip any leading '\' characters if the SMB2
DFS flag is set.
via bc05daafbc6 s3:client: Fix a use-after-free issue in smbclient
via 0d2acb2e228 s3:script: Improve test_chdir_cache.sh
via 72e6fff0e5f s3:params:lp_do_section - protect against NULL deref
via 4f47415e248 rpc_server:srvsvc - retrieve share ACL via root context
via 0d89084e044 ctdb: Fix a use-after-free in run_proc
via 72dcfb4773d VERSION: Bump version up to Samba 4.17.5...
from ab48448c650 VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 85 ++-
buildtools/wafsamba/samba_waf18.py | 3 +-
ctdb/common/run_proc.c | 5 +-
.../security/serverschannelrequireseal.xml | 5 +-
lib/replace/xattr.c | 12 +
librpc/rpc/server/netlogon/schannel_util.c | 570 +++++++++++++++++++++
librpc/rpc/server/netlogon/schannel_util.h | 54 ++
librpc/wscript_build | 12 +
nsswitch/libwbclient/wbc_pam.c | 1 +
selftest/knownfail | 1 +
selftest/target/Samba3.pm | 61 ++-
source3/auth/auth_generic.c | 1 +
source3/client/client.c | 5 +-
source3/libsmb/libsmb_xattr.c | 6 +-
source3/modules/vfs_default.c | 8 +-
source3/param/loadparm.c | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 318 ++++--------
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 45 +-
source3/rpc_server/wscript_build | 2 +-
source3/script/tests/test_chdir_cache.sh | 12 +-
source3/script/tests/test_registry_share.sh | 39 ++
source3/script/tests/test_virus_scanner.sh | 25 +-
source3/selftest/tests.py | 8 +
source3/smbd/files.c | 6 +-
source3/smbd/globals.h | 1 +
source3/smbd/smb2_create.c | 13 +-
source3/smbd/smb2_flush.c | 14 +
source3/smbd/smb2_server.c | 6 +
source3/utils/status.c | 3 +-
source3/wscript | 15 +-
source4/lib/messaging/messaging.c | 13 +
source4/lib/messaging/messaging_internal.h | 3 +
source4/libcli/resolve/dns_ex.c | 14 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 546 +-------------------
source4/rpc_server/wscript_build | 292 ++++++-----
source4/torture/libsmbclient/libsmbclient.c | 94 ++++
source4/torture/smb2/compound.c | 232 +++++++++
source4/torture/smb2/ioctl.c | 74 +++
source4/torture/smb2/smb2.c | 3 +
testprogs/blackbox/subunit.sh | 29 ++
41 files changed, 1706 insertions(+), 934 deletions(-)
create mode 100644 librpc/rpc/server/netlogon/schannel_util.c
create mode 100644 librpc/rpc/server/netlogon/schannel_util.h
create mode 100755 source3/script/tests/test_registry_share.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 94b85f81683..604c5f065ca 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 40f99a45a90..5eb0a0281c1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,85 @@
+ ==============================
+ Release Notes for Samba 4.17.5
+ January 26, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.4
+--------------------
+
+o Jeremy Allison <j...@samba.org>
+ * BUG 14808: smbc_getxattr() return value is incorrect.
+ * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
+ correctly.
+ * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
+ * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to
find
+ DC when there is only an AAAA record for the DC in DNS.
+ * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
+ * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
+ * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
+ (accessing NULL value).
+
+o Samuel Cabrero <scabr...@samba.org>
+ * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+ based SChannel on NETLOGON (additional changes).
+
+o Volker Lendecke <v...@samba.org>
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+ * BUG 15269: ctdb: use-after-free in run_proc.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+ * BUG 15280: irpc_destructor may crash during shutdown.
+ * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
+
+o Andreas Schneider <a...@samba.org>
+ * BUG 15268: smbclient segfaults with use after free on an optimized build.
+
+o Jones Syue <joness...@qnap.com>
+ * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
+
+o Andrew Walker <awal...@ixsystems.com>
+ * BUG 15164: Leak in wbcCtxPingDc2.
+ * BUG 15265: Access based share enum does not work in Samba 4.16+.
+ * BUG 15267: Crash during share enumeration.
+ * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
+ end of returned buffer.
+
+o Florian Weimer <fwei...@redhat.com>
+ * BUG 15281: Avoid relying on C89 features in a few places.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.17.4
December 15, 2022
@@ -152,8 +234,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.17.3
November 15, 2022
diff --git a/buildtools/wafsamba/samba_waf18.py
b/buildtools/wafsamba/samba_waf18.py
index e2a078bd3a0..cfdceea14ca 100644
--- a/buildtools/wafsamba/samba_waf18.py
+++ b/buildtools/wafsamba/samba_waf18.py
@@ -209,7 +209,8 @@ def CHECK_LIBRARY_SUPPORT(conf, rpath=False,
version_script=False, msg=None):
lib_node.parent.mkdir()
lib_node.write('int lib_func(void) { return 42; }\n', 'w')
main_node = bld.srcnode.make_node('main.c')
- main_node.write('int main(void) {return !(lib_func() == 42);}', 'w')
+ main_node.write('int lib_func(void);\n'
+ 'int main(void) {return !(lib_func() == 42);}', 'w')
linkflags = []
if version_script:
script = bld.srcnode.make_node('ldscript')
diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
index d55af6c3a1e..84bc343ba1f 100644
--- a/ctdb/common/run_proc.c
+++ b/ctdb/common/run_proc.c
@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
static int run_proc_state_destructor(struct run_proc_state *state)
{
/* Do not get rid of the child process if timeout has occurred */
- if (state->proc->req != NULL) {
+ if ((state->proc != NULL) && (state->proc->req != NULL)) {
state->proc->req = NULL;
DLIST_REMOVE(state->run_ctx->plist, state->proc);
- talloc_free(state->proc);
+ TALLOC_FREE(state->proc);
}
return 0;
@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req)
req, struct run_proc_state);
state->proc->req = NULL;
+ state->proc = NULL;
state->result.sig = SIGKILL;
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
index d4620d1252d..0bec67d2519 100644
--- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -12,9 +12,8 @@
</para>
<para>
- This option controls whether the netlogon server (currently
- only in 'active directory domain controller' mode), will
- reject the usage of netlogon secure channel without privacy/enryption.
+ This option controls whether the netlogon server, will reject the usage
+ of netlogon secure channel without privacy/enryption.
</para>
<para>
diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 4869367b7da..1044942f4b9 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -267,6 +267,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg,
char *list, size_t size
for(i = 0; i < list_size; i += len + 1) {
len = buf[i];
+
+ /*
+ * If for some reason we receive a truncated
+ * return from call to list xattrs the pascal
+ * string lengths will not be changed and
+ * therefore we must check that we're not
+ * reading garbage data or off end of array
+ */
+ if (len + i >= list_size) {
+ errno = ERANGE;
+ return -1;
+ }
strncpy(list, extattr[t].name, extattr[t].len + 1);
list += extattr[t].len;
strncpy(list, buf + i + 1, len);
diff --git a/librpc/rpc/server/netlogon/schannel_util.c
b/librpc/rpc/server/netlogon/schannel_util.c
new file mode 100644
index 00000000000..b14497b13ce
--- /dev/null
+++ b/librpc/rpc/server/netlogon/schannel_util.c
@@ -0,0 +1,570 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ netlogon schannel utility functions
+
+ Copyright (C) Andrew Bartlett <abart...@samba.org> 2004-2008
+ Copyright (C) Stefan Metzmacher <me...@samba.org> 2005
+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "schannel_util.h"
+#include "param/param.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/util/util_str_escape.h"
+
+struct dcesrv_netr_check_schannel_state {
+ struct dom_sid account_sid;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+
+ bool schannel_global_required;
+ bool schannel_required;
+ bool schannel_explicitly_set;
+
+ bool seal_global_required;
+ bool seal_required;
+ bool seal_explicitly_set;
+
+ NTSTATUS result;
+};
+
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state
*dce_call,
+ const struct
netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthType
auth_type,
+ enum dcerpc_AuthLevel
auth_level,
+ struct
dcesrv_netr_check_schannel_state **_s)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ int schannel = lpcfg_server_schannel(lp_ctx);
+ bool schannel_global_required = (schannel == true);
+ bool schannel_required = schannel_global_required;
+ const char *explicit_opt = NULL;
+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
+ bool require_seal = global_require_seal;
+ const char *explicit_seal_opt = NULL;
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC
(NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
+ struct dcesrv_netr_check_schannel_state *s = NULL;
+ NTSTATUS status;
+
+ *_s = NULL;
+
+ s = dcesrv_iface_state_find_conn(dce_call,
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+ struct dcesrv_netr_check_schannel_state);
+ if (s != NULL) {
+ if (!dom_sid_equal(&s->account_sid, creds->sid)) {
+ goto new_state;
+ }
+ if (s->auth_type != auth_type) {
+ goto new_state;
+ }
+ if (s->auth_level != auth_level) {
+ goto new_state;
+ }
+
+ *_s = s;
+ return NT_STATUS_OK;
+ }
+
+new_state:
+ TALLOC_FREE(s);
+ s = talloc_zero(dce_call,
+ struct dcesrv_netr_check_schannel_state);
+ if (s == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ s->account_sid = *creds->sid;
+ s->auth_type = auth_type;
+ s->auth_level = auth_level;
+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "server schannel require seal",
+ creds->account_name);
+ if (explicit_seal_opt != NULL) {
+ require_seal = lp_bool(explicit_seal_opt);
+ }
+
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+ explicit_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "server require schannel",
+ creds->account_name);
+ if (explicit_opt != NULL) {
+ schannel_required = lp_bool(explicit_opt);
+ }
+
+ s->schannel_global_required = schannel_global_required;
+ s->schannel_required = schannel_required;
+ s->schannel_explicitly_set = explicit_opt != NULL;
+
+ s->seal_global_required = global_require_seal;
+ s->seal_required = require_seal;
+ s->seal_explicitly_set = explicit_seal_opt != NULL;
+
+ status = dcesrv_iface_state_store_conn(dce_call,
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+ s);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_s = s;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state
*dce_call,
+ struct
dcesrv_netr_check_schannel_state *s,
+ const struct
netlogon_creds_CredentialState *creds,
+ uint16_t opnum)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+ TALLOC_CTX *frame = talloc_stackframe();
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
+ const char *opname = "<unknown>";
+ const char *reason = "<unknown>";
+
+ if (opnum < ndr_table_netlogon.num_calls) {
+ opname = ndr_table_netlogon.calls[opnum].name;
+ }
+
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ reason = "WITH SEALED";
+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ reason = "WITH SIGNED";
+ } else {
+ reason = "WITH INVALID";
+ dbg_lvl = DBGLVL_ERR;
+ s->result = NT_STATUS_INTERNAL_ERROR;
+ }
+ } else {
+ reason = "WITHOUT";
+ }
+
+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_IS_OK(s->result)) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+ {
+ s->result = NT_STATUS_OK;
+
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ } else if (!s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+ if (s->seal_explicitly_set && !s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+ } else if (!s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not
needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
+ if (s->seal_explicitly_set && !s->seal_required) {
+ DEBUG(CVE_2022_38023_warn_level, (
+ "CVE-2022-38023: "
+ "Option 'server schannel require seal:%s = no'
not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (s->seal_required) {
+ s->result = NT_STATUS_ACCESS_DENIED;
+
+ if (s->seal_explicitly_set) {
+ dbg_lvl = DBGLVL_NOTICE;
+ } else {
+ dbg_lvl = MIN(dbg_lvl,
CVE_2022_38023_error_level);
+ }
+ if (s->schannel_explicitly_set &&
!s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl,
CVE_2022_38023_warn_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "from client_account[%s] client_computer_name[%s]
%s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ if (s->seal_explicitly_set) {
+ D_NOTICE("CVE-2022-38023: Option "
+ "'server schannel require seal:%s =
yes' "
+ "rejects access for client.\n",
+ log_escape(frame,
creds->account_name));
+ } else {
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server schannel require seal:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
+ if (s->schannel_explicitly_set &&
!s->schannel_required) {
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = no' "
+ "not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
+ s->result = NT_STATUS_OK;
+
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ } else if (!s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+ if (s->seal_explicitly_set && !s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ } else if (!s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon): "
--
Samba Shared Repository
