The branch, v4-16-stable has been updated
       via  63f92a37f02 VERSION: Disable GIT_SNAPSHOT for the 4.16.9 release.
       via  f50ab3415cb WHATSNEW: Add release notes for Samba 4.16.9.
       via  2b1d412f552 mdssvc: fix kMDScopeArray parsing
       via  eddd14cedbf lib/replace - add extra check to bsd_attr_list
       via  11896049957 s3: smbd: Always use metadata_fsp() when processing fsctls.
       via  c6733cbe872 s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
       via  44ec3e4f292 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
       via  02e56ac1bb5 CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
       via  3e7bbe047fe CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
       via  55900577757 CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
       via  7f4f9a3277b CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  080ff2cd284 CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
       via  0d27e4b4598 CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
       via  538dcc38faa CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
       via  71b22920a6c CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
       via  cc787d0becb CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  7b49569afcb s4: libcli: Ignore errors when getting A records after fetching AAAA records.
       via  627a9886da8 s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
       via  e5e39bbc77f s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but the last operation in the list.
       via  bfadcc893e6 s3: smbd: Add utility function smbd_smb2_is_last_in_compound().
       via  9b357c947fd s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
       via  c9ed55b39ef s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
       via  d7bcdfa6b88 nsswitch:libwbclient - fix leak in wbcCtxPingDc2
       via  113536e0d73 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.
       via  628a1c33827 s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 for success, should return zero).
       via  a1fa2c18e56 s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor
       via  6434e2df11e s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.
       via  ccb8abb0e72 selftest: add samba3.blackbox.registry_share
       via  cf2643e0209 testprogs: Add testit_grep_count() helper
       via  6c5bc77653f testprogs: Reformat subunit.sh
       via  78848f21a3e s3:client: Fix a use-after-free issue in smbclient
       via  eeeb1a476f6 s3:script: Improve test_chdir_cache.sh
       via  4f9430f1260 s3:tests: Reformat test_chdir_cache.sh
       via  810ae90aa6c s3:params:lp_do_section - protect against NULL deref
       via  b9d02e857b2 rpc_server:srvsvc - retrieve share ACL via root context
       via  104fcaa89f8 ctdb: Fix a use-after-free in run_proc
       via  cb4cbfc83fc VERSION: Bump version up to Samba 4.16.9...
      from  6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       |  79 ++-
 ctdb/common/run_proc.c                             |   5 +-
 .../security/serverschannelrequireseal.xml         |   5 +-
 lib/replace/xattr.c                                |  12 +
 librpc/rpc/server/netlogon/schannel_util.c         | 570 +++++++++++++++++++++
 librpc/rpc/server/netlogon/schannel_util.h         |  54 ++
 librpc/wscript_build                               |  12 +
 nsswitch/libwbclient/wbc_pam.c                     |   1 +
 selftest/knownfail                                 |   1 +
 selftest/target/Samba3.pm                          |  60 ++-
 source3/auth/auth_generic.c                        |   1 +
 source3/client/client.c                            |   5 +-
 source3/libsmb/libsmb_xattr.c                      |   6 +-
 source3/modules/vfs_default.c                      |   8 +-
 source3/param/loadparm.c                           |   2 +-
 source3/rpc_server/mdssvc/mdssvc.c                 |   6 +
 source3/rpc_server/netlogon/srv_netlog_nt.c        | 318 ++++--------
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c          |  45 +-
 source3/rpc_server/wscript_build                   |   2 +-
 source3/script/tests/test_chdir_cache.sh           |  46 +-
 source3/script/tests/test_registry_share.sh        |  39 ++
 source3/selftest/tests.py                          |   9 +
 source3/smbd/files.c                               |   2 +-
 source3/smbd/globals.h                             |   1 +
 source3/smbd/smb2_flush.c                          |  14 +
 source3/smbd/smb2_server.c                         |   6 +
 source4/lib/messaging/messaging.c                  |  13 +
 source4/lib/messaging/messaging_internal.h         |   3 +
 source4/libcli/resolve/dns_ex.c                    |  14 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 546 +-------------------
 source4/rpc_server/wscript_build                   | 292 ++++++-----
 source4/torture/libsmbclient/libsmbclient.c        |  94 ++++
 source4/torture/smb2/compound.c                    | 232 +++++++++
 source4/torture/smb2/ioctl.c                       |  74 +++
 source4/torture/smb2/smb2.c                        |   3 +
 testprogs/blackbox/subunit.sh                      | 144 ++++--
 37 files changed, 1745 insertions(+), 981 deletions(-)
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.c
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.h
 create mode 100755 source3/script/tests/test_registry_share.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index f78e4ac5ed1..5df61b2737a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c2aeab4afbe..b5b57e856d9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,79 @@
+                   ==============================
+                   Release Notes for Samba 4.16.9
+                         February 16, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.16 release series.
+
+
+Changes since 4.16.8
+--------------------
+
+o  Jeremy Allison <j...@samba.org>
+   * BUG 14808: smbc_getxattr() return value is incorrect.
+   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
+     correctly.
+   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
+   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to 
find
+     DC when there is only an AAAA record for the DC in DNS.
+   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
+
+o  Ralph Boehme <s...@samba.org>
+   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
+
+o  Samuel Cabrero <scabr...@suse.de>
+   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+     based SChannel on NETLOGON.
+
+o  Volker Lendecke <v...@samba.org>
+   * BUG 15243: %U for include directive doesn't work for share listing
+     (netshareenum).
+   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+   * BUG 15269: ctdb: use-after-free in run_proc.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 15243: %U for include directive doesn't work for share listing
+     (netshareenum).
+   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+   * BUG 15280: irpc_destructor may crash during shutdown.
+   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
+
+o  Andreas Schneider <a...@samba.org>
+   * BUG 15268: smbclient segfaults with use after free on an optimized build.
+
+o  Andrew Walker <awal...@ixsystems.com>
+   * BUG 15164: Leak in wbcCtxPingDc2.
+   * BUG 15265: Access based share enum does not work in Samba 4.16+.
+   * BUG 15267: Crash during share enumeration.
+   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
+     end of returned buffer.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.16.8
                          December 15, 2022
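
Review bot: The BUG 15240 entry for CVE-2022-38023 only repeats the bug title, so an administrator reading these notes does not learn which setting now governs the behaviour. The new schannel_util.c in this changeset reads "server schannel require seal" both globally and in its per-account parametric form, and the docs change drops the "active directory domain controller" restriction from the option's description. A short paragraph naming the option and its per-account override, with a pointer to the smb.conf manpage, would help anyone who still has legacy clients.
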
@@ -145,8 +221,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.16.7
                          November 15, 2022
diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
index d55af6c3a1e..84bc343ba1f 100644
--- a/ctdb/common/run_proc.c
+++ b/ctdb/common/run_proc.c
@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
 static int run_proc_state_destructor(struct run_proc_state *state)
 {
        /* Do not get rid of the child process if timeout has occurred */
-       if (state->proc->req != NULL) {
+       if ((state->proc != NULL) && (state->proc->req != NULL)) {
                state->proc->req = NULL;
                DLIST_REMOVE(state->run_ctx->plist, state->proc);
-               talloc_free(state->proc);
+               TALLOC_FREE(state->proc);
        }
 
        return 0;
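
Review bot: The comment above the new condition in run_proc_state_destructor() still only mentions the timeout case, while the added "state->proc != NULL" test exists for a different path, the one where state->proc has already been cleared. Please extend the comment to say when state->proc can be NULL, so the guard is not later removed as redundant. Switching to TALLOC_FREE(state->proc) is a good change, since it also clears the pointer.
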
@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req)
                req, struct run_proc_state);
 
        state->proc->req = NULL;
+       state->proc = NULL;
 
        state->result.sig = SIGKILL;
 
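
Review bot: In run_proc_kill() the added "state->proc = NULL;" drops the request's pointer without freeing the proc or unlinking it from the list, and nothing in the hunk says who owns it from here on. A one-line comment stating where the proc is cleaned up after the kill would make the hand-over explicit and explain why the destructor now needs its NULL check.
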
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml 
b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
index d4620d1252d..0bec67d2519 100644
--- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -12,9 +12,8 @@
        </para>
 
        <para>
-       This option controls whether the netlogon server (currently
-       only in 'active directory domain controller' mode), will
-       reject the usage of netlogon secure channel without privacy/enryption.
+       This option controls whether the netlogon server, will reject the usage
+       of netlogon secure channel without privacy/enryption.
        </para>
 
        <para>
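
Review bot: The rewritten sentence keeps the typo "enryption" and, with the parenthetical gone, the comma in "the netlogon server, will reject" is now stray. Suggested wording: "This option controls whether the netlogon server will reject the usage of netlogon secure channel without privacy/encryption."
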
diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 01215f1a9f3..8b93e675403 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -266,6 +266,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, 
char *list, size_t size
 
                for(i = 0; i < list_size; i += len + 1) {
                        len = buf[i];
+
+                       /*
+                        * If for some reason we receive a truncated
+                        * return from call to list xattrs the pascal
+                        * string lengths will not be changed and
+                        * therefore we must check that we're not
+                        * reading garbage data or off end of array
+                        */
+                       if (len + i >= list_size) {
+                               errno = ERANGE;
+                               return -1;
+                       }
                        strncpy(list, extattr[t].name, extattr[t].len + 1);
                        list += extattr[t].len;
                        strncpy(list, buf + i + 1, len);
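
Review bot: The new check in bsd_attr_list() reports a truncated reply as "errno = ERANGE", which listxattr callers conventionally read as "the supplied buffer was too small, retry with a larger one". If a larger caller buffer does not fix the truncation, a different errno would avoid a useless retry; otherwise the comment should say that ERANGE is chosen on purpose. It is also worth confirming against the declarations outside this hunk that len and buf[i] are unsigned, since a negative length byte would slip past "len + i >= list_size".
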
diff --git a/librpc/rpc/server/netlogon/schannel_util.c 
b/librpc/rpc/server/netlogon/schannel_util.c
new file mode 100644
index 00000000000..b14497b13ce
--- /dev/null
+++ b/librpc/rpc/server/netlogon/schannel_util.c
@@ -0,0 +1,570 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   netlogon schannel utility functions
+
+   Copyright (C) Andrew Bartlett <abart...@samba.org> 2004-2008
+   Copyright (C) Stefan Metzmacher <me...@samba.org>  2005
+   Copyright (C) Matthias Dieter Wallnöfer            2009-2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "schannel_util.h"
+#include "param/param.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/util/util_str_escape.h"
+
+struct dcesrv_netr_check_schannel_state {
+       struct dom_sid account_sid;
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+
+       bool schannel_global_required;
+       bool schannel_required;
+       bool schannel_explicitly_set;
+
+       bool seal_global_required;
+       bool seal_required;
+       bool seal_explicitly_set;
+
+       NTSTATUS result;
+};
+
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state 
*dce_call,
+                                                    const struct 
netlogon_creds_CredentialState *creds,
+                                                    enum dcerpc_AuthType 
auth_type,
+                                                    enum dcerpc_AuthLevel 
auth_level,
+                                                    struct 
dcesrv_netr_check_schannel_state **_s)
+{
+       struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+       int schannel = lpcfg_server_schannel(lp_ctx);
+       bool schannel_global_required = (schannel == true);
+       bool schannel_required = schannel_global_required;
+       const char *explicit_opt = NULL;
+       bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
+       bool require_seal = global_require_seal;
+       const char *explicit_seal_opt = NULL;
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC 
(NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
+       struct dcesrv_netr_check_schannel_state *s = NULL;
+       NTSTATUS status;
+
+       *_s = NULL;
+
+       s = dcesrv_iface_state_find_conn(dce_call,
+                       DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+                       struct dcesrv_netr_check_schannel_state);
+       if (s != NULL) {
+               if (!dom_sid_equal(&s->account_sid, creds->sid)) {
+                       goto new_state;
+               }
+               if (s->auth_type != auth_type) {
+                       goto new_state;
+               }
+               if (s->auth_level != auth_level) {
+                       goto new_state;
+               }
+
+               *_s = s;
+               return NT_STATUS_OK;
+       }
+
+new_state:
+       TALLOC_FREE(s);
+       s = talloc_zero(dce_call,
+                       struct dcesrv_netr_check_schannel_state);
+       if (s == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       s->account_sid = *creds->sid;
+       s->auth_type = auth_type;
+       s->auth_level = auth_level;
+       s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+       /*
+        * We don't use lpcfg_parm_bool(), as we
+        * need the explicit_opt pointer in order to
+        * adjust the debug messages.
+        */
+       explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
+                                                NULL,
+                                                "server schannel require seal",
+                                                creds->account_name);
+       if (explicit_seal_opt != NULL) {
+               require_seal = lp_bool(explicit_seal_opt);
+       }
+
+       /*
+        * We don't use lpcfg_parm_bool(), as we
+        * need the explicit_opt pointer in order to
+        * adjust the debug messages.
+        */
+       explicit_opt = lpcfg_get_parametric(lp_ctx,
+                                           NULL,
+                                           "server require schannel",
+                                           creds->account_name);
+       if (explicit_opt != NULL) {
+               schannel_required = lp_bool(explicit_opt);
+       }
+
+       s->schannel_global_required = schannel_global_required;
+       s->schannel_required = schannel_required;
+       s->schannel_explicitly_set = explicit_opt != NULL;
+
+       s->seal_global_required = global_require_seal;
+       s->seal_required = require_seal;
+       s->seal_explicitly_set = explicit_seal_opt != NULL;
+
+       status = dcesrv_iface_state_store_conn(dce_call,
+                       DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+                       s);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       *_s = s;
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state 
*dce_call,
+                                               struct 
dcesrv_netr_check_schannel_state *s,
+                                               const struct 
netlogon_creds_CredentialState *creds,
+                                               uint16_t opnum)
+{
+       struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+       int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+               "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+       int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+               "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+       int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+               "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+       int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+               "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+       TALLOC_CTX *frame = talloc_stackframe();
+       unsigned int dbg_lvl = DBGLVL_DEBUG;
+       const char *opname = "<unknown>";
+       const char *reason = "<unknown>";
+
+       if (opnum < ndr_table_netlogon.num_calls) {
+               opname = ndr_table_netlogon.calls[opnum].name;
+       }
+
+       if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+               if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+                       reason = "WITH SEALED";
+               } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+                       reason = "WITH SIGNED";
+               } else {
+                       reason = "WITH INVALID";
+                       dbg_lvl = DBGLVL_ERR;
+                       s->result = NT_STATUS_INTERNAL_ERROR;
+               }
+       } else {
+               reason = "WITHOUT";
+       }
+
+       if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               if (!NT_STATUS_IS_OK(s->result)) {
+                       dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+               }
+
+               DEBUG(dbg_lvl, (
+                     "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+                     "%s request (opnum[%u]) %s schannel from "
+                     "client_account[%s] client_computer_name[%s] %s\n",
+                     opname, opnum, reason,
+                     log_escape(frame, creds->account_name),
+                     log_escape(frame, creds->computer_name),
+                     nt_errstr(s->result)));
+               TALLOC_FREE(frame);
+               return s->result;
+       }
+
+       if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+           s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+       {
+               s->result = NT_STATUS_OK;
+
+               if (s->schannel_explicitly_set && !s->schannel_required) {
+                       dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+               } else if (!s->schannel_required) {
+                       dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+               }
+               if (s->seal_explicitly_set && !s->seal_required) {
+                       dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+               } else if (!s->seal_required) {
+                       dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+               }
+
+               DEBUG(dbg_lvl, (
+                     "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+                     "%s request (opnum[%u]) %s schannel from "
+                     "client_account[%s] client_computer_name[%s] %s\n",
+                     opname, opnum, reason,
+                     log_escape(frame, creds->account_name),
+                     log_escape(frame, creds->computer_name),
+                     nt_errstr(s->result)));
+
+               if (s->schannel_explicitly_set && !s->schannel_required) {
+                       DEBUG(CVE_2020_1472_warn_level, (
+                             "CVE-2020-1472(ZeroLogon): "
+                             "Option 'server require schannel:%s = no' not 
needed for '%s'!\n",
+                             log_escape(frame, creds->account_name),
+                             log_escape(frame, creds->computer_name)));
+               }
+
+               if (s->seal_explicitly_set && !s->seal_required) {
+                       DEBUG(CVE_2022_38023_warn_level, (
+                             "CVE-2022-38023: "
+                             "Option 'server schannel require seal:%s = no' 
not needed for '%s'!\n",
+                             log_escape(frame, creds->account_name),
+                             log_escape(frame, creds->computer_name)));
+               }
+
+               TALLOC_FREE(frame);
+               return s->result;
+       }
+
+       if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+               if (s->seal_required) {
+                       s->result = NT_STATUS_ACCESS_DENIED;
+
+                       if (s->seal_explicitly_set) {
+                               dbg_lvl = DBGLVL_NOTICE;
+                       } else {
+                               dbg_lvl = MIN(dbg_lvl, 
CVE_2022_38023_error_level);
+                       }
+                       if (s->schannel_explicitly_set && 
!s->schannel_required) {
+                               dbg_lvl = MIN(dbg_lvl, 
CVE_2022_38023_warn_level);
+                       }
+
+                       DEBUG(dbg_lvl, (
+                             "CVE-2022-38023: "
+                             "%s request (opnum[%u]) %s schannel from "
+                             "from client_account[%s] client_computer_name[%s] 
%s\n",
+                             opname, opnum, reason,
+                             log_escape(frame, creds->account_name),
+                             log_escape(frame, creds->computer_name),
+                             nt_errstr(s->result)));
+                       if (s->seal_explicitly_set) {
+                               D_NOTICE("CVE-2022-38023: Option "
+                                        "'server schannel require seal:%s = 
yes' "
+                                        "rejects access for client.\n",
+                                        log_escape(frame, 
creds->account_name));
+                       } else {
+                               DEBUG(CVE_2020_1472_error_level, (
+                                     "CVE-2022-38023: Check if option "
+                                     "'server schannel require seal:%s = no' "
+                                     "might be needed for a legacy client.\n",
+                                     log_escape(frame, creds->account_name)));
+                       }
+                       if (s->schannel_explicitly_set && 
!s->schannel_required) {
+                               DEBUG(CVE_2020_1472_warn_level, (
+                                     "CVE-2020-1472(ZeroLogon): Option "
+                                     "'server require schannel:%s = no' "
+                                     "not needed for '%s'!\n",
+                                     log_escape(frame, creds->account_name),
+                                     log_escape(frame, creds->computer_name)));
+                       }
+                       TALLOC_FREE(frame);
+                       return s->result;
+               }
+
+               s->result = NT_STATUS_OK;
+
+               if (s->schannel_explicitly_set && !s->schannel_required) {
+                       dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+               } else if (!s->schannel_required) {
+                       dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+               }
+               if (s->seal_explicitly_set && !s->seal_required) {
+                       dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+               } else if (!s->seal_required) {
+                       dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+               }
+
+               DEBUG(dbg_lvl, (
+                     "CVE-2020-1472(ZeroLogon): "
+                     "%s request (opnum[%u]) %s schannel from "
+                     "client_account[%s] client_computer_name[%s] %s\n",
+                     opname, opnum, reason,
+                     log_escape(frame, creds->account_name),
+                     log_escape(frame, creds->computer_name),
+                     nt_errstr(s->result)));
+               if (s->schannel_explicitly_set && !s->schannel_required) {
+                       DEBUG(CVE_2020_1472_warn_level, (
+                             "CVE-2020-1472(ZeroLogon): "
+                             "Option 'server require schannel:%s = no' not 
needed for '%s'!\n",
+                             log_escape(frame, creds->account_name),
+                             log_escape(frame, creds->computer_name)));
+               }
+               if (s->seal_explicitly_set && !s->seal_required) {
+                       D_INFO("CVE-2022-38023: "
+                              "Option 'server schannel require seal:%s = no' 
still needed for '%s'!\n",
+                              log_escape(frame, creds->account_name),
+                              log_escape(frame, creds->computer_name));
+               } else if (!s->seal_required) {
+                       /*
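
Review bot: In dcesrv_netr_check_schannel_once(), the rejection branch under "if (s->seal_required)" logs the "CVE-2022-38023: Check if option 'server schannel require seal:%s = no' might be needed for a legacy client" message with DEBUG(CVE_2020_1472_error_level, ...), so the "CVE_2022_38023:error_debug_level" setting read at the top of the function has no effect on it; CVE_2022_38023_error_level looks like the intended level. In the same branch the main DEBUG format string ends one fragment with "%s schannel from " and starts the next with "from client_account[%s]", which prints "from from" in the log line.
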


-- 
Samba Shared Repository
