From 4cd36b5f6519cb8b4f76b17e6efad388fb7f1aab Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 27 May 2019 12:38:43 +0200 Subject: [PATCH 1/3] s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*() The domain join with VMWare Horizon Quickprep seems to use netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS (and in addition the NEG_SUPPORTS_AES) just to verify a password. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e96cd08ce2db..31dc38c2ee03 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -136,8 +136,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); bool reject_des_client = !allow_nt4_crypto; bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); - bool reject_none_rpc = (schannel == true); ZERO_STRUCTP(r->out.return_credentials); *r->out.rid = 0; @@ -217,10 +215,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( negotiate_flags = *r->in.negotiate_flags & server_flags; - if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) { - reject_none_rpc = false; - } - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { reject_des_client = false; } 
@@ -267,15 +261,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( */ *r->out.negotiate_flags = negotiate_flags; - if (reject_none_rpc) { - /* schannel must be used, but client did not offer it. */ - DEBUG(0,("%s: schannel required but client failed " - "to offer it. Client was %s\n", - __func__, - log_escape(mem_ctx, r->in.account_name))); - return NT_STATUS_ACCESS_DENIED; - } - switch (r->in.secure_channel_type) { case SEC_CHAN_WKSTA: case SEC_CHAN_DNS_DOMAIN: -- 2.17.1 From 045ddd64c8e3303f55971793ac375805365c17fb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 27 May 2019 12:38:43 +0200 Subject: [PATCH 2/3] s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*() The domain join with VMWare Horizon Quickprep seems to use netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS (and in addition the NEG_SUPPORTS_AES) just to verify a password. Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 9b9947455ed9..afe7b25f74d6 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, srv_flgs |= NETLOGON_NEG_SUPPORTS_AES; } - if (lp_server_schannel() != false) { + if (in_neg_flags & NETLOGON_NEG_SCHANNEL) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } 
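Review bot: The new condition in _netr_ServerAuthenticate3 only mirrors the client's NETLOGON_NEG_SCHANNEL bit back into srv_flgs, so after this patch nothing in the function reads the "server schannel" setting any more, and a reader auditing where that option is enforced will find no pointer here; the commit message is the only place that says the enforcement moved. A one-line comment above the new `if` would keep that visible, e.g. `/* "server schannel" is not enforced here; netr_creds_server_step_check() rejects non-schannel calls per request */` (presumably via schannel_global_required, which is not in this hunk). If srv_flgs is later masked with in_neg_flags, which the hunk does not show, the condition is also redundant and the bit could simply be set unconditionally. _netr_ServerAuthenticate3 begins and ends outside the hunk.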
@@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, goto out; } - if ( (lp_server_schannel() == true) && - ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { - - /* schannel must be used, but client did not offer it. */ - DEBUG(0,("%s: schannel required but client failed " - "to offer it. Client was %s\n", - fn, r->in.account_name)); - status = NT_STATUS_ACCESS_DENIED; - goto out; - } - status = get_md4pw(&mach_pwd, r->in.account_name, r->in.secure_channel_type, -- 2.17.1 From 116c7cc1c7208f72c3f914757e0d2af1e8d8ea85 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 27 May 2019 13:12:14 +0200 Subject: [PATCH 3/3] s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check() The gensec schannel module already asserts that at least AUTH_LEVEL_INTEGRITY is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 39 +++------------------ 1 file changed, 4 insertions(+), 35 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index afe7b25f74d6..d799ba4feefa 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
@@ -1061,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, return _netr_ServerAuthenticate3(p, &a); } -/************************************************************************* - * If schannel is required for this call test that it actually is available. - *************************************************************************/ -static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info, - const char *computer_name, - bool integrity, bool privacy) -{ - if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - if (!privacy && !integrity) { - return NT_STATUS_OK; - } - - if ((!privacy && integrity) && - auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { - return NT_STATUS_OK; - } - - if ((privacy || integrity) && - auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { - return NT_STATUS_OK; - } - } - - /* test didn't pass */ - DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n", - computer_name)); - - return NT_STATUS_ACCESS_DENIED; -} - /************************************************************************* *************************************************************************/ @@ -1110,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, } if (schannel_global_required) { - status = schannel_check_required(&p->auth, - computer_name, - false, false); - if (!NT_STATUS_IS_OK(status)) { - return status; + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("[%s] is not using schannel\n", + computer_name); + return NT_STATUS_ACCESS_DENIED; } } -- 2.17.1
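Review bot: The replacement check in netr_creds_server_step_check tests only p->auth.auth_type and no longer looks at auth_level; the commit message says the gensec schannel module already refuses anything below DCERPC_AUTH_LEVEL_INTEGRITY, but that invariant now lives outside this file and the code gives no hint that it is being relied on. A comment on the new `if` would record the dependency, e.g. `/* auth_level is not checked here: the gensec schannel module already requires at least DCERPC_AUTH_LEVEL_INTEGRITY */`. The new DBG_ERR also writes the client-supplied computer_name into the log unescaped, whereas the source4 helper removed in the first patch passed the account name through log_escape() first; the same treatment here would be consistent if that helper is available to source3. netr_creds_server_step_check starts before this hunk and continues after it.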