The Samba-Bugzilla – Attachment 15271 Details for
Bug 13949
Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"
[patch]
Patch for v4-9-test
tmp49.diff.txt (text/plain), 6.81 KB, created by
Stefan Metzmacher
on 2019-07-02 07:39:31 UTC
Description:
Patch for v4-9-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2019-07-02 07:39:31 UTC
Size:
6.81 KB
>From 4cd36b5f6519cb8b4f76b17e6efad388fb7f1aab Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 27 May 2019 12:38:43 +0200
>Subject: [PATCH 1/3] s4:rpc_server:netlogon: don't require
> NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
>
>The domain join with VMWare Horizon Quickprep seems to use
>netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
>(and in addition the NEG_SUPPORTS_AES) just to verify a password.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
>---
> source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 ---------------
> 1 file changed, 15 deletions(-)
>
>diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>index e96cd08ce2db..31dc38c2ee03 100644
>--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
>+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>@@ -136,8 +136,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
> bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
> bool reject_des_client = !allow_nt4_crypto;
> bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
>- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
>- bool reject_none_rpc = (schannel == true);
>
> ZERO_STRUCTP(r->out.return_credentials);
> *r->out.rid = 0;
>@@ -217,10 +215,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
>
> negotiate_flags = *r->in.negotiate_flags & server_flags;
>
>- if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
>- reject_none_rpc = false;
>- }
>-
> if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
> reject_des_client = false;
> }
>@@ -267,15 +261,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
> */
> *r->out.negotiate_flags = negotiate_flags;
>
>- if (reject_none_rpc) {
>- /* schannel must be used, but client did not offer it. */
>- DEBUG(0,("%s: schannel required but client failed "
>- "to offer it. Client was %s\n",
>- __func__,
>- log_escape(mem_ctx, r->in.account_name)));
>- return NT_STATUS_ACCESS_DENIED;
>- }
>-
> switch (r->in.secure_channel_type) {
> case SEC_CHAN_WKSTA:
> case SEC_CHAN_DNS_DOMAIN:
>--
>2.17.1
>
>
>From 045ddd64c8e3303f55971793ac375805365c17fb Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 27 May 2019 12:38:43 +0200
>Subject: [PATCH 2/3] s3:rpc_server:netlogon: don't require
> NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
>
>The domain join with VMWare Horizon Quickprep seems to use
>netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
>(and in addition the NEG_SUPPORTS_AES) just to verify a password.
>
>Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)
>---
> source3/rpc_server/netlogon/srv_netlog_nt.c | 13 +------------
> 1 file changed, 1 insertion(+), 12 deletions(-)
>
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index 9b9947455ed9..afe7b25f74d6 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
>@@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
> srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
> }
>
>- if (lp_server_schannel() != false) {
>+ if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
> srv_flgs |= NETLOGON_NEG_SCHANNEL;
> }
>
>@@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
> goto out;
> }
>
>- if ( (lp_server_schannel() == true) &&
>- ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
>-
>- /* schannel must be used, but client did not offer it. */
>- DEBUG(0,("%s: schannel required but client failed "
>- "to offer it. Client was %s\n",
>- fn, r->in.account_name));
>- status = NT_STATUS_ACCESS_DENIED;
>- goto out;
>- }
>-
> status = get_md4pw(&mach_pwd,
> r->in.account_name,
> r->in.secure_channel_type,
>--
>2.17.1
>
>
>From 116c7cc1c7208f72c3f914757e0d2af1e8d8ea85 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 27 May 2019 13:12:14 +0200
>Subject: [PATCH 3/3] s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check
> in netr_creds_server_step_check()
>
>The gensec schannel module already asserts that at least
>AUTH_LEVEL_INTEGRITY is used.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
>---
> source3/rpc_server/netlogon/srv_netlog_nt.c | 39 +++------------------
> 1 file changed, 4 insertions(+), 35 deletions(-)
>
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index afe7b25f74d6..d799ba4feefa 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
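Review bot: In `_netr_ServerAuthenticate3()` (PATCH 2/3, hunk at -927) the new `if (in_neg_flags & NETLOGON_NEG_SCHANNEL)` no longer consults `lp_server_schannel()`, and the hunk at -968 removes the rejection, so nothing visible in this function enforces the `server schannel` setting any more. Judging from PATCH 3/3, enforcement now appears to rest on the `schannel_global_required` test in `netr_creds_server_step_check()`, and that dependency is not recorded anywhere in the code. A comment above the `if` would keep it with the code, for example `/* "server schannel" is not enforced here; netr_creds_server_step_check() rejects non-schannel calls. Some clients authenticate without NEG_SCHANNEL just to verify a password. */`. The equivalent source4 removal in PATCH 1/3 shows no replacement check in its visible hunks, so it is worth confirming where that server enforces the option. The function body continues outside both hunks.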
>@@ -1061,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
> return _netr_ServerAuthenticate3(p, &a);
> }
>
>-/*************************************************************************
>- * If schannel is required for this call test that it actually is available.
>- *************************************************************************/
>-static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
>- const char *computer_name,
>- bool integrity, bool privacy)
>-{
>- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
>- if (!privacy && !integrity) {
>- return NT_STATUS_OK;
>- }
>-
>- if ((!privacy && integrity) &&
>- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
>- return NT_STATUS_OK;
>- }
>-
>- if ((privacy || integrity) &&
>- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
>- return NT_STATUS_OK;
>- }
>- }
>-
>- /* test didn't pass */
>- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
>- computer_name));
>-
>- return NT_STATUS_ACCESS_DENIED;
>-}
>-
> /*************************************************************************
> *************************************************************************/
>
>@@ -1110,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
> }
>
> if (schannel_global_required) {
>- status = schannel_check_required(&p->auth,
>- computer_name,
>- false, false);
>- if (!NT_STATUS_IS_OK(status)) {
>- return status;
>+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
>+ DBG_ERR("[%s] is not using schannel\n",
>+ computer_name);
>+ return NT_STATUS_ACCESS_DENIED;
> }
> }
>
>--
>2.17.1
>
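Review bot: The new `DBG_ERR("[%s] is not using schannel\n", computer_name);` in `netr_creds_server_step_check()` (hunk at -1110) writes `computer_name` to the log unescaped, and that value looks to be supplied by the RPC client. The source4 code touched in PATCH 1/3 passed the client name through `log_escape(mem_ctx, ...)` before logging; doing the same here, e.g. `log_escape(talloc_tos(), computer_name)`, keeps caller-chosen control characters out of the denial record. Confirm which talloc context is available, since the function's signature and the rest of its body lie outside the hunk. Separately, the reason `auth_level` is no longer inspected is stated only in the commit message; a one-line comment such as `/* gensec schannel already guarantees at least DCERPC_AUTH_LEVEL_INTEGRITY */` above the `if` would keep it with the code.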
Flags:
asn
:
review+