From 77aa1bdc8e92aa41ccb190c89f1c0b05923da2b8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 17 Sep 2020 14:39:31 +1200
Subject: [PATCH] CVE-2020-1472: Totally require schannel for DCs and trusted domains

This matches new Microsoft behaviour.

Signed-off-by: Andrew Bartlett
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++--------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 0007f219b3c..dfb45160f23 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -623,7 +623,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 {
 NTSTATUS nt_status;
 int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
- bool schannel_required = (schannel == true);
+ bool schannel_required = true;
 struct netlogon_creds_CredentialState *creds = NULL;
 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 uint16_t opnum = dce_call->pkt.u.request.opnum;
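Review bot: `bool schannel_required = true;` now carries the enforcement decision for every non-workstation account, but nothing at the declaration says so; a reader sees it reassigned further down and may take it for an ordinary default. A short comment on that line would prevent that, e.g. `/* Required unconditionally for DC and trust accounts (CVE-2020-1472); only SEC_CHAN_WKSTA may relax this below */`. The `int schannel` value from lpcfg_server_schannel() is still consulted, but after this change only inside the workstation branch, which is worth stating next to it. The body of dcesrv_netr_creds_server_step_check continues outside this hunk.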
@@ -646,19 +646,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 return nt_status;
 }
- schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
- NULL,
- "server require schannel",
- creds->account_name,
- schannel_required);
- if (schannel_required && schannel != true) {
- /*
- * We want admins to notice there misconfiguration!
- */
- DBG_ERR("CVE-2020-1472(ZeroLogin): "
- "Please configure 'server schannel = yes' when "
- "using 'server require schannel:%s = yes'\n",
- log_escape(mem_ctx, creds->account_name));
+ /*
+ * Due to CVE-2020-1472 we must not allow DCs and trusted
+ * domains to be impersonated without schannel
+ */
+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
+ schannel_required = (schannel == true);
+
+ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
+ NULL,
+ "server require schannel",
+ creds->account_name,
+ schannel_required);
+ if (schannel_required && schannel != true) {
+ /*
+ * We want admins to notice there misconfiguration!
+ */
+ DBG_ERR("CVE-2020-1472(ZeroLogin): "
+ "Please configure 'server schannel = yes' when "
+ "using 'server require schannel:%s = yes'\n",
+ log_escape(mem_ctx, creds->account_name));
+ }
 }
 if (schannel_required) {
-- 
2.25.1
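Review bot: For any account whose secure_channel_type is not SEC_CHAN_WKSTA, the per-account `server require schannel:<name>` override is now bypassed silently: both the lpcfg_parm_bool() lookup and the misconfiguration DBG_ERR sit inside the new workstation-only branch, so a DC or trust account an administrator had explicitly exempted with that parameter will presumably be rejected by the `if (schannel_required)` path (which continues outside this hunk) with no log line connecting the rejection to the ignored setting. Ignoring the override is the stated intent of the commit, but the new comment should say so, e.g. add `* The per-account 'server require schannel:NAME' override is deliberately not consulted for these accounts.` to the block above the `if`. A one-line DBG_NOTICE when such an override is present but ignored would also make the transition visible to operators, though that is a follow-up. As a point of style, `schannel_required = (schannel == true);` is immediately overwritten by the lpcfg_parm_bool() call that takes it as the default, so `(schannel == true)` could simply be passed as the last argument and the blank line dropped.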