Bug 14903 - support for ROLE_IPA_DC is incomplete
Summary: support for ROLE_IPA_DC is incomplete
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.15.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-12 16:57 UTC by Alexander Bokovoy
Modified: 2021-12-15 14:56 UTC
CC List: 2 users

See Also:


Attachments
IPA-DC -- add missing checks (1.49 KB, patch), 2021-11-12 17:17 UTC, Alexander Bokovoy, no flags
backport to 4.15 (1.73 KB, patch), 2021-11-13 08:09 UTC, Alexander Bokovoy, flags: asn: review+, gd: review+

Description Alexander Bokovoy 2021-11-12 16:57:31 UTC
Problem figured out; I need a bug to refer to in a fix.

With the change to move FreeIPA's use of 'server role = primary classic domain controller' to a dedicated role, at least one place was overlooked: schannel_server_start() needs to be extended with ROLE_IPA_DC as well.

This omission prevents completing the NETLOGON_TC_VERIFY sequence when establishing a forest trust between FreeIPA and the Active Directory forest root. The AD DC performs a ServerAuthenticate3 request, to which we respond positively but cannot marshal the response due to the bug mentioned above.

[2021/11/12 11:41:15.236537,  3, pid=36211, effective(0, 0), real(0, 0)] ../../libcli/auth/schannel_state_tdb.c:130(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/AD1
[2021/11/12 11:41:15.236570,  1, pid=36211, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
       creds: struct netlogon_creds_CredentialState
          negotiate_flags          : 0x411bc1ff (1092338175)
                 1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                 1: NETLOGON_NEG_PERSISTENT_SAMREPL
                 1: NETLOGON_NEG_ARCFOUR     
                 1: NETLOGON_NEG_PROMOTION_COUNT
                 1: NETLOGON_NEG_CHANGELOG_BDC
                 1: NETLOGON_NEG_FULL_SYNC_REPL
                 1: NETLOGON_NEG_MULTIPLE_SIDS
                 1: NETLOGON_NEG_REDO        
                 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                 0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                 0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                 0: NETLOGON_NEG_CONCURRENT_RPC
                 0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                 0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                 1: NETLOGON_NEG_STRONG_KEYS 
                 1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                 1: NETLOGON_NEG_PASSWORD_SET2
                 0: NETLOGON_NEG_GETDOMAININFO
                 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                 1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                 0: NETLOGON_NEG_RODC_PASSTHROUGH
                 0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                 1: NETLOGON_NEG_SUPPORTS_AES
                 0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                 1: NETLOGON_NEG_AUTHENTICATED_RPC
          session_key              : 7cf22f4749f7d8523cba143a512236b2
          sequence                 : 0x00000000 (0)
          seed: struct netr_Credential
              data                     : c3cf649293b32eeb
          client: struct netr_Credential
              data                     : c3cf649293b32eeb
          server: struct netr_Credential
              data                     : 9a411ac703cad937
          secure_channel_type      : SEC_CHAN_DNS_DOMAIN (0x3)
          computer_name            : 'AD1'
          account_name             : 'win2019.test.'
          sid                      : *
              sid                      : S-1-5-21-3306425499-2542250174-3704382410-1008
[2021/11/12 11:41:15.236765,  4, pid=36211, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2021/11/12 11:41:15.236803,  4, pid=36211, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/11/12 11:41:15.236819,  1, pid=36211, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
       netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
          out: struct netr_ServerAuthenticate3
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 9a411ac703cad937
              negotiate_flags          : *
                  negotiate_flags          : 0x411bc1ff (1092338175)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS 
                         1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         1: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         1: NETLOGON_NEG_AUTHENTICATED_RPC
              rid                      : *
                  rid                      : 0x000003f0 (1008)
              result                   : NT_STATUS_OK
[2021/11/12 11:41:15.237601, 10, pid=36211, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/11/12 11:41:15.237642,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'DC'
[2021/11/12 11:41:15.237741,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2021/11/12 11:41:15.237755,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2021/11/12 11:41:15.237765,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2021/11/12 11:41:15.237776,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2021/11/12 11:41:15.237787,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind
[2021/11/12 11:41:15.237797,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2021/11/12 11:41:15.237810,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2021/11/12 11:41:15.237821,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2021/11/12 11:41:15.238191,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2021/11/12 11:41:15.238217,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2021/11/12 11:41:15.238238,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2021/11/12 11:41:15.238288,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'spnego' registered
[2021/11/12 11:41:15.238300,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'schannel' registered
[2021/11/12 11:41:15.238310,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2021/11/12 11:41:15.238321,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2021/11/12 11:41:15.238334,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2021/11/12 11:41:15.238345,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2021/11/12 11:41:15.238358,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_basic' registered
[2021/11/12 11:41:15.238370,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2021/11/12 11:41:15.238380,  3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2021/11/12 11:41:15.238498,  5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:851(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2021/11/12 11:41:15.238511,  1, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:868(gensec_start_mech)
  Failed to start GENSEC server mech schannel: NT_STATUS_NOT_IMPLEMENTED
[2021/11/12 11:41:15.238557,  3, pid=36211, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcesrv_auth.c:186(dcesrv_auth_prepare_gensec)
  Failed to start GENSEC mechanism for DCERPC server: auth_type=68 (schannel), auth_level=6: NT_STATUS_NOT_IMPLEMENTED
[2021/11/12 11:41:15.242753,  3, pid=36211, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:853(ncacn_terminate_connection)
  ncacn_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
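The failure above comes from a role gate written as an allow-list with a catch-all default: when ROLE_IPA_DC was added to the server-role enum, every switch that did not name it silently fell into the default branch and answered NT_STATUS_NOT_IMPLEMENTED, which is exactly the "Failed to start GENSEC server mech schannel" line in the log. The C below is an added illustration and not Samba's code: it mirrors the role enum and the two status codes in a simplified form (the enumerator names follow Samba's, the numeric enum values and the typedef are assumptions made for this example), shows the pre-fix gate beside the fixed one, and writes the fixed gate without a default branch so that a compiler with -Wswitch (part of -Wall on gcc and clang) warns the next time a role is added to the enum but not to the gate.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified mirror of Samba's server-role enumerators for this example.
 * The enumerator names match Samba; the numeric values are constructed. */
enum server_role {
    ROLE_STANDALONE,
    ROLE_DOMAIN_MEMBER,
    ROLE_DOMAIN_BDC,
    ROLE_DOMAIN_PDC,
    ROLE_ACTIVE_DIRECTORY_DC,
    ROLE_IPA_DC,            /* the role added later that the gate below forgot */
};

/* NTSTATUS is modelled as a plain 32-bit code here (an assumption for this
 * example); the two values are the standard Windows status codes. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK              ((NTSTATUS)0x00000000)
#define NT_STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002)

/* Before the fix: an allow-list with a catch-all default.  Adding ROLE_IPA_DC
 * to the enum leaves this function untouched, so the new role lands in the
 * default branch and schannel refuses to start. */
NTSTATUS schannel_server_start_before(enum server_role role)
{
    switch (role) {
    case ROLE_DOMAIN_BDC:
    case ROLE_DOMAIN_PDC:
    case ROLE_ACTIVE_DIRECTORY_DC:
        return NT_STATUS_OK;
    default:
        return NT_STATUS_NOT_IMPLEMENTED;
    }
}

/* After the fix, written without a default branch: every enumerator must be
 * listed explicitly, so -Wswitch reports any role missing from this switch.
 * Roles that must not run schannel are named rather than swept into a
 * catch-all, which keeps the deny behaviour while making omissions visible. */
NTSTATUS schannel_server_start_after(enum server_role role)
{
    switch (role) {
    case ROLE_DOMAIN_BDC:
    case ROLE_DOMAIN_PDC:
    case ROLE_ACTIVE_DIRECTORY_DC:
    case ROLE_IPA_DC:
        return NT_STATUS_OK;
    case ROLE_STANDALONE:
    case ROLE_DOMAIN_MEMBER:
        return NT_STATUS_NOT_IMPLEMENTED;
    }
    /* Only reached for an out-of-range value; fail closed. */
    return NT_STATUS_NOT_IMPLEMENTED;
}

/* Exercises every role against both gates and returns how many roles get a
 * different answer after the fix.  For this enum exactly one does: ROLE_IPA_DC. */
int count_roles_changed_by_fix(void)
{
    int changed = 0;
    for (int r = ROLE_STANDALONE; r <= ROLE_IPA_DC; r++) {
        enum server_role role = (enum server_role)r;
        if (schannel_server_start_before(role) != schannel_server_start_after(role)) {
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    static const char *names[] = {
        "ROLE_STANDALONE", "ROLE_DOMAIN_MEMBER", "ROLE_DOMAIN_BDC",
        "ROLE_DOMAIN_PDC", "ROLE_ACTIVE_DIRECTORY_DC", "ROLE_IPA_DC",
    };
    for (int r = ROLE_STANDALONE; r <= ROLE_IPA_DC; r++) {
        enum server_role role = (enum server_role)r;
        printf("%-26s before=0x%08x after=0x%08x\n", names[r],
               schannel_server_start_before(role),
               schannel_server_start_after(role));
    }
    printf("roles changed by fix: %d\n", count_roles_changed_by_fix());
    return 0;
}
```

Compile with `cc -Wall -Werror` and then append a new enumerator to `server_role` without touching `schannel_server_start_after()`: the build fails on the unhandled case, which is the check that would have caught this bug at compile time instead of in a trust-establishment log.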
Comment 1 Alexander Bokovoy 2021-11-12 17:05:48 UTC
Looks like only the following two locations were missed:

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 0cdae141ead..6ebbe8f3179 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
        case ROLE_DOMAIN_BDC:
        case ROLE_DOMAIN_PDC:
        case ROLE_ACTIVE_DIRECTORY_DC:
+       case ROLE_IPA_DC:
                return NT_STATUS_OK;
        default:
                return NT_STATUS_NOT_IMPLEMENTED;
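Review bot: the added `case ROLE_IPA_DC:` is the minimal fix and matches the log, where this switch's `default:` branch is what produced "Failed to start GENSEC server mech schannel: NT_STATUS_NOT_IMPLEMENTED"; the catch-all `default:` is also why the new role was missed silently, so consider a follow-up that lists the non-DC roles explicitly and drops `default:` so -Wswitch flags the next role added to the enum, plus a test that starts the schannel server mech with `server role = ROLE_IPA_DC`.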
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 8d71b5252ab..ea92a22cbc9 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
                switch (lp_server_role()) {
                        case ROLE_DOMAIN_PDC:
                        case ROLE_DOMAIN_BDC:
+                       case ROLE_IPA_DC:
                                name = get_global_sam_name();
                                sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
                                if (!sid) {
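Review bot: this switch lists only ROLE_DOMAIN_PDC and ROLE_DOMAIN_BDC alongside the new ROLE_IPA_DC, unlike the schannel hunk which also names ROLE_ACTIVE_DIRECTORY_DC, so please confirm in the commit message that an IPA DC is meant to take the classic PDC/BDC path here (`get_global_sam_name()` / `get_global_sam_sid()`) for LSA policy queries; the existing `if (!sid)` check covers the allocation failure, so no further error handling is needed for the new case.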
Comment 2 Alexander Bokovoy 2021-11-12 17:17:19 UTC
Created attachment 16992 [details]
IPA-DC -- add missing checks

Candidate patch. I am running a build to test it right now.
Comment 3 Alexander Bokovoy 2021-11-12 18:06:21 UTC
Yes, this patch fixed the problem for me and the process to establish trust moved further. I now have the working trust to AD with hardened Samba.

[2021/11/12 12:56:16.073614,  1, pid=99118, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
       netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
          out: struct netr_ServerAuthenticate3
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : f707cfe4fc84c1eb
              negotiate_flags          : *
                  negotiate_flags          : 0x411bc1ff (1092338175)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS 
                         1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         1: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         1: NETLOGON_NEG_AUTHENTICATED_RPC
              rid                      : *
                  rid                      : 0x000003f1 (1009)
              result                   : NT_STATUS_OK
[2021/11/12 12:56:16.074463, 10, pid=99118, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/11/12 12:56:16.074508,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'DC'
[2021/11/12 12:56:16.074532,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2021/11/12 12:56:16.074549,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2021/11/12 12:56:16.074563,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2021/11/12 12:56:16.074578,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2021/11/12 12:56:16.074593,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind
[2021/11/12 12:56:16.074606,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2021/11/12 12:56:16.074625,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2021/11/12 12:56:16.074640,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2021/11/12 12:56:16.075152,  5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:851(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2021/11/12 12:56:16.075295,  1, pid=99118, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
       creds: struct netlogon_creds_CredentialState
          negotiate_flags          : 0x411bc1ff (1092338175)
                 1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                 1: NETLOGON_NEG_PERSISTENT_SAMREPL
                 1: NETLOGON_NEG_ARCFOUR     
                 1: NETLOGON_NEG_PROMOTION_COUNT
                 1: NETLOGON_NEG_CHANGELOG_BDC
                 1: NETLOGON_NEG_FULL_SYNC_REPL
                 1: NETLOGON_NEG_MULTIPLE_SIDS
                 1: NETLOGON_NEG_REDO        
                 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                 0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                 0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                 0: NETLOGON_NEG_CONCURRENT_RPC
                 0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                 0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                 1: NETLOGON_NEG_STRONG_KEYS 
                 1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                 1: NETLOGON_NEG_PASSWORD_SET2
                 0: NETLOGON_NEG_GETDOMAININFO
                 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                 1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                 0: NETLOGON_NEG_RODC_PASSTHROUGH
                 0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                 1: NETLOGON_NEG_SUPPORTS_AES
                 0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                 1: NETLOGON_NEG_AUTHENTICATED_RPC
          session_key              : 5dc38219a6bfda179aa1cf88a5986a2c
          sequence                 : 0x00000000 (0)
          seed: struct netr_Credential
              data                     : 41b2a4a642c2f02e
          client: struct netr_Credential
              data                     : 41b2a4a642c2f02e
          server: struct netr_Credential
              data                     : f707cfe4fc84c1eb
          secure_channel_type      : SEC_CHAN_DNS_DOMAIN (0x3)
          computer_name            : 'AD1'
          account_name             : 'win2019.test.'
          sid                      : *
              sid                      : S-1-5-21-3306425499-2542250174-3704382410-1009
[2021/11/12 12:56:16.075494,  3, pid=99118, effective(0, 0), real(0, 0)] ../../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/AD1
[2021/11/12 12:56:16.075537, 10, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:456(gensec_update_send)
  gensec_update_send: schannel[0x563e3d5dfb00]: subreq: 0x563e3d5d63e0
[2021/11/12 12:56:16.075572, 10, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:549(gensec_update_done)
  gensec_update_done: schannel[0x563e3d5dfb00]: NT_STATUS_OK tevent_req[0x563e3d5d63e0/../../auth/gensec/schannel.c:816]: state[2] error[0 (0x0)]  state[struct schannel_update_state (0x563e3d5d65a0)] timer[(nil)] finish[../../auth/gensec/schannel.c:832]
[2021/11/12 12:56:16.075665,  5, pid=99118, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,schannel] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Fri, 12 Nov 2021 12:56:16.075649 EST] Remote host [ipv4:10.0.96.138:62335] local host [ipv4:10.0.96.44:49152]
  {"timestamp": "2021-11-12T12:56:16.075718-0500", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.0.96.44:49152", "remoteAddress": "ipv4:10.0.96.138:62335", "serviceDescription": "DCE/RPC", "authType": "schannel", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "sessionId": "862f0805-eb22-4920-b2f9-96584f87aa73", "logonServer": "MASTER", "transportProtection": "SEAL", "accountFlags": "0x00000010"}}
[2021/11/12 12:56:16.076355, 10, pid=99118, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 12
[2021/11/12 12:56:16.076448,  4, pid=99118, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/11/12 12:56:16.076468,  4, pid=99118, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2021/11/12 12:56:16.076484,  5, pid=99118, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (5):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
    SID[  3]: S-1-22-1-65534
    SID[  4]: S-1-22-2-65534
   Privileges (0x               0):
   Rights (0x               0):
Comment 4 Alexander Bokovoy 2021-11-13 08:09:48 UTC
Created attachment 16993 [details]
backport to 4.15
Comment 5 Samba QA Contact 2021-11-13 08:11:58 UTC
This bug was referenced in samba master:

c69b66f649c1d47a7367f7efe25b8df32369a3a5
Comment 6 Alexander Bokovoy 2021-11-13 08:12:53 UTC
Backport to 4.15 attached. Version for 4.14 is the same:

diff -u 0001-v4.15-IPA-DC-add-missing-checks.patch 0001-v4.14-IPA-DC-add-missing-checks.patch 
--- 0001-v4.15-IPA-DC-add-missing-checks.patch	2021-11-13 10:08:45.027426534 +0200
+++ 0001-v4.14-IPA-DC-add-missing-checks.patch	2021-11-13 10:11:11.430310279 +0200
@@ -1,4 +1,4 @@
-From 9fcb21d4a34342ecea8ad8d374bbc5ee49a585ce Mon Sep 17 00:00:00 2001
+From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Fri, 12 Nov 2021 19:06:01 +0200
 Subject: [PATCH] IPA DC: add missing checks

so I am not attaching it; we should apply this fix to all backports.
Comment 7 Andreas Schneider 2021-11-13 09:29:18 UTC
Jule, please apply the patch to v4.15. Thanks!
Comment 8 Andreas Schneider 2021-11-13 09:30:11 UTC
Alexander, it should be applied to 4.15, 4.14 and 4.13?
Comment 9 Alexander Bokovoy 2021-11-13 09:44:33 UTC
Yes, to 4.15-4.13
Comment 10 Guenther Deschner 2021-11-13 14:36:21 UTC
Comment on attachment 16993 [details]
backport to 4.15

LGTM, thanks!
Comment 11 Jule Anger 2021-11-15 11:53:09 UTC
(In reply to Andreas Schneider from comment #7)
Pushed to autobuild-v4-15-test.

What about the patch for 4.14? 4.13 is in security fixes only mode.
Comment 12 Alexander Bokovoy 2021-11-15 12:17:54 UTC
(In reply to Jule Anger from comment #11)
> (In reply to Andreas Schneider from comment #7)
> Pushed to autobuild-v4-15-test.
> 
> What about the patch for 4.14? 4.13 is in security fixes only mode.

The same attached patch applies to all versions down to 4.11 or even 4.10.
Please commit it to 4.14.
Comment 13 Alexander Bokovoy 2021-11-15 12:19:35 UTC
If we are going to make any other security release on 4.13 branch, then this patch is needed for 4.13 or otherwise it is going to be a regression once Fedora or RHEL considers a rebase of that. Fedora 33 is built on samba 4.13.
Comment 14 Jule Anger 2021-11-15 13:38:18 UTC
Okay, thanks for the explanation.
Pushed also to autobuild-v4-{14,13}-test.
Comment 15 Alexander Bokovoy 2021-11-15 14:26:41 UTC
Thank you, Jule! This will save a lot of time, very much appreciated!
Comment 16 Samba QA Contact 2021-11-15 14:35:03 UTC
This bug was referenced in samba v4-15-test:

0d3842697b44a821ccfba72b35fbbde2804c59cf
Comment 17 Samba QA Contact 2021-11-15 15:34:02 UTC
This bug was referenced in samba v4-13-test:

fadf49634500a08392f0625db4062d993ccb0b0a
Comment 18 Samba QA Contact 2021-11-18 07:40:06 UTC
This bug was referenced in samba v4-14-test:

75ab0a306fc78a9fc49c98325eadcf381b54e948
Comment 19 Jule Anger 2021-11-18 08:11:36 UTC
Closing out bug report.

Thanks!
Comment 20 Samba QA Contact 2021-12-08 14:57:53 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):

0d3842697b44a821ccfba72b35fbbde2804c59cf
Comment 21 Samba QA Contact 2021-12-15 14:25:31 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.15):

fadf49634500a08392f0625db4062d993ccb0b0a
Comment 22 Samba QA Contact 2021-12-15 14:56:04 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.11):

75ab0a306fc78a9fc49c98325eadcf381b54e948