Bug 15425 - NetrGetLogonCapabilities QueryLevel 2 needs to be implemented
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.18.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Reported: 2023-07-19 05:36 UTC by Andrew Bartlett
Modified: 2023-11-28 23:38 UTC

Attachments
WIP patches for master (38.42 KB, text/plain)
2023-07-19 19:21 UTC, Stefan Metzmacher

Description Andrew Bartlett 2023-07-19 05:36:53 UTC
KB5028166 has caused some disruption in the Samba community, and we are assured that an updated MS-NRPC will be published soon.

The new level 2 will document the exact behaviour, but for this to have been rushed out in a security release it will have mattered. (The failure against Samba was clearly not intentional.)
Comment 2 Stefan Metzmacher 2023-07-19 19:21:10 UTC
Created attachment 17989
WIP patches for master
Comment 3 Michael Saxl 2023-07-20 08:09:46 UTC
I like the fact that you check for 
NT_STATUS_EQUAL(status, NT_STATUS_RPC_BAD_STUB_DATA) 
and set the result to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE (is that the same as INVALID?)

But as you noted later, the sequence will be out of sync, since a patched server will not call dcesrv_netr_creds_server_step_check whereas an unpatched one will (but is unable to return return_authenticator).

Don't know if there is a way to make this compatible with both patched/Windows and unpatched Samba.
Comment 4 Stefan Metzmacher 2023-07-20 08:17:41 UTC
(In reply to Michael Saxl from comment #3)

It is compatible with patched/unpatched Windows/Samba.

Notice the state->tmp_creds = *state->creds and *state->creds = state->tmp_creds, which allows us to roll back when the step function was not called on the server.
Comment 5 Stefan Metzmacher 2023-07-20 08:18:29 UTC
(In reply to Michael Saxl from comment #3)

NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE is mapped from DCERPC_NCA_S_FAULT_INVALID_TAG
Comment 6 Stefan Metzmacher 2023-07-20 08:19:34 UTC
(In reply to Stefan Metzmacher from comment #5)

Oh, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE is wrong; it should be NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE.
Comment 7 Stefan Metzmacher 2023-07-20 08:28:36 UTC
Comment on attachment 17989
WIP patches for master

See https://gitlab.com/samba-team/samba/-/merge_requests/3189 for the latest version of patches
Comment 8 Michael Saxl 2023-07-20 08:41:51 UTC
(In reply to Stefan Metzmacher from comment #4)

But how do you decide whether to roll back?
The intended way is to roll back, since a patched Samba/Windows will not step, but unpatched Samba will.

I'm quite dumb at the specifics, but as far as I read, you make the step if all succeeds with
*state->creds = state->tmp_creds;

Otherwise a rollback is done.

What happens if the server side does the step (as far as I understood the unpatched server will)?
Comment 10 Douglas Bagnall 2023-11-28 23:38:32 UTC
I will work on this, unless someone else is well underway.