KB5028166 has caused some disruption in the Samba community, and we are assured that an updated MS-NRPC will be published soon. The new level 2 will document the exact behaviour, but for this to have been rushed out in a security release it will have mattered. (The failure against Samba was clearly not intentional).
Created attachment 17989: WIP patches for master
I like the fact that you check for NT_STATUS_EQUAL(status, NT_STATUS_RPC_BAD_STUB_DATA) and set the result to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE (is that the same as INVALID?), but as you noted later, the sequence will be out of sync since a patched server will not call dcesrv_netr_creds_server_step_check whereas an unpatched one will (but is unable to return return_authenticator). Don't know if there is a way to make this compatible with both patched Samba/Windows and unpatched Samba.
(In reply to Michael Saxl from comment #3) It is compatible with patched/unpatched Windows/Samba. Notice the state->tmp_creds = *state->creds and *state->creds = state->tmp_creds, which allow us to roll back when the step function was not called on the server.
(In reply to Michael Saxl from comment #3) NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE is mapped from DCERPC_NCA_S_FAULT_INVALID_TAG
(In reply to Stefan Metzmacher from comment #5) Oh, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE is wrong, it should be NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
Comment on attachment 17989 (WIP patches for master): See https://gitlab.com/samba-team/samba/-/merge_requests/3189 for the latest version of the patches.
(In reply to Stefan Metzmacher from comment #4) But how do you decide if you roll back? The intended way is to roll back, since a patched Samba/Windows will not step, but unpatched Samba will. I'm quite dumb at the specifics, but as far as I read it, you make the step if all succeeds with *state->creds = state->tmp_creds; else a rollback is done. What happens if the server side does the step (as far as I understood, the unpatched server will)?
For reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/69ffd0ac-a0dd-49f2-96ad-6720441b0a93