[Pkg-samba-maint] Bug#821811: samba: badlock patch breaks trust relationship

Santiago Ruano Rincón santiagorr at riseup.net
Thu May 26 09:40:19 UTC 2016


On 23/05/16 at 22:28, Andrew Bartlett wrote:
> On Wed, 2016-05-18 at 15:47 -0400, Antoine Beaupré wrote:
> > On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote:
> > > Dear Samba maintainers,
> > > 
> > > Any updates about this bug?
> > > 
> > > LTS Team, anyone could help to handle it?
> > > 
> > > According to comment#17 in
> > > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122
> > > Andreas Schneider prepared a fix for 3.6.25.
> > 
> > Hi again!
> > 
> > Should the LTS team prepare a regression update to the wheezy version
> > at
> > least?
> 
> That would be a good idea at this point.
> 
> I'm happy to review things, just not had the time to switch back on to
> debian matters.
> 
> Andrew Bartlett

Hi,

To the current package in git, I have added some patches imported from
the Ubuntu package, versions 2:3.6.25-0ubuntu0.12.04.3 and
2:3.6.25-0ubuntu0.12.04.4. The debdiff is attached. Andrew, could you
please take a look at it? Also, a test package is available at:

    deb https://people.debian.org/~santiago/debian santiago-wheezy/
    deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Please, test them. I don't have the infrastructure to actually verify
they solve the regressions. So, if somebody else would like to claim
this package, please do it!

Cheers,

Santiago
-------------- next part --------------
diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog
--- samba-3.6.6/debian/changelog	2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/changelog	2016-05-26 09:38:01.000000000 +0200
@@ -1,3 +1,27 @@
+samba (2:3.6.6-6+deb7u10~2) santiago-wheezy; urgency=high
+
+  [ Andrew Bartlett ]
+  * Remove patch for CVE-2016-2115 as it causes too much trouble.
+    - The 3.6 client could not talk to the 3.6 server out of the box (ACCESS_DENIED)
+    - Administrators should instead set 'client signing = required' if desired
+    - Closes: #820982
+  * Add NEWS file
+
+  [ Santiago Ruano Rincón ]
+  * Non-maintainer upload by the LTS Team.
+  * Fix regression introduced by badlock patch in rpc_server. Closes: #821811.
+  * debian/patches/netlogon_credentials_regression.patch: Fix updating
+    netlogon credentials in source3/rpc_client/cli_pipe.c (Impored from
+    Ubuntu).
+  * debian/patches/bug9669_regression.patch: fix a crash when running net rpc
+    join against an older Samba PDC in source3/rpc_client/cli_pipe.c (Imported
+    from Ubuntu).
+  * debian/patches/fix_netapp.patch: don't require NTLMSSP_SIGN for smb
+    connections in source3/libsmb/ntlmssp.c (Imported from Ubuntu).
+  * Thanks to Andreas Schneider.
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net>  Thu, 26 May 2016 09:37:57 +0200
+
 samba (2:3.6.6-6+deb7u9) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
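Review bot: The rpc_server entry under [ Santiago Ruano Rincón ] ("Fix regression introduced by badlock patch in rpc_server. Closes: #821811.") does not name the file it adds, unlike the three entries that follow it; naming debian/patches/821811-rpc_server-regression.patch there would make the entry match the others and the series file. "Impored" in the netlogon_credentials_regression.patch entry should read "Imported". The version 2:3.6.6-6+deb7u10~2 and the distribution santiago-wheezy look like test-build values and would need replacing before an upload, since the NEWS entry in this same debdiff is stamped 2:3.6.6-6+deb7u10 for wheezy-security.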
diff -Nru samba-3.6.6/debian/NEWS samba-3.6.6/debian/NEWS
--- samba-3.6.6/debian/NEWS	2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/NEWS	2016-04-29 14:12:50.000000000 +0200
@@ -1,3 +1,76 @@
+samba (2:3.6.6-6+deb7u10) wheezy-security; urgency=high
+
+    This Samba security release addresses both Denial of Service and Man in
+    the Middle vulnerabilities.
+
+    A significant number of patches were back-ported, and in some areas
+    of winbindd the behaviour is now more like Samba 4.2 than 3.6
+
+    This new security patch implements new smb.conf options and a
+    number of stricter behaviours to prevent Man in the Middle attacks
+    on our network services, as a client and as a server.
+
+    Between these changes, compatibility with a large number of older
+    software versions has been lost in the default configuration.
+
+    See the release notes in WHATNEW.txt for more information.
+
+
+    Here are some additional hints how to work around the new stricter default behaviors:
+
+    * As a File Server, compatibility with the Linux Kernel cifs
+      client depends on which configuration options are selected, please
+      use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+    * As a file or printer client and as a domain member, out of the
+      box compatibility with Samba less than 4.0 and other SMB/CIFS
+      servers, depends on support for SMB signing or SMB2 on the
+      server, which is often disabled or absent. You may need to
+      adjust the "client ipc signing" to "no" in these cases.
+
+    However, all of these can be worked around by setting smb.conf
+    options in Samba, see the 4.2.0 and 4.2.11 release notes (because
+    many of the fixes are backported from there) at
+    https://www.samba.org/samba/history/samba-4.2.0.html and
+    https://www.samba.org/samba/history/samba-4.2.11.html and the
+    Samba wiki for details, workarounds and suggested
+    security-improving changes to these and other software packages.
+
+
+    New smb.conf options and defaults:
+
+    * raw NTLMv2 auth = no
+    * allow dcerpc auth level connect = no
+
+
+    Suggested further improvements after patching:
+
+    It is recommended that administrators set these additional options,
+    if compatible with their network environment:
+
+        server signing = mandatory
+        ntlm auth = no
+	client signing = mandatory
+
+    Without "server signing = mandatory", Man in the Middle attacks
+    are still possible against our file server and
+    classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+    Samba's AD DC.) Note that this has heavy impact on the file server
+    performance, so you need to decide between performance and
+    security. These Man in the Middle attacks for smb file servers are
+    well known for decades.
+
+    Without "ntlm auth = no", there may still be clients not using
+    NTLMv2, and these observed passwords may be brute-forced easily using
+    cloud-computing resources or rainbow tables.
+
+    Without "client signing = mandetory" we will not be able to detect
+    a MitM attack between our client tools or winbindd and the server or
+    AD DC.  Later verisions of Samba implement additional features
+    to protect these communications.  Setting this option may however
+    disable connections to servers that have smb signing disabled (the default,
+    as above).
+
 samba (2:3.6.5-2) unstable; urgency=low
 
     NSS modules have been split out from libpam-winbind to
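Review bot: The second hint ("You may need to adjust the "client ipc signing" to "no" in these cases") points administrators at an option this debdiff takes away: "client ipc signing" is introduced by CVE-2016-2115-v3-6.patch, which is deleted here and dropped from debian/patches/series. The hint should be removed or reworded to refer to "client signing", and the entry should say that CVE-2016-2115 is not addressed in this version, in line with the changelog's advice to set 'client signing = required'. Smaller points in the same hunk: "mandetory" and "verisions" are misspelled in the last paragraph, and the "client signing = mandatory" line in the suggested options is indented with a tab while its two neighbours use spaces.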
diff -Nru samba-3.6.6/debian/patches/821811-rpc_server-regression.patch samba-3.6.6/debian/patches/821811-rpc_server-regression.patch
--- samba-3.6.6/debian/patches/821811-rpc_server-regression.patch	1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/821811-rpc_server-regression.patch	2016-05-24 15:47:17.000000000 +0200
@@ -0,0 +1,33 @@
+From: Andreas Schneider <asn at samba.org>
+Date: Fri, 15 Apr 2016 09:56:08 +0000 (+0200)
+Subject: s3:rpc_server: Fix a regression verifying the security trailer
+X-Git-Url: https://git.samba.org/?p=asn%2Fsamba.git;a=commitdiff_plain;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb
+
+s3:rpc_server: Fix a regression verifying the security trailer
+
+We do not support header signing so we should not check verify it if a
+client sends the flag.
+
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Guenther Deschner <gd at samba.org>
+---
+
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -1748,7 +1748,6 @@
+ {
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 	struct dcerpc_sec_verification_trailer *vt = NULL;
+-	const uint32_t bitmask1 = 0;
+ 	const struct dcerpc_sec_vt_pcontext pcontext = {
+ 		.abstract_syntax = pipe_fns->syntax,
+ 		.transfer_syntax = ndr_transfer_syntax,
+@@ -1769,7 +1768,7 @@
+ 		goto done;
+ 	}
+ 
+-	ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
++	ret = dcerpc_sec_verification_trailer_check(vt, NULL,
+ 						    &pcontext, &header2);
+ done:
+ 	TALLOC_FREE(frame);
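Review bot: The call in the second inner hunk passes NULL where &bitmask1 used to be, and nothing at the call site says why; a short comment above dcerpc_sec_verification_trailer_check(vt, NULL, ...) stating that header signing is not supported, so the bitmask is deliberately not checked while pcontext and header2 still are, would keep a later backport from reinstating it. The description sentence "we should not check verify it" has a doubled verb and is worth fixing in the imported header. The patch header also carries no Bug-Debian reference, although the file name and the changelog both tie it to #821811.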
diff -Nru samba-3.6.6/debian/patches/bug9669_regression.patch samba-3.6.6/debian/patches/bug9669_regression.patch
--- samba-3.6.6/debian/patches/bug9669_regression.patch	1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/bug9669_regression.patch	2016-05-26 09:29:18.000000000 +0200
@@ -0,0 +1,35 @@
+From 0abef6992dc342d443137f8a2ac6c01f490cecee Mon Sep 17 00:00:00 2001
+From: Christian Ambach <ambi at samba.org>
+Date: Wed, 20 Feb 2013 16:59:05 +0100
+Subject: [PATCH] s3:rpc_client fix a crash
+
+state->cli->dc does not have to be set (e.g. when running
+net rpc join against an older Samba PDC), so check it before dereferencing it
+
+This fixes Bug 9669 - net rpc join crashes against a Samba 3.0.33 PDC
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=9669
+
+Signed-off-by: Christian Ambach <ambi at samba.org>
+Reviewed-by: Andreas Schneider <asn at samba.org>
+
+Autobuild-User(master): Christian Ambach <ambi at samba.org>
+Autobuild-Date(master): Wed Feb 20 19:00:52 CET 2013 on sn-devel-104
+(cherry picked from commit 3d29bb2d37b02909ecb500e864f3c13e06957a86)
+
+(cherry picked from commit ff658bb36c28c9db91fc80a68725e893ffe300aa)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2273,7 +2273,7 @@
+ 	status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+ 	TALLOC_FREE(subreq);
+ 	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+-		if (state->cli->dc->negotiate_flags &
++		if (state->cli->dc && state->cli->dc->negotiate_flags &
+ 		    NETLOGON_NEG_SUPPORTS_AES) {
+ 			DEBUG(5, ("AES is not supported and the error was %s\n",
+ 				  nt_errstr(status)));
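Review bot: The changed condition "state->cli->dc && state->cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES" relies on & binding tighter than &&; it evaluates as intended, but wrapping the flag test in its own parentheses would make the NULL guard obvious and avoid a precedence warning. With dc NULL the AES branch is now skipped and control falls through to code that is not visible in this hunk, so it is worth confirming against the 3.6.6 source that nothing later in the function dereferences state->cli->dc unguarded when joining against an older PDC. The diffstat and hunk offsets come from a 2013 upstream commit, so the patch should also be checked to apply to this tree without fuzz.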
diff -Nru samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch
--- samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch	2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,359 +0,0 @@
-From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze at samba.org>
-Date: Sat, 27 Feb 2016 03:43:58 +0100
-Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Stefan Metzmacher <metze at samba.org>
-Reviewed-by: Ralph Boehme <slow at samba.org>
----
- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
- docs-xml/smbdotconf/security/clientsigning.xml    |  3 +++
- source3/include/proto.h                           |  1 +
- source3/param/loadparm.c                          | 12 ++++++++++++
- 4 files changed, 39 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
-
-diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
-new file mode 100644
-index 0000000..1897fc6
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="client ipc signing"
-+                 context="G"
-+                 type="enum"
-+                 enumlist="enum_smb_signing_vals"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-+    connections as DCERPC transport inside of winbind. Possible values
-+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
-+    and <emphasis>disabled</emphasis>.
-+    </para>
-+
-+    <para>When set to auto, SMB signing is offered, but not enforced and if set
-+    to disabled, SMB signing is not offered either.</para>
-+
-+    <para>Connections from winbindd to Active Directory Domain Controllers
-+    always enforce signing.</para>
-+</description>
-+
-+<related>client signing</related>
-+
-+<value type="default">mandatory</value>
-+</samba:parameter>
-diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
-index c657e05..189a7ae 100644
---- a/docs-xml/smbdotconf/security/clientsigning.xml
-+++ b/docs-xml/smbdotconf/security/clientsigning.xml
-@@ -12,6 +12,9 @@
-     <para>When set to auto, SMB signing is offered, but not enforced. 
-     When set to mandatory, SMB signing is required and if set 
- 	to disabled, SMB signing is not offered either.
-+
-+    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
-+    <smbconfoption name="client ipc signing"/> option.</para>
- </para>
- </description>
- 
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 43008ea..af950aa 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-+int lp_client_ipc_signing(void);
- int lp_server_signing(void);
- int lp_client_ldap_sasl_wrapping(void);
- char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c5249b7..a612e5a3 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -366,6 +366,7 @@ struct global {
- 	int restrict_anonymous;
- 	int name_cache_timeout;
- 	int client_signing;
-+	int client_ipc_signing;
- 	int server_signing;
- 	int client_ldap_sasl_wrapping;
- 	int iUsershareMaxShares;
-@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "client ipc signing",
-+		.type		= P_ENUM,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.client_ipc_signing,
-+		.special	= NULL,
-+		.enum_list	= enum_smb_signing_vals,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "server signing",
- 		.type		= P_ENUM,
- 		.p_class	= P_GLOBAL,
-@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientUseSpnego = True;
- 
- 	Globals.client_signing = Auto;
-+	Globals.client_ipc_signing = Required;
- 	Globals.server_signing = False;
- 
- 	Globals.bDeferSharingViolations = True;
-@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
- FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
- FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
- FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
-+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
- FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
- FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
- 
--- 
-2.8.1
-
-
-From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn at samba.org>
-Date: Tue, 5 Apr 2016 10:46:53 +0200
-Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
- not an smb client
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Pair-Programmed-With: Ralph Boehme <slow at samba.org>
-Signed-off-by: Andreas Schneider <asn at samba.org>
-Signed-off-by: Ralph Boehme <slow at samba.org>
----
- source3/param/loadparm.c                    | 14 ++++++++++++++
- source3/rpc_server/spoolss/srv_spoolss_nt.c |  2 +-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index a612e5a3..c58f860 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
- 		lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
- 	}
- 
-+	if (!lp_is_in_client()) {
-+		switch (lp_client_ipc_signing()) {
-+		case Required:
-+			lp_set_cmdline("client signing", "mandatory");
-+			break;
-+		case Auto:
-+			lp_set_cmdline("client signing", "auto");
-+			break;
-+		case False:
-+			lp_set_cmdline("client signing", "disabled");
-+			break;
-+		}
-+	}
-+
- 	init_iconv();
- 
- 	bAllowIncludeRegistry = true;
-diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-index 181a7b5..a0fcf27 100644
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
- 		"", /* username */
- 		"", /* domain */
- 		"", /* password */
--		0, lp_client_signing());
-+		0, False);
- 
- 	if ( !NT_STATUS_IS_OK( ret ) ) {
- 		DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- 
-2.8.1
-
-
-From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow at samba.org>
-Date: Thu, 31 Mar 2016 11:30:03 +0200
-Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
- sealed pipes"
-
-This will be used in the next commit to prevent mitm attacks on on lsa,
-samr and netlogon in winbindd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Ralph Boehme <slow at samba.org>
-Reviewed-by: Stefan Metzmacher <metze at samba.org>
-Reviewed-by: Andreas Schneider <asn at samba.org>
----
- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
- source3/include/proto.h                            |  1 +
- source3/param/loadparm.c                           | 12 ++++++++++++
- 3 files changed, 28 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-new file mode 100644
-index 0000000..016ac9b
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -0,0 +1,15 @@
-+<samba:parameter name="winbind sealed pipes"
-+                 context="G"
-+                 type="boolean"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+	<para>This option controls whether any requests from winbindd to domain controllers
-+		pipe will be sealed. Disabling sealing can be useful for debugging
-+		purposes.</para>
-+
-+	<para>The behavior can be controlled per netbios domain
-+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index af950aa..ac1540f 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
- int lp_winbind_reconnect_delay(void);
- int lp_winbind_max_clients(void);
- const char **lp_winbind_nss_info(void);
-+bool lp_winbind_sealed_pipes(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c58f860..fdc9407 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -215,6 +215,7 @@ struct global {
- 	int  winbind_expand_groups;
- 	bool bWinbindRefreshTickets;
- 	bool bWinbindOfflineLogon;
-+	bool bWinbindSealedPipes;
- 	bool bWinbindNormalizeNames;
- 	bool bWinbindRpcOnly;
- 	bool bCreateKrb5Conf;
-@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "winbind sealed pipes",
-+		.type		= P_BOOL,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.bWinbindSealedPipes,
-+		.special	= NULL,
-+		.enum_list	= NULL,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "winbind normalize names",
- 		.type		= P_BOOL,
- 		.p_class	= P_GLOBAL,
-@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
- 	Globals.bWinbindRefreshTickets = False;
- 	Globals.bWinbindOfflineLogon = False;
-+	Globals.bWinbindSealedPipes = True;
- 
- 	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
- 	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
-@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
- FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
- FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
- FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
-+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
- FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
- FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
- FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
--- 
-2.8.1
-
-
-From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet at samba.org>
-Date: Fri, 5 Sep 2014 17:00:31 +1200
-Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
- connections by default
-
-The requirement is that we have "winbind sealed pipes = false" and
-"require strong key = false" before we make anonymous connections.
-These are a security risk as we cannot prevent MITM attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
-
-Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-Reviewed-by: Stefan Metzmacher <metze at samba.org>
-(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
----
- source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
- 1 file changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 8271279..50a341e 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- 	TALLOC_FREE(conn->samr_pipe);
- 
-  anonymous:
-+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+		status = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
-+			  "without connection level security, "
-+			  "must set 'winbind sealed pipes = false' "
-+			  "to proceed: %s\n",
-+			  domain->name, nt_errstr(status)));
-+		goto done;
-+	}
- 
- 	/* Finally fall back to anonymous. */
- 	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- 
-  anonymous:
- 
-+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+		result = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
-+			  "without connection level security, "
-+			  "must set 'winbind sealed pipes = false' "
-+			  "to proceed: %s\n",
-+			  domain->name, nt_errstr(result)));
-+		goto done;
-+	}
-+
- 	result = cli_rpc_pipe_open_noauth(conn->cli,
- 					  &ndr_table_lsarpc.syntax_id,
- 					  &conn->lsa_pipe);
-@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- 
-  no_schannel:
- 	if ((lp_client_schannel() == False) ||
--			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+			result = NT_STATUS_DOWNGRADE_DETECTED;
-+			DEBUG(1, ("Unwilling to make connection to domain %s "
-+				  "without connection level security, "
-+				  "must set 'winbind sealed pipes = false' "
-+				  "to proceed: %s\n",
-+				  domain->name, nt_errstr(result)));
-+			TALLOC_FREE(netlogon_pipe);
-+			invalidate_cm_connection(conn);
-+			return result;
-+		}
- 		/*
- 		 * NetSamLogonEx only works for schannel
- 		 */
--- 
-2.8.1
-
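Review bot: Deleting the whole file drops all four commits, not only the "client ipc signing" default that the changelog blames for ACCESS_DENIED between a 3.6 client and a 3.6 server. Patch 3/4 ("winbind sealed pipes") and patch 4/4 (the lp_winbind_sealed_pipes() checks before the anonymous fallback in cm_connect_sam, cm_connect_lsa and cm_connect_netlogon, returning NT_STATUS_DOWNGRADE_DETECTED) are removed along with it, so winbindd goes back to falling back to unauthenticated pipes on a DC or for the primary domain. If the breakage comes from "Globals.client_ipc_signing = Required" in init_globals together with the lp_load_ex() override of "client signing" in patch 2/4, a narrower change, such as defaulting that option to Auto or keeping only 3/4 and 4/4, would fix the regression without giving up the winbindd hardening. If full removal is intended, the changelog and NEWS should state plainly that CVE-2016-2115 and the winbindd anonymous-connection protection are no longer present in this package.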
diff -Nru samba-3.6.6/debian/patches/fix_netapp.patch samba-3.6.6/debian/patches/fix_netapp.patch
--- samba-3.6.6/debian/patches/fix_netapp.patch	1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/fix_netapp.patch	2016-05-26 09:30:49.000000000 +0200
@@ -0,0 +1,33 @@
+Decription: Fix compatibility with NetAPP NAS
+Origin: backport, https://git.samba.org/?p=samba.git;a=commit;h=d97b347d041f9b5c0aa71f35526cbefd56f3500b
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11850
+Bug-Ubuntu: https://bugs.launchpad.net/samba/+bug/1576109
+
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -206,7 +206,11 @@
+ 	 * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
+ 	 */
+ 	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		/*
++		 * We don't require this here as some servers (e.g. NetAPP)
++		 * doesn't support this.
++		 */
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+ 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+@@ -231,7 +235,11 @@
+ {
+ 	/* As per JRA's comment above */
+ 	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		/*
++		 * We don't require this here as some servers (e.g. NetAPP)
++		 * doesn't support this.
++		 */
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_SIGN) {
+ 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
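Review bot: In both inner hunks the NTLMSSP_FEATURE_SESSION_KEY branch now sets NTLMSSP_NEGOTIATE_SIGN in neg_flags instead of required_flags, so for callers that ask only for a session key, signing is offered but a reply without it is no longer rejected; that is a security-relevant relaxation and should be described as such in the changelog and NEWS, not only as NetApp compatibility. Callers that need signing enforced have to request NTLMSSP_FEATURE_SIGN, which still sets required_flags in the unchanged lines below, and it would be worth listing which callers in this tree pass only NTLMSSP_FEATURE_SESSION_KEY. The DEP-3 header field is misspelled as "Decription:", so tools reading the header will not find a description; it should be "Description:". The added comment's "some servers (e.g. NetAPP) doesn't support this" should read "don't support this".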
diff -Nru samba-3.6.6/debian/patches/netlogon_credentials_regression.patch samba-3.6.6/debian/patches/netlogon_credentials_regression.patch
--- samba-3.6.6/debian/patches/netlogon_credentials_regression.patch	1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/netlogon_credentials_regression.patch	2016-05-26 09:28:33.000000000 +0200
@@ -0,0 +1,55 @@
+From 2d0424e7bb2c30bf9049529b207c73b55370dfc8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Tue, 10 Jan 2012 16:38:16 +0100
+Subject: [PATCH] s3-rpc_client: Fix updating netlogon credentials.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner <gd at samba.org>
+(cherry picked from commit 33206b1e240e55acedad606aed4f1952f7496b35)
+---
+ source3/rpc_client/cli_pipe.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+Index: samba-3.6.25/source3/rpc_client/cli_pipe.c
+===================================================================
+--- samba-3.6.25.orig/source3/rpc_client/cli_pipe.c	2016-05-03 12:36:52.810453161 -0400
++++ samba-3.6.25/source3/rpc_client/cli_pipe.c	2016-05-03 12:36:52.806453162 -0400
+@@ -2268,9 +2268,6 @@
+ 	struct rpc_pipe_bind_state *state =
+ 		tevent_req_data(req,
+ 				struct rpc_pipe_bind_state);
+-	struct schannel_state *schannel_auth =
+-		talloc_get_type_abort(state->cli->auth->auth_ctx,
+-				      struct schannel_state);
+ 	NTSTATUS status;
+ 
+ 	status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+@@ -2328,8 +2325,8 @@
+ 		return;
+ 	}
+ 
+-	TALLOC_FREE(schannel_auth->creds);
+-	schannel_auth->creds = talloc_steal(state->cli, state->creds);
++	TALLOC_FREE(state->cli->dc);
++	state->cli->dc = talloc_steal(state->cli, state->creds);
+ 
+ 	if (!NT_STATUS_IS_OK(state->r.out.result)) {
+ 		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+@@ -3526,10 +3523,12 @@
+ 	 * The credentials on a new netlogon pipe are the ones we are passed
+ 	 * in - copy them over
+ 	 */
+-	result->dc = netlogon_creds_copy(result, *pdc);
+ 	if (result->dc == NULL) {
+-		TALLOC_FREE(result);
+-		return NT_STATUS_NO_MEMORY;
++		result->dc = netlogon_creds_copy(result, *pdc);
++		if (result->dc == NULL) {
++			TALLOC_FREE(result);
++			return NT_STATUS_NO_MEMORY;
++		}
+ 	}
+ 
+ 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
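Review bot: In the last inner hunk the copy from *pdc is now skipped whenever result->dc is already set, but the comment directly above it still says "The credentials on a new netlogon pipe are the ones we are passed in - copy them over"; the comment should be updated to say that existing credentials on the pipe take precedence and *pdc is only a fallback. The patch has no description body, so nothing explains which regression it fixes or why state->cli->dc replaces schannel_auth->creds in the second hunk; a sentence or two plus an Origin or Bug reference would help the next person who touches this series. The first hunk also removes the talloc_get_type_abort() on state->cli->auth->auth_ctx, which is worth naming in the description if that type check was what failed. The Index: lines refer to samba-3.6.25 while the package is 3.6.6, so the hunks need checking for offsets or fuzz against this tree.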
diff -Nru samba-3.6.6/debian/patches/series samba-3.6.6/debian/patches/series
--- samba-3.6.6/debian/patches/series	2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/patches/series	2016-05-26 09:30:44.000000000 +0200
@@ -44,8 +44,11 @@
 CVE-2016-2110-v3-6.patch
 CVE-2016-2111-v3-6.patch
 CVE-2016-2112-v3-6.patch
-CVE-2016-2115-v3-6.patch
 CVE-2016-2118-v3-6.patch
 CVE-2015-5370-v3-6.patch
 0001-pidl-Add-skip-option-to-elements.patch
 0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch
+821811-rpc_server-regression.patch
+netlogon_credentials_regression.patch
+bug9669_regression.patch
+fix_netapp.patch
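Review bot: CVE-2016-2115-v3-6.patch is removed from the middle of the series while CVE-2016-2118-v3-6.patch and CVE-2015-5370-v3-6.patch, which follow it, stay in place; the removed patch changed source3/param/loadparm.c and source3/include/proto.h, so the remaining patches should be confirmed to apply with a clean "quilt push -a" and no fuzz, and refreshed if their context depended on it. The order of the new entries matters too: netlogon_credentials_regression.patch and bug9669_regression.patch both change the same function in source3/rpc_client/cli_pipe.c, so they need to stay in this order.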