[Pkg-samba-maint] Bug#821811: samba: badlock patch breaks trust relationship
Santiago Ruano Rincón
santiagorr at riseup.net
Thu May 26 09:40:19 UTC 2016
El 23/05/16 a las 22:28, Andrew Bartlett escribió:
> On Wed, 2016-05-18 at 15:47 -0400, Antoine Beaupré wrote:
> > On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote:
> > > Dear Samba maintainers,
> > >
> > > Any updates about this bug?
> > >
> > > LTS Team, anyone could help to handle it?
> > >
> > > According to comment#17 in
> > > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122
> > > Andreas Schneider prepared a fix for 3.6.25.
> >
> > Hi again!
> >
> > Should the LTS team prepare a regression update to the wheezy version
> > at
> > least?
>
> That would be a good idea at this point.
>
> I'm happy to review things, just not had the time to switch back on to
> debian matters.
>
> Andrew Bartlett
Hi,
To the current package in git, I have added some patches imported from
the Ubuntu package, versions 2:3.6.25-0ubuntu0.12.04.3 and
2:3.6.25-0ubuntu0.12.04.4. The debdiff is attached. Andrew, could you
please take a look on it? Also, test package is available at:
deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/
Please, test them. I don't have the infrastructure to actually verify
they solve the regressions. So, if somebody else would like to claim
this package, please do it!
Cheers,
Santiago
-------------- next part --------------
diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog
--- samba-3.6.6/debian/changelog 2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/changelog 2016-05-26 09:38:01.000000000 +0200
@@ -1,3 +1,27 @@
+samba (2:3.6.6-6+deb7u10~2) santiago-wheezy; urgency=high
+
+ [ Andrew Bartlett ]
+ * Remove patch for CVE-2016-2115 as it causes too much trouble.
+ - The 3.6 client could not talk to the 3.6 server out of the box (ACCESS_DENIED)
+ - Administrators should instead set 'client signing = required' if desired
+ - Closes: #820982
+ * Add NEWS file
+
+ [ Santiago Ruano Rincón ]
+ * Non-maintainer upload by the LTS Team.
+ * Fix regression introduced by badlock patch in rpc_server. Closes: #821811.
+ * debian/patches/netlogon_credentials_regression.patch: Fix updating
+ netlogon credentials in source3/rpc_client/cli_pipe.c (Impored from
+ Ubuntu).
+ * debian/patches/bug9669_regression.patch: fix a crash when running net rpc
+ join against an older Samba PDC in source3/rpc_client/cli_pipe.c (Imported
+ from Ubuntu).
+ * debian/patches/fix_netapp.patch: don't require NTLMSSP_SIGN for smb
+ connections in source3/libsmb/ntlmssp.c (Imported from Ubuntu).
+ * Thanks to Andreas Schneider.
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net> Thu, 26 May 2016 09:37:57 +0200
+
samba (2:3.6.6-6+deb7u9) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru samba-3.6.6/debian/NEWS samba-3.6.6/debian/NEWS
--- samba-3.6.6/debian/NEWS 2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/NEWS 2016-04-29 14:12:50.000000000 +0200
@@ -1,3 +1,76 @@
+samba (2:3.6.6-6+deb7u10) wheezy-security; urgency=high
+
+ This Samba security release addresses both Denial of Service and Man in
+ the Middle vulnerabilities.
+
+ A significant number of patches were back-ported, and in some areas
+ of winbindd the behaviour is now more like Samba 4.2 than 3.6
+
+ This new security patch implements new smb.conf options and a
+ number of stricter behaviours to prevent Man in the Middle attacks
+ on our network services, as a client and as a server.
+
+ Between these changes, compatibility with a large number of older
+ software versions has been lost in the default configuration.
+
+ See the release notes in WHATNEW.txt for more information.
+
+
+ Here are some additional hints how to work around the new stricter default behaviors:
+
+ * As a File Server, compatibility with the Linux Kernel cifs
+ client depends on which configuration options are selected, please
+ use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+ * As a file or printer client and as a domain member, out of the
+ box compatibility with Samba less than 4.0 and other SMB/CIFS
+ servers, depends on support for SMB signing or SMB2 on the
+ server, which is often disabled or absent. You may need to
+ adjust the "client ipc signing" to "no" in these cases.
+
+ However, all of these can be worked around by setting smb.conf
+ options in Samba, see the 4.2.0 and 4.2.11 release notes (because
+ many of the fixes are backported from there) at
+ https://www.samba.org/samba/history/samba-4.2.0.html and
+ https://www.samba.org/samba/history/samba-4.2.11.html and the
+ Samba wiki for details, workarounds and suggested
+ security-improving changes to these and other software packages.
+
+
+ New smb.conf options and defaults:
+
+ * raw NTLMv2 auth = no
+ * allow dcerpc auth level connect = no
+
+
+ Suggested further improvements after patching:
+
+ It is recommended that administrators set these additional options,
+ if compatible with their network environment:
+
+ server signing = mandatory
+ ntlm auth = no
+ client signing = mandatory
+
+ Without "server signing = mandatory", Man in the Middle attacks
+ are still possible against our file server and
+ classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+ Samba's AD DC.) Note that this has heavy impact on the file server
+ performance, so you need to decide between performance and
+ security. These Man in the Middle attacks for smb file servers are
+ well known for decades.
+
+ Without "ntlm auth = no", there may still be clients not using
+ NTLMv2, and these observed passwords may be brute-forced easily using
+ cloud-computing resources or rainbow tables.
+
+ Without "client signing = mandetory" we will not be able to detect
+ a MitM attack between our client tools or winbindd and the server or
+ AD DC. Later verisions of Samba implement additional features
+ to protect these communications. Setting this option may however
+ disable connections to servers that have smb signing disabled (the default,
+ as above).
+
samba (2:3.6.5-2) unstable; urgency=low
NSS modules have been split out from libpam-winbind to
diff -Nru samba-3.6.6/debian/patches/821811-rpc_server-regression.patch samba-3.6.6/debian/patches/821811-rpc_server-regression.patch
--- samba-3.6.6/debian/patches/821811-rpc_server-regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/821811-rpc_server-regression.patch 2016-05-24 15:47:17.000000000 +0200
@@ -0,0 +1,33 @@
+From: Andreas Schneider <asn at samba.org>
+Date: Fri, 15 Apr 2016 09:56:08 +0000 (+0200)
+Subject: s3:rpc_server: Fix a regression verifying the security trailer
+X-Git-Url: https://git.samba.org/?p=asn%2Fsamba.git;a=commitdiff_plain;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb
+
+s3:rpc_server: Fix a regression verifying the security trailer
+
+We do not support header signing so we should not check verify it if a
+client sends the flag.
+
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Guenther Deschner <gd at samba.org>
+---
+
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -1748,7 +1748,6 @@
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct dcerpc_sec_verification_trailer *vt = NULL;
+- const uint32_t bitmask1 = 0;
+ const struct dcerpc_sec_vt_pcontext pcontext = {
+ .abstract_syntax = pipe_fns->syntax,
+ .transfer_syntax = ndr_transfer_syntax,
+@@ -1769,7 +1768,7 @@
+ goto done;
+ }
+
+- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
++ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
+ &pcontext, &header2);
+ done:
+ TALLOC_FREE(frame);
diff -Nru samba-3.6.6/debian/patches/bug9669_regression.patch samba-3.6.6/debian/patches/bug9669_regression.patch
--- samba-3.6.6/debian/patches/bug9669_regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/bug9669_regression.patch 2016-05-26 09:29:18.000000000 +0200
@@ -0,0 +1,35 @@
+From 0abef6992dc342d443137f8a2ac6c01f490cecee Mon Sep 17 00:00:00 2001
+From: Christian Ambach <ambi at samba.org>
+Date: Wed, 20 Feb 2013 16:59:05 +0100
+Subject: [PATCH] s3:rpc_client fix a crash
+
+state->cli->dc does not have to be set (e.g. when running
+net rpc join against an older Samba PDC), so check it before dereferencing it
+
+This fixes Bug 9669 - net rpc join crashes against a Samba 3.0.33 PDC
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=9669
+
+Signed-off-by: Christian Ambach <ambi at samba.org>
+Reviewed-by: Andreas Schneider <asn at samba.org>
+
+Autobuild-User(master): Christian Ambach <ambi at samba.org>
+Autobuild-Date(master): Wed Feb 20 19:00:52 CET 2013 on sn-devel-104
+(cherry picked from commit 3d29bb2d37b02909ecb500e864f3c13e06957a86)
+
+(cherry picked from commit ff658bb36c28c9db91fc80a68725e893ffe300aa)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2273,7 +2273,7 @@
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (state->cli->dc->negotiate_flags &
++ if (state->cli->dc && state->cli->dc->negotiate_flags &
+ NETLOGON_NEG_SUPPORTS_AES) {
+ DEBUG(5, ("AES is not supported and the error was %s\n",
+ nt_errstr(status)));
diff -Nru samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch
--- samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch 2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/patches/CVE-2016-2115-v3-6.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,359 +0,0 @@
-From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze at samba.org>
-Date: Sat, 27 Feb 2016 03:43:58 +0100
-Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Stefan Metzmacher <metze at samba.org>
-Reviewed-by: Ralph Boehme <slow at samba.org>
----
- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
- docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 12 ++++++++++++
- 4 files changed, 39 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
-
-diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
-new file mode 100644
-index 0000000..1897fc6
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="client ipc signing"
-+ context="G"
-+ type="enum"
-+ enumlist="enum_smb_signing_vals"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-+ connections as DCERPC transport inside of winbind. Possible values
-+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
-+ and <emphasis>disabled</emphasis>.
-+ </para>
-+
-+ <para>When set to auto, SMB signing is offered, but not enforced and if set
-+ to disabled, SMB signing is not offered either.</para>
-+
-+ <para>Connections from winbindd to Active Directory Domain Controllers
-+ always enforce signing.</para>
-+</description>
-+
-+<related>client signing</related>
-+
-+<value type="default">mandatory</value>
-+</samba:parameter>
-diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
-index c657e05..189a7ae 100644
---- a/docs-xml/smbdotconf/security/clientsigning.xml
-+++ b/docs-xml/smbdotconf/security/clientsigning.xml
-@@ -12,6 +12,9 @@
- <para>When set to auto, SMB signing is offered, but not enforced.
- When set to mandatory, SMB signing is required and if set
- to disabled, SMB signing is not offered either.
-+
-+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
-+ <smbconfoption name="client ipc signing"/> option.</para>
- </para>
- </description>
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 43008ea..af950aa 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-+int lp_client_ipc_signing(void);
- int lp_server_signing(void);
- int lp_client_ldap_sasl_wrapping(void);
- char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c5249b7..a612e5a3 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -366,6 +366,7 @@ struct global {
- int restrict_anonymous;
- int name_cache_timeout;
- int client_signing;
-+ int client_ipc_signing;
- int server_signing;
- int client_ldap_sasl_wrapping;
- int iUsershareMaxShares;
-@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "client ipc signing",
-+ .type = P_ENUM,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.client_ipc_signing,
-+ .special = NULL,
-+ .enum_list = enum_smb_signing_vals,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "server signing",
- .type = P_ENUM,
- .p_class = P_GLOBAL,
-@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
- Globals.bClientUseSpnego = True;
-
- Globals.client_signing = Auto;
-+ Globals.client_ipc_signing = Required;
- Globals.server_signing = False;
-
- Globals.bDeferSharingViolations = True;
-@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
- FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
- FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
- FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
-+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
- FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
- FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
-
---
-2.8.1
-
-
-From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn at samba.org>
-Date: Tue, 5 Apr 2016 10:46:53 +0200
-Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
- not an smb client
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Pair-Programmed-With: Ralph Boehme <slow at samba.org>
-Signed-off-by: Andreas Schneider <asn at samba.org>
-Signed-off-by: Ralph Boehme <slow at samba.org>
----
- source3/param/loadparm.c | 14 ++++++++++++++
- source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index a612e5a3..c58f860 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
- lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
- }
-
-+ if (!lp_is_in_client()) {
-+ switch (lp_client_ipc_signing()) {
-+ case Required:
-+ lp_set_cmdline("client signing", "mandatory");
-+ break;
-+ case Auto:
-+ lp_set_cmdline("client signing", "auto");
-+ break;
-+ case False:
-+ lp_set_cmdline("client signing", "disabled");
-+ break;
-+ }
-+ }
-+
- init_iconv();
-
- bAllowIncludeRegistry = true;
-diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-index 181a7b5..a0fcf27 100644
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
- "", /* username */
- "", /* domain */
- "", /* password */
-- 0, lp_client_signing());
-+ 0, False);
-
- if ( !NT_STATUS_IS_OK( ret ) ) {
- DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
---
-2.8.1
-
-
-From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow at samba.org>
-Date: Thu, 31 Mar 2016 11:30:03 +0200
-Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
- sealed pipes"
-
-This will be used in the next commit to prevent mitm attacks on on lsa,
-samr and netlogon in winbindd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Ralph Boehme <slow at samba.org>
-Reviewed-by: Stefan Metzmacher <metze at samba.org>
-Reviewed-by: Andreas Schneider <asn at samba.org>
----
- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 12 ++++++++++++
- 3 files changed, 28 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-new file mode 100644
-index 0000000..016ac9b
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -0,0 +1,15 @@
-+<samba:parameter name="winbind sealed pipes"
-+ context="G"
-+ type="boolean"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether any requests from winbindd to domain controllers
-+ pipe will be sealed. Disabling sealing can be useful for debugging
-+ purposes.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index af950aa..ac1540f 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
- int lp_winbind_reconnect_delay(void);
- int lp_winbind_max_clients(void);
- const char **lp_winbind_nss_info(void);
-+bool lp_winbind_sealed_pipes(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c58f860..fdc9407 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -215,6 +215,7 @@ struct global {
- int winbind_expand_groups;
- bool bWinbindRefreshTickets;
- bool bWinbindOfflineLogon;
-+ bool bWinbindSealedPipes;
- bool bWinbindNormalizeNames;
- bool bWinbindRpcOnly;
- bool bCreateKrb5Conf;
-@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "winbind sealed pipes",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.bWinbindSealedPipes,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "winbind normalize names",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
-@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
- Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
- Globals.bWinbindRefreshTickets = False;
- Globals.bWinbindOfflineLogon = False;
-+ Globals.bWinbindSealedPipes = True;
-
- Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
- Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
-@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
- FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
- FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
- FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
-+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
- FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
- FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
- FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
---
-2.8.1
-
-
-From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet at samba.org>
-Date: Fri, 5 Sep 2014 17:00:31 +1200
-Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
- connections by default
-
-The requirement is that we have "winbind sealed pipes = false" and
-"require strong key = false" before we make anonymous connections.
-These are a security risk as we cannot prevent MITM attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
-
-Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-Reviewed-by: Stefan Metzmacher <metze at samba.org>
-(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
----
- source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
- 1 file changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 8271279..50a341e 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- TALLOC_FREE(conn->samr_pipe);
-
- anonymous:
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(status)));
-+ goto done;
-+ }
-
- /* Finally fall back to anonymous. */
- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-
- anonymous:
-
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ goto done;
-+ }
-+
- result = cli_rpc_pipe_open_noauth(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- &conn->lsa_pipe);
-@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
-
- no_schannel:
- if ((lp_client_schannel() == False) ||
-- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ TALLOC_FREE(netlogon_pipe);
-+ invalidate_cm_connection(conn);
-+ return result;
-+ }
- /*
- * NetSamLogonEx only works for schannel
- */
---
-2.8.1
-
diff -Nru samba-3.6.6/debian/patches/fix_netapp.patch samba-3.6.6/debian/patches/fix_netapp.patch
--- samba-3.6.6/debian/patches/fix_netapp.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/fix_netapp.patch 2016-05-26 09:30:49.000000000 +0200
@@ -0,0 +1,33 @@
+Decription: Fix compatibility with NetAPP NAS
+Origin: backport, https://git.samba.org/?p=samba.git;a=commit;h=d97b347d041f9b5c0aa71f35526cbefd56f3500b
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11850
+Bug-Ubuntu: https://bugs.launchpad.net/samba/+bug/1576109
+
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -206,7 +206,11 @@
+ * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
+ */
+ if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++ /*
++ * We don't require this here as some servers (e.g. NetAPP)
++ * doesn't support this.
++ */
++ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ }
+ if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+@@ -231,7 +235,11 @@
+ {
+ /* As per JRA's comment above */
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++ /*
++ * We don't require this here as some servers (e.g. NetAPP)
++ * doesn't support this.
++ */
++ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ }
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff -Nru samba-3.6.6/debian/patches/netlogon_credentials_regression.patch samba-3.6.6/debian/patches/netlogon_credentials_regression.patch
--- samba-3.6.6/debian/patches/netlogon_credentials_regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.6.6/debian/patches/netlogon_credentials_regression.patch 2016-05-26 09:28:33.000000000 +0200
@@ -0,0 +1,55 @@
+From 2d0424e7bb2c30bf9049529b207c73b55370dfc8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Tue, 10 Jan 2012 16:38:16 +0100
+Subject: [PATCH] s3-rpc_client: Fix updating netlogon credentials.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner <gd at samba.org>
+(cherry picked from commit 33206b1e240e55acedad606aed4f1952f7496b35)
+---
+ source3/rpc_client/cli_pipe.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+Index: samba-3.6.25/source3/rpc_client/cli_pipe.c
+===================================================================
+--- samba-3.6.25.orig/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.810453161 -0400
++++ samba-3.6.25/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.806453162 -0400
+@@ -2268,9 +2268,6 @@
+ struct rpc_pipe_bind_state *state =
+ tevent_req_data(req,
+ struct rpc_pipe_bind_state);
+- struct schannel_state *schannel_auth =
+- talloc_get_type_abort(state->cli->auth->auth_ctx,
+- struct schannel_state);
+ NTSTATUS status;
+
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+@@ -2328,8 +2325,8 @@
+ return;
+ }
+
+- TALLOC_FREE(schannel_auth->creds);
+- schannel_auth->creds = talloc_steal(state->cli, state->creds);
++ TALLOC_FREE(state->cli->dc);
++ state->cli->dc = talloc_steal(state->cli, state->creds);
+
+ if (!NT_STATUS_IS_OK(state->r.out.result)) {
+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+@@ -3526,10 +3523,12 @@
+ * The credentials on a new netlogon pipe are the ones we are passed
+ * in - copy them over
+ */
+- result->dc = netlogon_creds_copy(result, *pdc);
+ if (result->dc == NULL) {
+- TALLOC_FREE(result);
+- return NT_STATUS_NO_MEMORY;
++ result->dc = netlogon_creds_copy(result, *pdc);
++ if (result->dc == NULL) {
++ TALLOC_FREE(result);
++ return NT_STATUS_NO_MEMORY;
++ }
+ }
+
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
diff -Nru samba-3.6.6/debian/patches/series samba-3.6.6/debian/patches/series
--- samba-3.6.6/debian/patches/series 2016-04-12 18:34:29.000000000 +0200
+++ samba-3.6.6/debian/patches/series 2016-05-26 09:30:44.000000000 +0200
@@ -44,8 +44,11 @@
CVE-2016-2110-v3-6.patch
CVE-2016-2111-v3-6.patch
CVE-2016-2112-v3-6.patch
-CVE-2016-2115-v3-6.patch
CVE-2016-2118-v3-6.patch
CVE-2015-5370-v3-6.patch
0001-pidl-Add-skip-option-to-elements.patch
0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch
+821811-rpc_server-regression.patch
+netlogon_credentials_regression.patch
+bug9669_regression.patch
+fix_netapp.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20160526/cf2e853d/attachment-0005.sig>
More information about the Pkg-samba-maint
mailing list