[ipfire-2.x.git] / src / patches / samba / CVE-2016-2115-v3-6.patch

From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
 docs-xml/smbdotconf/security/clientsigning.xml    |  3 +++
 source3/include/proto.h                           |  1 +
 source3/param/loadparm.c                          | 12 ++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml

diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
new file mode 100644
index 0000000..1897fc6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_smb_signing_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+    connections as DCERPC transport inside of winbind. Possible values
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+    and <emphasis>disabled</emphasis>.
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced and if set
+    to disabled, SMB signing is not offered either.</para>
+
+    <para>Connections from winbindd to Active Directory Domain Controllers
+    always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
index c657e05..189a7ae 100644
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
     <para>When set to auto, SMB signing is offered, but not enforced. 
     When set to mandatory, SMB signing is required and if set 
 	to disabled, SMB signing is not offered either.
+
+    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+    <smbconfoption name="client ipc signing"/> option.</para>
 </para>
 </description>
 
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 43008ea..af950aa 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
 int lp_algorithmic_rid_base(void);
 int lp_name_cache_timeout(void);
 int lp_client_signing(void);
+int lp_client_ipc_signing(void);
 int lp_server_signing(void);
 int lp_client_ldap_sasl_wrapping(void);
 char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c5249b7..a612e5a3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -366,6 +366,7 @@ struct global {
 	int restrict_anonymous;
 	int name_cache_timeout;
 	int client_signing;
+	int client_ipc_signing;
 	int server_signing;
 	int client_ldap_sasl_wrapping;
 	int iUsershareMaxShares;
@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
+		.label		= "client ipc signing",
+		.type		= P_ENUM,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.client_ipc_signing,
+		.special	= NULL,
+		.enum_list	= enum_smb_signing_vals,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "server signing",
 		.type		= P_ENUM,
 		.p_class	= P_GLOBAL,
@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
 	Globals.bClientUseSpnego = True;
 
 	Globals.client_signing = Auto;
+	Globals.client_ipc_signing = Required;
 	Globals.server_signing = False;
 
 	Globals.bDeferSharingViolations = True;
@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
 FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
 FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
 FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
 FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
 FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
 
-- 
2.8.1


From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 5 Apr 2016 10:46:53 +0200
Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
 not an smb client

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
---
 source3/param/loadparm.c                    | 14 ++++++++++++++
 source3/rpc_server/spoolss/srv_spoolss_nt.c |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a612e5a3..c58f860 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
 		lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
 	}
 
+	if (!lp_is_in_client()) {
+		switch (lp_client_ipc_signing()) {
+		case Required:
+			lp_set_cmdline("client signing", "mandatory");
+			break;
+		case Auto:
+			lp_set_cmdline("client signing", "auto");
+			break;
+		case False:
+			lp_set_cmdline("client signing", "disabled");
+			break;
+		}
+	}
+
 	init_iconv();
 
 	bAllowIncludeRegistry = true;
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 181a7b5..a0fcf27 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
 		"", /* username */
 		"", /* domain */
 		"", /* password */
-		0, lp_client_signing());
+		0, False);
 
 	if ( !NT_STATUS_IS_OK( ret ) ) {
 		DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
-- 
2.8.1


From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 31 Mar 2016 11:30:03 +0200
Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
 sealed pipes"

This will be used in the next commit to prevent mitm attacks on on lsa,
samr and netlogon in winbindd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
 source3/include/proto.h                            |  1 +
 source3/param/loadparm.c                           | 12 ++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml

diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
new file mode 100644
index 0000000..016ac9b
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether any requests from winbindd to domain controllers
+		pipe will be sealed. Disabling sealing can be useful for debugging
+		purposes.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/source3/include/proto.h b/source3/include/proto.h
index af950aa..ac1540f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
 int lp_winbind_reconnect_delay(void);
 int lp_winbind_max_clients(void);
 const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
 int lp_algorithmic_rid_base(void);
 int lp_name_cache_timeout(void);
 int lp_client_signing(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c58f860..fdc9407 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
 	int  winbind_expand_groups;
 	bool bWinbindRefreshTickets;
 	bool bWinbindOfflineLogon;
+	bool bWinbindSealedPipes;
 	bool bWinbindNormalizeNames;
 	bool bWinbindRpcOnly;
 	bool bCreateKrb5Conf;
@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
+		.label		= "winbind sealed pipes",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.bWinbindSealedPipes,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "winbind normalize names",
 		.type		= P_BOOL,
 		.p_class	= P_GLOBAL,
@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
 	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
 	Globals.bWinbindRefreshTickets = False;
 	Globals.bWinbindOfflineLogon = False;
+	Globals.bWinbindSealedPipes = True;
 
 	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
 	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
 FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
 FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
 FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
-- 
2.8.1


From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 5 Sep 2014 17:00:31 +1200
Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
 connections by default

The requirement is that we have "winbind sealed pipes = false" and
"require strong key = false" before we make anonymous connections.
These are a security risk as we cannot prevent MITM attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
---
 source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 8271279..50a341e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	TALLOC_FREE(conn->samr_pipe);
 
  anonymous:
+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+		status = NT_STATUS_DOWNGRADE_DETECTED;
+		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+			  "without connection level security, "
+			  "must set 'winbind sealed pipes = false' "
+			  "to proceed: %s\n",
+			  domain->name, nt_errstr(status)));
+		goto done;
+	}
 
 	/* Finally fall back to anonymous. */
 	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
  anonymous:
 
+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+		result = NT_STATUS_DOWNGRADE_DETECTED;
+		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+			  "without connection level security, "
+			  "must set 'winbind sealed pipes = false' "
+			  "to proceed: %s\n",
+			  domain->name, nt_errstr(result)));
+		goto done;
+	}
+
 	result = cli_rpc_pipe_open_noauth(conn->cli,
 					  &ndr_table_lsarpc.syntax_id,
 					  &conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
  no_schannel:
 	if ((lp_client_schannel() == False) ||
-			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+			result = NT_STATUS_DOWNGRADE_DETECTED;
+			DEBUG(1, ("Unwilling to make connection to domain %s "
+				  "without connection level security, "
+				  "must set 'winbind sealed pipes = false' "
+				  "to proceed: %s\n",
+				  domain->name, nt_errstr(result)));
+			TALLOC_FREE(netlogon_pipe);
+			invalidate_cm_connection(conn);
+			return result;
+		}
 		/*
 		 * NetSamLogonEx only works for schannel
 		 */
-- 
2.8.1
Commit	Line	Data
77ecb239 AF	1	From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
	2	From: Stefan Metzmacher <metze@samba.org>
	3	Date: Sat, 27 Feb 2016 03:43:58 +0100
	4	Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
	5
	6	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
	7
	8	Signed-off-by: Stefan Metzmacher <metze@samba.org>
	9	Reviewed-by: Ralph Boehme <slow@samba.org>
	10	---
	11	docs-xml/smbdotconf/security/clientipcsigning.xml \| 23 +++++++++++++++++++++++
	12	docs-xml/smbdotconf/security/clientsigning.xml \| 3 +++
	13	source3/include/proto.h \| 1 +
	14	source3/param/loadparm.c \| 12 ++++++++++++
	15	4 files changed, 39 insertions(+)
	16	create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
	17
	18	diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
	19	new file mode 100644
	20	index 0000000..1897fc6
	21	--- /dev/null
	22	+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
	23	@@ -0,0 +1,23 @@
	24	+<samba:parameter name="client ipc signing"
	25	+ context="G"
	26	+ type="enum"
	27	+ enumlist="enum_smb_signing_vals"
	28	+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
	29	+<description>
	30	+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
	31	+ connections as DCERPC transport inside of winbind. Possible values
	32	+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
	33	+ and <emphasis>disabled</emphasis>.
	34	+ </para>
	35	+
	36	+ <para>When set to auto, SMB signing is offered, but not enforced and if set
	37	+ to disabled, SMB signing is not offered either.</para>
	38	+
	39	+ <para>Connections from winbindd to Active Directory Domain Controllers
	40	+ always enforce signing.</para>
	41	+</description>
	42	+
	43	+<related>client signing</related>
	44	+
	45	+<value type="default">mandatory</value>
	46	+</samba:parameter>
	47	diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
	48	index c657e05..189a7ae 100644
	49	--- a/docs-xml/smbdotconf/security/clientsigning.xml
	50	+++ b/docs-xml/smbdotconf/security/clientsigning.xml
	51	@@ -12,6 +12,9 @@
	52	<para>When set to auto, SMB signing is offered, but not enforced.
	53	When set to mandatory, SMB signing is required and if set
	54	to disabled, SMB signing is not offered either.
	55	+
	56	+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
	57	+ <smbconfoption name="client ipc signing"/> option.</para>
	58	</para>
	59	</description>
	60
	61	diff --git a/source3/include/proto.h b/source3/include/proto.h
	62	index 43008ea..af950aa 100644
	63	--- a/source3/include/proto.h
	64	+++ b/source3/include/proto.h
65	@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
66	int lp_algorithmic_rid_base(void);
67	int lp_name_cache_timeout(void);
68	int lp_client_signing(void);
69	+int lp_client_ipc_signing(void);
70	int lp_server_signing(void);
71	int lp_client_ldap_sasl_wrapping(void);
72	char lp_parm_talloc_string(int snum, const char type, const char option, const char def);
73	diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
74	index c5249b7..a612e5a3 100644
75	--- a/source3/param/loadparm.c
76	+++ b/source3/param/loadparm.c
77	@@ -366,6 +366,7 @@ struct global {
78	int restrict_anonymous;
79	int name_cache_timeout;
80	int client_signing;
81	+ int client_ipc_signing;
82	int server_signing;
83	int client_ldap_sasl_wrapping;
84	int iUsershareMaxShares;
85	@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
86	.flags = FLAG_ADVANCED,
87	},
88	{
89	+ .label = "client ipc signing",
90	+ .type = P_ENUM,
91	+ .p_class = P_GLOBAL,
92	+ .ptr = &Globals.client_ipc_signing,
93	+ .special = NULL,
94	+ .enum_list = enum_smb_signing_vals,
95	+ .flags = FLAG_ADVANCED,
96	+ },
97	+ {
98	.label = "server signing",
99	.type = P_ENUM,
100	.p_class = P_GLOBAL,
101	@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
102	Globals.bClientUseSpnego = True;
103
104	Globals.client_signing = Auto;
105	+ Globals.client_ipc_signing = Required;
106	Globals.server_signing = False;
107
108	Globals.bDeferSharingViolations = True;
109	@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
110	FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
111	FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
112	FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
113	+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
114	FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
115	FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
116
117	--
118	2.8.1
119
120
121	From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
122	From: Andreas Schneider <asn@samba.org>
123	Date: Tue, 5 Apr 2016 10:46:53 +0200
124	Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
125	not an smb client
126
127	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
128
129	Pair-Programmed-With: Ralph Boehme <slow@samba.org>
130	Signed-off-by: Andreas Schneider <asn@samba.org>
131	Signed-off-by: Ralph Boehme <slow@samba.org>
132	---
133	source3/param/loadparm.c \| 14 ++++++++++++++
134	source3/rpc_server/spoolss/srv_spoolss_nt.c \| 2 +-
135	2 files changed, 15 insertions(+), 1 deletion(-)
136
137	diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
138	index a612e5a3..c58f860 100644
139	--- a/source3/param/loadparm.c
140	+++ b/source3/param/loadparm.c
141	@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
142	lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
143	}
144
145	+ if (!lp_is_in_client()) {
146	+ switch (lp_client_ipc_signing()) {
147	+ case Required:
148	+ lp_set_cmdline("client signing", "mandatory");
149	+ break;
150	+ case Auto:
151	+ lp_set_cmdline("client signing", "auto");
152	+ break;
153	+ case False:
154	+ lp_set_cmdline("client signing", "disabled");
155	+ break;
156	+ }
157	+ }
158	+
159	init_iconv();
160
161	bAllowIncludeRegistry = true;
162	diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
163	index 181a7b5..a0fcf27 100644
164	--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
165	+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
166	@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
167	"", /* username */
168	"", /* domain */
169	"", /* password */
170	- 0, lp_client_signing());
171	+ 0, False);
172
173	if ( !NT_STATUS_IS_OK( ret ) ) {
174	DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
175	--
176	2.8.1
177
178
179	From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
180	From: Ralph Boehme <slow@samba.org>
181	Date: Thu, 31 Mar 2016 11:30:03 +0200
182	Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
183	sealed pipes"
184
185	This will be used in the next commit to prevent mitm attacks on on lsa,
186	samr and netlogon in winbindd.
187
188	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
189
190	Signed-off-by: Ralph Boehme <slow@samba.org>
191	Reviewed-by: Stefan Metzmacher <metze@samba.org>
192	Reviewed-by: Andreas Schneider <asn@samba.org>
193	---
194	docs-xml/smbdotconf/winbind/winbindsealedpipes.xml \| 15 +++++++++++++++
195	source3/include/proto.h \| 1 +
196	source3/param/loadparm.c \| 12 ++++++++++++
197	3 files changed, 28 insertions(+)
198	create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
199
200	diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
201	new file mode 100644
202	index 0000000..016ac9b
203	--- /dev/null
204	+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
205	@@ -0,0 +1,15 @@
206	+<samba:parameter name="winbind sealed pipes"
207	+ context="G"
208	+ type="boolean"
209	+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
210	+<description>
211	+ <para>This option controls whether any requests from winbindd to domain controllers
212	+ pipe will be sealed. Disabling sealing can be useful for debugging
213	+ purposes.</para>
214	+
215	+ <para>The behavior can be controlled per netbios domain
216	+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
217	+</description>
218	+
219	+<value type="default">yes</value>
220	+</samba:parameter>
221	diff --git a/source3/include/proto.h b/source3/include/proto.h
222	index af950aa..ac1540f 100644
223	--- a/source3/include/proto.h
224	+++ b/source3/include/proto.h
225	@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
226	int lp_winbind_reconnect_delay(void);
227	int lp_winbind_max_clients(void);
228	const char **lp_winbind_nss_info(void);
229	+bool lp_winbind_sealed_pipes(void);
230	int lp_algorithmic_rid_base(void);
231	int lp_name_cache_timeout(void);
232	int lp_client_signing(void);
233	diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
234	index c58f860..fdc9407 100644
235	--- a/source3/param/loadparm.c
236	+++ b/source3/param/loadparm.c
237	@@ -215,6 +215,7 @@ struct global {
238	int winbind_expand_groups;
239	bool bWinbindRefreshTickets;
240	bool bWinbindOfflineLogon;
241	+ bool bWinbindSealedPipes;
242	bool bWinbindNormalizeNames;
243	bool bWinbindRpcOnly;
244	bool bCreateKrb5Conf;
245	@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
246	.flags = FLAG_ADVANCED,
247	},
248	{
249	+ .label = "winbind sealed pipes",
250	+ .type = P_BOOL,
251	+ .p_class = P_GLOBAL,
252	+ .ptr = &Globals.bWinbindSealedPipes,
253	+ .special = NULL,
254	+ .enum_list = NULL,
255	+ .flags = FLAG_ADVANCED,
256	+ },
257	+ {
258	.label = "winbind normalize names",
259	.type = P_BOOL,
260	.p_class = P_GLOBAL,
261	@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
262	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
263	Globals.bWinbindRefreshTickets = False;
264	Globals.bWinbindOfflineLogon = False;
265	+ Globals.bWinbindSealedPipes = True;
266
267	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
268	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
269	@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
270	FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
271	FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
272	FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
273	+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
274	FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
275	FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
276	FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
277	--
278	2.8.1
279
280
281	From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
282	From: Andrew Bartlett <abartlet@samba.org>
283	Date: Fri, 5 Sep 2014 17:00:31 +1200
284	Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
285	connections by default
286
287	The requirement is that we have "winbind sealed pipes = false" and
288	"require strong key = false" before we make anonymous connections.
289	These are a security risk as we cannot prevent MITM attacks.
290
291	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
292
293	Signed-off-by: Andrew Bartlett <abartlet@samba.org>
294	Reviewed-by: Stefan Metzmacher <metze@samba.org>
295	(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
296	---
297	source3/winbindd/winbindd_cm.c \| 32 +++++++++++++++++++++++++++++++-
298	1 file changed, 31 insertions(+), 1 deletion(-)
299
300	diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
301	index 8271279..50a341e 100644
302	--- a/source3/winbindd/winbindd_cm.c
303	+++ b/source3/winbindd/winbindd_cm.c
304	@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
305	TALLOC_FREE(conn->samr_pipe);
306
307	anonymous:
308	+ if (lp_winbind_sealed_pipes() && (IS_DC \|\| domain->primary)) {
309	+ status = NT_STATUS_DOWNGRADE_DETECTED;
310	+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
311	+ "without connection level security, "
312	+ "must set 'winbind sealed pipes = false' "
313	+ "to proceed: %s\n",
314	+ domain->name, nt_errstr(status)));
315	+ goto done;
316	+ }
317
318	/* Finally fall back to anonymous. */
319	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
320	@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
321
322	anonymous:
323
324	+ if (lp_winbind_sealed_pipes() && (IS_DC \|\| domain->primary)) {
325	+ result = NT_STATUS_DOWNGRADE_DETECTED;
326	+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
327	+ "without connection level security, "
328	+ "must set 'winbind sealed pipes = false' "
329	+ "to proceed: %s\n",
330	+ domain->name, nt_errstr(result)));
331	+ goto done;
332	+ }
333	+
334	result = cli_rpc_pipe_open_noauth(conn->cli,
335	&ndr_table_lsarpc.syntax_id,
336	&conn->lsa_pipe);
337	@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
338
339	no_schannel:
340	if ((lp_client_schannel() == False) \|\|
341	- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
342	+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
343	+ if (lp_winbind_sealed_pipes() && (IS_DC \|\| domain->primary)) {
344	+ result = NT_STATUS_DOWNGRADE_DETECTED;
345	+ DEBUG(1, ("Unwilling to make connection to domain %s "
346	+ "without connection level security, "
347	+ "must set 'winbind sealed pipes = false' "
348	+ "to proceed: %s\n",
349	+ domain->name, nt_errstr(result)));
350	+ TALLOC_FREE(netlogon_pipe);
351	+ invalidate_cm_connection(conn);
352	+ return result;
353	+ }
354	/*
355	* NetSamLogonEx only works for schannel
356	*/
357	--
358	2.8.1
359