CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"

We sadly need to allow this for now by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
new file mode 100644 (file)
index 0000000..27a9733
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="allow dcerpc auth level connect"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This option controls whether DCERPC services are allowed to
+       be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+       but no per message integrity nor privacy protection.</para>
+
+       <para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of
+       <constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of
+       <constant>yes</constant>.
+       </para>
+
+       <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+       winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
+
+       <para>This option yields precedence to the implementation specific restrictions.
+       E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+       The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+       </para>
+
+       <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
+</description>
+
+<value type="default">yes</value>
+<value type="example">no</value>
+
+</samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 8c2a3714801f4081fa3429bc4620c4c06b03e214..fca1fe86a28aeb4395dce41972c1795f069e4666 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2514,6 +2514,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
        lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
+       lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "True");
+
        lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
 
        lpcfg_do_global_parameter(lp_ctx, "PreferredMaster", "Auto");

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index cfbc196bcbe22e40e4e1bab412eb0055cb8c0822..0ec8c971b7b3351a7ef5a4b31f2c9191e8ac05cd 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -667,6 +667,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
        /* Note, that we will also use NTLM2 session security (which is different), if it is available */
 
+       Globals.allow_dcerpc_auth_level_connect = true; /* we need to allow this for now by default */
+
        Globals.map_to_guest = 0;       /* By Default, "Never" */
        Globals.oplock_break_wait_time = 0;     /* By Default, 0 msecs. */
        Globals.enhanced_browsing = true;