CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_int...

Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 2906fa3f30f9b790f96442fc5f1fe5c17a116ae2..cf40825179c8760285d0fb4bc76c9481b83ec038 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -28,6 +28,7 @@
 #include "system/passwd.h" /* uid_wrapper */
 #include "ntdomain.h"
 #include "../libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_netlogon_scompat.h"
 #include "librpc/gen_ndr/ndr_samr_c.h"
@@ -1047,7 +1048,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
        enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
        uint16_t opnum = p->opnum;
        const char *opname = "<unknown>";
-       static bool warned_global_once = false;
 
        if (creds_out != NULL) {
                *creds_out = NULL;
@@ -1109,16 +1109,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (!schannel_global_required && !warned_global_once) {
-               /*
-                * We want admins to notice their misconfiguration!
-                */
-               DBG_ERR("CVE-2020-1472(ZeroLogon): "
-                       "Please configure 'server schannel = yes', "
-                       "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
-               warned_global_once = true;
-       }
-
        if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
                DBG_ERR("CVE-2020-1472(ZeroLogon): "
                        "%s request (opnum[%u]) WITH schannel from "
@@ -2946,5 +2936,33 @@ NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
+/*
+ * Define the bind function that will be used by ndr_netlogon_scompat.c,
+ * included at the bottom of this file.
+ */
+#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
+       dcesrv_interface_netlogon_bind(context, iface)
+
+static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
+                                              const struct dcesrv_interface *iface)
+{
+       struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+       int schannel = lpcfg_server_schannel(lp_ctx);
+       bool schannel_global_required = (schannel == true);
+       static bool warned_global_schannel_once = false;
+
+       if (!schannel_global_required && !warned_global_schannel_once) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               D_ERR("CVE-2020-1472(ZeroLogon): "
+                     "Please configure 'server schannel = yes' (the default), "
+                     "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+               warned_global_schannel_once = true;
+       }
+
+       return NT_STATUS_OK;
+}
+
 /* include the generated boilerplate */
 #include "librpc/gen_ndr/ndr_netlogon_scompat.c"