From: Stefan Metzmacher Date: Wed, 30 Nov 2022 13:59:36 +0000 (+0100) Subject: CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and... X-Git-Tag: samba-4.15.13~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1cb8950583c12eaa5cbe907d0b16923f7187541;p=thirdparty%2Fsamba.git CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" This avoids advising insecure defaults for the global options. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef) --- diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 0c4a3cc3593..ff5dc22f52c 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2447,6 +2447,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, bool retry = false; /* allow one retry attempt for expired session */ const char *remote_name = NULL; const struct sockaddr_storage *remote_sockaddr = NULL; + bool sealed_pipes = true; + bool strong_key = true; if (sid_check_is_our_sam(&domain->sid)) { if (domain->rodc == false || need_rw_dc == false) { @@ -2626,14 +2628,24 @@ retry: anonymous: + sealed_pipes = lp_winbind_sealed_pipes(); + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", + domain->name, + sealed_pipes); + strong_key = lp_require_strong_key(); + strong_key = lp_parm_bool(-1, "require strong key", + domain->name, + strong_key); + /* Finally fall back to anonymous. */ - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + if (sealed_pipes || strong_key) { status = NT_STATUS_DOWNGRADE_DETECTED; DEBUG(1, ("Unwilling to make SAMR connection to domain %s " "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", - domain->name, nt_errstr(status))); + "must set 'winbind sealed pipes:%s = false' and " + "'require strong key:%s = false' to proceed: %s\n", + domain->name, domain->name, domain->name, + nt_errstr(status))); goto done; } status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, @@ -2790,6 +2802,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, bool retry = false; /* allow one retry attempt for expired session */ const char *remote_name = NULL; const struct sockaddr_storage *remote_sockaddr = NULL; + bool sealed_pipes = true; + bool strong_key = true; retry: result = init_dc_connection_rpc(domain, false); @@ -2951,13 +2965,24 @@ retry: goto done; } - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + sealed_pipes = lp_winbind_sealed_pipes(); + sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", + domain->name, + sealed_pipes); + strong_key = lp_require_strong_key(); + strong_key = lp_parm_bool(-1, "require strong key", + domain->name, + strong_key); + + /* Finally fall back to anonymous. */ + if (sealed_pipes || strong_key) { result = NT_STATUS_DOWNGRADE_DETECTED; DEBUG(1, ("Unwilling to make LSA connection to domain %s " "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", - domain->name, nt_errstr(result))); + "must set 'winbind sealed pipes:%s = false' and " + "'require strong key:%s = false' to proceed: %s\n", + domain->name, domain->name, domain->name, + nt_errstr(result))); goto done; }