s4:rpc_server/netlogon: fix dcesrv_netr_ServerPasswordSet[2] for ServerAuthenticateKe...

author Stefan Metzmacher <metze@samba.org>

Tue, 26 Nov 2024 10:10:16 +0000 (11:10 +0100)

committer Andreas Schneider <asn@cryptomilk.org>

Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
author Stefan Metzmacher <metze@samba.org>
Tue, 26 Nov 2024 10:10:16 +0000 (11:10 +0100)
committer Andreas Schneider <asn@cryptomilk.org>
Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
diff --git a/selftest/knownfail.d/samba.tests.krb5.netlogon b/selftest/knownfail.d/samba.tests.krb5.netlogon

index 2f64171e5e2466fb990eb2f668677ebd78781bb9..a59934805b4b101a4023da067bf15b0e76aa42d3 100644 (file)
--- a/selftest/knownfail.d/samba.tests.krb5.netlogon
+++ b/selftest/knownfail.d/samba.tests.krb5.netlogon
@@ -1,6 +1,4 @@
  # This is not implemented yet
  ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_ticket_samlogon
  # These will be fixed in the next commits
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_.*_auth3_e13fffff
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_.*_authK
  ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_samlogon_.*_authK
diff --git a/selftest/knownfail.d/samba4.rpc.netlogon.netlogon.SetPassword2 b/selftest/knownfail.d/samba4.rpc.netlogon.netlogon.SetPassword2

deleted file mode 100644 (file)

index 43211a6..0000000
--- a/selftest/knownfail.d/samba4.rpc.netlogon.netlogon.SetPassword2
+++ /dev/null
@@ -1,4 +0,0 @@
-# The ad_dc_ntvfs allows negotiating des crypto
-# it means ServerPasswordSet2 don't use crypto at all
-# We'll adjust the server in the next commits
-^samba4.rpc.netlogon.*.netlogon.SetPassword2.*.ad_dc_ntvfs
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c

index 91f7a655d9e19cc5d86138795c599694fa4ca4d0..0c36ad6be2085dfbd8e57bfb1f186f34f938892c 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1101,6 +1101,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call
                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
         }
  
+       if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
         nt_status = netlogon_creds_decrypt_samr_Password(creds,
                                                          r->in.new_password,
                                                          auth_type,
@@ -1190,24 +1194,46 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
  
         if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) {
                 DEBUG(3,("samr: failed to decode password buffer\n"));
-               return NT_STATUS_WRONG_PASSWORD;
+               return NT_STATUS_ACCESS_DENIED;
         }
  
         /*
-        * Make sure the length field was encrypted,
-        * otherwise we are under attack.
+        * We don't allow empty passwords for machine accounts.
          */
-       if (new_password.length == r->in.new_password->length) {
-               DBG_WARNING("Length[%zu] field not encrypted\n",
+       if (new_password.length < 2) {
+               DBG_WARNING("Empty password Length[%zu]\n",
                             new_password.length);
                 return NT_STATUS_WRONG_PASSWORD;
         }
  
+       if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               /*
+                * netlogon_creds_decrypt_samr_CryptPassword
+                * already checked for DCERPC_AUTH_LEVEL_PRIVACY
+                */
+               goto checked_encryption;
+       } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               /*
+                * check it's encrypted
+                */
+       } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               /*
+                * check it's encrypted
+                */
+       } else {
+               /*
+                * netlogon_creds_decrypt_samr_CryptPassword
+                * already checked for DCERPC_AUTH_LEVEL_PRIVACY
+                */
+               goto checked_encryption;
+       }
+
         /*
-        * We don't allow empty passwords for machine accounts.
+        * Make sure the length field was encrypted,
+        * otherwise we are under attack.
          */
-       if (new_password.length < 2) {
-               DBG_WARNING("Empty password Length[%zu]\n",
+       if (new_password.length == r->in.new_password->length) {
+               DBG_WARNING("Length[%zu] field not encrypted\n",
                             new_password.length);
                 return NT_STATUS_WRONG_PASSWORD;
         }
@@ -1239,6 +1265,8 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
                 return NT_STATUS_WRONG_PASSWORD;
         }
  
+checked_encryption:
+
         /*
          * don't allow zero buffers
          */
author	Stefan Metzmacher <metze@samba.org>
	Tue, 26 Nov 2024 10:10:16 +0000 (11:10 +0100)
committer	Andreas Schneider <asn@cryptomilk.org>
	Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
selftest/knownfail.d/samba.tests.krb5.netlogon		patch \| blob \| blame \| history
selftest/knownfail.d/samba4.rpc.netlogon.netlogon.SetPassword2	[deleted file]	patch \| blob \| blame \| history
source4/rpc_server/netlogon/dcerpc_netlogon.c		patch \| blob \| blame \| history