openwrtv4/package/network/services/samba36/patches/250-remove_domain_logon.patch
Hauke Mehrtens 1414f1647d samba: fix some security problems
This fixes the following security problems:
* CVE-2015-7560
* CVE-2015-5370
* CVE-2016-2110
* CVE-2016-2111
* CVE-2016-2112
* CVE-2016-2115
* CVE-2016-2118

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49175
2016-04-16 20:06:34 +00:00

213 lines
5.6 KiB
Diff

--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
return true;
}
+#endif
static bool spoolss_init_cb(void *ptr)
{
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
netlogon_cb.shutdown = NULL;
netlogon_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
return false;
}
+#endif
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server",
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
return false;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
rpc_winreg_shutdown();
#endif
+#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
+#endif
rpc_samr_shutdown();
rpc_lsarpc_shutdown();
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
i++;
#endif
+#ifdef NETLOGON_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#endif
#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
NTSTATUS status;
const char *pdc_name;
+#ifndef NETLOGON_SUPPORT
+ return;
+#endif
+
in_addr_to_sockaddr_storage(&ss, p->ip);
pss = iface_ip((struct sockaddr *)&ss);
if (!pss) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
+#ifdef NETLOGON_SUPPORT
netlogon_commands,
+#endif
srvsvc_commands,
#ifdef DFS_SUPPORT
dfs_commands,
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
}
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
NTSTATUS nt_status;
switch (sec_channel_type) {
+#ifdef NETLOGON_SUPPORT
case SEC_CHAN_WKSTA:
case SEC_CHAN_DOMAIN:
break;
+#endif
default:
return NT_STATUS_NOT_SUPPORTED;
}
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
*num_domains = 0;
*sids = NULL;
+#ifndef NETLOGON_SUPPORT
+ return False;
+#endif
+
+
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+#ifndef NETLOGON_SUPPORT
+ return NT_STATUS_UNSUCCESSFUL;
+#endif
+
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
domain));
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
NTSTATUS auth_domain_init(void)
{
+#ifdef NETLOGON_SUPPORT
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
+#endif
return NT_STATUS_OK;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
+#ifdef NETLOGON_SUPPORT
/* Change machine password if neccessary. */
attempt_machine_password_change();
+#endif
/*
* Force a log file check.
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
/*
* for the epmapper and echo interfaces we allow "connect"
* auth_level by default.
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
struct schannel_state);
struct tevent_req *subreq;
+#ifndef NETLOGON_SUPPORT
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+#endif
if (schannel_auth == NULL ||
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
&ndr_table_netlogon.syntax_id)) {