From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 15 Dec 2015 14:49:36 +0100 Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY ncacn_ip_tcp:server should get the same protection as ncacn_np:server if authentication and smb signing is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher (cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98) --- source3/rpcclient/rpcclient.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 949e14c..81c5f42 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -1062,10 +1062,9 @@ out_free: } } if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) { - /* If neither Integrity or Privacy are requested then - * Use just Connect level */ + /* If nothing is requested then default to integrity */ if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) { - pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT; + pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; } } -- 2.8.1 From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 11 Mar 2016 16:02:25 +0100 Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds ncacn_ip_tcp:server should get the same protection as ncacn_np:server if authentication and smb signing is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher (cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f) --- source4/librpc/rpc/dcerpc_util.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 2cd9499..a6d0df5 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, /* Perform an authenticated DCE-RPC bind */ - if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) { + if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) { /* we are doing an authenticated connection, - but not using sign or seal. We must force - the CONNECT dcerpc auth type as a NONE auth - type doesn't allow authentication - information to be passed. + which needs to use [connect], [sign] or [seal]. + If nothing is specified, we default to [sign] now. + This give roughly the same protection as + ncacn_np with smb signing. */ - conn->flags |= DCERPC_CONNECT; + conn->flags |= DCERPC_SIGN; } if (s->binding->flags & DCERPC_AUTH_SPNEGO) { -- 2.8.1 From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 10 Mar 2016 17:03:59 +0100 Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We sadly need to allow this for now by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner (backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2) --- .../security/allowdcerpcauthlevelconnect.xml | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml new file mode 100644 index 0000000..5552112 --- /dev/null +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -0,0 +1,24 @@ + + + This option controls whether DCERPC services are allowed to + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, + but no per message integrity nor privacy protection. + + The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option. + + This option yields precedence to the implentation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + While others like samr and lsarpc have a hardcoded default of no. + + + Note the default will very likely change to no for Samba 4.5. + + +yes +no + + -- 2.8.1 From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 18 Mar 2016 08:45:11 +0100 Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level connect" defaulting to "yes" BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd) (cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc) Signed-off-by: Aurelien Aptel --- source3/include/proto.h | 1 + source3/param/loadparm.c | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/source3/include/proto.h b/source3/include/proto.h index ac1540f..2ed6547 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void); void lp_set_passdb_backend(const char *backend); void widelinks_warning(int snum); char *lp_ncalrpc_dir(void); +bool lp_allow_dcerpc_auth_level_connect(void); /* The following definitions come from param/loadparm_server_role.c */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index fdc9407..87d33c5 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -355,6 +355,7 @@ struct global { bool bUseMmap; bool bHostnameLookups; bool bUnixExtensions; + bool bAllowDcerpcAuthLevelConnect; bool bDisableNetbios; char * szDedicatedKeytabFile; int iKerberosMethod; @@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED, }, { + .label = "allow dcerpc auth level connect", + .type = P_BOOL, + .p_class = P_GLOBAL, + .ptr = &Globals.bAllowDcerpcAuthLevelConnect, + .special = NULL, + .enum_list = NULL, + .flags = FLAG_ADVANCED, + }, + { .label = "use spnego", .type = P_BOOL, .p_class = P_GLOBAL, @@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals) Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ + Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */ + Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ Globals.enhanced_browsing = true; @@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime) FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript) +FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect) FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook) FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir) FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell) -- 2.8.1 From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 18 Mar 2016 04:40:30 +0100 Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY}, this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED. We sadly need to keep this enabled by default for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Pair-Programmed-With: Günther Deschner Signed-off-by: Stefan Metzmacher Signed-off-by: Günther Deschner (cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c) (cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3) Signed-off-by: Aurelien Aptel --- source3/include/ntdomain.h | 4 ++++ source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 52 insertions(+), 1 deletion(-) diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index 2fbeabc..650f1d0 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns { uint32 context_id; struct ndr_syntax_id syntax; + /* + * shall we allow "connect" auth level for this interface ? + */ + bool allow_connect; } PIPE_RPC_FNS; /* diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index d659705..c462dcf 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p, uint32 context_id) { struct pipe_rpc_fns *context_fns; + const char *interface_name = NULL; DEBUG(3,("check_bind_req for %s\n", get_pipe_name_from_syntax(talloc_tos(), abstract))); @@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p, return False; } + interface_name = get_pipe_name_from_syntax(talloc_tos(), + abstract); + + SMB_ASSERT(interface_name != NULL); + context_fns->next = context_fns->prev = NULL; context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract); context_fns->cmds = rpc_srv_get_pipe_cmds(abstract); context_fns->context_id = context_id; context_fns->syntax = *abstract; + context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect(); + /* + * every interface can be modified to allow "connect" auth_level by + * using a parametric option like: + * allow dcerpc auth level connect: + * e.g. + * allow dcerpc auth level connect:samr = yes + */ + context_fns->allow_connect = lp_parm_bool(-1, + "allow dcerpc auth level connect", + interface_name, context_fns->allow_connect); + /* add to the list of open contexts */ DLIST_ADD( p->contexts, context_fns ); @@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p, TALLOC_CTX *frame = talloc_stackframe(); bool ret = False; PIPE_RPC_FNS *pipe_fns; + const char *interface_name = NULL; if (!p->pipe_bound) { DEBUG(1, ("Pipe not bound!\n")); @@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p, return false; } + interface_name = get_pipe_name_from_syntax(talloc_tos(), + &pipe_fns->syntax); + + SMB_ASSERT(interface_name != NULL); + DEBUG(5, ("Requested \\PIPE\\%s\n", - get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax))); + interface_name)); + + switch (p->auth.auth_level) { + case DCERPC_AUTH_LEVEL_NONE: + case DCERPC_AUTH_LEVEL_INTEGRITY: + case DCERPC_AUTH_LEVEL_PRIVACY: + break; + default: + if (!pipe_fns->allow_connect) { + DEBUG(1, ("%s: restrict auth_level_connect access " + "to [%s] with auth[type=0x%x,level=0x%x] " + "on [%s] from [%s]\n", + __func__, interface_name, + p->auth.auth_type, + p->auth.auth_level, + derpc_transport_string_by_transport(p->transport), + p->client_id->name)); + + setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED)); + TALLOC_FREE(frame); + return true; + } + break; + } if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) { DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n")); -- 2.8.1 From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 7 Aug 2015 09:50:30 +0200 Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents man in the middle downgrade attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Pair-Programmed-With: Günther Deschner Signed-off-by: Stefan Metzmacher Signed-off-by: Günther Deschner (cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721) Signed-off-by: Aurelien Aptel Conflicts: selftest/knownfail source3/rpc_server/srv_pipe.c selftest/knownfail is ignored in 3.6 --- source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++ source3/selftest/knownfail | 1 + source3/selftest/tests.py | 2 ++ 3 files changed, 23 insertions(+) diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index c462dcf..3086b9e 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -43,6 +43,9 @@ #include "ntdomain.h" #include "rpc_server/srv_pipe.h" #include "../librpc/ndr/ndr_dcerpc.h" +#include "../librpc/gen_ndr/ndr_samr.h" +#include "../librpc/gen_ndr/ndr_lsa.h" +#include "../librpc/gen_ndr/ndr_netlogon.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p, { struct pipe_rpc_fns *context_fns; const char *interface_name = NULL; + bool ok; DEBUG(3,("check_bind_req for %s\n", get_pipe_name_from_syntax(talloc_tos(), abstract))); @@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p, context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect(); /* + * for the samr and the lsarpc interfaces we don't allow "connect" + * auth_level by default. + */ + ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id); + if (ok) { + context_fns->allow_connect = false; + } + ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id); + if (ok) { + context_fns->allow_connect = false; + } + ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id); + if (ok) { + context_fns->allow_connect = false; + } + /* * every interface can be modified to allow "connect" auth_level by * using a parametric option like: * allow dcerpc auth level connect: diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail index bda1fe0..8717a4d 100644 --- a/source3/selftest/knownfail +++ b/source3/selftest/knownfail @@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2 samba3.*rap.sam.*.useradd # Not provided by Samba 3 samba3.*rap.sam.*.userdelete # Not provided by Samba 3 samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3 +samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index a733f14..8dfbf1e 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -201,6 +201,8 @@ if sub.returncode == 0: plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD') elif t == "raw.samba3posixtimedlock": plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share') + elif t == "rpc.samr.passwords.validate": + plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ') else: plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') -- 2.8.1 From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 5 Apr 2016 09:54:38 +0200 Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use connect need to fail BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Andreas Schneider --- source3/selftest/knownfail | 1 + 1 file changed, 1 insertion(+) diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail index 8717a4d..7d9275e 100644 --- a/source3/selftest/knownfail +++ b/source3/selftest/knownfail @@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3 samba3.*rap.sam.*.userdelete # Not provided by Samba 3 samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3 samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore +samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore -- 2.8.1 From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 26 Mar 2016 08:47:42 +0100 Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy (cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90) --- source3/rpc_server/srv_pipe.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 3086b9e..964b843 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -46,6 +46,8 @@ #include "../librpc/gen_ndr/ndr_samr.h" #include "../librpc/gen_ndr/ndr_lsa.h" #include "../librpc/gen_ndr/ndr_netlogon.h" +#include "../librpc/gen_ndr/ndr_epmapper.h" +#include "../librpc/gen_ndr/ndr_echo.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p, context_fns->allow_connect = false; } /* + * for the epmapper and echo interfaces we allow "connect" + * auth_level by default. + */ + ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id); + if (ok) { + context_fns->allow_connect = true; + } + ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id); + if (ok) { + context_fns->allow_connect = true; + } + /* * every interface can be modified to allow "connect" auth_level by * using a parametric option like: * allow dcerpc auth level connect: -- 2.8.1 From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 10 Mar 2016 17:03:59 +0100 Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc auth level connect" to "no" BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy (backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902) Conflicts: lib/param/loadparm.c source3/param/loadparm.c --- docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++---- source3/param/loadparm.c | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml index 5552112..c8e9d18 100644 --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -14,11 +14,9 @@ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. While others like samr and lsarpc have a hardcoded default of no. - - Note the default will very likely change to no for Samba 4.5. -yes -no +no +yes diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 87d33c5..a514727 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals) Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ - Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */ + Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */ Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ -- 2.8.1 From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 28 Feb 2016 22:48:11 +0100 Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY... MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This requires transport encryption. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner (cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a) --- source3/rpc_server/samr/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 0984984..37e2e4f 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p, struct samr_GetDomPwInfo pw; struct samr_PwInfo dom_pw_info; + if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + if (r->in.level < 1 || r->in.level > 3) { return NT_STATUS_INVALID_INFO_CLASS; } -- 2.8.1