1414f1647d
This fixes the following security problems: * CVE-2015-7560 * CVE-2015-5370 * CVE-2016-2110 * CVE-2016-2111 * CVE-2016-2112 * CVE-2016-2115 * CVE-2016-2118 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49175
214 lines
5.6 KiB
Diff
214 lines
5.6 KiB
Diff
--- a/source3/rpc_server/rpc_ep_setup.c
|
|
+++ b/source3/rpc_server/rpc_ep_setup.c
|
|
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
|
|
return true;
|
|
}
|
|
|
|
+#ifdef NETLOGON_SUPPORT
|
|
static bool netlogon_init_cb(void *ptr)
|
|
{
|
|
struct dcesrv_ep_context *ep_ctx =
|
|
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
|
|
|
|
return true;
|
|
}
|
|
+#endif
|
|
|
|
static bool spoolss_init_cb(void *ptr)
|
|
{
|
|
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
|
|
return false;
|
|
}
|
|
|
|
+#ifdef NETLOGON_SUPPORT
|
|
netlogon_cb.init = netlogon_init_cb;
|
|
netlogon_cb.shutdown = NULL;
|
|
netlogon_cb.private_data = ep_ctx;
|
|
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
|
|
return false;
|
|
}
|
|
+#endif
|
|
+
|
|
|
|
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
|
|
"rpc_server",
|
|
--- a/source3/librpc/rpc/rpc_common.c
|
|
+++ b/source3/librpc/rpc/rpc_common.c
|
|
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
|
|
if (!smb_register_ndr_interface(&ndr_table_samr)) {
|
|
return false;
|
|
}
|
|
+#ifdef NETLOGON_SUPPORT
|
|
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
|
|
return false;
|
|
}
|
|
+#endif
|
|
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
|
|
return false;
|
|
}
|
|
--- a/source3/smbd/server_exit.c
|
|
+++ b/source3/smbd/server_exit.c
|
|
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
|
|
rpc_winreg_shutdown();
|
|
#endif
|
|
|
|
+#ifdef NETLOGON_SUPPORT
|
|
rpc_netlogon_shutdown();
|
|
+#endif
|
|
rpc_samr_shutdown();
|
|
rpc_lsarpc_shutdown();
|
|
}
|
|
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
|
|
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
|
|
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
|
|
i++;
|
|
#endif
|
|
|
|
+#ifdef NETLOGON_SUPPORT
|
|
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
|
|
svcctl_ops[i].ops = &netlogon_svc_ops;
|
|
i++;
|
|
+#endif
|
|
|
|
#ifdef WINREG_SUPPORT
|
|
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
|
|
--- a/source3/nmbd/nmbd_processlogon.c
|
|
+++ b/source3/nmbd/nmbd_processlogon.c
|
|
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
|
|
NTSTATUS status;
|
|
const char *pdc_name;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ return;
|
|
+#endif
|
|
+
|
|
in_addr_to_sockaddr_storage(&ss, p->ip);
|
|
pss = iface_ip((struct sockaddr *)&ss);
|
|
if (!pss) {
|
|
--- a/source3/rpcclient/rpcclient.c
|
|
+++ b/source3/rpcclient/rpcclient.c
|
|
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
|
|
#ifdef PRINTER_SUPPORT
|
|
spoolss_commands,
|
|
#endif
|
|
+#ifdef NETLOGON_SUPPORT
|
|
netlogon_commands,
|
|
+#endif
|
|
srvsvc_commands,
|
|
#ifdef DFS_SUPPORT
|
|
dfs_commands,
|
|
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
|
|
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
|
|
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
|
|
WERROR werr;
|
|
struct security_token *token = p->session_info->security_token;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ return WERR_NOT_SUPPORTED;
|
|
+#endif
|
|
+
|
|
if (!r->in.domain_name) {
|
|
return WERR_INVALID_PARAM;
|
|
}
|
|
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
|
|
WERROR werr;
|
|
struct security_token *token = p->session_info->security_token;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ return WERR_NOT_SUPPORTED;
|
|
+#endif
|
|
+
|
|
if (!r->in.account || !r->in.encrypted_password) {
|
|
return WERR_INVALID_PARAM;
|
|
}
|
|
--- a/source3/libsmb/trusts_util.c
|
|
+++ b/source3/libsmb/trusts_util.c
|
|
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
|
|
NTSTATUS nt_status;
|
|
|
|
switch (sec_channel_type) {
|
|
+#ifdef NETLOGON_SUPPORT
|
|
case SEC_CHAN_WKSTA:
|
|
case SEC_CHAN_DOMAIN:
|
|
break;
|
|
+#endif
|
|
default:
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
|
|
*num_domains = 0;
|
|
*sids = NULL;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ return False;
|
|
+#endif
|
|
+
|
|
+
|
|
/* lookup a DC first */
|
|
|
|
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
|
|
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
|
|
struct cli_state *cli = NULL;
|
|
struct rpc_pipe_client *netlogon_pipe = NULL;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ return NT_STATUS_UNSUCCESSFUL;
|
|
+#endif
|
|
+
|
|
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
|
|
domain));
|
|
|
|
--- a/source3/auth/auth_domain.c
|
|
+++ b/source3/auth/auth_domain.c
|
|
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
|
|
|
|
NTSTATUS auth_domain_init(void)
|
|
{
|
|
+#ifdef NETLOGON_SUPPORT
|
|
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
|
|
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
|
|
+#endif
|
|
return NT_STATUS_OK;
|
|
}
|
|
--- a/source3/smbd/process.c
|
|
+++ b/source3/smbd/process.c
|
|
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
|
|
/* check if we need to reload services */
|
|
check_reload(sconn, time_mono(NULL));
|
|
|
|
+#ifdef NETLOGON_SUPPORT
|
|
/* Change machine password if neccessary. */
|
|
attempt_machine_password_change();
|
|
+#endif
|
|
|
|
/*
|
|
* Force a log file check.
|
|
--- a/source3/rpc_server/srv_pipe.c
|
|
+++ b/source3/rpc_server/srv_pipe.c
|
|
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
|
|
if (ok) {
|
|
context_fns->allow_connect = false;
|
|
}
|
|
+#ifdef NETLOGON_SUPPORT
|
|
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
|
|
if (ok) {
|
|
context_fns->allow_connect = false;
|
|
}
|
|
+#endif
|
|
/*
|
|
* for the epmapper and echo interfaces we allow "connect"
|
|
* auth_level by default.
|
|
--- a/source3/rpc_client/cli_pipe.c
|
|
+++ b/source3/rpc_client/cli_pipe.c
|
|
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
|
|
struct schannel_state);
|
|
struct tevent_req *subreq;
|
|
|
|
+#ifndef NETLOGON_SUPPORT
|
|
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
|
|
+ return;
|
|
+#endif
|
|
if (schannel_auth == NULL ||
|
|
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
|
|
&ndr_table_netlogon.syntax_id)) {
|