diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch
index 825630f..548e410 100644
--- a/SOURCES/samba-4.10-redhat.patch
+++ b/SOURCES/samba-4.10-redhat.patch
@@ -1,7 +1,7 @@
-From 0ef46723cad274d0fe7948a67b33f9f20fab3f0d Mon Sep 17 00:00:00 2001
+From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Tue, 7 Jan 2020 19:25:53 +0200
-Subject: [PATCH 01/11] s3-rpcserver: fix security level check for
+Subject: [PATCH 01/38] s3-rpcserver: fix security level check for
DsRGetForestTrustInformation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644
}
--
-2.25.4
+2.28.0
-From 67c40147a3c1da49a8d407282e1917ed3be511b0 Mon Sep 17 00:00:00 2001
+From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 16:50:45 +0200
-Subject: [PATCH 02/11] Add a test to check dNSHostName with netbios aliases
+Subject: [PATCH 02/38] Add a test to check dNSHostName with netbios aliases
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755
# Test createcomputer option of 'net ads join'
#
--
-2.25.4
+2.28.0
-From b3e19ea4f4f366e7f6b99114c71f65c303402ef8 Mon Sep 17 00:00:00 2001
+From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:52:46 +0200
-Subject: [PATCH 03/11] Fix accidental overwrite of dnsHostName by the last
+Subject: [PATCH 03/38] Fix accidental overwrite of dnsHostName by the last
netbios alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
goto done;
--
-2.25.4
+2.28.0
-From 134c761913dcf84c8c18751a8ba9cc3652995138 Mon Sep 17 00:00:00 2001
+From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 24 Oct 2019 19:04:51 +0300
-Subject: [PATCH 04/11] Refactor ads_keytab_add_entry() to make it iterable
+Subject: [PATCH 04/38] Refactor ads_keytab_add_entry() to make it iterable
so we can more easily add msDS-AdditionalDnsHostName entries.
@@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644
out:
SAFE_FREE(salt_princ_s);
--
-2.25.4
+2.28.0
-From 7b2295db8683bb9432f49e2f09912799e65e2e6b Mon Sep 17 00:00:00 2001
+From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 17:55:12 +0200
-Subject: [PATCH 05/11] Add a test for msDS-AdditionalDnsHostName entries in
+Subject: [PATCH 05/38] Add a test for msDS-AdditionalDnsHostName entries in
keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
--
-2.25.4
+2.28.0
-From ca89f163524c317b6a2fffeb527194b34ede526d Mon Sep 17 00:00:00 2001
+From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:36:28 +0200
-Subject: [PATCH 06/11] Add msDS-AdditionalDnsHostName entries to the keytab
+Subject: [PATCH 06/38] Add msDS-AdditionalDnsHostName entries to the keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644
{
LDAPMessage *res = NULL;
--
-2.25.4
+2.28.0
-From 48d6a35118f2c8e51bbe3f31c1500f8ab097498e Mon Sep 17 00:00:00 2001
+From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:54:12 +0200
-Subject: [PATCH 07/11] Add net-ads-join dnshostname=fqdn option
+Subject: [PATCH 07/38] Add net-ads-join dnshostname=fqdn option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -794,18 +794,2352 @@ index a40b477a173..85257f445d8 100755
exit $failed
--
-2.25.4
+2.28.0
-From 8cd52f39772bf6b9c008a4e281c3a75f150a043b Mon Sep 17 00:00:00 2001
+From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:04:57 +0200
+Subject: [PATCH 08/38] CVE-2020-1472(ZeroLogon): libcli/auth: add
+ netlogon_creds_random_challenge()
+
+It's good to have just a single isolated function that will generate
+random challenges, in future we can add some logic in order to
+avoid weak values, which are likely to be rejected by a server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/auth/credentials.c | 8 ++++++++
+ libcli/auth/proto.h | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index b6c8ba281ba..dbbef9e7a3c 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -26,9 +26,17 @@
+ #include "libcli/auth/libcli_auth.h"
+ #include "../libcli/security/dom_sid.h"
+
++
++void netlogon_creds_random_challenge(struct netr_Credential *challenge)
++{
++ ZERO_STRUCTP(challenge);
++ generate_random_buffer(challenge->data, sizeof(challenge->data));
++}
++
+ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
+ const struct netr_Credential *in,
+ struct netr_Credential *out)
++
+ {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ AES_KEY key;
+diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
+index 82febe74440..82797d453ed 100644
+--- a/libcli/auth/proto.h
++++ b/libcli/auth/proto.h
+@@ -11,6 +11,8 @@
+
+ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
+
++void netlogon_creds_random_challenge(struct netr_Credential *challenge);
++
+ void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
+ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
+ void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
+--
+2.28.0
+
+
+From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:07:30 +0200
+Subject: [PATCH 09/38] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
+ netlogon_creds_random_challenge()
+
+This will avoid getting flakey tests once our server starts to
+reject weak challenges.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/torture/rpc/lsa.c | 2 +-
+ source4/torture/rpc/netlogon.c | 34 ++++++++++++----------------------
+ 2 files changed, 13 insertions(+), 23 deletions(-)
+
+diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
+index 21cc16afbaf..7bdc0cf679a 100644
+--- a/source4/torture/rpc/lsa.c
++++ b/source4/torture/rpc/lsa.c
+@@ -2847,7 +2847,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge failed");
+diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
+index 026d86d50e4..e11014922f8 100644
+--- a/source4/torture/rpc/netlogon.c
++++ b/source4/torture/rpc/netlogon.c
+@@ -160,7 +160,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge failed");
+@@ -229,7 +229,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge failed");
+@@ -318,7 +318,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge failed");
+@@ -390,7 +390,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge failed");
+@@ -1278,7 +1278,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1367,7 +1367,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1456,7 +1456,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1546,7 +1546,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1638,8 +1638,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
+ r.in.credentials = &credentials1_random;
+ r.out.return_credentials = &credentials_discard;
+
+- generate_random_buffer(credentials1_random.data,
+- sizeof(credentials1_random.data));
++ netlogon_creds_random_challenge(&credentials1_random);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1651,7 +1650,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1662,16 +1661,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
+ r.in.credentials = &credentials1_random;
+ r.out.return_credentials = &credentials_discard;
+
+- generate_random_buffer(credentials1_random.data,
+- sizeof(credentials1_random.data));
+-
+- r.in.server_name = NULL;
+- r.in.computer_name = "CHALTEST3";
+- r.in.credentials = &credentials1_random;
+- r.out.return_credentials = &credentials_discard;
+-
+- generate_random_buffer(credentials1_random.data,
+- sizeof(credentials1_random.data));
++ netlogon_creds_random_challenge(&credentials1_random);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
+ "ServerReqChallenge failed on b1");
+@@ -1747,7 +1737,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx,
+ r.in.credentials = &credentials1;
+ r.out.return_credentials = &credentials2;
+
+- generate_random_buffer(credentials1.data, sizeof(credentials1.data));
++ netlogon_creds_random_challenge(&credentials1);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
+ "ServerReqChallenge");
+--
+2.28.0
+
+
+From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:08:38 +0200
+Subject: [PATCH 10/38] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
+ netlogon_creds_random_challenge() in netlogon_creds_cli.c
+
+This will avoid getting rejected by the server if we generate
+a weak challenge.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/auth/netlogon_creds_cli.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 817d2cd041a..0f6ca11ff96 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
+
+ TALLOC_FREE(state->creds);
+
+- generate_random_buffer(state->client_challenge.data,
+- sizeof(state->client_challenge.data));
++ netlogon_creds_random_challenge(&state->client_challenge);
+
+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
+ state->binding_handle,
+--
+2.28.0
+
+
+From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:10:53 +0200
+Subject: [PATCH 11/38] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
+ use of netlogon_creds_random_challenge()
+
+This is not strictly needed, but makes things more clear.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 87613b99fde..86b2f343e82 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -840,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
+
+ pipe_state->client_challenge = *r->in.credentials;
+
+- generate_random_buffer(pipe_state->server_challenge.data,
+- sizeof(pipe_state->server_challenge.data));
++ netlogon_creds_random_challenge(&pipe_state->server_challenge);
+
+ *r->out.return_credentials = pipe_state->server_challenge;
+
+--
+2.28.0
+
+
+From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:10:53 +0200
+Subject: [PATCH 12/38] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
+ use of netlogon_creds_random_challenge()
+
+This is not strictly needed, but makes things more clear.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 023adfd99e9..de260d8051d 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
+
+ pipe_state->client_challenge = *r->in.credentials;
+
+- generate_random_buffer(pipe_state->server_challenge.data,
+- sizeof(pipe_state->server_challenge.data));
++ netlogon_creds_random_challenge(&pipe_state->server_challenge);
+
+ *r->out.return_credentials = pipe_state->server_challenge;
+
+--
+2.28.0
+
+
+From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:15:26 +0200
+Subject: [PATCH 13/38] CVE-2020-1472(ZeroLogon): libcli/auth: add
+ netlogon_creds_is_random_challenge() to avoid weak values
+
+This is the check Windows is using, so we won't generate challenges,
+which are rejected by Windows DCs (and future Samba DCs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/auth/credentials.c | 23 ++++++++++++++++++++++-
+ libcli/auth/proto.h | 1 +
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index dbbef9e7a3c..64b424c099f 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -27,10 +27,31 @@
+ #include "../libcli/security/dom_sid.h"
+
+
++bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
++{
++ /*
++ * If none of the first 5 bytes of the client challenge is unique, the
++ * server MUST fail session-key negotiation without further processing
++ * of the following steps.
++ */
++
++ if (challenge->data[1] == challenge->data[0] &&
++ challenge->data[2] == challenge->data[0] &&
++ challenge->data[3] == challenge->data[0] &&
++ challenge->data[4] == challenge->data[0])
++ {
++ return false;
++ }
++
++ return true;
++}
++
+ void netlogon_creds_random_challenge(struct netr_Credential *challenge)
+ {
+ ZERO_STRUCTP(challenge);
+- generate_random_buffer(challenge->data, sizeof(challenge->data));
++ while (!netlogon_creds_is_random_challenge(challenge)) {
++ generate_random_buffer(challenge->data, sizeof(challenge->data));
++ }
+ }
+
+ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
+diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
+index 82797d453ed..ad768682b9f 100644
+--- a/libcli/auth/proto.h
++++ b/libcli/auth/proto.h
+@@ -11,6 +11,7 @@
+
+ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
+
++bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge);
+ void netlogon_creds_random_challenge(struct netr_Credential *challenge);
+
+ void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
+--
+2.28.0
+
+
+From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 16:17:29 +0200
+Subject: [PATCH 14/38] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
+ client challenges in netlogon_creds_server_init()
+
+This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
+
+ 7. If none of the first 5 bytes of the client challenge is unique, the
+ server MUST fail session-key negotiation without further processing of
+ the following steps.
+
+It lets ./zerologon_tester.py from
+https://github.com/SecuraBV/CVE-2020-1472.git
+report: "Attack failed. Target is probably patched."
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[dbagnall@samba.org, abartlet@samba.org: wscript_build backport
+differs because 4.10 has no gnutls dependency]
+---
+ libcli/auth/credentials.c | 16 ++++++++++++++++
+ libcli/auth/wscript_build | 2 +-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 64b424c099f..e2bc82809b7 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -25,6 +25,7 @@
+ #include "../lib/crypto/crypto.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "../libcli/security/dom_sid.h"
++#include "lib/util/util_str_escape.h"
+
+
+ bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge)
+@@ -451,6 +452,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
+ {
+
+ struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
++ bool ok;
+
+ if (!creds) {
+ return NULL;
+@@ -463,6 +465,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
+ dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
+ dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
+
++ ok = netlogon_creds_is_random_challenge(client_challenge);
++ if (!ok) {
++ DBG_WARNING("CVE-2020-1472(ZeroLogon): "
++ "non-random client challenge rejected for "
++ "client_account[%s] client_computer_name[%s]\n",
++ log_escape(mem_ctx, client_account),
++ log_escape(mem_ctx, client_computer_name));
++ dump_data(DBGLVL_WARNING,
++ client_challenge->data,
++ sizeof(client_challenge->data));
++ talloc_free(creds);
++ return NULL;
++ }
++
+ creds->computer_name = talloc_strdup(creds, client_computer_name);
+ if (!creds->computer_name) {
+ talloc_free(creds);
+diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
+index d319d9b879e..394505d166d 100644
+--- a/libcli/auth/wscript_build
++++ b/libcli/auth/wscript_build
+@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
+
+ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
+ source='credentials.c session.c smbencrypt.c smbdes.c',
+- public_deps='MSRPC_PARSE',
++ public_deps='MSRPC_PARSE util_str_escape',
+ public_headers='credentials.h:domain_credentials.h'
+ )
+
+--
+2.28.0
+
+
+From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 19:20:25 +0200
+Subject: [PATCH 15/38] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+ protect netr_ServerPasswordSet2 against unencrypted passwords
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 ++++++++++++++++++-
+ 1 file changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index de260d8051d..acbf077c6c7 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -722,7 +722,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
+ struct NL_PASSWORD_VERSION version = {};
+ const uint32_t *new_version = NULL;
+ NTSTATUS nt_status;
+- DATA_BLOB new_password;
++ DATA_BLOB new_password = data_blob_null;
++ size_t confounder_len;
++ DATA_BLOB dec_blob = data_blob_null;
++ DATA_BLOB enc_blob = data_blob_null;
+ int ret;
+ struct samr_CryptPassword password_buf;
+
+@@ -780,6 +783,61 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
++ /*
++ * Make sure the length field was encrypted,
++ * otherwise we are under attack.
++ */
++ if (new_password.length == r->in.new_password->length) {
++ DBG_WARNING("Length[%zu] field not encrypted\n",
++ new_password.length);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * We don't allow empty passwords for machine accounts.
++ */
++ if (new_password.length < 2) {
++ DBG_WARNING("Empty password Length[%zu]\n",
++ new_password.length);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * Make sure the confounder part of CryptPassword
++ * buffer was encrypted, otherwise we are under attack.
++ */
++ confounder_len = 512 - new_password.length;
++ enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
++ dec_blob = data_blob_const(password_buf.data, confounder_len);
++ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
++ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
++ confounder_len);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * Check that the password part was actually encrypted,
++ * otherwise we are under attack.
++ */
++ enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
++ new_password.length);
++ dec_blob = data_blob_const(password_buf.data + confounder_len,
++ new_password.length);
++ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
++ DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
++ new_password.length);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * don't allow zero buffers
++ */
++ if (all_zero(new_password.data, new_password.length)) {
++ DBG_WARNING("Password zero buffer Length[%zu]\n",
++ new_password.length);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
+ /* fetch the old password hashes (at least one of both has to exist) */
+
+ ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
+--
+2.28.0
+
+
+From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 16 Sep 2020 12:53:50 -0700
+Subject: [PATCH 16/38] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+ protect netr_ServerPasswordSet2 against unencrypted passwords
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 98 +++++++++++++++++++--
+ 1 file changed, 92 insertions(+), 6 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 86b2f343e82..fd9127b386f 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1326,9 +1326,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
+ {
+ NTSTATUS status;
+ struct netlogon_creds_CredentialState *creds = NULL;
+- DATA_BLOB plaintext;
++ DATA_BLOB plaintext = data_blob_null;
++ DATA_BLOB new_password = data_blob_null;
++ size_t confounder_len;
++ DATA_BLOB dec_blob = data_blob_null;
++ DATA_BLOB enc_blob = data_blob_null;
+ struct samr_CryptPassword password_buf;
+ struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
++ bool ok;
+
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+@@ -1364,18 +1369,99 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ }
+
+- if (!decode_pw_buffer(p->mem_ctx,
+- password_buf.data,
+- (char**) &plaintext.data,
+- &plaintext.length,
+- CH_UTF16)) {
++ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
+ DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
+ "from a buffer. Rejecting auth request as a wrong password\n"));
+ TALLOC_FREE(creds);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
++ /*
++ * Make sure the length field was encrypted,
++ * otherwise we are under attack.
++ */
++ if (new_password.length == r->in.new_password->length) {
++ DBG_WARNING("Length[%zu] field not encrypted\n",
++ new_password.length);
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * We don't allow empty passwords for machine accounts.
++ */
++ if (new_password.length < 2) {
++ DBG_WARNING("Empty password Length[%zu]\n",
++ new_password.length);
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * Make sure the confounder part of CryptPassword
++ * buffer was encrypted, otherwise we are under attack.
++ */
++ confounder_len = 512 - new_password.length;
++ enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
++ dec_blob = data_blob_const(password_buf.data, confounder_len);
++ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
++ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
++ confounder_len);
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * Check that the password part was actually encrypted,
++ * otherwise we are under attack.
++ */
++ enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
++ new_password.length);
++ dec_blob = data_blob_const(password_buf.data + confounder_len,
++ new_password.length);
++ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
++ DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
++ new_password.length);
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * don't allow zero buffers
++ */
++ if (all_zero(new_password.data, new_password.length)) {
++ DBG_WARNING("Password zero buffer Length[%zu]\n",
++ new_password.length);
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /* Convert from UTF16 -> plaintext. */
++ ok = convert_string_talloc(p->mem_ctx,
++ CH_UTF16,
++ CH_UNIX,
++ new_password.data,
++ new_password.length,
++ (void *)&plaintext.data,
++ &plaintext.length);
++ if (!ok) {
++ DBG_WARNING("unable to extract password from a buffer. "
++ "Rejecting auth request as a wrong password\n");
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
++ /*
++ * We don't allow empty passwords for machine accounts.
++ */
++
+ cr.creds.password = (const char*) plaintext.data;
++ if (strlen(cr.creds.password) == 0) {
++ DBG_WARNING("Empty plaintext password\n");
++ TALLOC_FREE(creds);
++ return NT_STATUS_WRONG_PASSWORD;
++ }
++
+ status = netr_set_machine_account_password(p->mem_ctx,
+ p->session_info,
+ p->msg_ctx,
+--
+2.28.0
+
+
+From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 10:18:45 +0200
+Subject: [PATCH 17/38] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+ refactor dcesrv_netr_creds_server_step_check()
+
+We should debug more details about the failing request.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++-----
+ 1 file changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index acbf077c6c7..b4326a4ecaa 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -623,26 +623,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ NTSTATUS nt_status;
+ int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ bool schannel_global_required = (schannel == true);
++ struct netlogon_creds_CredentialState *creds = NULL;
++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
++ uint16_t opnum = dce_call->pkt.u.request.opnum;
++ const char *opname = "<unknown>";
+
+- if (schannel_global_required) {
+- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+-
+- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+-
+- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+- DBG_ERR("[%s] is not using schannel\n",
+- computer_name);
+- return NT_STATUS_ACCESS_DENIED;
+- }
++ if (opnum < ndr_table_netlogon.num_calls) {
++ opname = ndr_table_netlogon.calls[opnum].name;
+ }
+
++ dcesrv_call_auth_info(dce_call, &auth_type, NULL);
++
+ nt_status = schannel_check_creds_state(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ computer_name,
+ received_authenticator,
+ return_authenticator,
+- creds_out);
+- return nt_status;
++ &creds);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ ZERO_STRUCTP(return_authenticator);
++ return nt_status;
++ }
++
++ if (schannel_global_required) {
++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ *creds_out = creds;
++ return NT_STATUS_OK;
++ }
++
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ TALLOC_FREE(creds);
++ ZERO_STRUCTP(return_authenticator);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ *creds_out = creds;
++ return NT_STATUS_OK;
+ }
+
+ /*
+--
+2.28.0
+
+
+From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 16 Sep 2020 10:56:53 +0200
+Subject: [PATCH 18/38] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+ support "server require schannel:WORKSTATION$ = no"
+
+This allows to add expections for individual workstations, when using "server schannel = yes".
+"server schannel = auto" is very insecure and will be removed soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index b4326a4ecaa..e7bafb31e83 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -623,6 +623,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ NTSTATUS nt_status;
+ int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ bool schannel_global_required = (schannel == true);
++ bool schannel_required = schannel_global_required;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ uint16_t opnum = dce_call->pkt.u.request.opnum;
+@@ -645,7 +646,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ return nt_status;
+ }
+
+- if (schannel_global_required) {
++ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
++ NULL,
++ "server require schannel",
++ creds->account_name,
++ schannel_global_required);
++
++ if (schannel_required) {
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ *creds_out = creds;
+ return NT_STATUS_OK;
+--
+2.28.0
+
+
+From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Sep 2020 13:37:26 +0200
+Subject: [PATCH 19/38] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
+ warnings about unsecure configurations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This should give admins wawrnings until they have a secure
+configuration.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: G端nther Deschner <gd@samba.org>
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 66 ++++++++++++++++++-
+ 1 file changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index e7bafb31e83..7668a9eb923 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -624,10 +624,12 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ bool schannel_global_required = (schannel == true);
+ bool schannel_required = schannel_global_required;
++ const char *explicit_opt = NULL;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ uint16_t opnum = dce_call->pkt.u.request.opnum;
+ const char *opname = "<unknown>";
++ static bool warned_global_once = false;
+
+ if (opnum < ndr_table_netlogon.num_calls) {
+ opname = ndr_table_netlogon.calls[opnum].name;
+@@ -646,11 +648,18 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ return nt_status;
+ }
+
+- schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
++ /*
++ * We don't use lpcfg_parm_bool(), as we
++ * need the explicit_opt pointer in order to
++ * adjust the debug messages.
++ */
++ explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
+ NULL,
+ "server require schannel",
+- creds->account_name,
+- schannel_global_required);
++ creds->account_name);
++ if (explicit_opt != NULL) {
++ schannel_required = lp_bool(explicit_opt);
++ }
+
+ if (schannel_required) {
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+@@ -664,11 +673,62 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
++ "'server require schannel:%s = no' is needed! \n",
++ log_escape(mem_ctx, creds->account_name));
+ TALLOC_FREE(creds);
+ ZERO_STRUCTP(return_authenticator);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
++ if (!schannel_global_required && !warned_global_once) {
++ /*
++ * We want admins to notice their misconfiguration!
++ */
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "Please configure 'server schannel = yes', "
++ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
++ warned_global_once = true;
++ }
++
++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) WITH schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "Option 'server require schannel:%s = no' not needed!?\n",
++ log_escape(mem_ctx, creds->account_name));
++
++ *creds_out = creds;
++ return NT_STATUS_OK;
++ }
++
++
++ if (explicit_opt != NULL) {
++ DBG_INFO("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_INFO("CVE-2020-1472(ZeroLogon): "
++ "Option 'server require schannel:%s = no' still needed!\n",
++ log_escape(mem_ctx, creds->account_name));
++ } else {
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
++ "'server require schannel:%s = no' might be needed!\n",
++ log_escape(mem_ctx, creds->account_name));
++ }
++
+ *creds_out = creds;
+ return NT_STATUS_OK;
+ }
+--
+2.28.0
+
+
+From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 17 Sep 2020 14:57:22 +0200
+Subject: [PATCH 20/38] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+ refactor dcesrv_netr_creds_server_step_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We should debug more details about the failing request.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: G端nther Deschner <gd@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 43 +++++++++++++++++----
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index fd9127b386f..8541571b459 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -48,6 +48,7 @@
+ #include "../lib/tsocket/tsocket.h"
+ #include "lib/param/param.h"
+ #include "libsmb/dsgetdcname.h"
++#include "lib/util/util_str_escape.h"
+
+ extern userdom_struct current_user_info;
+
+@@ -1073,19 +1074,21 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ NTSTATUS status;
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ struct loadparm_context *lp_ctx;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
++ uint16_t opnum = p->opnum;
++ const char *opname = "<unknown>";
+
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+ }
+
+- if (schannel_global_required) {
+- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+- DBG_ERR("[%s] is not using schannel\n",
+- computer_name);
+- return NT_STATUS_ACCESS_DENIED;
+- }
++ if (opnum < ndr_table_netlogon.num_calls) {
++ opname = ndr_table_netlogon.calls[opnum].name;
+ }
+
++ auth_type = p->auth.auth_type;
++
+ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+@@ -1094,9 +1097,33 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+
+ status = schannel_check_creds_state(mem_ctx, lp_ctx,
+ computer_name, received_authenticator,
+- return_authenticator, creds_out);
++ return_authenticator, &creds);
+ talloc_unlink(mem_ctx, lp_ctx);
+- return status;
++
++ if (!NT_STATUS_IS_OK(status)) {
++ ZERO_STRUCTP(return_authenticator);
++ return status;
++ }
++
++ if (schannel_global_required) {
++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ *creds_out = creds;
++ return NT_STATUS_OK;
++ }
++
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ TALLOC_FREE(creds);
++ ZERO_STRUCTP(return_authenticator);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ *creds_out = creds;
++ return NT_STATUS_OK;
+ }
+
+
+--
+2.28.0
+
+
+From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 17 Sep 2020 14:23:16 +0200
+Subject: [PATCH 21/38] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+ support "server require schannel:WORKSTATION$ = no"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows to add expections for individual workstations, when using "server schannel = yes".
+"server schannel = auto" is very insecure and will be removed soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: G端nther Deschner <gd@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 8541571b459..f9b10103bd5 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1073,6 +1073,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ {
+ NTSTATUS status;
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
++ bool schannel_required = schannel_global_required;
+ struct loadparm_context *lp_ctx;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+@@ -1105,7 +1106,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ return status;
+ }
+
+- if (schannel_global_required) {
++ schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
++ "server require schannel",
++ creds->account_name,
++ schannel_global_required);
++ if (schannel_required) {
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ *creds_out = creds;
+ return NT_STATUS_OK;
+--
+2.28.0
+
+
+From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 17 Sep 2020 14:42:52 +0200
+Subject: [PATCH 22/38] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
+ warnings about unsecure configurations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: G端nther Deschner <gd@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 70 +++++++++++++++++++--
+ 1 file changed, 66 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index f9b10103bd5..7f6704adbda 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1074,11 +1074,13 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ NTSTATUS status;
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ bool schannel_required = schannel_global_required;
++ const char *explicit_opt = NULL;
+ struct loadparm_context *lp_ctx;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ uint16_t opnum = p->opnum;
+ const char *opname = "<unknown>";
++ static bool warned_global_once = false;
+
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+@@ -1106,10 +1108,20 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ return status;
+ }
+
+- schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM,
+- "server require schannel",
+- creds->account_name,
+- schannel_global_required);
++ /*
++ * We don't use lp_parm_bool(), as we
++ * need the explicit_opt pointer in order to
++ * adjust the debug messages.
++ */
++
++ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
++ "server require schannel",
++ creds->account_name,
++ NULL);
++ if (explicit_opt != NULL) {
++ schannel_required = lp_bool(explicit_opt);
++ }
++
+ if (schannel_required) {
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ *creds_out = creds;
+@@ -1122,11 +1134,61 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
++ "'server require schannel:%s = no' is needed! \n",
++ log_escape(mem_ctx, creds->account_name));
+ TALLOC_FREE(creds);
+ ZERO_STRUCTP(return_authenticator);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
++ if (!schannel_global_required && !warned_global_once) {
++ /*
++ * We want admins to notice their misconfiguration!
++ */
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "Please configure 'server schannel = yes', "
++ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
++ warned_global_once = true;
++ }
++
++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) WITH schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "Option 'server require schannel:%s = no' not needed!?\n",
++ log_escape(mem_ctx, creds->account_name));
++
++ *creds_out = creds;
++ return NT_STATUS_OK;
++ }
++
++ if (explicit_opt != NULL) {
++ DBG_INFO("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_INFO("CVE-2020-1472(ZeroLogon): "
++ "Option 'server require schannel:%s = no' still needed!\n",
++ log_escape(mem_ctx, creds->account_name));
++ } else {
++ DBG_ERR("CVE-2020-1472(ZeroLogon): "
++ "%s request (opnum[%u]) without schannel from "
++ "client_account[%s] client_computer_name[%s]\n",
++ opname, opnum,
++ log_escape(mem_ctx, creds->account_name),
++ log_escape(mem_ctx, creds->computer_name));
++ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
++ "'server require schannel:%s = no' might be needed!\n",
++ log_escape(mem_ctx, creds->account_name));
++ }
++
+ *creds_out = creds;
+ return NT_STATUS_OK;
+ }
+--
+2.28.0
+
+
+From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Sep 2020 17:27:54 +0200
+Subject: [PATCH 23/38] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
+ require schannel:COMPUTERACCOUNT'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ .../smbdotconf/security/serverschannel.xml | 69 +++++++++++++++----
+ 1 file changed, 54 insertions(+), 15 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
+index 489492d79b1..b682d086f76 100644
+--- a/docs-xml/smbdotconf/security/serverschannel.xml
++++ b/docs-xml/smbdotconf/security/serverschannel.xml
+@@ -7,26 +7,65 @@
+ <description>
+
+ <para>
+- This option is deprecated with Samba 4.8 and will be removed in future.
+- At the same time the default changed to yes, which will be the
+- hardcoded behavior in future. If you have the need for the behavior of "auto"
+- to be kept, please file a bug at https://bugzilla.samba.org.
++ This option is deprecated and will be removed in future,
++ as it is a security problem if not set to "yes" (which will be
++ the hardcoded behavior in future).
+ </para>
+
+ <para>
+- This controls whether the server offers or even demands the use of the netlogon schannel.
+- <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
+- name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
+- name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
+- This is only the case for Windows NT4 before SP4.
+- </para>
+-
++ Samba will complain in the log files at log level 0,
++ about the security problem if the option is not set to "yes".
++ </para>
+ <para>
+- Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP
+- <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
+- </para>
++ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
++ </para>
++
++ <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
++ </para>
++
++ <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
++
+ </description>
+
+ <value type="default">yes</value>
+-<value type="example">auto</value>
++</samba:parameter>
++
++<samba:parameter name="server require schannel:COMPUTERACCOUNT"
++ context="G"
++ type="string"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++
++ <para>If you still have legacy domain members, which required "server schannel = auto" before,
++ it is possible to specify explicit expection per computer account
++ by using 'server require schannel:COMPUTERACCOUNT = no' as option.
++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
++ the computer account (including the trailing '$' sign).
++ </para>
++
++ <para>
++ Samba will complain in the log files at log level 0,
++ about the security problem if the option is not set to "no",
++ but the related computer is actually using the netlogon
++ secure channel (schannel) feature.
++ </para>
++
++ <para>
++ Samba will warn in the log files at log level 5,
++ if a setting is still needed for the specified computer account.
++ </para>
++
++ <para>
++ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
++ </para>
++
++ <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
++
++ <programlisting>
++ server require schannel:LEGACYCOMPUTER1$ = no
++ server require schannel:NASBOX$ = no
++ server require schannel:LEGACYCOMPUTER2$ = no
++ </programlisting>
++</description>
++
+ </samba:parameter>
+--
+2.28.0
+
+
+From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
+From: Gary Lockyer <gary@catalyst.net.nz>
+Date: Fri, 18 Sep 2020 12:39:54 +1200
+Subject: [PATCH 24/38] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
+ machine acct pwd
+
+Ensure that an empty machine account password can't be set by
+netr_ServerPasswordSet2
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ source4/torture/rpc/netlogon.c | 64 +++++++++++++++-------------------
+ 1 file changed, 29 insertions(+), 35 deletions(-)
+
+diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
+index e11014922f8..0ba45f0c1da 100644
+--- a/source4/torture/rpc/netlogon.c
++++ b/source4/torture/rpc/netlogon.c
+@@ -719,45 +719,39 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
+
+ cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
+
+- if (!torture_setting_bool(tctx, "dangerous", false)) {
+- torture_comment(tctx,
+- "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
++ /*
++ * As a consequence of CVE-2020-1472(ZeroLogon)
++ * Samba explicitly disallows the setting of an empty machine account
++ * password.
++ *
++ * Note that this may fail against Windows, and leave a machine account
++ * with an empty password.
++ */
++ password = "";
++ encode_pw_buffer(password_buf.data, password, STR_UNICODE);
++ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
+ } else {
+- /* by changing the machine password to ""
+- * we check if the server uses password restrictions
+- * for ServerPasswordSet2
+- * (win2k3 accepts "")
+- */
+- password = "";
+- encode_pw_buffer(password_buf.data, password, STR_UNICODE);
+- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
+- } else {
+- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+- }
+- memcpy(new_password.data, password_buf.data, 512);
+- new_password.length = IVAL(password_buf.data, 512);
+-
+- torture_comment(tctx,
+- "Testing ServerPasswordSet2 on machine account\n");
+- torture_comment(tctx,
+- "Changing machine account password to '%s'\n", password);
+-
+- netlogon_creds_client_authenticator(creds, &credential);
+-
+- torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
+- "ServerPasswordSet2 failed");
+- torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
++ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
++ }
++ memcpy(new_password.data, password_buf.data, 512);
++ new_password.length = IVAL(password_buf.data, 512);
+
+- if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
+- torture_comment(tctx, "Credential chaining failed\n");
+- }
++ torture_comment(tctx,
++ "Testing ServerPasswordSet2 on machine account\n");
++ torture_comment(tctx,
++ "Changing machine account password to '%s'\n", password);
+
+- cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
+- }
++ netlogon_creds_client_authenticator(creds, &credential);
+
+- torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
+- "ServerPasswordSet failed to actually change the password");
++ torture_assert_ntstatus_ok(
++ tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
++ "ServerPasswordSet2 failed");
++ torture_assert_ntstatus_equal(
++ tctx,
++ r.out.result,
++ NT_STATUS_WRONG_PASSWORD,
++ "ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD");
+
+ /* now try a random password */
+ password = generate_random_password(tctx, 8, 255);
+--
+2.28.0
+
+
+From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
+From: Gary Lockyer <gary@catalyst.net.nz>
+Date: Fri, 18 Sep 2020 15:57:34 +1200
+Subject: [PATCH 25/38] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
+ bytes in client challenge
+
+Ensure that client challenges with the first 5 bytes identical are
+rejected.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
+
+Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
+
+[abartlet@samba.org: backported from master as test order was flipped]
+---
+ source4/torture/rpc/netlogon.c | 335 +++++++++++++++++++++++++++++++++
+ 1 file changed, 335 insertions(+)
+
+diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
+index 0ba45f0c1da..97c16688bc9 100644
+--- a/source4/torture/rpc/netlogon.c
++++ b/source4/torture/rpc/netlogon.c
+@@ -480,6 +480,325 @@ bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
+ return true;
+ }
+
++static bool test_ServerReqChallenge(
++ struct torture_context *tctx,
++ struct dcerpc_pipe *p,
++ struct cli_credentials *credentials)
++{
++ struct netr_ServerReqChallenge r;
++ struct netr_Credential credentials1, credentials2, credentials3;
++ const char *machine_name;
++ struct dcerpc_binding_handle *b = p->binding_handle;
++ struct netr_ServerAuthenticate2 a;
++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t out_negotiate_flags = 0;
++ const struct samr_Password *mach_password = NULL;
++ enum netr_SchannelType sec_chan_type = 0;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ const char *account_name = NULL;
++
++ machine_name = cli_credentials_get_workstation(credentials);
++ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
++ account_name = cli_credentials_get_username(credentials);
++ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
++
++ torture_comment(tctx, "Testing ServerReqChallenge\n");
++
++ r.in.server_name = NULL;
++ r.in.computer_name = machine_name;
++ r.in.credentials = &credentials1;
++ r.out.return_credentials = &credentials2;
++
++ netlogon_creds_random_challenge(&credentials1);
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
++ "ServerReqChallenge failed");
++ torture_assert_ntstatus_ok(
++ tctx,
++ r.out.result,
++ "ServerReqChallenge failed");
++ a.in.server_name = NULL;
++ a.in.account_name = account_name;
++ a.in.secure_channel_type = sec_chan_type;
++ a.in.computer_name = machine_name;
++ a.in.negotiate_flags = &in_negotiate_flags;
++ a.out.negotiate_flags = &out_negotiate_flags;
++ a.in.credentials = &credentials3;
++ a.out.return_credentials = &credentials3;
++
++ creds = netlogon_creds_client_init(tctx, a.in.account_name,
++ a.in.computer_name,
++ a.in.secure_channel_type,
++ &credentials1, &credentials2,
++ mach_password, &credentials3,
++ in_negotiate_flags);
++
++ torture_assert(tctx, creds != NULL, "memory allocation");
++
++ torture_comment(tctx, "Testing ServerAuthenticate2\n");
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
++ "ServerAuthenticate2 failed");
++ torture_assert_ntstatus_equal(
++ tctx,
++ a.out.result,
++ NT_STATUS_OK,
++ "ServerAuthenticate2 unexpected");
++
++ return true;
++}
++
++static bool test_ServerReqChallenge_zero_challenge(
++ struct torture_context *tctx,
++ struct dcerpc_pipe *p,
++ struct cli_credentials *credentials)
++{
++ struct netr_ServerReqChallenge r;
++ struct netr_Credential credentials1, credentials2, credentials3;
++ const char *machine_name;
++ struct dcerpc_binding_handle *b = p->binding_handle;
++ struct netr_ServerAuthenticate2 a;
++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t out_negotiate_flags = 0;
++ const struct samr_Password *mach_password = NULL;
++ enum netr_SchannelType sec_chan_type = 0;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ const char *account_name = NULL;
++
++ machine_name = cli_credentials_get_workstation(credentials);
++ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
++ account_name = cli_credentials_get_username(credentials);
++ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
++
++ torture_comment(tctx, "Testing ServerReqChallenge\n");
++
++ r.in.server_name = NULL;
++ r.in.computer_name = machine_name;
++ r.in.credentials = &credentials1;
++ r.out.return_credentials = &credentials2;
++
++ /*
++ * Set the client challenge to zero, this should fail
++ * CVE-2020-1472(ZeroLogon)
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
++ */
++ ZERO_STRUCT(credentials1);
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
++ "ServerReqChallenge failed");
++ torture_assert_ntstatus_ok(
++ tctx,
++ r.out.result,
++ "ServerReqChallenge failed");
++ a.in.server_name = NULL;
++ a.in.account_name = account_name;
++ a.in.secure_channel_type = sec_chan_type;
++ a.in.computer_name = machine_name;
++ a.in.negotiate_flags = &in_negotiate_flags;
++ a.out.negotiate_flags = &out_negotiate_flags;
++ a.in.credentials = &credentials3;
++ a.out.return_credentials = &credentials3;
++
++ creds = netlogon_creds_client_init(tctx, a.in.account_name,
++ a.in.computer_name,
++ a.in.secure_channel_type,
++ &credentials1, &credentials2,
++ mach_password, &credentials3,
++ in_negotiate_flags);
++
++ torture_assert(tctx, creds != NULL, "memory allocation");
++
++ torture_comment(tctx, "Testing ServerAuthenticate2\n");
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
++ "ServerAuthenticate2 failed");
++ torture_assert_ntstatus_equal(
++ tctx,
++ a.out.result,
++ NT_STATUS_ACCESS_DENIED,
++ "ServerAuthenticate2 unexpected");
++
++ return true;
++}
++
++static bool test_ServerReqChallenge_5_repeats(
++ struct torture_context *tctx,
++ struct dcerpc_pipe *p,
++ struct cli_credentials *credentials)
++{
++ struct netr_ServerReqChallenge r;
++ struct netr_Credential credentials1, credentials2, credentials3;
++ const char *machine_name;
++ struct dcerpc_binding_handle *b = p->binding_handle;
++ struct netr_ServerAuthenticate2 a;
++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t out_negotiate_flags = 0;
++ const struct samr_Password *mach_password = NULL;
++ enum netr_SchannelType sec_chan_type = 0;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ const char *account_name = NULL;
++
++ machine_name = cli_credentials_get_workstation(credentials);
++ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
++ account_name = cli_credentials_get_username(credentials);
++ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
++
++ torture_comment(tctx, "Testing ServerReqChallenge\n");
++
++ r.in.server_name = NULL;
++ r.in.computer_name = machine_name;
++ r.in.credentials = &credentials1;
++ r.out.return_credentials = &credentials2;
++
++ /*
++ * Set the first 5 bytes of the client challenge to the same value,
++ * this should fail CVE-2020-1472(ZeroLogon)
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
++ */
++ credentials1.data[0] = 'A';
++ credentials1.data[1] = 'A';
++ credentials1.data[2] = 'A';
++ credentials1.data[3] = 'A';
++ credentials1.data[4] = 'A';
++ credentials1.data[5] = 'B';
++ credentials1.data[6] = 'C';
++ credentials1.data[7] = 'D';
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
++ "ServerReqChallenge failed");
++ torture_assert_ntstatus_ok(
++ tctx,
++ r.out.result,
++ "ServerReqChallenge failed");
++ a.in.server_name = NULL;
++ a.in.account_name = account_name;
++ a.in.secure_channel_type = sec_chan_type;
++ a.in.computer_name = machine_name;
++ a.in.negotiate_flags = &in_negotiate_flags;
++ a.out.negotiate_flags = &out_negotiate_flags;
++ a.in.credentials = &credentials3;
++ a.out.return_credentials = &credentials3;
++
++ creds = netlogon_creds_client_init(tctx, a.in.account_name,
++ a.in.computer_name,
++ a.in.secure_channel_type,
++ &credentials1, &credentials2,
++ mach_password, &credentials3,
++ in_negotiate_flags);
++
++ torture_assert(tctx, creds != NULL, "memory allocation");
++
++ torture_comment(tctx, "Testing ServerAuthenticate2\n");
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
++ "ServerAuthenticate2 failed");
++ torture_assert_ntstatus_equal(
++ tctx,
++ a.out.result,
++ NT_STATUS_ACCESS_DENIED,
++ "ServerAuthenticate2 unexpected");
++
++ return true;
++}
++
++static bool test_ServerReqChallenge_4_repeats(
++ struct torture_context *tctx,
++ struct dcerpc_pipe *p,
++ struct cli_credentials *credentials)
++{
++ struct netr_ServerReqChallenge r;
++ struct netr_Credential credentials1, credentials2, credentials3;
++ const char *machine_name;
++ struct dcerpc_binding_handle *b = p->binding_handle;
++ struct netr_ServerAuthenticate2 a;
++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t out_negotiate_flags = 0;
++ const struct samr_Password *mach_password = NULL;
++ enum netr_SchannelType sec_chan_type = 0;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ const char *account_name = NULL;
++
++ machine_name = cli_credentials_get_workstation(credentials);
++ mach_password = cli_credentials_get_nt_hash(credentials, tctx);
++ account_name = cli_credentials_get_username(credentials);
++ sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
++
++ torture_comment(tctx, "Testing ServerReqChallenge\n");
++
++ r.in.server_name = NULL;
++ r.in.computer_name = machine_name;
++ r.in.credentials = &credentials1;
++ r.out.return_credentials = &credentials2;
++
++ /*
++ * Set the first 4 bytes of the client challenge to the same
++ * value, this should pass as 5 bytes identical are needed to
++ * fail for CVE-2020-1472(ZeroLogon)
++ *
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
++ */
++ credentials1.data[0] = 'A';
++ credentials1.data[1] = 'A';
++ credentials1.data[2] = 'A';
++ credentials1.data[3] = 'A';
++ credentials1.data[4] = 'B';
++ credentials1.data[5] = 'C';
++ credentials1.data[6] = 'D';
++ credentials1.data[7] = 'E';
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
++ "ServerReqChallenge failed");
++ torture_assert_ntstatus_ok(
++ tctx,
++ r.out.result,
++ "ServerReqChallenge failed");
++ a.in.server_name = NULL;
++ a.in.account_name = account_name;
++ a.in.secure_channel_type = sec_chan_type;
++ a.in.computer_name = machine_name;
++ a.in.negotiate_flags = &in_negotiate_flags;
++ a.out.negotiate_flags = &out_negotiate_flags;
++ a.in.credentials = &credentials3;
++ a.out.return_credentials = &credentials3;
++
++ creds = netlogon_creds_client_init(tctx, a.in.account_name,
++ a.in.computer_name,
++ a.in.secure_channel_type,
++ &credentials1, &credentials2,
++ mach_password, &credentials3,
++ in_negotiate_flags);
++
++ torture_assert(tctx, creds != NULL, "memory allocation");
++
++ torture_comment(tctx, "Testing ServerAuthenticate2\n");
++
++ torture_assert_ntstatus_ok(
++ tctx,
++ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
++ "ServerAuthenticate2 failed");
++ torture_assert_ntstatus_equal(
++ tctx,
++ a.out.result,
++ NT_STATUS_OK,
++ "ServerAuthenticate2 unexpected");
++
++ return true;
++}
++
+ /*
+ try a change password for our machine account
+ */
+@@ -4949,6 +5268,22 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
+ torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon);
+ torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade);
+
++ torture_rpc_tcase_add_test_creds(
++ tcase,
++ "ServerReqChallenge",
++ test_ServerReqChallenge);
++ torture_rpc_tcase_add_test_creds(
++ tcase,
++ "ServerReqChallenge_zero_challenge",
++ test_ServerReqChallenge_zero_challenge);
++ torture_rpc_tcase_add_test_creds(
++ tcase,
++ "ServerReqChallenge_5_repeats",
++ test_ServerReqChallenge_5_repeats);
++ torture_rpc_tcase_add_test_creds(
++ tcase,
++ "ServerReqChallenge_4_repeats",
++ test_ServerReqChallenge_4_repeats);
+ return suite;
+ }
+
+--
+2.28.0
+
+
+From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 10 Jul 2020 15:09:33 -0700
+Subject: [PATCH 26/38] s4: torture: Add smb2.notify.handle-permissions test.
+
+Add knownfail entry.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit f100bd2f2e4f047942002a992c99104227a17f81)
+---
+ .../smb2_notify_handle_permissions | 2 +
+ source4/torture/smb2/notify.c | 80 +++++++++++++++++++
+ 2 files changed, 82 insertions(+)
+ create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
+
+diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
+new file mode 100644
+index 00000000000..c0ec8fc8153
+--- /dev/null
++++ b/selftest/knownfail.d/smb2_notify_handle_permissions
+@@ -0,0 +1,2 @@
++^samba3.smb2.notify.handle-permissions
++
+diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
+index ebb4f8a4f8e..b017491c8fb 100644
+--- a/source4/torture/smb2/notify.c
++++ b/source4/torture/smb2/notify.c
+@@ -2569,6 +2569,83 @@ done:
+ return ok;
+ }
+
++/*
++ Test asking for a change notify on a handle without permissions.
++*/
++
++#define BASEDIR_HPERM BASEDIR "_HPERM"
++
++static bool torture_smb2_notify_handle_permissions(
++ struct torture_context *torture,
++ struct smb2_tree *tree)
++{
++ bool ret = true;
++ NTSTATUS status;
++ union smb_notify notify;
++ union smb_open io;
++ struct smb2_handle h1 = {{0}};
++ struct smb2_request *req;
++
++ smb2_deltree(tree, BASEDIR_HPERM);
++ smb2_util_rmdir(tree, BASEDIR_HPERM);
++
++ torture_comment(torture,
++ "TESTING CHANGE NOTIFY "
++ "ON A HANDLE WITHOUT PERMISSIONS\n");
++
++ /*
++ get a handle on the directory
++ */
++ ZERO_STRUCT(io.smb2);
++ io.generic.level = RAW_OPEN_SMB2;
++ io.smb2.in.create_flags = 0;
++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++ NTCREATEX_SHARE_ACCESS_WRITE;
++ io.smb2.in.alloc_size = 0;
++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
++ io.smb2.in.security_flags = 0;
++ io.smb2.in.fname = BASEDIR_HPERM;
++
++ status = smb2_create(tree, torture, &io.smb2);
++ CHECK_STATUS(status, NT_STATUS_OK);
++ h1 = io.smb2.out.file.handle;
++
++ /* ask for a change notify,
++ on file or directory name changes */
++ ZERO_STRUCT(notify.smb2);
++ notify.smb2.level = RAW_NOTIFY_SMB2;
++ notify.smb2.in.buffer_size = 1000;
++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
++ notify.smb2.in.file.handle = h1;
++ notify.smb2.in.recursive = true;
++
++ req = smb2_notify_send(tree, ¬ify.smb2);
++ torture_assert_goto(torture,
++ req != NULL,
++ ret,
++ done,
++ "smb2_notify_send failed\n");
++
++ /*
++ * Cancel it, we don't really want to wait.
++ */
++ smb2_cancel(req);
++ status = smb2_notify_recv(req, torture, ¬ify.smb2);
++ /* Handle h1 doesn't have permissions for ChangeNotify. */
++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
++
++done:
++ if (!smb2_util_handle_empty(h1)) {
++ smb2_util_close(tree, h1);
++ }
++ smb2_deltree(tree, BASEDIR_HPERM);
++ return ret;
++}
++
+ /*
+ basic testing of SMB2 change notify
+ */
+@@ -2602,6 +2679,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
+ torture_smb2_notify_rmdir3);
+ torture_suite_add_2smb2_test(suite, "rmdir4",
+ torture_smb2_notify_rmdir4);
++ torture_suite_add_1smb2_test(suite,
++ "handle-permissions",
++ torture_smb2_notify_handle_permissions);
+
+ suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
+
+--
+2.28.0
+
+
+From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 7 Jul 2020 18:25:23 -0700
+Subject: [PATCH 27/38] s3: smbd: Ensure change notifies can't get set unless
+ the directory handle is open for SEC_DIR_LIST.
+
+Remove knownfail entry.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit f43ecce46a89c6380317fbb5f2ae38f48d3d42c8)
+---
+ selftest/knownfail.d/smb2_notify_handle_permissions | 2 --
+ source3/smbd/notify.c | 8 ++++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
+
+diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
+deleted file mode 100644
+index c0ec8fc8153..00000000000
+--- a/selftest/knownfail.d/smb2_notify_handle_permissions
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.smb2.notify.handle-permissions
+-
+diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
+index 44c0b09432e..d23c03bce41 100644
+--- a/source3/smbd/notify.c
++++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
+ char fullpath[len+1];
+ NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+
++ /*
++ * Setting a changenotify needs READ/LIST access
++ * on the directory handle.
++ */
++ if (!(fsp->access_mask & SEC_DIR_LIST)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (fsp->notify != NULL) {
+ DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+ "fname = %s\n", fsp->fsp_name->base_name));
+--
+2.28.0
+
+
+From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Thu, 9 Jul 2020 21:49:25 +0200
+Subject: [PATCH 28/38] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
+
+A lookupsids request without extra_data will lead to "state->domain==NULL",
+which makes winbindd_lookupsids_recv trying to dereference it.
+
+Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
+Signed-off-by: Volker Lendecke <vl@samba.org>
+(cherry picked from commit f17967ad73e9c1d2bd6e0b7c181f08079d2a8214)
+---
+ source3/winbindd/winbindd_lookupsids.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
+index d28b5fa9f01..a289fd86f0f 100644
+--- a/source3/winbindd/winbindd_lookupsids.c
++++ b/source3/winbindd/winbindd_lookupsids.c
+@@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
+ DEBUG(3, ("lookupsids\n"));
+
+ if (request->extra_len == 0) {
+- tevent_req_done(req);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+--
+2.28.0
+
+
+From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Thu, 9 Jul 2020 21:48:57 +0200
+Subject: [PATCH 29/38] CVE-2020-14323 torture4: Add a simple test for invalid
+ lookup_sids winbind call
+
+We can't add this test before the fix, add it to knownfail and have the fix
+remove the knownfail entry again. As this crashes winbind, many tests after
+this one will fail.
+
+Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
+Signed-off-by: Volker Lendecke <vl@samba.org>
+(cherry picked from commit d0ca2a63aaedf123205337aaa211426175ffcebf)
+---
+ source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
+index 9745b621ca9..71f248c0d61 100644
+--- a/source4/torture/winbind/struct_based.c
++++ b/source4/torture/winbind/struct_based.c
+@@ -1110,6 +1110,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu
+ return true;
+ }
+
++static bool torture_winbind_struct_lookup_sids_invalid(
++ struct torture_context *torture)
++{
++ struct winbindd_request req = {0};
++ struct winbindd_response rep = {0};
++ bool strict = torture_setting_bool(torture, "strict mode", false);
++ bool ok;
++
++ torture_comment(torture,
++ "Running WINBINDD_LOOKUP_SIDS (struct based)\n");
++
++ ok = true;
++ DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep,
++ NSS_STATUS_NOTFOUND,
++ strict,
++ ok=false,
++ talloc_asprintf(
++ torture,
++ "invalid lookupsids succeeded"));
++
++ return ok;
++}
++
+ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
+ {
+ struct torture_suite *suite = torture_suite_create(ctx, "struct");
+@@ -1132,6 +1155,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
+ torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent);
+ torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent);
+ torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid);
++ torture_suite_add_simple_test(
++ suite,
++ "lookup_sids_invalid",
++ torture_winbind_struct_lookup_sids_invalid);
+
+ suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
+
+--
+2.28.0
+
+
+From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
+From: Laurent Menase <laurent.menase@hpe.com>
+Date: Wed, 20 May 2020 12:31:53 +0200
+Subject: [PATCH 30/38] winbind: Fix a memleak
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
+Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Noel Power <noel.power@suse.com>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Mon Sep 14 13:33:13 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 8f868b0ea0b4795668f7bc0b028cd85686b249fb)
+---
+ source3/winbindd/winbindd_ads.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 556b4523866..325ba1abd82 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -405,6 +405,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ DBG_NOTICE("ads query_user_list gave %d entries\n", count);
+
+ done:
++ ads_msgfree(ads, res);
+ return status;
+ }
+
+--
+2.28.0
+
+
+From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 17 Aug 2020 13:39:58 +0200
+Subject: [PATCH 31/38] s3:tests: Add test for 'valid users = DOMAIN\%U'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 53b6dd951249052772e1ffcf651b7efd0963b931)
+(cherry picked from commit 20d3cf455c631c6cea6d471333779cc15d0e8d8a)
+---
+ selftest/knownfail.d/samba3.substiutions | 1 +
+ selftest/target/Samba3.pm | 4 ++++
+ source3/script/tests/test_substitutions.sh | 5 +++++
+ 3 files changed, 10 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.substiutions
+
+diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
+new file mode 100644
+index 00000000000..f116d3b2fcf
+--- /dev/null
++++ b/selftest/knownfail.d/samba3.substiutions
+@@ -0,0 +1 @@
++^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 75960dbc790..9e4da0e6a08 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -423,6 +423,10 @@ sub setup_ad_member
+ path = $share_dir/D_%D/u_%u/g_%g
+ writeable = yes
+
++[sub_valid_users]
++ path = $share_dir
++ valid users = ADDOMAIN/%U
++
+ ";
+
+ my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
+diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
+index 1a46f11c85d..c813a8f9def 100755
+--- a/source3/script/tests/test_substitutions.sh
++++ b/source3/script/tests/test_substitutions.sh
+@@ -34,4 +34,9 @@ SMB_UNC="//$SERVER/sub_dug2"
+ test_smbclient "Test login to share with substitution (Dug)" \
+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
++SMB_UNC="//$SERVER/sub_valid_users"
++
++test_smbclient "Test login to share with substitution for valid users" \
++ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
++
+ exit $failed
+--
+2.28.0
+
+
+From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 17 Aug 2020 14:12:48 +0200
+Subject: [PATCH 32/38] s3:smbd: Fix %U substitutions if it contains a domain
+ name
+
+'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
+version.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 5de7c91e6d4e98f438157a7675c8582cabdd828d)
+(cherry picked from commit 60ddb7b20071b00f0cd7f1cb818022220eb0c279)
+---
+ selftest/knownfail.d/samba3.substiutions | 1 -
+ source3/smbd/share_access.c | 18 +++++++++++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba3.substiutions
+
+diff --git a/selftest/knownfail.d/samba3.substiutions b/selftest/knownfail.d/samba3.substiutions
+deleted file mode 100644
+index f116d3b2fcf..00000000000
+--- a/selftest/knownfail.d/samba3.substiutions
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.substitutions.Test.login.to.share.with.substitution.for.valid.users
+diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
+index 3cbf7f318a2..0705e197975 100644
+--- a/source3/smbd/share_access.c
++++ b/source3/smbd/share_access.c
+@@ -79,7 +79,23 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
+ enum lsa_SidType type;
+
+ if (username != NULL) {
+- name = talloc_sub_basic(mem_ctx, username, domain, name);
++ size_t domain_len = strlen(domain);
++
++ /* Check if username starts with domain name */
++ if (domain_len > 0) {
++ const char *sep = lp_winbind_separator();
++ int cmp = strncasecmp_m(username, domain, domain_len);
++ if (cmp == 0 && sep[0] == username[domain_len]) {
++ /* Move after the winbind separator */
++ domain_len += 1;
++ } else {
++ domain_len = 0;
++ }
++ }
++ name = talloc_sub_basic(mem_ctx,
++ username + domain_len,
++ domain,
++ name);
+ }
+ if (sharename != NULL) {
+ name = talloc_string_sub(mem_ctx, name, "%S", sharename);
+--
+2.28.0
+
+
+From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Jul 2020 11:48:26 +0200
+Subject: [PATCH 33/38] docs: Fix documentation for require_membership_of of
+ pam_winbind
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
+---
+ docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
+index a9a227f1647..a61fb2d58e5 100644
+--- a/docs-xml/manpages/pam_winbind.8.xml
++++ b/docs-xml/manpages/pam_winbind.8.xml
+@@ -84,9 +84,11 @@
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
+- <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
+- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+- user is a member of with <command>wbinfo --user-sids=SID</command>.
++ <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
++ <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
++ <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
++ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++ verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
+ </para>
+
+ <para>
+--
+2.28.0
+
+
+From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 17 Jul 2020 12:14:16 +0200
+Subject: [PATCH 34/38] docs: Fix documentation for require_membership_of of
+ pam_winbind.conf
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Isaac Boukris <iboukris@samba.org>
+(cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)
+---
+ docs-xml/manpages/pam_winbind.conf.5.xml | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
+index fcac1ee7036..d81a0bd6eba 100644
+--- a/docs-xml/manpages/pam_winbind.conf.5.xml
++++ b/docs-xml/manpages/pam_winbind.conf.5.xml
+@@ -69,9 +69,12 @@
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
+- <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
+- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+- user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
++ <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
++ <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
++ <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
++ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++ verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
++ This setting is empty by default.
+ </para>
+ <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
+ </listitem>
+--
+2.28.0
+
+
+From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 21:05:07 +0300
-Subject: [PATCH 08/11] Fix a typo in recent net man page changes
+Subject: [PATCH 35/38] Fix a typo in recent net man page changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 4e51e832176a99f2a841c7a0d78fb0424f02956e)
---
docs-xml/manpages/net.8.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -824,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644
</para>
--
-2.25.4
+2.28.0
-From 2741058ea556296869d8895eb4adc30a07ecd59a Mon Sep 17 00:00:00 2001
+From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 16 Jun 2020 22:01:49 +0300
-Subject: [PATCH 09/11] selftest: add tests for binary
+Subject: [PATCH 36/38] selftest: add tests for binary
msDS-AdditionalDnsHostName
Like the short names added implicitly by Windows DC.
@@ -839,6 +3173,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 4605d7aec5caf494a23f2c9800d6689f710ffbce)
---
selftest/knownfail.d/binary_addl_hostname | 3 +++
testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++
@@ -901,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755
rm -f $dedicated_keytab_file
--
-2.25.4
+2.28.0
-From 8fc75d1992a2b736c14e8d6b76c04e8227757971 Mon Sep 17 00:00:00 2001
+From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 16:51:27 +0300
-Subject: [PATCH 10/11] Properly handle msDS-AdditionalDnsHostName returned
+Subject: [PATCH 37/38] Properly handle msDS-AdditionalDnsHostName returned
from Windows DC
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
@@ -918,6 +3253,11 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
+Autobuild-Date(master): Thu Jun 18 16:43:47 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 9a447fb7e0701bf8b2fd922aed44d89f40420251)
---
selftest/knownfail.d/binary_addl_hostname | 3 --
source3/libads/ldap.c | 38 +++++++++++++++++++++--
@@ -990,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644
DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
machine_name));
--
-2.25.4
+2.28.0
-From 05dc94412f1f9809a3c84f4335c157258ee31273 Mon Sep 17 00:00:00 2001
+From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 20 Jun 2020 17:17:33 +0200
-Subject: [PATCH 11/11] Fix usage of ldap_get_values_len for
+Subject: [PATCH 38/38] Fix usage of ldap_get_values_len for
msDS-AdditionalDnsHostName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
@@ -1006,6 +3346,8 @@ Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
+
+(cherry picked from commit f9dd67355ba35539d7ae1774d5135fd05d747b3f)
---
source3/libads/ldap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
@@ -1030,5 +3372,5 @@ index 2684bba63ec..d1ce9cee2f0 100644
return NULL;
}
--
-2.25.4
+2.28.0
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 0218fed..1def443 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 7
+%define main_release 9
%define samba_version 4.10.16
%define talloc_version 2.1.16
@@ -88,7 +88,8 @@
%global with_clustering_support 1
%endif
-%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%define __python %{__python2}
+%{!?python_sitearch: %define python_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
@@ -1214,8 +1215,7 @@ fi
%systemd_preun winbind.service
%postun winbind
-%systemd_postun_with_restart smb.service
-%systemd_postun_with_restart nmb.service
+%systemd_postun_with_restart winbind.service
%postun winbind-krb5-locator
if [ "$1" -ge "1" ]; then
@@ -3299,6 +3299,19 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
+* Fri Nov 06 2020 Andreas Schneider <asn@redhat.com> - 4.10.17-9
+- related: #1853272 - Add back missing patch hunks
+
+* Mon Nov 02 2020 Andreas Schneider <asn@redhat.com> - 4.10.16-8
+- resolves: #1878205 - Fix restarting winbind on package upgrade
+- resolves: #1892632 - Fix CVE-2020-14318
+- resolves: #1891687 - Fix CVE-2020-14323
+- resolves: #1879834 - Fix CVE-2020-1472
+- resolves: #1892313 - Fix memory leak in winbindd (wbinfo -u)
+- resolves: #1868917 - Fix %U substitution for 'valid users' option
+- resolves: #1853272 - Fix 'require_membership_of' documentation in
+ pam_winbind{.conf} manpage
+
* Tue Jul 21 2020 Isaac Boukris <iboukris@redhat.com> - 4.10.16-7
- related: #1852812 - trigger a rebuild to get the right tag