s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilit...

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224

diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
deleted file mode 100644 (file)
index 99c7ac7..0000000
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.rpc.schannel.*\.schannel\(nt4_dc

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 3ba58e61206f32b4b07a10ca6ee7b935867b7a74..e8aa14167fc43be116ef507465b9674a27a81c16 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
        struct netlogon_creds_CredentialState *creds;
        NTSTATUS status;
 
+       switch (r->in.query_level) {
+       case 1:
+               break;
+       case 2:
+               /*
+                * Until we know the details behind KB5028166
+                * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+                * like an unpatched Windows Server.
+                */
+               FALL_THROUGH;
+       default:
+               /*
+                * There would not be a way to marshall the
+                * the response. Which would mean our final
+                * ndr_push would fail an we would return
+                * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+                *
+                * But it's important to match a Windows server
+                * especially before KB5028166, see also our bug #15418
+                * Otherwise Windows client would stop talking to us.
+                */
+               p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
        become_root();
        status = dcesrv_netr_creds_server_step_check(p->dce_call,
                                                p->mem_ctx,
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
                return status;
        }
 
-       if (r->in.query_level != 1) {
-               return NT_STATUS_NOT_SUPPORTED;
-       }
-
        r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
        return NT_STATUS_OK;