CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and...
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2022 13:59:36 +0000 (14:59 +0100)
committerPavel Filipenský <pfilipensky@samba.org>
Wed, 18 Jan 2023 12:00:52 +0000 (13:00 +0100)
This avoids advising insecure defaults for the global options.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(backported from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)

source3/winbindd/winbindd_cm.c

index 0e671ca22be9019afbaa95dbe805929298d4a9f2..c052dfedefaac60aa40dd5f6f2b1f66ea329b19e 100644 (file)
@@ -2725,6 +2725,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        struct netlogon_creds_cli_context *p_creds;
        struct cli_credentials *creds = NULL;
        bool retry = false; /* allow one retry attempt for expired session */
+       bool sealed_pipes = true;
+       bool strong_key = true;
 
        if (sid_check_is_our_sam(&domain->sid)) {
                if (domain->rodc == false || need_rw_dc == false) {
@@ -2898,14 +2900,24 @@ retry:
 
  anonymous:
 
+       sealed_pipes = lp_winbind_sealed_pipes();
+       sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+                                   domain->name,
+                                   sealed_pipes);
+       strong_key = lp_require_strong_key();
+       strong_key = lp_parm_bool(-1, "require strong key",
+                                 domain->name,
+                                 strong_key);
+
        /* Finally fall back to anonymous. */
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       if (sealed_pipes || strong_key) {
                status = NT_STATUS_DOWNGRADE_DETECTED;
                DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
                          "without connection level security, "
-                         "must set 'winbind sealed pipes = false' and "
-                         "'require strong key = false' to proceed: %s\n",
-                         domain->name, nt_errstr(status)));
+                         "must set 'winbind sealed pipes:%s = false' and "
+                         "'require strong key:%s = false' to proceed: %s\n",
+                         domain->name, domain->name, domain->name,
+                         nt_errstr(status)));
                goto done;
        }
        status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
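Review bot: The eight lines that derive sealed_pipes and strong_key from the global option and then the per-domain parametric override are duplicated verbatim in this hunk and in the cm_connect_lsa hunk below (the second hunk of that function); the two copies will drift the next time the policy changes. A small static helper that takes the domain and returns whether a connection without connection-level security is acceptable would keep both call sites to one line, and the two-step assignment can collapse into a single lp_parm_bool() call per option because the global value is only used as the default. The helper is also the natural place for a comment stating that the "winbind sealed pipes:DOMAIN" / "require strong key:DOMAIN" forms override the global setting for that one domain, which is the point the DEBUG message now advertises. cm_connect_sam starts outside this hunk, so the helper would need to be placed above it.
```c
/* Per-domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
 * parametric options override the global settings; each defaults to the
 * global value when not set for this domain. */
static bool cm_domain_requires_secure_pipe(const struct winbindd_domain *domain)
{
	bool sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
					 domain->name,
					 lp_winbind_sealed_pipes());
	bool strong_key = lp_parm_bool(-1, "require strong key",
				       domain->name,
				       lp_require_strong_key());
	return sealed_pipes || strong_key;
}

/* … unchanged: cm_connect_sam up to the anonymous: label … */
	/* Finally fall back to anonymous. */
	if (cm_domain_requires_secure_pipe(domain)) {
		/* … unchanged: NT_STATUS_DOWNGRADE_DETECTED, DEBUG, goto done … */
```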
@@ -3052,6 +3064,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        struct netlogon_creds_cli_context *p_creds;
        struct cli_credentials *creds = NULL;
        bool retry = false; /* allow one retry attempt for expired session */
+       bool sealed_pipes = true;
+       bool strong_key = true;
 
 retry:
        result = init_dc_connection_rpc(domain, false);
@@ -3207,13 +3221,24 @@ retry:
                goto done;
        }
 
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       sealed_pipes = lp_winbind_sealed_pipes();
+       sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+                                   domain->name,
+                                   sealed_pipes);
+       strong_key = lp_require_strong_key();
+       strong_key = lp_parm_bool(-1, "require strong key",
+                                 domain->name,
+                                 strong_key);
+
+       /* Finally fall back to anonymous. */
+       if (sealed_pipes || strong_key) {
                result = NT_STATUS_DOWNGRADE_DETECTED;
                DEBUG(1, ("Unwilling to make LSA connection to domain %s "
                          "without connection level security, "
-                         "must set 'winbind sealed pipes = false' and "
-                         "'require strong key = false' to proceed: %s\n",
-                         domain->name, nt_errstr(result)));
+                         "must set 'winbind sealed pipes:%s = false' and "
+                         "'require strong key:%s = false' to proceed: %s\n",
+                         domain->name, domain->name, domain->name,
+                         nt_errstr(result)));
                goto done;
        }