s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilit...
author Stefan Metzmacher <metze@samba.org>
Sat, 15 Jul 2023 14:11:48 +0000 (16:11 +0200)
committer Jule Anger <janger@samba.org>
Mon, 17 Jul 2023 08:28:47 +0000 (10:28 +0200)

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA,
which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)

selftest/knownfail.d/netr_LogonGetCapabilities
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 30aadf3bb9d5420d1d69f3c634036556ec1ac72a..99c7ac711edec2f0ad863bda039e1bc827778e5b 100644 (file)
@@ -1,3 +1 @@
 ^samba3.rpc.schannel.*\.schannel\(nt4_dc
-^samba3.rpc.schannel.*\.schannel\(ad_dc
-^samba4.rpc.schannel.*\.schannel\(ad_dc
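
Review bot: The one entry left in the knownfail file, the samba3.rpc.schannel pattern for nt4_dc, is not explained anywhere in the commit message. Since this change only touches source4/rpc_server/netlogon/dcerpc_netlogon.c, the message should say why the test still fails against nt4_dc and whether a follow-up is expected to clear it, so the entry does not linger as an unexplained knownfail.
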
index 6a3e044eb9dabe845379c801b98ab74ec4ebd822..26be4f5675134a0604519e7f6773ea30ca4685f0 100644 (file)
@@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
        struct netlogon_creds_CredentialState *creds;
        NTSTATUS status;
 
+       switch (r->in.query_level) {
+       case 1:
+               break;
+       case 2:
+               /*
+                * Until we know the details behind KB5028166
+                * just return DCERPC_NCA_S_FAULT_INVALID_TAG
+                * like an unpatched Windows Server.
+                */
+               FALL_THROUGH;
+       default:
+               /*
+                * There would not be a way to marshall the
+                * the response. Which would mean our final
+                * ndr_push would fail an we would return
+                * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
+                *
+                * But it's important to match a Windows server
+                * especially before KB5028166, see also our bug #15418
+                * Otherwise Windows client would stop talking to us.
+                */
+               DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+       }
+
        status = dcesrv_netr_creds_server_step_check(dce_call,
                                                     mem_ctx,
                                                     r->in.computer_name,
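
Review bot: The new switch on r->in.query_level sits before dcesrv_netr_creds_server_step_check(), so a request with any level other than 1 now gets DCERPC_NCA_S_FAULT_INVALID_TAG without its authenticator being checked and without the credential state being stepped. The comment in the default branch explains why the fault code matters but not why the check moved ahead of the credential step; please state that the ordering is intentional, so a later cleanup does not move the switch back below the step check. While editing that comment, fix "the the response" and "would fail an we".
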
@@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
        }
        NT_STATUS_NOT_OK_RETURN(status);
 
-       if (r->in.query_level != 1) {
-               return NT_STATUS_NOT_SUPPORTED;
-       }
-
        r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
        return NT_STATUS_OK;
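
Review bot: With the "query_level != 1" check removed here, the assignment to r->out.capabilities->server_capabilities depends entirely on the switch at the top of the function having rejected every other level. A one-line comment above the assignment saying that only level 1 can reach this point would keep a later edit to that switch (for example, real level 2 support) from silently writing server_capabilities for a level that should not carry it.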