Netlogon client stops using SecureRPC after RPC call error
If the netlogon service gets an error trying to connect to a DC,
it zeros out the netr_info in that service, which holds state including
the security options (e.g. whether to use SecureRPC), and therefore
accidentally stops using SecureRPC on the reconnect: the next RPC bind to the
DC no longer carries NetLogon secure channel auth, and a DC that requires it rejects the logon.
Updated by Gordon Ross 2 months ago
- Status changed from New to In Progress
Integrate this commit from github/Nexenta
commit 915fa9178dcd903daad5b65b3cd5a4926ab54f7e
Author: Matt Barden <firstname.lastname@example.org>
Date: Mon May 24 20:47:24 2021 -0400

    FIR-1847 Netlogon client stops using SecureRPC after RPC call error
    Reviewed by: Prashanth Badari <email@example.com>
    Reviewed by: Gordon Ross <firstname.lastname@example.org>

 23  7 usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c
 18  9 usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
Updated by Gordon Ross 18 days ago
Testing this requires a domain setup, which I don't have where I'm doing this work.
(To test, one must temporarily take the AD servers offline and watch smbd.)
This code is now identical to what was tested at Nexenta/Tintri and later RackTop.
I hope that's sufficient.
Tests like smbtorture don't exercise the affected code, so I didn't bother.
Updated by Gordon Ross 17 days ago
Requires an AD server that restricts NetLogon RPC to require signing, as described in:
#13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
Connect to the server using //IPADDR/share with an SMB client using a domain account.
Find the address of the AD server, using:
Kill the connection to the AD server using this utility:
.../abort_conn -p 445 AD_SERVER_IP
Disconnect the SMB client (unmap the share, "net use * ... /del"); make sure the client connection is gone.
Attempt to logon from that SMB client again, using a domain account.
One may want to take a capture of traffic using tcp.port==445 and examine it afterwards with Wireshark.
The reconnect to the AD server should show the RPC bind using "Auth info", type "NetLogon secure channel".
Before this fix, the next logon fails in smbd:netr_server_samlogon,
(smbd:authsvc fails to reconnect to the AD server and the client fails to authenticate)
After the fix, the SMB client successfully authenticates
(smbd:auth_service reconnects to the AD server and the client is authenticated)
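The capture check in the procedure above (a reconnect whose RPC bind carries "Auth info" of type "NetLogon secure channel") can be scripted instead of eyeballed in Wireshark. The following is an added example, not code from illumos or from the commit under discussion: it decodes the auth trailer of a DCE/RPC bind PDU and reports the auth type (68 is RPC_C_AUTHN_NETLOGON, the secure channel) and, for NetLogon, the NL_AUTH_MESSAGE negotiate request. The two sample PDUs, the domain name EXAMPLE and the computer name FILER01 are constructed for the example; only the NetBIOS-name flags (0x1, 0x2) of NL_AUTH_MESSAGE are decoded.

```python
"""Decode the auth trailer of a DCE/RPC bind PDU to check whether a netlogon
client's reconnect bound with the NetLogon secure channel (auth type 68)."""
import struct
import uuid

# RPC_C_AUTHN_* values (DCE/RPC, MS-RPCE)
AUTH_TYPE_NAMES = {0: "none", 9: "SPNEGO", 10: "NTLMSSP", 16: "Kerberos",
                   68: "NetLogon secure channel"}
NETLOGON_SECURE_CHANNEL = 68
PTYPE_BIND = 11
NETLOGON_IF_UUID = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# NL_AUTH_MESSAGE (MS-NRPC): message type and the two NetBIOS-name flags
NL_NEGOTIATE_REQUEST = 0
NL_FLAG_NB_DOMAIN = 0x1
NL_FLAG_NB_COMPUTER = 0x2


def parse_nl_auth_message(buf: bytes) -> dict:
    """Decode an NL_NEGOTIATE_REQUEST; only the OEM NetBIOS names are handled."""
    msg_type, flags = struct.unpack_from("<II", buf, 0)
    if msg_type != NL_NEGOTIATE_REQUEST:
        raise ValueError("unexpected NL_AUTH_MESSAGE type %d" % msg_type)
    names = buf[8:].split(b"\x00")          # null-terminated OEM strings, in flag order
    out = {"flags": flags}
    i = 0
    if flags & NL_FLAG_NB_DOMAIN:
        out["domain"] = names[i].decode("ascii"); i += 1
    if flags & NL_FLAG_NB_COMPUTER:
        out["computer"] = names[i].decode("ascii"); i += 1
    return out


def parse_bind(pdu: bytes) -> dict:
    """Parse the 16-byte common header, the first presentation context and the
    optional auth trailer of a bind PDU (little-endian data representation)."""
    if len(pdu) < 28:
        raise ValueError("short PDU")
    ver, _minor, ptype, _flags = pdu[0:4]
    drep = pdu[4:8]
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then contexts
    off = 28                                  # first context element
    if_uuid = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
    if_ver = struct.unpack_from("<I", pdu, off + 20)[0]
    info = {"call_id": call_id, "interface": if_uuid,
            "interface_version": if_ver & 0xFFFF,   # major version in the low 16 bits
            "auth_type": 0, "auth_level": 0, "auth_type_name": "none"}
    if auth_len == 0:
        return info                           # no auth trailer: an unauthenticated bind
    # auth trailer = 8-byte auth_verifier_co header + auth_len bytes, at the end of the frag
    trailer_off = frag_len - auth_len - 8
    if trailer_off < off:
        raise ValueError("auth trailer overlaps bind body")
    auth_type, auth_level, _pad, _rsvd, _ctx = struct.unpack_from("<BBBBI", pdu, trailer_off)
    auth_value = pdu[trailer_off + 8:trailer_off + 8 + auth_len]
    info.update(auth_type=auth_type, auth_level=auth_level,
                auth_type_name=AUTH_TYPE_NAMES.get(auth_type, "unknown(%d)" % auth_type))
    if auth_type == NETLOGON_SECURE_CHANNEL:
        info["netlogon"] = parse_nl_auth_message(auth_value)
    return info


def bind_uses_secure_channel(pdu: bytes) -> bool:
    """True when this is a netlogon-interface bind carrying NetLogon secure channel auth."""
    info = parse_bind(pdu)
    return info["interface"] == NETLOGON_IF_UUID and info["auth_type"] == NETLOGON_SECURE_CHANNEL


def build_bind(if_uuid, if_ver, auth_type=0, auth_level=0, auth_value=b"", call_id=1):
    """Construct a minimal bind PDU (one context, NDR32 transfer syntax) for testing."""
    body = struct.pack("<HHI", 4280, 4280, 0)             # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)                  # one context element + padding
    body += struct.pack("<HBB", 0, 1, 0)                  # ctx id 0, one transfer syntax
    body += if_uuid.bytes_le + struct.pack("<I", if_ver)
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)
    trailer = b""
    if auth_type:
        pad = (-len(body)) % 4                            # trailer is 4-byte aligned
        body += b"\x00" * pad
        trailer = struct.pack("<BBBBI", auth_type, auth_level, pad, 0, 0) + auth_value
    frag_len = 16 + len(body) + len(trailer)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      frag_len, len(auth_value), call_id)
    return hdr + body + trailer


def nl_auth_message(domain: str, computer: str) -> bytes:
    return (struct.pack("<II", NL_NEGOTIATE_REQUEST, NL_FLAG_NB_DOMAIN | NL_FLAG_NB_COMPUTER)
            + domain.encode("ascii") + b"\x00" + computer.encode("ascii") + b"\x00")


# Constructed samples (not real captures). PLAIN_BIND is the shape of the buggy
# reconnect (no auth trailer); SECURE_BIND is what a correct reconnect looks like
# (auth type 68, level 6 = packet privacy).
PLAIN_BIND = build_bind(NETLOGON_IF_UUID, 1)
SECURE_BIND = build_bind(NETLOGON_IF_UUID, 1, auth_type=NETLOGON_SECURE_CHANNEL,
                         auth_level=6, auth_value=nl_auth_message("EXAMPLE", "FILER01"))

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN_BIND), ("secure", SECURE_BIND)):
        print(name, parse_bind(pdu), bind_uses_secure_channel(pdu))
```

Feed it the raw bind PDU bytes of the reconnect from the tcp.port==445 capture (the payload of the SMB2 WRITE to the netlogon named pipe); in Wireshark the equivalent check is a display filter on the DCE/RPC auth type of the bind, with 68 being the value the fixed client should show.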
Updated by Electric Monk 17 days ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit c585f97b10d318e825698eb51d4671fef5b4d21f
Author: Matt Barden <email@example.com>
Date: 2022-09-18T15:07:42.000Z

    14870 Netlogon client stops using SecureRPC after RPC call error
    Reviewed by: Prashanth Badari <firstname.lastname@example.org>
    Reviewed by: Gordon Ross <email@example.com>
    Approved by: Patrick Mooney <firstname.lastname@example.org>