Bug #14870

Netlogon client stops using SecureRPC after RPC call error

Added by Gordon Ross 2 months ago. Updated 14 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
cifs - CIFS server and client
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:
External Bug:
racktop:BSR-9840

Description

If the netlogon service gets an error trying to connect to a DC,
it zeros out the netr_info in that service which holds state including
the security options (e.g. whether to use SecureRPC) and therefore
accidentally stops using SecureRPC.
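A toy model of the failure mode described above, added here as an example; it is not the illumos smbsrv code and does not reproduce the netr_info layout. The struct, flag names (dc_session, SESS_SECURE_RPC, SESS_CONNECTED) and the two reset routines are assumptions made for the illustration; the only real constants are the DCE RPC auth type values RPC_C_AUTHN_NONE (0) and RPC_C_AUTHN_NETLOGON (68), the latter being what Wireshark labels "NetLogon secure channel". The buggy path clears the whole state block on error, so the configured "require SecureRPC" bit goes with it and the reconnect binds unauthenticated; the fixed path preserves configuration and clears only runtime state.

```c
/*
 * Added example, not illumos/smbsrv code: how wiping a state block that
 * mixes configuration and runtime state silently downgrades the next
 * RPC bind.  Names are made up for this illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPC_C_AUTHN_NONE      0   /* DCE RPC: no auth trailer on the bind */
#define RPC_C_AUTHN_NETLOGON  68  /* DCE RPC: "NetLogon secure channel" */

#define SESS_SECURE_RPC   0x0001  /* configuration: require SecureRPC */
#define SESS_CONNECTED    0x0002  /* runtime: channel to the DC is up */

struct dc_session {                 /* hypothetical netr_info-like block */
	uint32_t flags;             /* configuration and runtime bits mixed */
	uint8_t  session_key[16];   /* runtime: negotiated with the DC */
	uint32_t seqnum;            /* runtime: next sequence number */
	char     dc_name[64];       /* runtime: DC we are talking to */
};

/* Auth type the next RPC bind will request, derived from configuration. */
int session_bind_auth_type(const struct dc_session *s)
{
	return (s->flags & SESS_SECURE_RPC) ?
	    RPC_C_AUTHN_NETLOGON : RPC_C_AUTHN_NONE;
}

/* Buggy error path: wipes everything, configuration included. */
void session_reset_buggy(struct dc_session *s)
{
	memset(s, 0, sizeof (*s));
}

/*
 * Fixed error path: save the configuration bits, clear the block, put
 * the configuration back so the reconnect keeps the same requirements.
 */
void session_reset_fixed(struct dc_session *s)
{
	uint32_t config = s->flags & SESS_SECURE_RPC;

	memset(s, 0, sizeof (*s));
	s->flags = config;
}

/*
 * Establish a session with SecureRPC required, hit an RPC error, run
 * one of the reset routines and report the auth type the reconnect
 * would bind with.  Returns -1 if runtime state survived the reset.
 */
int simulate_reconnect(int use_fixed)
{
	struct dc_session s;

	memset(&s, 0, sizeof (s));
	s.flags = SESS_SECURE_RPC | SESS_CONNECTED;  /* policy + live channel */
	s.seqnum = 42;
	strncpy(s.dc_name, "dc1.example.test", sizeof (s.dc_name) - 1);

	/* ... an RPC call to the DC fails; the client tears down state ... */
	if (use_fixed)
		session_reset_fixed(&s);
	else
		session_reset_buggy(&s);

	/* Runtime state must be gone either way. */
	if ((s.flags & SESS_CONNECTED) != 0 || s.seqnum != 0 ||
	    s.dc_name[0] != '\0')
		return (-1);

	return session_bind_auth_type(&s);
}

int main(void)
{
	printf("buggy reset: reconnect binds with auth type %d\n",
	    simulate_reconnect(0));
	printf("fixed reset: reconnect binds with auth type %d\n",
	    simulate_reconnect(1));
	return (0);
}
```

The general lesson is the same whatever the real struct looks like: keep configuration out of the block that is bulk-cleared on error, or explicitly carry it across the reset, and have the reconnect path re-derive its security requirements from configuration rather than from whatever the last session happened to negotiate.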

Actions #1

Updated by Gordon Ross 2 months ago

  • Status changed from New to In Progress

Integrate this commit from github/Nexenta

commit 915fa9178dcd903daad5b65b3cd5a4926ab54f7e
Author: Matt Barden <mbarden@tintri.com>
Date:   Mon May 24 20:47:24 2021 -0400

    FIR-1847 Netlogon client stops using SecureRPC after RPC call error

    Reviewed by: Prashanth Badari <prbadari@tintri.com>
    Reviewed by: Gordon Ross <gordon.ross@tintri.com>

23    7    usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c
18    9    usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
Actions #2

Updated by Electric Monk 2 months ago

  • Gerrit CR set to 2276
Actions #3

Updated by Gordon Ross 26 days ago

Ref. BSR-9840

Actions #4

Updated by Gordon Ross 18 days ago

Testing this requires a domain setup, which I don't have where I'm doing this work.
(To test, one must temporarily take one's AD servers offline and watch smbd.)

This code is now identical to what was tested at Nexenta/Tintri and later RackTop.
I hope that's sufficient.

Tests like smbtorture don't exercise the affected code, so I didn't bother.

Actions #5

Updated by Gordon Ross 17 days ago

Test method:

Requires an AD server that restricts NetLogon RPC to require signing, as described in:
#13169 CVE-2020-1472 (ZeroLogon) and SMB authentication

Connect to the server using //IPADDR/share with an SMB client using a domain account.
Find the address of the AD server, using:

nltest /dsgetdcname

Kill the connection to the AD server using this utility:
usr/src/test/smbclient-tests/cmd/abort_conn/abort_conn.c
.../abort_conn -p 445 AD_SERVER_IP

Disconnect the SMB client (unmap the share, "net use * ... /del"; make sure the client connection is gone).
Attempt to logon from that SMB client again, using a domain account.

One may want to take a capture of traffic using tcp.port==445 and examine it afterwards with Wireshark.
The reconnect to the AD server should show the RPC bind using "Auth info", type "NetLogon secure channel".

Before this fix, the next logon fails in smbd:netr_server_samlogon
(smbd:authsvc fails to reconnect to the AD server and the client fails to authenticate).

After the fix, the SMB client successfully authenticates
(smbd:auth_service reconnects to the AD server and the client is authenticated).
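The Wireshark check in the test method above, done on the raw bind PDU, as an added example that is not part of this bug, of illumos, or of the smbclient-tests suite. It parses the 16-byte DCE RPC connection-oriented header and, when auth_length is non-zero, the 8-byte auth_verifier that sits auth_length bytes before the end of the fragment, and reports the auth type the bind requests. The sample PDU is constructed by hand (NETLOGON interface UUID, NDR transfer syntax, auth type 68 at level 6); the credential bytes after the verifier are placeholders and are not interpreted.

```c
/*
 * Added example, not illumos or smbclient-tests code: report which auth
 * type a captured DCE RPC bind requests.  A reconnect that is still
 * using SecureRPC binds with type 68 (NETLOGON); the bug makes it bind
 * with no auth trailer at all (auth_length 0).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DCERPC_PTYPE_BIND     11
#define RPC_C_AUTHN_NONE      0
#define RPC_C_AUTHN_NETLOGON  68   /* shown as "NetLogon secure channel" */

struct bind_auth {
	int auth_type;    /* RPC_C_AUTHN_* */
	int auth_level;   /* RPC_C_AUTHN_LEVEL_*, 6 = packet privacy */
};

static unsigned rd16(const uint8_t *p, int le)
{
	return le ? (unsigned)(p[0] | (p[1] << 8)) :
	    (unsigned)((p[0] << 8) | p[1]);
}

/* Returns 0 on success (out filled in), -1 on a malformed PDU. */
int parse_bind_auth(const uint8_t *pdu, size_t len, struct bind_auth *out)
{
	unsigned frag_len, auth_len, off;
	int le;

	if (len < 16 || pdu[0] != 5 || pdu[2] != DCERPC_PTYPE_BIND)
		return (-1);
	le = (pdu[4] & 0x10) != 0;              /* packed_drep: byte order */
	frag_len = rd16(pdu + 8, le);
	auth_len = rd16(pdu + 10, le);
	if (frag_len < 16 || frag_len > len)
		return (-1);
	if (auth_len == 0) {                    /* no auth trailer at all */
		out->auth_type = RPC_C_AUTHN_NONE;
		out->auth_level = 0;
		return (0);
	}
	if (auth_len + 8 > frag_len - 16)       /* verifier must follow header */
		return (-1);
	off = frag_len - auth_len - 8;          /* start of auth_verifier */
	out->auth_type = pdu[off];
	out->auth_level = pdu[off + 1];
	return (0);
}

/* Constructed sample: NETLOGON bind with a NetLogon auth trailer. */
static const uint8_t bind_netlogon[] = {
	/* header: v5.0, ptype 11, first|last, drep LE, frag 0x65, auth 0x15, call 1 */
	0x05,0x00,0x0b,0x03, 0x10,0x00,0x00,0x00, 0x65,0x00, 0x15,0x00,
	0x01,0x00,0x00,0x00,
	/* body: max xmit/recv frag 5840, assoc group 0, one context */
	0xd0,0x16, 0xd0,0x16, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
	0x00,0x00, 0x01,0x00,
	/* abstract syntax: 12345678-1234-abcd-ef00-01234567cffb v1.0 (NETLOGON) */
	0x78,0x56,0x34,0x12,0x34,0x12,0xcd,0xab,0xef,0x00,0x01,0x23,0x45,0x67,
	0xcf,0xfb, 0x01,0x00,0x00,0x00,
	/* transfer syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0 (NDR) */
	0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,
	0x48,0x60, 0x02,0x00,0x00,0x00,
	/* auth_verifier: type 68, level 6, pad 0, reserved, context id 1 */
	0x44,0x06,0x00,0x00, 0x01,0x00,0x00,0x00,
	/* 21 placeholder credential bytes (constructed, not parsed) */
	0x00,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
	'E','X','A','M','P','L','E',0x00, 'S','R','V','1',0x00,
};

/*
 * secure != 0: parse the sample as is.  secure == 0: parse the same PDU
 * with the trailer dropped (frag_length 72, auth_length 0), which is
 * what the downgraded reconnect looks like.  Returns the auth type.
 */
int sample_bind_auth_type(int secure)
{
	uint8_t plain[72];
	struct bind_auth a;
	const uint8_t *pdu = bind_netlogon;
	size_t len = sizeof (bind_netlogon);

	if (!secure) {
		memcpy(plain, bind_netlogon, sizeof (plain));
		plain[8] = 72; plain[9] = 0;    /* frag_length = 72 */
		plain[10] = 0; plain[11] = 0;   /* auth_length = 0 */
		pdu = plain;
		len = sizeof (plain);
	}
	if (parse_bind_auth(pdu, len, &a) != 0)
		return (-1);
	return (a.auth_type);
}

int main(void)
{
	printf("secure bind auth type: %d\n", sample_bind_auth_type(1));
	printf("downgraded bind auth type: %d\n", sample_bind_auth_type(0));
	return (0);
}
```

To apply this to a real capture, feed it the TCP payload of each bind PDU on port 445 (SMB-encapsulated DCE RPC over the NETLOGON named pipe) and treat any bind to the NETLOGON interface whose auth type is not 68 as the regression this bug describes.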

Actions #6

Updated by Electric Monk 17 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit c585f97b10d318e825698eb51d4671fef5b4d21f

commit  c585f97b10d318e825698eb51d4671fef5b4d21f
Author: Matt Barden <mbarden@tintri.com>
Date:   2022-09-18T15:07:42.000Z

    14870 Netlogon client stops using SecureRPC after RPC call error
    Reviewed by: Prashanth Badari <prbadari@tintri.com>
    Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
    Approved by: Patrick Mooney <pmooney@pfmooney.com>

Actions #7

Updated by Gordon Ross 14 days ago

  • External Bug set to racktop:BSR-9840