samba: import RHEL security fixes.

CVE-2015-7560
CVE-2016-2110
CVE-2016-2111
CVE-2016-2112
CVE-2016-2115
CVE-2016-2118 aka Badlock
CVE-2015-5370

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

lfs/samba

@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2015  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2016  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 60
+PAK_VER    = 61
 
 DEPS       = "cups krb5"
 
@@ -77,6 +77,18 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+
+	# Apply Redhat CVE patches
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-7560-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-preparation-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2110-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2111-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2112-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2115-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2118-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5370-v3-6.patch
+
+	cd $(DIR_APP)/source3 && ./autogen.sh
 	cd $(DIR_APP)/source3 && ./configure \
 		--prefix=/usr \
 		--libdir=/usr/lib/ \
@@ -99,6 +111,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-cups \
 		--disable-avahi \
 		--with-syslog
+	cd $(DIR_APP)/source3 && make idl_full
 	cd $(DIR_APP)/source3 && make proto && make all $(MAKETUNING) $(EXTRA_MAKE)
 	cd $(DIR_APP)/source3 && make install
 	cd $(DIR_APP)/source3 && chmod -v 644 /usr/include/libsmbclient.h

src/patches/samba/CVE-2015-7560-v3-6.patch

@@ -0,0 +1,341 @@
+From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:18:12 -0800
+Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
+ that can be used to prevent operations on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 26b6523..7f47579 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
+ 				files_struct *fsp,
+ 				const SMB_STRUCT_STAT *psbuf);
+ 
++/****************************************************************************
++ Check if an open file handle or pathname is a symlink.
++****************************************************************************/
++
++static NTSTATUS refuse_symlink(connection_struct *conn,
++			const files_struct *fsp,
++			const char *name)
++{
++	SMB_STRUCT_STAT sbuf;
++	const SMB_STRUCT_STAT *pst = NULL;
++
++	if (fsp) {
++		pst = &fsp->fsp_name->st;
++	} else {
++		int ret = vfs_stat_smb_fname(conn,
++				name,
++				&sbuf);
++		if (ret == -1) {
++			return map_nt_error_from_unix(errno);
++		}
++		pst = &sbuf;
++	}
++	if (S_ISLNK(pst->st_ex_mode)) {
++		return NT_STATUS_ACCESS_DENIED;
++	}
++	return NT_STATUS_OK;
++}
++
+ /********************************************************************
+  Roundup a value to the nearest allocation roundup size boundary.
+  Only do this for Windows clients.
+-- 
+2.5.0
+
+
+From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 10:38:28 -0800
+Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
+ POSIX file handle on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/nttrans.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 4c145e0..7255600 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
+ 		return NT_STATUS_ACCESS_DENIED;
+ 	}
+ 
++	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++		DEBUG(10, ("ACL get on symlink %s denied.\n",
++			fsp_str_dbg(fsp)));
++		return NT_STATUS_ACCESS_DENIED;
++	}
++
+ 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
+ 			SECINFO_GROUP|SECINFO_SACL)) {
+ 		/* Don't return SECINFO_LABEL if anything else was
+-- 
+2.5.0
+
+
+From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 10:52:50 -0800
+Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
+ POSIX file handle on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/nttrans.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 7255600..d2102ca 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
+ 		return NT_STATUS_OK;
+ 	}
+ 
++	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++		DEBUG(10, ("ACL set on symlink %s denied.\n",
++			fsp_str_dbg(fsp)));
++		return NT_STATUS_ACCESS_DENIED;
++	}
++
+ 	if (psd->owner_sid == NULL) {
+ 		security_info_sent &= ~SECINFO_OWNER;
+ 	}
+-- 
+2.5.0
+
+
+From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:22:12 -0800
+Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
+ symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 7f47579..2f01e87 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
+ 	uint16 num_def_acls;
+ 	bool valid_file_acls = True;
+ 	bool valid_def_acls = True;
++	NTSTATUS status;
+ 
+ 	if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
+ 		return NT_STATUS_INVALID_PARAMETER;
+@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
++	status = refuse_symlink(conn, fsp, smb_fname->base_name);
++	if (!NT_STATUS_IS_OK(status)) {
++		return status;
++	}
++
+ 	DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
+ 		smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
+ 		(unsigned int)num_file_acls,
+-- 
+2.5.0
+
+
+From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:24:36 -0800
+Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
+ symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 2f01e87..3a098d1 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
+ 				uint16 num_file_acls = 0;
+ 				uint16 num_def_acls = 0;
+ 
++				status = refuse_symlink(conn,
++						fsp,
++						smb_fname->base_name);
++				if (!NT_STATUS_IS_OK(status)) {
++					return status;
++				}
++
+ 				if (fsp && fsp->fh->fd != -1) {
+ 					file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
+ 				} else {
+-- 
+2.5.0
+
+
+From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:05:48 -0800
+Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
+ removal of code duplication.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 3a098d1..6fdd1da 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	size_t num_names;
+ 	ssize_t sizeret = -1;
+ 
++	if (pnames) {
++		*pnames = NULL;
++	}
++	*pnum_names = 0;
++
+ 	if (!lp_ea_support(SNUM(conn))) {
+-		if (pnames) {
+-			*pnames = NULL;
+-		}
+-		*pnum_names = 0;
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 
+ 	if (sizeret == 0) {
+ 		TALLOC_FREE(names);
+-		if (pnames) {
+-			*pnames = NULL;
+-		}
+-		*pnum_names = 0;
+ 		return NT_STATUS_OK;
+ 	}
+ 
+-- 
+2.5.0
+
+
+From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:29:38 -0800
+Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
+ available on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 6fdd1da..8b6e4b2 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	char **names, **tmp;
+ 	size_t num_names;
+ 	ssize_t sizeret = -1;
++	NTSTATUS status;
+ 
+ 	if (pnames) {
+ 		*pnames = NULL;
+@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 		return NT_STATUS_OK;
+ 	}
+ 
++	status = refuse_symlink(conn, fsp, fname);
++	if (!NT_STATUS_IS_OK(status)) {
++		/*
++		 * Just return no EA's on a symlink.
++		 */
++		return NT_STATUS_OK;
++	}
++
+ 	/*
+ 	 * TALLOC the result early to get the talloc hierarchy right.
+ 	 */
+-- 
+2.5.0
+
+
+From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:33:48 -0800
+Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+---
+ source3/smbd/trans2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 8b6e4b2..98fd2af 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
+ 		const struct smb_filename *smb_fname, struct ea_list *ea_list)
+ {
+ 	char *fname = NULL;
++	NTSTATUS status;
+ 
+ 	if (!lp_ea_support(SNUM(conn))) {
+ 		return NT_STATUS_EAS_NOT_SUPPORTED;
+@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
+ 		return NT_STATUS_ACCESS_DENIED;
+ 	}
+ 
++	status = refuse_symlink(conn, fsp, smb_fname->base_name);
++	if (!NT_STATUS_IS_OK(status)) {
++		return status;
++	}
++
++
+ 	/* For now setting EAs on streams isn't supported. */
+ 	fname = smb_fname->base_name;
+ 
+-- 
+2.5.0
+

src/patches/samba/CVE-2016-2110-v3-6.patch

@@ -0,0 +1,670 @@
+From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 1 Dec 2015 08:46:45 +0100
+Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
+ ntlmssp_state->allow_lm_key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 1de6189..20a5987 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -530,7 +530,8 @@ noccache:
+ 	DEBUG(3, ("Got challenge flags:\n"));
+ 	debug_ntlmssp_flags(chal_flags);
+ 
+-	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
++	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
++				 ntlmssp_state->allow_lm_key);
+ 
+ 	if (ntlmssp_state->unicode) {
+ 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+@@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
+ 	ntlmssp_state->unicode = True;
+ 
+ 	ntlmssp_state->use_ntlmv2 = use_ntlmv2;
++	ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
+ 
+ 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
+ 
+-- 
+2.8.1
+
+
+From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 11 Dec 2015 14:50:23 +0100
+Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
+ ntlmssp3_handle_neg_flags()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a copy of ntlmssp_handle_neg_flags(), which will be changed
+in an incompatible way in the following commits.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 56 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 20a5987..ad09f9f 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+ 
++static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
++				      uint32_t neg_flags, bool allow_lm)
++{
++	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
++		ntlmssp_state->unicode = true;
++	} else {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
++		ntlmssp_state->unicode = false;
++	}
++
++	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
++		/* other end forcing us to use LM */
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
++		ntlmssp_state->use_ntlmv2 = false;
++	} else {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
++	}
++
++	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
++	}
++
++	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
++		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
++	}
++}
++
+ /**
+  * Next state function for the Challenge Packet.  Generate an auth packet.
+  *
+@@ -530,8 +584,8 @@ noccache:
+ 	DEBUG(3, ("Got challenge flags:\n"));
+ 	debug_ntlmssp_flags(chal_flags);
+ 
+-	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
+-				 ntlmssp_state->allow_lm_key);
++	ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
++				  ntlmssp_state->allow_lm_key);
+ 
+ 	if (ntlmssp_state->unicode) {
+ 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+-- 
+2.8.1
+
+
+From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Thu, 31 Mar 2016 12:39:50 +0200
+Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
+ ntlmssp3_handle_neg_flags() return NTSTATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In future we can do a more fine granted negotiation
+and assert specific security features.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index ad09f9f..81a85ce 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+ 
+-static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+-				      uint32_t neg_flags, bool allow_lm)
++static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
++					  uint32_t flags)
+ {
+-	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
++	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ 		ntlmssp_state->unicode = true;
+@@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->unicode = false;
+ 	}
+ 
+-	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
++	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
+ 		/* other end forcing us to use LM */
+ 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+ 		ntlmssp_state->use_ntlmv2 = false;
+@@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 
+-	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
++	if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ 	}
+ 
+-	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
++	if ((flags & NTLMSSP_REQUEST_TARGET)) {
+ 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ 	}
++
++	return NT_STATUS_OK;
+ }
+ 
+ /**
+@@ -584,8 +586,11 @@ noccache:
+ 	DEBUG(3, ("Got challenge flags:\n"));
+ 	debug_ntlmssp_flags(chal_flags);
+ 
+-	ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
+-				  ntlmssp_state->allow_lm_key);
++	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
++	if (!NT_STATUS_IS_OK(nt_status)) {
++		return nt_status;
++	}
++
+ 
+ 	if (ntlmssp_state->unicode) {
+ 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+-- 
+2.8.1
+
+
+From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 1 Dec 2015 15:01:09 +0100
+Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+ NTLMv2 to LM_AUTH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+man smb.conf says "client ntlmv2 auth = yes" the default disables,
+"client lanman auth = yes":
+
+  ...
+  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
+  logins will be attempted.
+  ...
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 81a85ce..23a5e5d 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
+ 		NTLMSSP_NEGOTIATE_KEY_EXCH |
+ 		NTLMSSP_REQUEST_TARGET;
+ 
++	if (ntlmssp_state->use_ntlmv2) {
++		ntlmssp_state->allow_lm_key = false;
++	}
++
+ 	ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
+ 	if (!ntlmssp_state->client.netbios_name) {
+ 		talloc_free(ntlmssp_state);
+-- 
+2.8.1
+
+
+From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 12:59:05 +0200
+Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
+ variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We now give an error when required flags are missing.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ libcli/auth/ntlmssp.h    |  1 +
+ source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
+index 495d94f..88a049b 100644
+--- a/libcli/auth/ntlmssp.h
++++ b/libcli/auth/ntlmssp.h
+@@ -83,6 +83,7 @@ struct ntlmssp_state
+ 	DATA_BLOB nt_resp;
+ 	DATA_BLOB session_key;
+ 
++	uint32_t required_flags;
+ 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
+ 
+ 	/**
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 23a5e5d..48d7d45 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 					  uint32_t flags)
+ {
++	uint32_t missing_flags = ntlmssp_state->required_flags;
++
+ 	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+@@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ 	}
+ 
++	missing_flags &= ~ntlmssp_state->neg_flags;
++	if (missing_flags != 0) {
++		NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
++		DEBUG(1, ("%s: Got challenge flags[0x%08x] "
++			  "- possible downgrade detected! "
++			  "missing_flags[0x%08x] - %s\n",
++			  __func__,
++			  (unsigned)flags,
++			  (unsigned)missing_flags,
++			  nt_errstr(status)));
++		debug_ntlmssp_flags(missing_flags);
++		DEBUGADD(4, ("neg_flags[0x%08x]\n",
++			     (unsigned)ntlmssp_state->neg_flags));
++		debug_ntlmssp_flags(ntlmssp_state->neg_flags);
++
++		return status;
++	}
++
+ 	return NT_STATUS_OK;
+ }
+ 
+-- 
+2.8.1
+
+
+From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 13:03:24 +0200
+Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+ NTLMv2 to LM_AUTH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+man smb.conf says "client ntlmv2 auth = yes" the default disables,
+"client lanman auth = yes":
+
+  ...
+  Likewise, if the client ntlmv2 auth parameter is enabled, then only
+  NTLMv2 logins will be attempted.
+  ...
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 48d7d45..bf40404 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 
+ 	if (ntlmssp_state->use_ntlmv2) {
+ 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++		ntlmssp_state->allow_lm_key = false;
+ 	}
+ 
+ 	/* generate the ntlmssp negotiate packet */
+-- 
+2.8.1
+
+
+From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 11 Apr 2016 16:18:44 +0200
+Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
+ ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
+
+ntlmssp_handle_neg_flags() can only disable flags, but not
+set them. All supported flags are set at start time.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index bf40404..7b17a43 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->allow_lm_key = false;
+ 	}
+ 
++	if (ntlmssp_state->allow_lm_key) {
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
++	}
++
+ 	/* generate the ntlmssp negotiate packet */
+ 	status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
+ 		  "NTLMSSP",
+@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->unicode = false;
+ 	}
+ 
+-	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
+-		/* other end forcing us to use LM */
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+-		ntlmssp_state->use_ntlmv2 = false;
+-	} else {
++	/*
++	 * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
++	 * has priority over NTLMSSP_NEGOTIATE_LM_KEY
++	 */
++	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	}
++
++	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+-	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++	if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+-	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ 	}
+ 
+ 	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+-- 
+2.8.1
+
+
+From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 14:21:12 +0200
+Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
+ require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 7b17a43..d5c83fd 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 	}
+ 
+ 	if (ntlmssp_state->use_ntlmv2) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ 		ntlmssp_state->allow_lm_key = false;
+ 	}
+ 
+-- 
+2.8.1
+
+
+From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Thu, 31 Mar 2016 14:30:05 +0200
+Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
+ require flags
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index d5c83fd..309175b 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
+ 	 * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
+ 	 */
+ 	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ 	}
+ 	if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
+ 		ntlmssp_state->use_ccache = true;
+ 	}
++
++	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ 
+ /**
+@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
+ {
+ 	/* As per JRA's comment above */
+ 	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_SIGN) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_SEAL) {
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ 	}
+ 	if (feature & NTLMSSP_FEATURE_CCACHE) {
+ 		ntlmssp_state->use_ccache = true;
+ 	}
++
++	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ 
+ /**
+-- 
+2.8.1
+
+
+From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 31 Mar 2016 15:02:11 +0200
+Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
+ ntlmssp creds cache case
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 309175b..045dc87 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+ 	DATA_BLOB encrypted_session_key = data_blob_null;
+ 	NTSTATUS nt_status = NT_STATUS_OK;
+ 
++	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
++			 "NTLMSSP",
++			 &ntlmssp_command,
++			 &server_domain_blob,
++			 &chal_flags)) {
++		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
++		dump_data(2, reply.data, reply.length);
++
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++	data_blob_free(&server_domain_blob);
++
++	DEBUG(3, ("Got challenge flags:\n"));
++	debug_ntlmssp_flags(chal_flags);
++
++	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
++	if (!NT_STATUS_IS_OK(nt_status)) {
++		return nt_status;
++	}
++
+ 	if (ntlmssp_state->use_ccache) {
+ 		struct wbcCredentialCacheParams params;
+ 		struct wbcCredentialCacheInfo *info = NULL;
+@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+ 
+ noccache:
+ 
+-	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+-			 "NTLMSSP",
+-			 &ntlmssp_command,
+-			 &server_domain_blob,
+-			 &chal_flags)) {
+-		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+-		dump_data(2, reply.data, reply.length);
+-
+-		return NT_STATUS_INVALID_PARAMETER;
+-	}
+-
+ 	if (DEBUGLEVEL >= 10) {
+ 		struct CHALLENGE_MESSAGE *challenge = talloc(
+ 			talloc_tos(), struct CHALLENGE_MESSAGE);
+@@ -615,17 +624,6 @@ noccache:
+ 		}
+ 	}
+ 
+-	data_blob_free(&server_domain_blob);
+-
+-	DEBUG(3, ("Got challenge flags:\n"));
+-	debug_ntlmssp_flags(chal_flags);
+-
+-	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+-	if (!NT_STATUS_IS_OK(nt_status)) {
+-		return nt_status;
+-	}
+-
+-
+ 	if (ntlmssp_state->unicode) {
+ 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+ 			chal_parse_string = "CdUdbddB";
+-- 
+2.8.1
+

src/patches/samba/CVE-2016-2112-v3-6.patch

@@ -0,0 +1,184 @@
+From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 30 Mar 2016 16:55:44 +0200
+Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
+ ntlmssp_have_feature()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/include/proto.h  |  1 +
+ source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 32b4e3d..43008ea 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
+ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
+ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
+ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
++bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+ NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
+ 			const DATA_BLOB in, DATA_BLOB *out) ;
+ NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 045dc87..7e58990 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
+ 	return NT_STATUS_OK;
+ }
+ 
++bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
++			  uint32_t feature)
++{
++	if (feature & NTLMSSP_FEATURE_SIGN) {
++		if (ntlmssp_state->session_key.length == 0) {
++			return false;
++		}
++		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
++			return true;
++		}
++	}
++
++	if (feature & NTLMSSP_FEATURE_SEAL) {
++		if (ntlmssp_state->session_key.length == 0) {
++			return false;
++		}
++		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
++			return true;
++		}
++	}
++
++	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
++		if (ntlmssp_state->session_key.length > 0) {
++			return true;
++		}
++	}
++
++	return false;
++}
++
+ /**
+  * Request features for the NTLMSSP negotiation
+  *
+-- 
+2.8.1
+
+
+From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 24 Mar 2016 16:22:36 +0100
+Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Pair-programmed-with: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index e7daa8a..6690f83 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
+ 	/* we have a reference conter on ntlmssp_state, if we are signing
+ 	   then the state will be kept by the signing engine */
+ 
++	if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
++		bool ok;
++
++		ok = ntlmssp_have_feature(ntlmssp_state,
++					  NTLMSSP_FEATURE_SEAL);
++		if (!ok) {
++			DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
++			TALLOC_FREE(ntlmssp_state);
++			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
++		}
++
++		ok = ntlmssp_have_feature(ntlmssp_state,
++					  NTLMSSP_FEATURE_SIGN);
++		if (!ok) {
++			DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
++			TALLOC_FREE(ntlmssp_state);
++			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
++		}
++
++	} else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
++		bool ok;
++
++		ok = ntlmssp_have_feature(ntlmssp_state,
++					  NTLMSSP_FEATURE_SIGN);
++		if (!ok) {
++			DEBUG(0,("The gensec feature signing request, but unavailable\n"));
++			TALLOC_FREE(ntlmssp_state);
++			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
++		}
++	}
++
+ 	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
+ 		ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
+ 		ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
+-- 
+2.8.1
+
+
+From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 5 Sep 2014 17:38:38 +1200
+Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
+ wrapping" to sign
+
+This is to disrupt MITM attacks between us and our DC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+(backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
+---
+ docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++-----
+ source3/param/loadparm.c                            | 2 ++
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+index a926cec..a7c4395 100644
+--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
++++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+@@ -34,11 +34,9 @@
+ 	</para>
+ 
+ 	<para>
+-	The default value is <emphasis>plain</emphasis> which is not irritable 
+-	to KRB5 clock skew errors. That implies synchronizing the time
+-	with the KDC in the case of using <emphasis>sign</emphasis> or 
+-	<emphasis>seal</emphasis>.
++	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
++	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
+ 	</para>
+ </description>
+-<value type="default">plain</value>
++<value type="default">sign</value>
+ </samba:parameter>
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 7065cf6..c5249b7 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
+ 	Globals.ldap_debug_level = 0;
+ 	Globals.ldap_debug_threshold = 10;
+ 
++	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
++
+ 	/* This is what we tell the afs client. in reality we set the token 
+ 	 * to never expire, though, when this runs out the afs client will 
+ 	 * forget the token. Set to 0 to get NEVERDATE.*/
+-- 
+2.8.1
+

src/patches/samba/CVE-2016-2115-v3-6.patch

@@ -0,0 +1,359 @@
+From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 27 Feb 2016 03:43:58 +0100
+Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
+ docs-xml/smbdotconf/security/clientsigning.xml    |  3 +++
+ source3/include/proto.h                           |  1 +
+ source3/param/loadparm.c                          | 12 ++++++++++++
+ 4 files changed, 39 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
+
+diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
+new file mode 100644
+index 0000000..1897fc6
+--- /dev/null
++++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
+@@ -0,0 +1,23 @@
++<samba:parameter name="client ipc signing"
++                 context="G"
++                 type="enum"
++                 enumlist="enum_smb_signing_vals"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
++    connections as DCERPC transport inside of winbind. Possible values
++    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
++    and <emphasis>disabled</emphasis>.
++    </para>
++
++    <para>When set to auto, SMB signing is offered, but not enforced and if set
++    to disabled, SMB signing is not offered either.</para>
++
++    <para>Connections from winbindd to Active Directory Domain Controllers
++    always enforce signing.</para>
++</description>
++
++<related>client signing</related>
++
++<value type="default">mandatory</value>
++</samba:parameter>
+diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
+index c657e05..189a7ae 100644
+--- a/docs-xml/smbdotconf/security/clientsigning.xml
++++ b/docs-xml/smbdotconf/security/clientsigning.xml
+@@ -12,6 +12,9 @@
+     <para>When set to auto, SMB signing is offered, but not enforced. 
+     When set to mandatory, SMB signing is required and if set 
+ 	to disabled, SMB signing is not offered either.
++
++    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
++    <smbconfoption name="client ipc signing"/> option.</para>
+ </para>
+ </description>
+ 
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 43008ea..af950aa 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
+ int lp_algorithmic_rid_base(void);
+ int lp_name_cache_timeout(void);
+ int lp_client_signing(void);
++int lp_client_ipc_signing(void);
+ int lp_server_signing(void);
+ int lp_client_ldap_sasl_wrapping(void);
+ char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index c5249b7..a612e5a3 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -366,6 +366,7 @@ struct global {
+ 	int restrict_anonymous;
+ 	int name_cache_timeout;
+ 	int client_signing;
++	int client_ipc_signing;
+ 	int server_signing;
+ 	int client_ldap_sasl_wrapping;
+ 	int iUsershareMaxShares;
+@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
+ 		.flags		= FLAG_ADVANCED,
+ 	},
+ 	{
++		.label		= "client ipc signing",
++		.type		= P_ENUM,
++		.p_class	= P_GLOBAL,
++		.ptr		= &Globals.client_ipc_signing,
++		.special	= NULL,
++		.enum_list	= enum_smb_signing_vals,
++		.flags		= FLAG_ADVANCED,
++	},
++	{
+ 		.label		= "server signing",
+ 		.type		= P_ENUM,
+ 		.p_class	= P_GLOBAL,
+@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
+ 	Globals.bClientUseSpnego = True;
+ 
+ 	Globals.client_signing = Auto;
++	Globals.client_ipc_signing = Required;
+ 	Globals.server_signing = False;
+ 
+ 	Globals.bDeferSharingViolations = True;
+@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
+ FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
+ FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
+ FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
++FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
+ FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
+ FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
+ 
+-- 
+2.8.1
+
+
+From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 5 Apr 2016 10:46:53 +0200
+Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
+ not an smb client
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/param/loadparm.c                    | 14 ++++++++++++++
+ source3/rpc_server/spoolss/srv_spoolss_nt.c |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index a612e5a3..c58f860 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
+ 		lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
+ 	}
+ 
++	if (!lp_is_in_client()) {
++		switch (lp_client_ipc_signing()) {
++		case Required:
++			lp_set_cmdline("client signing", "mandatory");
++			break;
++		case Auto:
++			lp_set_cmdline("client signing", "auto");
++			break;
++		case False:
++			lp_set_cmdline("client signing", "disabled");
++			break;
++		}
++	}
++
+ 	init_iconv();
+ 
+ 	bAllowIncludeRegistry = true;
+diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+index 181a7b5..a0fcf27 100644
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
+ 		"", /* username */
+ 		"", /* domain */
+ 		"", /* password */
+-		0, lp_client_signing());
++		0, False);
+ 
+ 	if ( !NT_STATUS_IS_OK( ret ) ) {
+ 		DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
+-- 
+2.8.1
+
+
+From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 31 Mar 2016 11:30:03 +0200
+Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
+ sealed pipes"
+
+This will be used in the next commit to prevent mitm attacks on on lsa,
+samr and netlogon in winbindd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
+ source3/include/proto.h                            |  1 +
+ source3/param/loadparm.c                           | 12 ++++++++++++
+ 3 files changed, 28 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+
+diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+new file mode 100644
+index 0000000..016ac9b
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+@@ -0,0 +1,15 @@
++<samba:parameter name="winbind sealed pipes"
++                 context="G"
++                 type="boolean"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>This option controls whether any requests from winbindd to domain controllers
++		pipe will be sealed. Disabling sealing can be useful for debugging
++		purposes.</para>
++
++	<para>The behavior can be controlled per netbios domain
++	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
++</description>
++
++<value type="default">yes</value>
++</samba:parameter>
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index af950aa..ac1540f 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
+ int lp_winbind_reconnect_delay(void);
+ int lp_winbind_max_clients(void);
+ const char **lp_winbind_nss_info(void);
++bool lp_winbind_sealed_pipes(void);
+ int lp_algorithmic_rid_base(void);
+ int lp_name_cache_timeout(void);
+ int lp_client_signing(void);
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index c58f860..fdc9407 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -215,6 +215,7 @@ struct global {
+ 	int  winbind_expand_groups;
+ 	bool bWinbindRefreshTickets;
+ 	bool bWinbindOfflineLogon;
++	bool bWinbindSealedPipes;
+ 	bool bWinbindNormalizeNames;
+ 	bool bWinbindRpcOnly;
+ 	bool bCreateKrb5Conf;
+@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
+ 		.flags		= FLAG_ADVANCED,
+ 	},
+ 	{
++		.label		= "winbind sealed pipes",
++		.type		= P_BOOL,
++		.p_class	= P_GLOBAL,
++		.ptr		= &Globals.bWinbindSealedPipes,
++		.special	= NULL,
++		.enum_list	= NULL,
++		.flags		= FLAG_ADVANCED,
++	},
++	{
+ 		.label		= "winbind normalize names",
+ 		.type		= P_BOOL,
+ 		.p_class	= P_GLOBAL,
+@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
+ 	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
+ 	Globals.bWinbindRefreshTickets = False;
+ 	Globals.bWinbindOfflineLogon = False;
++	Globals.bWinbindSealedPipes = True;
+ 
+ 	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
+ 	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
+@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
+ FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
+ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
+ FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
++FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
+ FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
+ FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+ FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
+-- 
+2.8.1
+
+
+From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 5 Sep 2014 17:00:31 +1200
+Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
+ connections by default
+
+The requirement is that we have "winbind sealed pipes = false" and
+"require strong key = false" before we make anonymous connections.
+These are a security risk as we cannot prevent MITM attacks.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
+---
+ source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 8271279..50a341e 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ 	TALLOC_FREE(conn->samr_pipe);
+ 
+  anonymous:
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++		status = NT_STATUS_DOWNGRADE_DETECTED;
++		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
++			  "without connection level security, "
++			  "must set 'winbind sealed pipes = false' "
++			  "to proceed: %s\n",
++			  domain->name, nt_errstr(status)));
++		goto done;
++	}
+ 
+ 	/* Finally fall back to anonymous. */
+ 	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
+@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ 
+  anonymous:
+ 
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++		result = NT_STATUS_DOWNGRADE_DETECTED;
++		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
++			  "without connection level security, "
++			  "must set 'winbind sealed pipes = false' "
++			  "to proceed: %s\n",
++			  domain->name, nt_errstr(result)));
++		goto done;
++	}
++
+ 	result = cli_rpc_pipe_open_noauth(conn->cli,
+ 					  &ndr_table_lsarpc.syntax_id,
+ 					  &conn->lsa_pipe);
+@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ 
+  no_schannel:
+ 	if ((lp_client_schannel() == False) ||
+-			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
++		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
++		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++			result = NT_STATUS_DOWNGRADE_DETECTED;
++			DEBUG(1, ("Unwilling to make connection to domain %s "
++				  "without connection level security, "
++				  "must set 'winbind sealed pipes = false' "
++				  "to proceed: %s\n",
++				  domain->name, nt_errstr(result)));
++			TALLOC_FREE(netlogon_pipe);
++			invalidate_cm_connection(conn);
++			return result;
++		}
+ 		/*
+ 		 * NetSamLogonEx only works for schannel
+ 		 */
+-- 
+2.8.1
+

src/patches/samba/CVE-2016-2118-v3-6.patch

@@ -0,0 +1,629 @@
+From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 15 Dec 2015 14:49:36 +0100
+Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
+ level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
+
+ncacn_ip_tcp:server should get the same protection as ncacn_np:server
+if authentication and smb signing is used.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
+---
+ source3/rpcclient/rpcclient.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 949e14c..81c5f42 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -1062,10 +1062,9 @@ out_free:
+ 		}
+ 	}
+ 	if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
+-		/* If neither Integrity or Privacy are requested then
+-		 * Use just Connect level */
++		/* If nothing is requested then default to integrity */
+ 		if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
+-			pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
++			pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ 		}
+ 	}
+ 
+-- 
+2.8.1
+
+
+From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 11 Mar 2016 16:02:25 +0100
+Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for
+ authenticated binds
+
+ncacn_ip_tcp:server should get the same protection as ncacn_np:server
+if authentication and smb signing is used.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f)
+---
+ source4/librpc/rpc/dcerpc_util.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
+index 2cd9499..a6d0df5 100644
+--- a/source4/librpc/rpc/dcerpc_util.c
++++ b/source4/librpc/rpc/dcerpc_util.c
+@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
+ 
+ 	/* Perform an authenticated DCE-RPC bind
+ 	 */
+-	if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
++	if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
+ 		/*
+ 		  we are doing an authenticated connection,
+-		  but not using sign or seal. We must force
+-		  the CONNECT dcerpc auth type as a NONE auth
+-		  type doesn't allow authentication
+-		  information to be passed.
++		  which needs to use [connect], [sign] or [seal].
++		  If nothing is specified, we default to [sign] now.
++		  This give roughly the same protection as
++		  ncacn_np with smb signing.
+ 		*/
+-		conn->flags |= DCERPC_CONNECT;
++		conn->flags |= DCERPC_SIGN;
+ 	}
+ 
+ 	if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
+-- 
+2.8.1
+
+
+From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 10 Mar 2016 17:03:59 +0100
+Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level
+ connect" defaulting to "yes"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We sadly need to allow this for now by default.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+(backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2)
+---
+ .../security/allowdcerpcauthlevelconnect.xml       | 24 ++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+
+diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+new file mode 100644
+index 0000000..5552112
+--- /dev/null
++++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+@@ -0,0 +1,24 @@
++<samba:parameter name="allow dcerpc auth level connect"
++                 context="G"
++                 type="boolean"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>This option controls whether DCERPC services are allowed to
++	be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
++	but no per message integrity nor privacy protection.</para>
++
++	<para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
++	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
++
++	<para>This option yields precedence to the implentation specific restrictions.
++	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
++	While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
++	</para>
++
++	<para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
++</description>
++
++<value type="default">yes</value>
++<value type="example">no</value>
++
++</samba:parameter>
+-- 
+2.8.1
+
+
+From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 18 Mar 2016 08:45:11 +0100
+Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level
+ connect" defaulting to "yes"
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd)
+
+(cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc)
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+---
+ source3/include/proto.h  |  1 +
+ source3/param/loadparm.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index ac1540f..2ed6547 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
+ void lp_set_passdb_backend(const char *backend);
+ void widelinks_warning(int snum);
+ char *lp_ncalrpc_dir(void);
++bool lp_allow_dcerpc_auth_level_connect(void);
+ 
+ /* The following definitions come from param/loadparm_server_role.c  */
+ 
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index fdc9407..87d33c5 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -355,6 +355,7 @@ struct global {
+ 	bool bUseMmap;
+ 	bool bHostnameLookups;
+ 	bool bUnixExtensions;
++	bool bAllowDcerpcAuthLevelConnect;
+ 	bool bDisableNetbios;
+ 	char * szDedicatedKeytabFile;
+ 	int  iKerberosMethod;
+@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = {
+ 		.flags		= FLAG_ADVANCED,
+ 	},
+ 	{
++		.label		= "allow dcerpc auth level connect",
++		.type		= P_BOOL,
++		.p_class	= P_GLOBAL,
++		.ptr		= &Globals.bAllowDcerpcAuthLevelConnect,
++		.special	= NULL,
++		.enum_list	= NULL,
++		.flags		= FLAG_ADVANCED,
++	},
++	{
+ 		.label		= "use spnego",
+ 		.type		= P_BOOL,
+ 		.p_class	= P_GLOBAL,
+@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals)
+ 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
+ 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ 
++	Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
++
+ 	Globals.map_to_guest = 0;	/* By Default, "Never" */
+ 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
+ 	Globals.enhanced_browsing = true;
+@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime)
+ 
+ FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
+ 
++FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
+ FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
+ FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
+ FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
+-- 
+2.8.1
+
+
+From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 18 Mar 2016 04:40:30 +0100
+Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc
+ auth level connect"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
+this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
+
+We sadly need to keep this enabled by default for now.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Pair-Programmed-With: Günther Deschner <gd@samba.org>
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Günther Deschner <gd@samba.org>
+(cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c)
+(cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3)
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+---
+ source3/include/ntdomain.h    |  4 ++++
+ source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
+index 2fbeabc..650f1d0 100644
+--- a/source3/include/ntdomain.h
++++ b/source3/include/ntdomain.h
+@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
+ 	uint32 context_id;
+ 	struct ndr_syntax_id syntax;
+ 
++	/*
++	 * shall we allow "connect" auth level for this interface ?
++	 */
++	bool allow_connect;
+ } PIPE_RPC_FNS;
+ 
+ /*
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index d659705..c462dcf 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p,
+ 			   uint32 context_id)
+ {
+ 	struct pipe_rpc_fns *context_fns;
++	const char *interface_name = NULL;
+ 
+ 	DEBUG(3,("check_bind_req for %s\n",
+ 		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
+@@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p,
+ 		return False;
+ 	}
+ 
++	interface_name = get_pipe_name_from_syntax(talloc_tos(),
++						   abstract);
++
++	SMB_ASSERT(interface_name != NULL);
++
+ 	context_fns->next = context_fns->prev = NULL;
+ 	context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
+ 	context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
+ 	context_fns->context_id = context_id;
+ 	context_fns->syntax = *abstract;
+ 
++	context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
++	/*
++	 * every interface can be modified to allow "connect" auth_level by
++	 * using a parametric option like:
++	 * allow dcerpc auth level connect:<interface>
++	 * e.g.
++	 * allow dcerpc auth level connect:samr = yes
++	 */
++	context_fns->allow_connect = lp_parm_bool(-1,
++		"allow dcerpc auth level connect",
++		interface_name, context_fns->allow_connect);
++
+ 	/* add to the list of open contexts */
+ 
+ 	DLIST_ADD( p->contexts, context_fns );
+@@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p,
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 	bool ret = False;
+ 	PIPE_RPC_FNS *pipe_fns;
++	const char *interface_name = NULL;
+ 
+ 	if (!p->pipe_bound) {
+ 		DEBUG(1, ("Pipe not bound!\n"));
+@@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p,
+ 		return false;
+ 	}
+ 
++	interface_name = get_pipe_name_from_syntax(talloc_tos(),
++						   &pipe_fns->syntax);
++
++	SMB_ASSERT(interface_name != NULL);
++
+ 	DEBUG(5, ("Requested \\PIPE\\%s\n",
+-		  get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
++		  interface_name));
++
++	switch (p->auth.auth_level) {
++	case DCERPC_AUTH_LEVEL_NONE:
++	case DCERPC_AUTH_LEVEL_INTEGRITY:
++	case DCERPC_AUTH_LEVEL_PRIVACY:
++		break;
++	default:
++		if (!pipe_fns->allow_connect) {
++			DEBUG(1, ("%s: restrict auth_level_connect access "
++				  "to [%s] with auth[type=0x%x,level=0x%x] "
++				  "on [%s] from [%s]\n",
++				  __func__, interface_name,
++				  p->auth.auth_type,
++				  p->auth.auth_level,
++				  derpc_transport_string_by_transport(p->transport),
++				  p->client_id->name));
++
++			setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
++			TALLOC_FREE(frame);
++			return true;
++		}
++		break;
++	}
+ 
+ 	if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
+ 		DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
+-- 
+2.8.1
+
+
+From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 7 Aug 2015 09:50:30 +0200
+Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}:
+ reject DCERPC_AUTH_LEVEL_CONNECT by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This prevents man in the middle downgrade attacks.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Pair-Programmed-With: Günther Deschner <gd@samba.org>
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Günther Deschner <gd@samba.org>
+(cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721)
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+
+Conflicts:
+	selftest/knownfail
+	source3/rpc_server/srv_pipe.c
+
+selftest/knownfail is ignored in 3.6
+---
+ source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++
+ source3/selftest/knownfail    |  1 +
+ source3/selftest/tests.py     |  2 ++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index c462dcf..3086b9e 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -43,6 +43,9 @@
+ #include "ntdomain.h"
+ #include "rpc_server/srv_pipe.h"
+ #include "../librpc/ndr/ndr_dcerpc.h"
++#include "../librpc/gen_ndr/ndr_samr.h"
++#include "../librpc/gen_ndr/ndr_lsa.h"
++#include "../librpc/gen_ndr/ndr_netlogon.h"
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p,
+ {
+ 	struct pipe_rpc_fns *context_fns;
+ 	const char *interface_name = NULL;
++	bool ok;
+ 
+ 	DEBUG(3,("check_bind_req for %s\n",
+ 		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
+@@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p,
+ 
+ 	context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+ 	/*
++	 * for the samr and the lsarpc interfaces we don't allow "connect"
++	 * auth_level by default.
++	 */
++	ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
++	if (ok) {
++		context_fns->allow_connect = false;
++	}
++	ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
++	if (ok) {
++		context_fns->allow_connect = false;
++	}
++	ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
++	if (ok) {
++		context_fns->allow_connect = false;
++	}
++	/*
+ 	 * every interface can be modified to allow "connect" auth_level by
+ 	 * using a parametric option like:
+ 	 * allow dcerpc auth level connect:<interface>
+diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
+index bda1fe0..8717a4d 100644
+--- a/source3/selftest/knownfail
++++ b/source3/selftest/knownfail
+@@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2
+ samba3.*rap.sam.*.useradd # Not provided by Samba 3
+ samba3.*rap.sam.*.userdelete # Not provided by Samba 3
+ samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
++samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index a733f14..8dfbf1e 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -201,6 +201,8 @@ if sub.returncode == 0:
+             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
+         elif t == "raw.samba3posixtimedlock":
+             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
++        elif t == "rpc.samr.passwords.validate":
++            plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
+         else:
+             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
+ 
+-- 
+2.8.1
+
+
+From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 5 Apr 2016 09:54:38 +0200
+Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use
+ connect need to fail
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/selftest/knownfail | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
+index 8717a4d..7d9275e 100644
+--- a/source3/selftest/knownfail
++++ b/source3/selftest/knownfail
+@@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3
+ samba3.*rap.sam.*.userdelete # Not provided by Samba 3
+ samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
+ samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
++samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
+-- 
+2.8.1
+
+
+From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 26 Mar 2016 08:47:42 +0100
+Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow
+ DCERPC_AUTH_LEVEL_CONNECT by default
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90)
+---
+ source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 3086b9e..964b843 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -46,6 +46,8 @@
+ #include "../librpc/gen_ndr/ndr_samr.h"
+ #include "../librpc/gen_ndr/ndr_lsa.h"
+ #include "../librpc/gen_ndr/ndr_netlogon.h"
++#include "../librpc/gen_ndr/ndr_epmapper.h"
++#include "../librpc/gen_ndr/ndr_echo.h"
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p,
+ 		context_fns->allow_connect = false;
+ 	}
+ 	/*
++	 * for the epmapper and echo interfaces we allow "connect"
++	 * auth_level by default.
++	 */
++	ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
++	if (ok) {
++		context_fns->allow_connect = true;
++	}
++	ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
++	if (ok) {
++		context_fns->allow_connect = true;
++	}
++	/*
+ 	 * every interface can be modified to allow "connect" auth_level by
+ 	 * using a parametric option like:
+ 	 * allow dcerpc auth level connect:<interface>
+-- 
+2.8.1
+
+
+From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 10 Mar 2016 17:03:59 +0100
+Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc
+ auth level connect" to "no"
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902)
+
+Conflicts:
+	lib/param/loadparm.c
+	source3/param/loadparm.c
+---
+ docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++----
+ source3/param/loadparm.c                                     | 2 +-
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+index 5552112..c8e9d18 100644
+--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
++++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+@@ -14,11 +14,9 @@
+ 	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ 	While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+ 	</para>
+-
+-	<para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
+ </description>
+ 
+-<value type="default">yes</value>
+-<value type="example">no</value>
++<value type="default">no</value>
++<value type="example">yes</value>
+ 
+ </samba:parameter>
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 87d33c5..a514727 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals)
+ 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
+ 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ 
+-	Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
++	Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
+ 
+ 	Globals.map_to_guest = 0;	/* By Default, "Never" */
+ 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
+-- 
+2.8.1
+
+
+From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 28 Feb 2016 22:48:11 +0100
+Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow
+ _samr_ValidatePassword only with PRIVACY...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This requires transport encryption.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+(cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a)
+---
+ source3/rpc_server/samr/srv_samr_nt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
+index 0984984..37e2e4f 100644
+--- a/source3/rpc_server/samr/srv_samr_nt.c
++++ b/source3/rpc_server/samr/srv_samr_nt.c
+@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p,
+ 	struct samr_GetDomPwInfo pw;
+ 	struct samr_PwInfo dom_pw_info;
+ 
++	if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
++		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++		return NT_STATUS_ACCESS_DENIED;
++	}
++
+ 	if (r->in.level < 1 || r->in.level > 3) {
+ 		return NT_STATUS_INVALID_INFO_CLASS;
+ 	}
+-- 
+2.8.1
+