authorAndrew Tridgell <tridge@samba.org>2010-09-13 11:36:43 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-15 15:39:34 +1000
commit67ac8555b1e80aed07e420bca63e5c133c63fb5e (patch)
tree9449d97a83c42d7ea345949a92db72c24c588ffe
parent52445e1583580e135da9e85c93608d0909dea8a7 (diff)
s4-auth: set the RODC bit for RODC schannel
When we are using SEC_CHAN_RODC we need to set the NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in ServerAuthenticate2.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--libcli/auth/credentials.h1
-rw-r--r--source4/librpc/rpc/dcerpc_schannel.c5
2 files changed, 5 insertions, 1 deletions
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h
index 7175211fba..47582ef73a 100644
--- a/libcli/auth/credentials.h
+++ b/libcli/auth/credentials.h
@@ -68,4 +68,5 @@
#define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
+#define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH)
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index ff511a2c67..7716323541 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -243,6 +243,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
struct composite_context *c;
struct schannel_key_state *s;
struct composite_context *epm_map_req;
+ enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
/* composite context allocation and setup */
c = composite_create(mem_ctx, p->conn->event_ctx);
@@ -258,7 +259,9 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
/* allocate credentials */
/* type of authentication depends on schannel type */
- if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
+ if (schannel_type == SEC_CHAN_RODC) {
+ s->negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
+ } else if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
} else {
s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
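Review bot: The new `SEC_CHAN_RODC` branch is tested before `DCERPC_SCHANNEL_128`, so an RODC channel always requests `NETLOGON_NEG_AUTH2_RODC_FLAGS` (the ADS set, which includes `NETLOGON_NEG_128BIT`) even when that connection flag is clear, and nothing in the code says this precedence is intended. I would state it above the branch, e.g. `/* RODC channels always request the ADS flag set plus NETLOGON_NEG_RODC_PASSTHROUGH, independent of DCERPC_SCHANNEL_128 */`. These are only the flags the client requests; whether the flags returned by ServerAuthenticate2 are later checked for the RODC bit is not visible here and is worth confirming, since a silent downgrade would otherwise go unnoticed. The if/else chain closes outside the hunk.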