After getting confirmation from Guenther, add 3 changes we'll

ultimately need to fix bug #6099 Samba returns incurrate capabilities list.
1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to
r->out.negotiate_flags.
2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags
return if the client requested it.
3). Clean up the error exits so we always return the same
way.
Signed off by Guenther.
Jeremy.

1 files changed, 23 insertions, 13 deletions

diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index edd13217d7..333eabe2ce 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -508,13 +508,16 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 {
 	NTSTATUS status;
 	uint32_t srv_flgs;
+	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+	 * so use a copy to avoid destroying the client values. */
+	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	struct netr_Credential srv_chal_out;
 	const char *fn;
 
 	/* According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
-	 * call fails with access denied ! So in order
+	 * call fails with access denied* ! So in order
 	 * to allow Win7 to connect to a Samba NT style
 	 * PDC we set the flags before we know if it's
 	 * an error or not.
@@ -531,6 +534,11 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 		   NETLOGON_NEG_REDO |
 		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
 
+	/* Ensure we support strong (128-bit) keys. */
+	if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
+		srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
+	}
+
 	if (lp_server_schannel() != false) {
 		srv_flgs |= NETLOGON_NEG_SCHANNEL;
 	}
@@ -552,19 +560,19 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 	if (!p->dc || !p->dc->challenge_sent) {
 		DEBUG(0,("%s: no challenge sent to client %s\n", fn,
 			r->in.computer_name));
-		*r->out.negotiate_flags = srv_flgs;
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	if ( (lp_server_schannel() == true) &&
-	     ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+	     ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
 
 		/* schannel must be used, but client did not offer it. */
 		DEBUG(0,("%s: schannel required but client failed "
 			"to offer it. Client was %s\n",
 			fn, r->in.account_name));
-		*r->out.negotiate_flags = srv_flgs;
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	status = get_md4pw((char *)p->dc->mach_pw,
@@ -576,12 +584,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 			"account %s: %s\n",
 			fn, r->in.account_name, nt_errstr(status) ));
 		/* always return NT_STATUS_ACCESS_DENIED */
-		*r->out.negotiate_flags = srv_flgs;
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	/* From the client / server challenges and md4 password, generate sess key */
-	creds_server_init(*r->in.negotiate_flags,
+	creds_server_init(in_neg_flags,
 			p->dc,
 			&p->dc->clnt_chal,	/* Stored client chal. */
 			&p->dc->srv_chal,	/* Stored server chal. */
@@ -594,8 +602,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 			"request from client %s machine account %s\n",
 			fn, r->in.computer_name,
 			r->in.account_name));
-		*r->out.negotiate_flags = srv_flgs;
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 	/* set up the LSA AUTH 2 response */
 	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
@@ -613,10 +621,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 					    r->in.computer_name,
 					    p->dc);
 	unbecome_root();
+	status = NT_STATUS_OK;
 
-	*r->out.negotiate_flags = srv_flgs;
+  out:
 
-	return NT_STATUS_OK;
+	*r->out.negotiate_flags = srv_flgs;
+	return status;
 }
 
 /*************************************************************************