author | Stefan Metzmacher <metze@samba.org> | 2009-09-29 09:47:51 +0200 |
---|---|---|
committer | Andreas Schneider <asn@samba.org> | 2012-07-17 10:58:38 +0200 |
commit | 99231181e319db797f33dc10d1a0886631b5cc64 (patch) | |
tree | 0feb709afaa674ea57df48c2998de771c2d74c47 | |
parent | e48aabc0063c957fb5590c4165997253f6021383 (diff) | |
s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for it
metze
Signed-off-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 57 |
1 files changed, 31 insertions, 26 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 1de1d74dd1..598b7f2c9c 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -91,40 +91,46 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 const char *trust_dom_attrs[] = {"flatname", NULL};
 const char *account_name;
+ uint32_t negotiate_flags = 0;
 ZERO_STRUCTP(r->out.return_credentials);
 *r->out.rid = 0;
+ negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+ NETLOGON_NEG_PERSISTENT_SAMREPL |
+ NETLOGON_NEG_ARCFOUR |
+ NETLOGON_NEG_PROMOTION_COUNT |
+ NETLOGON_NEG_CHANGELOG_BDC |
+ NETLOGON_NEG_FULL_SYNC_REPL |
+ NETLOGON_NEG_MULTIPLE_SIDS |
+ NETLOGON_NEG_REDO |
+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
+ NETLOGON_NEG_CONCURRENT_RPC |
+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+ NETLOGON_NEG_PASSWORD_SET2 |
+ NETLOGON_NEG_GETDOMAININFO |
+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
+ NETLOGON_NEG_RODC_PASSTHROUGH |
+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+ NETLOGON_NEG_AUTHENTICATED_RPC;
+
+ if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+ negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
+ }
+
 /*
 * According to Microsoft (see bugid #6099)
 * Windows 7 looks at the negotiate_flags
 * returned in this structure *even if the
 * call fails with access denied!
 */
- *r->out.negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
- NETLOGON_NEG_PERSISTENT_SAMREPL |
- NETLOGON_NEG_ARCFOUR |
- NETLOGON_NEG_PROMOTION_COUNT |
- NETLOGON_NEG_CHANGELOG_BDC |
- NETLOGON_NEG_FULL_SYNC_REPL |
- NETLOGON_NEG_MULTIPLE_SIDS |
- NETLOGON_NEG_REDO |
- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
- NETLOGON_NEG_GENERIC_PASSTHROUGH |
- NETLOGON_NEG_CONCURRENT_RPC |
- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
- NETLOGON_NEG_STRONG_KEYS |
- NETLOGON_NEG_TRANSITIVE_TRUSTS |
- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
- NETLOGON_NEG_PASSWORD_SET2 |
- NETLOGON_NEG_GETDOMAININFO |
- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
- NETLOGON_NEG_RODC_PASSTHROUGH |
- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
- NETLOGON_NEG_AUTHENTICATED_RPC;
+ *r->out.negotiate_flags = negotiate_flags;
 switch (r->in.secure_channel_type) {
 case SEC_CHAN_WKSTA:
@@ -261,8 +267,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 mach_pwd,
 r->in.credentials,
 r->out.return_credentials,
- *r->in.negotiate_flags);
-
+ negotiate_flags);
 if (!creds) {
 return NT_STATUS_ACCESS_DENIED;
 } |
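Review bot: The value built in the first hunk is still not an intersection with what the client offered: `negotiate_flags` starts from the server's whole list and only `NETLOGON_NEG_STRONG_KEYS` is conditioned on `*r->in.negotiate_flags`, so every other bit (for example `NETLOGON_NEG_ARCFOUR`) is reported as negotiated even when the client never set it. The second hunk hands this same value to the credential setup call in place of the client's flags, so anything keyed on those bits would follow the server's list rather than the agreed set; whether the callee reads bits other than STRONG_KEYS is not visible here. Keeping the list in a separate variable and masking once, `negotiate_flags = server_flags & *r->in.negotiate_flags;`, would treat all bits alike and remove the special case. The function body starts and ends outside both hunks.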
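Review bot: No lower bound on the negotiated flags is visible ahead of the call in the second hunk: with this change a client that leaves out `NETLOGON_NEG_STRONG_KEYS` gets credential state created without it, and the only failure path shown is `if (!creds)`. If secure channels without strong keys are meant to be refusable, an explicit check of `negotiate_flags` before the call is where that policy belongs; it may already exist outside the hunk. A short comment at the argument, such as `/* the flags we return to the client, not the raw request */`, would also record why `*r->in.negotiate_flags` is no longer passed.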