diff options
| author | Andrew Tridgell <tridge@samba.org> | 2010-09-13 11:36:43 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2010-09-15 15:39:34 +1000 |
| commit | 67ac8555b1e80aed07e420bca63e5c133c63fb5e (patch) | |
| tree | 9449d97a83c42d7ea345949a92db72c24c588ffe | |
| parent | 52445e1583580e135da9e85c93608d0909dea8a7 (diff) | |
| download | samba-67ac8555b1e80aed07e420bca63e5c133c63fb5e.tar.gz samba-67ac8555b1e80aed07e420bca63e5c133c63fb5e.tar.bz2 samba-67ac8555b1e80aed07e420bca63e5c133c63fb5e.zip | |
s4-auth: set the RODC bit for RODC schannel
When we are using SEC_CHAN_RODC we need to set the
NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
ServerAuthenticate2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
| -rw-r--r-- | libcli/auth/credentials.h | 1 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 5 |
2 files changed, 5 insertions, 1 deletions
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h index 7175211fba..47582ef73a 100644 --- a/libcli/auth/credentials.h +++ b/libcli/auth/credentials.h @@ -68,4 +68,5 @@ #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL) +#define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH) diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index ff511a2c67..7716323541 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -243,6 +243,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx, struct composite_context *c; struct schannel_key_state *s; struct composite_context *epm_map_req; + enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials); /* composite context allocation and setup */ c = composite_create(mem_ctx, p->conn->event_ctx); @@ -258,7 +259,9 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx, /* allocate credentials */ /* type of authentication depends on schannel type */ - if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) { + if (schannel_type == SEC_CHAN_RODC) { + s->negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS; + } else if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) { s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; } else { s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; |