diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-08-29 15:06:30 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-08-29 15:06:30 +1000 |
commit | 81dcc99e9acb9a7e4c2358e5e44998e4718dc658 (patch) | |
tree | b8a78b33cce3dd118304d2deeb387ca51c948ab1 | |
parent | bfec8985cfef462dd58503138f7c25caefc24332 (diff) | |
download | samba-81dcc99e9acb9a7e4c2358e5e44998e4718dc658.tar.gz samba-81dcc99e9acb9a7e4c2358e5e44998e4718dc658.tar.bz2 samba-81dcc99e9acb9a7e4c2358e5e44998e4718dc658.zip |
It turns out that the Netlogon PAC verification is encrypted.
This test now passes against Win2k3, and a implementation in the
Samba4 server should follow shortly.
Andrew Bartlett
(This used to be commit c6b8ba893dd3ed90bca32c0ae89fd33be729c238)
-rw-r--r-- | source4/librpc/idl/krb5pac.idl | 4 | ||||
-rw-r--r-- | source4/librpc/idl/netlogon.idl | 7 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 4 |
3 files changed, 12 insertions, 3 deletions
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index 699f0b896b..dcee280150 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -100,8 +100,10 @@ interface krb5pac PAC_BUFFER_RAW buffers[num_buffers]; } PAC_DATA_RAW; + const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3; + typedef [public] struct { - uint32 MessageType; + [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType; uint32 ChecksumLength; uint32 SignatureType; uint32 SignatureLength; diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl index 006411dfbf..2298106851 100644 --- a/source4/librpc/idl/netlogon.idl +++ b/source4/librpc/idl/netlogon.idl @@ -240,6 +240,11 @@ interface netlogon lsa_String unknown4; } netr_PacInfo; + typedef [flag(NDR_PAHEX)] struct { + uint32 length; + [size_is(length)] uint8 *data; + } netr_GenericInfo2; + typedef enum { NetlogonValidationUasInfo = 1, NetlogonValidationSamInfo = 2, @@ -252,7 +257,7 @@ interface netlogon [case(NetlogonValidationSamInfo)] netr_SamInfo2 *sam2; [case(NetlogonValidationSamInfo2)] netr_SamInfo3 *sam3; [case(4)] netr_PacInfo *pac; - [case(NetlogonValidationGenericInfo2)] netr_PacInfo *pac; + [case(NetlogonValidationGenericInfo2)] netr_GenericInfo2 *generic; [case(NetlogonValidationSamInfo4)] netr_SamInfo6 *sam6; } netr_Validation; diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index a01077a6c7..58c8ba0ee0 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -154,7 +154,9 @@ static bool test_PACVerify(struct torture_context *tctx, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); - + torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); + creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + /* Validate it over the netlogon pipe */ generic.identity_info.parameter_control = 0; |