Fix NETLOGON credential chain with Windows 2008 all over the place.

In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.

Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.

Guenther
(This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)

1 files changed, 11 insertions, 0 deletions

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ec16186462..851a4a8da8 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -132,6 +132,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 	struct netr_Credential clnt_chal_send;
 	struct netr_Credential srv_chal_recv;
 	struct dcinfo *dc;
+	bool retried = false;
 
 	SMB_ASSERT(cli->pipe_idx == PI_NETLOGON);
 
@@ -153,6 +154,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 
 	fstr_sprintf( dc->mach_acct, "%s$", machine_account);
 
+ again:
 	/* Create the client challenge. */
 	generate_random_buffer(clnt_chal_send.data, 8);
 
@@ -186,6 +188,15 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 						 &clnt_chal_send, /* input. */
 						 &srv_chal_recv, /* output. */
 						 neg_flags_inout);
+
+	/* we might be talking to NT4, so let's downgrade in that case and retry
+	 * with the returned neg_flags - gd */
+
+	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
+		retried = true;
+		goto again;
+	}
+
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
 	}