summaryrefslogtreecommitdiff
path: root/source3/rpc_client
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-08-19 20:39:32 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-08-19 20:39:32 +0000
commitf0cd6b35e551cdb2acb088f52edb0746da251b73 (patch)
tree6b4e672f4f5931d6c361b2023c35267d4e1cc6a1 /source3/rpc_client
parent842b6e858314c4bd791ad203b51eeb463af4110d (diff)
downloadsamba-f0cd6b35e551cdb2acb088f52edb0746da251b73.tar.gz
samba-f0cd6b35e551cdb2acb088f52edb0746da251b73.tar.bz2
samba-f0cd6b35e551cdb2acb088f52edb0746da251b73.zip
- Fix the kerberos downgrade problem:
- When connecting to the NETOGON pipe, we make a call to auth2, in order to verify our identity. This call was being made with negotiation flags of 0x1ff. This caused our account to be downgraded. If we instead make the call with flags > 1ff (such as 0x701ff), then this does not occour. - This is *not* related to the use of kerberos for the CIFS-level connection My theory is that Win2k has a test to see if we are sending *exactly* what NT4 sent - setting any other flags seems to cause us to remain intact. Also ensure that we only have 'setup schannel' code in a few places, not scattered around cmd_netlogon too. Andrew Bartlett (This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c)
Diffstat (limited to 'source3/rpc_client')
-rw-r--r--source3/rpc_client/cli_netlogon.c15
-rw-r--r--source3/rpc_client/cli_pipe.c6
2 files changed, 7 insertions, 14 deletions
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 2de830e558..97bc4c65b7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -685,30 +685,19 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx,
NET_Q_SRV_PWSET q_s;
uint16 sec_chan_type = 2;
NTSTATUS nt_status;
- char *mach_acct;
gen_next_creds( cli, &new_clnt_cred);
prs_init(&qbuf , 1024, mem_ctx, MARSHALL);
prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
- /* create and send a MSRPC command with api NET_SRV_PWSET */
-
- mach_acct = talloc_asprintf(mem_ctx, "%s$", machine_name);
-
- if (!mach_acct) {
- DEBUG(0,("talloc_asprintf failed!\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n",
- cli->srv_name_slash, mach_acct, sec_chan_type, machine_name,
+ cli->srv_name_slash, cli->mach_acct, sec_chan_type, machine_name,
credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time));
/* store the parameters */
init_q_srv_pwset(&q_s, cli->srv_name_slash, (const char *)cli->sess_key,
- mach_acct, sec_chan_type, machine_name,
+ cli->mach_acct, sec_chan_type, machine_name,
&new_clnt_cred, hashed_mach_pwd);
/* turn parameters into data stream */
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 13a7841455..dedbf017a9 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1493,7 +1493,9 @@ NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
const uchar trust_password[16])
{
NTSTATUS result;
- uint32 neg_flags = 0x000001ff;
+ /* The 7 here seems to be required to get Win2k not to downgrade us
+ to NT4. Actually, anything other than 1ff would seem to do... */
+ uint32 neg_flags = 0x000701ff;
int fnum;
cli_nt_netlogon_netsec_session_close(cli);
@@ -1586,6 +1588,8 @@ NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan,
const uchar trust_password[16])
{
NTSTATUS result;
+ /* The 7 here seems to be required to get Win2k not to downgrade us
+ to NT4. Actually, anything other than 1ff would seem to do... */
uint32 neg_flags = 0x000701ff;
cli->pipe_auth_flags = 0;