summaryrefslogtreecommitdiff
path: root/source3/rpc_client
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2008-04-02 02:29:48 +0200
committerGünther Deschner <gd@samba.org>2008-04-02 11:12:47 +0200
commit99d35904552b01ef9f2adc40e16887da9eb4de69 (patch)
tree9362193c6a4a8a3dbc51e51f0c6c39416fd1dbe6 /source3/rpc_client
parent5b07337cc5e853d0f02554593f4eb842191d67e5 (diff)
downloadsamba-99d35904552b01ef9f2adc40e16887da9eb4de69.tar.gz
samba-99d35904552b01ef9f2adc40e16887da9eb4de69.tar.bz2
samba-99d35904552b01ef9f2adc40e16887da9eb4de69.zip
Fix NETLOGON credential chain with Windows 2008 all over the place.
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
Diffstat (limited to 'source3/rpc_client')
-rw-r--r--source3/rpc_client/cli_netlogon.c11
-rw-r--r--source3/rpc_client/cli_pipe.c4
2 files changed, 13 insertions, 2 deletions
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ec16186462..851a4a8da8 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -132,6 +132,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
struct netr_Credential clnt_chal_send;
struct netr_Credential srv_chal_recv;
struct dcinfo *dc;
+ bool retried = false;
SMB_ASSERT(cli->pipe_idx == PI_NETLOGON);
@@ -153,6 +154,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
fstr_sprintf( dc->mach_acct, "%s$", machine_account);
+ again:
/* Create the client challenge. */
generate_random_buffer(clnt_chal_send.data, 8);
@@ -186,6 +188,15 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
&clnt_chal_send, /* input. */
&srv_chal_recv, /* output. */
neg_flags_inout);
+
+ /* we might be talking to NT4, so let's downgrade in that case and retry
+ * with the returned neg_flags - gd */
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
+ retried = true;
+ goto again;
+ }
+
if (!NT_STATUS_IS_OK(result)) {
return result;
}
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1fd06f868e..71422cd9ad 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2600,7 +2600,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state
const char *password,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;
@@ -2634,7 +2634,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
const char *domain,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;