diff options
| author | Günther Deschner <gd@samba.org> | 2008-04-02 02:29:48 +0200 |
|---|---|---|
| committer | Günther Deschner <gd@samba.org> | 2008-04-02 11:12:47 +0200 |
| commit | 99d35904552b01ef9f2adc40e16887da9eb4de69 (patch) | |
| tree | 9362193c6a4a8a3dbc51e51f0c6c39416fd1dbe6 /source3/rpc_client | |
| parent | 5b07337cc5e853d0f02554593f4eb842191d67e5 (diff) | |
| download | samba-99d35904552b01ef9f2adc40e16887da9eb4de69.tar.gz samba-99d35904552b01ef9f2adc40e16887da9eb4de69.tar.bz2 samba-99d35904552b01ef9f2adc40e16887da9eb4de69.zip | |
Fix NETLOGON credential chain with Windows 2008 all over the place.
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
Diffstat (limited to 'source3/rpc_client')
| -rw-r--r-- | source3/rpc_client/cli_netlogon.c | 11 | ||||
| -rw-r--r-- | source3/rpc_client/cli_pipe.c | 4 |
2 files changed, 13 insertions, 2 deletions
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ec16186462..851a4a8da8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -132,6 +132,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, struct netr_Credential clnt_chal_send; struct netr_Credential srv_chal_recv; struct dcinfo *dc; + bool retried = false; SMB_ASSERT(cli->pipe_idx == PI_NETLOGON); @@ -153,6 +154,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, fstr_sprintf( dc->mach_acct, "%s$", machine_account); + again: /* Create the client challenge. */ generate_random_buffer(clnt_chal_send.data, 8); @@ -186,6 +188,15 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, &clnt_chal_send, /* input. */ &srv_chal_recv, /* output. */ neg_flags_inout); + + /* we might be talking to NT4, so let's downgrade in that case and retry + * with the returned neg_flags - gd */ + + if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) { + retried = true; + goto again; + } + if (!NT_STATUS_IS_OK(result)) { return result; } diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 1fd06f868e..71422cd9ad 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2600,7 +2600,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state const char *password, NTSTATUS *perr) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *result = NULL; @@ -2634,7 +2634,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli, const char *domain, NTSTATUS *perr) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *result = NULL; |