authorGünther Deschner <gd@samba.org>2008-04-02 02:29:48 +0200
committerGünther Deschner <gd@samba.org>2008-04-02 11:12:47 +0200
commit99d35904552b01ef9f2adc40e16887da9eb4de69 (patch)
tree9362193c6a4a8a3dbc51e51f0c6c39416fd1dbe6 /source3/utils
parent5b07337cc5e853d0f02554593f4eb842191d67e5 (diff)
Fix NETLOGON credential chain with Windows 2008 all over the place.
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/net_rpc_join.c4
-rw-r--r--source3/utils/net_rpc_samsync.c2
2 files changed, 3 insertions, 3 deletions
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 45c0fe5097..ea3bb10c22 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -46,7 +46,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server,
{
enum security_types sec;
unsigned int conn_flags = NET_FLAGS_PDC;
- uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
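Review bot: The downgrade to the server-returned flags that the commit message describes for NT4 needs a floor, and nothing near the new `neg_flags` initialiser in `net_rpc_join_ok` says where that floor is enforced. If the reply can overwrite `neg_flags`, the code after negotiation should refuse to continue when a bit the client requires, such as `NETLOGON_NEG_SCHANNEL`, is missing from it; that code is outside this hunk, so this is a request to confirm rather than a confirmed gap. The reason for the new starting value is also recorded only in the commit message, so a comment at the declaration would help, for example `/* offer the full AD flag set; w2k8 answers NT_STATUS_DOWNGRADE_DETECTED otherwise, NT4 replies with a reduced set */`. The same bare initialiser appears in `net_rpc_join_newstyle` and `rpc_samdump_internals`, and the body of `net_rpc_join_ok` continues past the end of the hunk.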
@@ -133,7 +133,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
struct cli_state *cli;
TALLOC_CTX *mem_ctx;
uint32 acb_info = ACB_WSTRUST;
- uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint32 sec_channel_type;
struct rpc_pipe_client *pipe_hnd = NULL;
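Review bot: `lp_client_schannel()` no longer has any influence on the flags offered in `net_rpc_join_newstyle`; the old initialiser added `NETLOGON_NEG_SCHANNEL` only when that setting was enabled. If `NETLOGON_NEG_AUTH2_ADS_FLAGS` contains the schannel bit (its definition is not visible here), a host configured with `client schannel = no` now advertises it regardless, and any later test of `neg_flags & NETLOGON_NEG_SCHANNEL` in this function changes meaning. Please confirm the setting is still consulted where the schannel pipe is opened, and record the decision at the declaration, for example `/* schannel is always offered; the client schannel setting is applied when the pipe is opened */` once that is true. The function body continues outside the hunk.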
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 87d35b3ef6..986499731a 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -412,7 +412,7 @@ NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid,
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
uchar trust_password[16];
- uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint32 sec_channel_type = 0;
if (!secrets_fetch_trust_account_password(domain_name,