authorGünther Deschner <gd@samba.org>2009-05-06 19:29:01 +0200
committerGünther Deschner <gd@samba.org>2009-05-06 19:37:39 +0200
commit78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1 (patch)
tree674e8aa2641cf444b32774fdbbee8077ee57962f /source3
parent730c91aaaad42c68fdb44bc51fee6c89e0c22910 (diff)
s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the *in* negotiate flags (which are a pointer to the *out* negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT), which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check. Guenther
Diffstat (limited to 'source3')
-rw-r--r--source3/rpc_server/srv_netlog_nt.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index c5e2ca7c71..edd13217d7 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -535,8 +535,6 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
- *r->out.negotiate_flags = srv_flgs;
-
switch (p->hdr_req.opnum) {
case NDR_NETR_SERVERAUTHENTICATE2:
fn = "_netr_ServerAuthenticate2";
@@ -554,6 +552,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
if (!p->dc || !p->dc->challenge_sent) {
DEBUG(0,("%s: no challenge sent to client %s\n", fn,
r->in.computer_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
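Review bot: The write to `*r->out.negotiate_flags` is now repeated on every exit path (this hunk and the four hunks after it), so a later early return that omits it would send back whatever the aliased in/out word holds at that point, which per the commit message is the client's own flags. Taking one snapshot near the top of the function, e.g. `uint32_t in_neg_flags = *r->in.negotiate_flags;`, and using it for every later read of the client's offer would let the out value be set in a single place again without the credential strength depending on statement order. The start of `_netr_ServerAuthenticate3` is outside this hunk, so whether other reads of `r->in.negotiate_flags` exist cannot be confirmed from here.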
@@ -564,6 +563,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
DEBUG(0,("%s: schannel required but client failed "
"to offer it. Client was %s\n",
fn, r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@@ -576,6 +576,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"account %s: %s\n",
fn, r->in.account_name, nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@@ -593,6 +594,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"request from client %s machine account %s\n",
fn, r->in.computer_name,
r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
/* set up the LSA AUTH 2 response */
@@ -612,6 +614,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
p->dc);
unbecome_root();
+ *r->out.negotiate_flags = srv_flgs;
+
return NT_STATUS_OK;
}
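Review bot: Nothing at this assignment records why it must come after the credential setup, so a later cleanup could hoist it back above the `switch` and reintroduce the 64-bit credential downgrade that the commit message describes. A comment directly above it would pin the constraint: `/* out.negotiate_flags aliases in.negotiate_flags: do not write it before the credentials have been derived from the client's flags */`. The credential call starts outside this hunk, so which argument reads the in flags is inferred from the commit message, not from the visible lines.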