author | Jeremy Allison <jra@samba.org> | 2009-05-06 16:10:20 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2009-05-06 16:10:20 -0700 |
commit | 78fb479325ce7073ab8383ada3903080d12aef91 (patch) | |
tree | 21f14c23e9ea93b4b59780a60e4ab2b705d13181 /source3 | |
parent | 512879a69b6e94c323c37a6c0e56824c097b7f70 (diff) | |
After getting confirmation from Guenther, add 3 changes we'll
ultimately need to fix bug #6099 Samba returns inaccurate capabilities list.
1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to
r->out.negotiate_flags.
2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags
return if the client requested it.
3). Clean up the error exits so we always return the same
way.
Signed off by Guenther.
Jeremy.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 36 |
1 files changed, 23 insertions, 13 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index edd13217d7..333eabe2ce 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -508,13 +508,16 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, { NTSTATUS status; uint32_t srv_flgs; + /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags, + * so use a copy to avoid destroying the client values. */ + uint32_t in_neg_flags = *r->in.negotiate_flags; struct netr_Credential srv_chal_out; const char *fn; /* According to Microsoft (see bugid #6099) * Windows 7 looks at the negotiate_flags * returned in this structure *even if the - * call fails with access denied ! So in order + * call fails with access denied* ! So in order * to allow Win7 to connect to a Samba NT style * PDC we set the flags before we know if it's * an error or not. @@ -531,6 +534,11 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, NETLOGON_NEG_REDO | NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL; + /* Ensure we support strong (128-bit) keys. */ + if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) { + srv_flgs |= NETLOGON_NEG_STRONG_KEYS; + } + if (lp_server_schannel() != false) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } 
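Review bot: The snapshot `in_neg_flags` added in the first hunk (@@ -508) can be declared `const`, because its only job is to preserve the client's value once `*r->out.negotiate_flags` is written through the aliased pointer: `const uint32_t in_neg_flags = *r->in.negotiate_flags;`. That makes the compiler reject any later accidental write to the copy. _netr_ServerAuthenticate3 starts before and continues after this hunk, so any read of `*r->in.negotiate_flags` in the parts not shown should be checked to confirm it uses the copy.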
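Review bot: The comment `/* Ensure we support strong (128-bit) keys. */` in the second hunk (@@ -531) overstates what the branch does. It only echoes NETLOGON_NEG_STRONG_KEYS back when the client set it, so a client that leaves the bit clear is still accepted without strong keys. Nothing in the visible hunks rejects such a client, unlike the `lp_server_schannel() == true` check further down, which refuses clients that do not offer schannel. I would reword it to `/* Advertise 128-bit key support only if the client asked for it; clients that omit the flag are still accepted. */` so that it is not read as an enforcement point. The function body extends beyond this hunk on both sides.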
@@ -552,19 +560,19 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, if (!p->dc || !p->dc->challenge_sent) { DEBUG(0,("%s: no challenge sent to client %s\n", fn, r->in.computer_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } if ( (lp_server_schannel() == true) && - ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { + ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { /* schannel must be used, but client did not offer it. */ DEBUG(0,("%s: schannel required but client failed " "to offer it. Client was %s\n", fn, r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } status = get_md4pw((char *)p->dc->mach_pw, @@ -576,12 +584,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "account %s: %s\n", fn, r->in.account_name, nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* From the client / server challenges and md4 password, generate sess key */ - creds_server_init(*r->in.negotiate_flags, + creds_server_init(in_neg_flags, p->dc, &p->dc->clnt_chal, /* Stored client chal. */ &p->dc->srv_chal, /* Stored server chal. */ @@ -594,8 +602,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "request from client %s machine account %s\n", fn, r->in.computer_name, r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* set up the LSA AUTH 2 response */ memcpy(r->out.return_credentials->data, &srv_chal_out.data, 
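Review bot: In the hunk at @@ -576, `creds_server_init(in_neg_flags, ...)` receives the client's raw request rather than the flag set the server is about to return in `srv_flgs`. If creds_server_init chooses the session-key derivation from these flags (its body is not shown, so this needs confirming), a bit the client sets but the server does not advertise could still influence the key, and the reply would not describe what was actually used. Consider passing the agreed set, `creds_server_init(in_neg_flags & srv_flgs,`, or add a comment stating why the unmasked client value is correct here. The call's argument list and the enclosing function both run past the edges of the hunk.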
@@ -613,10 +621,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, r->in.computer_name, p->dc); unbecome_root(); + status = NT_STATUS_OK; - *r->out.negotiate_flags = srv_flgs; + out: - return NT_STATUS_OK; + *r->out.negotiate_flags = srv_flgs; + return status; } /************************************************************************* |
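Review bot: The new `out:` label in the last hunk (@@ -613) has no comment explaining why `*r->out.negotiate_flags = srv_flgs;` now runs on every exit, including the access-denied ones. I would put `/* Always return srv_flgs, even on failure: Windows 7 reads negotiate_flags when access is denied (bug #6099). */` above the assignment, since the explanation currently sits about a hundred lines earlier in the function. Because r->in.negotiate_flags aliases the out pointer, that comment should also say that nothing after the label may read the client's flags except through `in_neg_flags`.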