diff options
author | Günther Deschner <gd@samba.org> | 2009-05-06 19:29:01 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-05-06 19:37:39 +0200 |
commit | 78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1 (patch) | |
tree | 674e8aa2641cf444b32774fdbbee8077ee57962f /source3 | |
parent | 730c91aaaad42c68fdb44bc51fee6c89e0c22910 (diff) | |
download | samba-78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1.tar.gz samba-78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1.tar.bz2 samba-78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1.zip |
s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate
flags (which are a pointer to the out negotiate flags assigned in the generated
netlogon server code). So, while you wanted to just set the *out* negflags, you
did in fact reset the *in* negflags, effectively eliminating the
NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then
caused creds_server_init() to generate 64bit creds instead of 128bit, causing
the whole chain to break. *Please* check.
Guenther
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index c5e2ca7c71..edd13217d7 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -535,8 +535,6 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, srv_flgs |= NETLOGON_NEG_SCHANNEL; } - *r->out.negotiate_flags = srv_flgs; - switch (p->hdr_req.opnum) { case NDR_NETR_SERVERAUTHENTICATE2: fn = "_netr_ServerAuthenticate2"; @@ -554,6 +552,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, if (!p->dc || !p->dc->challenge_sent) { DEBUG(0,("%s: no challenge sent to client %s\n", fn, r->in.computer_name)); + *r->out.negotiate_flags = srv_flgs; return NT_STATUS_ACCESS_DENIED; } @@ -564,6 +563,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, DEBUG(0,("%s: schannel required but client failed " "to offer it. Client was %s\n", fn, r->in.account_name)); + *r->out.negotiate_flags = srv_flgs; return NT_STATUS_ACCESS_DENIED; } @@ -576,6 +576,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "account %s: %s\n", fn, r->in.account_name, nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ + *r->out.negotiate_flags = srv_flgs; return NT_STATUS_ACCESS_DENIED; } @@ -593,6 +594,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "request from client %s machine account %s\n", fn, r->in.computer_name, r->in.account_name)); + *r->out.negotiate_flags = srv_flgs; return NT_STATUS_ACCESS_DENIED; } /* set up the LSA AUTH 2 response */ @@ -612,6 +614,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, p->dc); unbecome_root(); + *r->out.negotiate_flags = srv_flgs; + return NT_STATUS_OK; } |