author | Stefan Metzmacher <metze@samba.org> | 2011-12-23 15:22:06 +0100 |
---|---|---|
committer | Andreas Schneider <asn@samba.org> | 2012-07-17 10:58:38 +0200 |
commit | e7c7a911302fa6c3df70303a529e0ba362f9e838 (patch) | |
tree | 69a13328587b2f69515c3074b2b42c97ca9ce854 /source4/librpc | |
parent | db33ef7be9ab588e8bb213f6fa1ab9fac8553af0 (diff) | |
s4:librpc/rpc/dcerpc_schannel: rework downgrade logic
metze
Signed-off-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4/librpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 43 |
1 files changed, 38 insertions, 5 deletions
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 335c34ca35..1655e6bad0 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -221,15 +221,48 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 TALLOC_FREE(subreq);
 if (!composite_is_ok(c)) return;

+ if (!NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
+ !NT_STATUS_IS_OK(s->a.out.result)) {
+ composite_error(c, s->a.out.result);
+ return;
+ }
+
 /*
 * Strong keys could be unsupported (NT4) or disables. So retry with the
 * flags returned by the server. - asn
 */
- if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
- s->dcerpc_schannel_auto &&
- (s->local_negotiate_flags & NETLOGON_NEG_STRONG_KEYS)) {
- DEBUG(3, ("Server doesn't support strong keys, "
- "downgrade and retry!\n"));
+ if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED)) {
+ uint32_t lf = s->local_negotiate_flags;
+ const char *ln = NULL;
+ uint32_t rf = s->remote_negotiate_flags;
+ const char *rn = NULL;
+
+ if (!s->dcerpc_schannel_auto) {
+ composite_error(c, s->a.out.result);
+ return;
+ }
+ s->dcerpc_schannel_auto = false;
+
+ if (lf & NETLOGON_NEG_STRONG_KEYS) {
+ ln = "strong";
+ if (rf & NETLOGON_NEG_STRONG_KEYS) {
+ composite_error(c, s->a.out.result);
+ return;
+ }
+ } else {
+ ln = "des";
+ }
+
+ if (rf & NETLOGON_NEG_STRONG_KEYS) {
+ rn = "strong";
+ } else {
+ rn = "des";
+ }
+
+ DEBUG(3, ("Server doesn't support %s keys, downgrade to %s"
+ "and retry! local[0x%08X] remote[0x%08X]\n",
+ ln, rn, lf, rf));
+
 s->local_negotiate_flags = s->remote_negotiate_flags;

 generate_random_buffer(s->credentials1.data, |
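Review bot: The retry branch adopts `s->remote_negotiate_flags` wholesale after an ACCESS_DENIED reply, so a reply that omits NETLOGON_NEG_STRONG_KEYS is enough to move the channel from strong to DES keys, and the only record is a `DEBUG(3, ...)` line. No minimum is enforced in the visible lines; if none is enforced by the caller, add a comment such as `/* flags come from the server's reply; callers that must not fall back to DES have to clear dcerpc_schannel_auto */` and log the downgrade at a level that is visible by default, for example `DEBUG(1, ...)`. The new message also concatenates `"downgrade to %s"` directly with `"and retry! ..."`, which prints e.g. "desand retry!"; the first literal needs a trailing space, `"Server doesn't support %s keys, downgrade to %s "`. When the local flags lack strong keys and the remote flags have them, the same message reports a "downgrade to strong", which misdescribes the retry. continue_srv_auth2 begins before and continues after this hunk.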