summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/rpc_server/srv_netlog_nt.c36
1 files changed, 23 insertions, 13 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index edd13217d7..333eabe2ce 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -508,13 +508,16 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
{
NTSTATUS status;
uint32_t srv_flgs;
+ /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+ * so use a copy to avoid destroying the client values. */
+ uint32_t in_neg_flags = *r->in.negotiate_flags;
struct netr_Credential srv_chal_out;
const char *fn;
/* According to Microsoft (see bugid #6099)
* Windows 7 looks at the negotiate_flags
* returned in this structure *even if the
- * call fails with access denied ! So in order
+ * call fails with access denied* ! So in order
* to allow Win7 to connect to a Samba NT style
* PDC we set the flags before we know if it's
* an error or not.
@@ -531,6 +534,11 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
NETLOGON_NEG_REDO |
NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
+ /* Ensure we support strong (128-bit) keys. */
+ if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
+ srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
+ }
+
if (lp_server_schannel() != false) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
@@ -552,19 +560,19 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
if (!p->dc || !p->dc->challenge_sent) {
DEBUG(0,("%s: no challenge sent to client %s\n", fn,
r->in.computer_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
if ( (lp_server_schannel() == true) &&
- ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+ ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
/* schannel must be used, but client did not offer it. */
DEBUG(0,("%s: schannel required but client failed "
"to offer it. Client was %s\n",
fn, r->in.account_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
status = get_md4pw((char *)p->dc->mach_pw,
@@ -576,12 +584,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"account %s: %s\n",
fn, r->in.account_name, nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
/* From the client / server challenges and md4 password, generate sess key */
- creds_server_init(*r->in.negotiate_flags,
+ creds_server_init(in_neg_flags,
p->dc,
&p->dc->clnt_chal, /* Stored client chal. */
&p->dc->srv_chal, /* Stored server chal. */
@@ -594,8 +602,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"request from client %s machine account %s\n",
fn, r->in.computer_name,
r->in.account_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
/* set up the LSA AUTH 2 response */
memcpy(r->out.return_credentials->data, &srv_chal_out.data,
@@ -613,10 +621,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
r->in.computer_name,
p->dc);
unbecome_root();
+ status = NT_STATUS_OK;
- *r->out.negotiate_flags = srv_flgs;
+ out:
- return NT_STATUS_OK;
+ *r->out.negotiate_flags = srv_flgs;
+ return status;
}
/*************************************************************************