From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Wed, 2 Apr 2008 02:29:48 +0200
Subject: Fix NETLOGON credential chain with Windows 2008 all over the place.

In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.

Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.

Guenther
(This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
---
 source3/include/rpc_dce.h | 44 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)

(limited to 'source3/include/rpc_dce.h')

diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h
index ec08eb5f8f..33ab365160 100644
--- a/source3/include/rpc_dce.h
+++ b/source3/include/rpc_dce.h
@@ -101,12 +101,48 @@ enum RPC_PKT_TYPE {
 /* The 7 here seems to be required to get Win2k not to downgrade us
    to NT4.  Actually, anything other than 1ff would seem to do... */
 #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
+/*
+	(NETLOGON_NEG_ACCOUNT_LOCKOUT |
+	 NETLOGON_NEG_PERSISTENT_SAMREPL |
+	 NETLOGON_NEG_ARCFOUR |
+	 NETLOGON_NEG_PROMOTION_COUNT |
+	 NETLOGON_NEG_CHANGELOG_BDC |
+	 NETLOGON_NEG_FULL_SYNC_REPL |
+	 NETLOGON_NEG_MULTIPLE_SIDS |
+	 NETLOGON_NEG_REDO |
+	 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+	 NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+	 NETLOGON_NEG_PASSWORD_SET2 |
+	 NETLOGON_NEG_GETDOMAININFO)
+*/
 #define NETLOGON_NEG_DOMAIN_TRUST_ACCOUNT	0x2010b000
- 
-/* these are the flags that ADS clients use */
-#define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
-#define NETLOGON_NEG_SELECT_AUTH2_FLAGS ((lp_security() == SEC_ADS) ? NETLOGON_NEG_AUTH2_ADS_FLAGS : NETLOGON_NEG_AUTH2_FLAGS)
+/* these are the flags that ADS clients use */
+#define NETLOGON_NEG_AUTH2_ADS_FLAGS 0x600fffff
+/*
+	(NETLOGON_NEG_ACCOUNT_LOCKOUT |
+	 NETLOGON_NEG_PERSISTENT_SAMREPL |
+	 NETLOGON_NEG_ARCFOUR |
+	 NETLOGON_NEG_PROMOTION_COUNT |
+	 NETLOGON_NEG_CHANGELOG_BDC |
+	 NETLOGON_NEG_FULL_SYNC_REPL |
+	 NETLOGON_NEG_MULTIPLE_SIDS |
+	 NETLOGON_NEG_REDO |
+	 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+	 NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+	 NETLOGON_NEG_GENERIC_PASSTHROUGH |
+	 NETLOGON_NEG_CONCURRENT_RPC |
+	 NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+	 NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+	 NETLOGON_NEG_128BIT |
+	 NETLOGON_NEG_TRANSITIVE_TRUSTS |
+	 NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+	 NETLOGON_NEG_PASSWORD_SET2 |
+	 NETLOGON_NEG_GETDOMAININFO |
+	 NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+	 NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+	 NETLOGON_NEG_SCHANNEL)
+*/
 
 enum schannel_direction {
 	SENDER_IS_INITIATOR,
-- 
cgit