From cbe69f65f69b0c7b7c2d0d32005da488b50e52ba Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Wed, 1 Oct 2003 21:18:32 +0000
Subject: commit sign only patch from Andrew; bug 167; tested using 2k & XP
 clientspreviously joined to the Samba domain (This used to be commit
 3802f5895ee18507c6f467bd11db0b1147a6fdfd)

---
 source3/rpcclient/rpcclient.c | 50 +++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 21 deletions(-)

(limited to 'source3/rpcclient/rpcclient.c')

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 515489292b..773441a27c 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -352,38 +352,33 @@ static NTSTATUS cmd_none(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK; 
 }
 
-static NTSTATUS cmd_schannel(struct cli_state *cli, TALLOC_CTX *mem_ctx,
-			     int argc, const char **argv)
+static NTSTATUS setup_schannel(struct cli_state *cli, int pipe_auth_flags,
+			       int argc, const char **argv)
 {
 	NTSTATUS ret;
+	static uchar zeros[16];
 	uchar trust_password[16];
 	uint32 sec_channel_type;
-	static uchar zeros[16];
-
 	if (argc == 2) {
 		strhex_to_str((char *)cli->auth_info.sess_key,
 			      strlen(argv[1]), 
 			      argv[1]);
 		memcpy(cli->sess_key, cli->auth_info.sess_key, sizeof(cli->sess_key));
 
-		cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
-		cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
-		cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
-
+		cli->pipe_auth_flags = pipe_auth_flags;
 		return NT_STATUS_OK;
 	}
 
 	/* Cleanup */
 
 	if ((memcmp(cli->auth_info.sess_key, zeros, sizeof(cli->auth_info.sess_key)) != 0)) {
-		if (cli->pipe_auth_flags == (AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL)) {
+		if (cli->pipe_auth_flags == pipe_auth_flags) {
 			/* already in this mode nothing to do */
 			return NT_STATUS_OK;
 		} else {
-			/* schannel is setup, just need to use it again */
-			cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
-			cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
-			cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
+			/* schannel is setup, just need to use it again with new flags */
+			cli->pipe_auth_flags = pipe_auth_flags;
+
 			if (cli->nt_pipe_fnum != 0)
 				cli_nt_session_close(cli);
 			return NT_STATUS_OK;
@@ -393,17 +388,13 @@ static NTSTATUS cmd_schannel(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 	if (cli->nt_pipe_fnum != 0)
 		cli_nt_session_close(cli);
 
-	cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
-	cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
-	cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
-
 	if (!secrets_fetch_trust_account_password(lp_workgroup(),
 						  trust_password,
 						  NULL, &sec_channel_type)) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	ret = cli_nt_setup_netsec(cli, sec_channel_type, trust_password);
+	ret = cli_nt_setup_netsec(cli, sec_channel_type, pipe_auth_flags, trust_password);
 	if (NT_STATUS_IS_OK(ret)) {
 		char *hex_session_key;
 		hex_encode(cli->auth_info.sess_key,
@@ -415,6 +406,24 @@ static NTSTATUS cmd_schannel(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 	return ret;
 }
 
+
+static NTSTATUS cmd_schannel(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+			     int argc, const char **argv)
+{
+	d_printf("Setting schannel - sign and seal\n");
+	return setup_schannel(cli, AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN | AUTH_PIPE_SEAL, 
+			      argc, argv);
+}
+
+static NTSTATUS cmd_schannel_sign(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+			     int argc, const char **argv)
+{
+	d_printf("Setting schannel - sign only\n");
+	return setup_schannel(cli, AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, 
+			      argc, argv);
+}
+
+
 /* Built in rpcclient commands */
 
 static struct cmd_set rpcclient_commands[] = {
@@ -430,6 +439,7 @@ static struct cmd_set rpcclient_commands[] = {
 	{ "sign", RPC_RTYPE_NTSTATUS, cmd_sign, NULL,	  -1,	"Force RPC pipe connections to be signed", "" },
 	{ "seal", RPC_RTYPE_NTSTATUS, cmd_seal, NULL,	  -1,	"Force RPC pipe connections to be sealed", "" },
 	{ "schannel", RPC_RTYPE_NTSTATUS, cmd_schannel, NULL,	  -1,	"Force RPC pipe connections to be sealed with 'schannel' (NETSEC).  Assumes valid machine account to this domain controller.", "" },
+	{ "schannelsign", RPC_RTYPE_NTSTATUS, cmd_schannel_sign, NULL,	  -1,	"Force RPC pipe connections to be signed (not sealed) with 'schannel' (NETSEC).  Assumes valid machine account to this domain controller.", "" },
 	{ "none", RPC_RTYPE_NTSTATUS, cmd_none, NULL,	  -1,	"Force RPC pipe connections to have no special properties", "" },
 
 	{ NULL }
@@ -522,9 +532,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 	/* some of the DsXXX commands use the netlogon pipe */
 
 	if (lp_client_schannel() && (cmd_entry->pipe_idx == PI_NETLOGON) && !(cli->pipe_auth_flags & AUTH_PIPE_NETSEC)) {
-		/* The 7 here seems to be required to get Win2k not to downgrade us
-		   to NT4.  Actually, anything other than 1ff would seem to do... */
-		uint32 neg_flags = 0x000001ff;
+		uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
 		uint32 sec_channel_type;
 	
 		if (!secrets_fetch_trust_account_password(lp_workgroup(),
-- 
cgit