From 34fa7946993506fde2c6b30e4a41bea27390a814 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 16 Jul 2013 10:07:30 +0200 Subject: s4:librpc: fix netlogon connections against servers without AES support LogonGetCapabilities() only works on the credential chain if the server supports AES, so we need to work on a temporary copy until we know the server replied a valid return authenticator. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source4/librpc') diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 1480486c32..130ebebd90 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -385,6 +385,7 @@ struct auth_schannel_state { struct loadparm_context *lp_ctx; uint8_t auth_level; struct netlogon_creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState save_creds_state; struct netr_Authenticator auth; struct netr_Authenticator return_auth; union netr_Capabilities capabilities; @@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx) s->creds_state = cli_credentials_get_netlogon_creds(s->credentials); if (composite_nomem(s->creds_state, c)) return; - netlogon_creds_client_authenticator(s->creds_state, &s->auth); + s->save_creds_state = *s->creds_state; + netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth); s->c.in.server_name = talloc_asprintf(c, "\\\\%s", @@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq) } /* verify credentials */ - if (!netlogon_creds_client_check(s->creds_state, + if (!netlogon_creds_client_check(&s->save_creds_state, &s->c.out.return_authenticator->cred)) { composite_error(c, NT_STATUS_UNSUCCESSFUL); return; } + *s->creds_state = s->save_creds_state; + if (!NT_STATUS_IS_OK(s->c.out.result)) { composite_error(c, s->c.out.result); return; -- cgit