From d6fdd13dec854c681ad047d104ccfc2bf0ca5de5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Jul 2008 16:14:20 +1000 Subject: Remove the 'accoc_group_id' check in the RPC server. This check breaks more than it fixes, and while technically not correct, is the best solution we have at this time. Otherwise, SCHANNEL binds from WinXP fail. Andrew Bartlett (This used to be commit f8628fa330abcd50923d995d5bda1f4811582ea9) --- source4/rpc_server/dcerpc_server.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source4/rpc_server/dcerpc_server.c') diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index d8dafd61f6..91ae5fcd94 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -534,9 +534,20 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) uint32_t context_id; const struct dcesrv_interface *iface; +#if 0 + /* It is not safe to enable this check - windows clients + * (WinXP in particular) will use it for NETLOGON calls, for + * the subsequent SCHANNEL bind. It turns out that NETLOGON + * calls include no policy handles, so it is safe there. Let + * the failure occour on the attempt to reuse a poilcy handle, + * rather than here */ + + /* Association groups allow policy handles to be shared across + * multiple client connections. We don't implement this yet. */ if (call->pkt.u.bind.assoc_group_id != 0) { return dcesrv_bind_nak(call, 0); } +#endif if (call->pkt.u.bind.num_contexts < 1 || call->pkt.u.bind.ctx_list[0].num_transfer_syntaxes < 1) { -- cgit From 768515f4ad13785729fcd4df7cecaede39b7409a Mon Sep 17 00:00:00 2001 
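Review bot: Placing the whole `assoc_group_id` check under `#if 0` leaves dcesrv_bind accepting any client-supplied association group id, and the new comment justifies this by a failure that is supposed to happen later on policy-handle reuse, which nothing in this hunk enforces or points to. A narrower guard would keep the WinXP NETLOGON/SCHANNEL path working while still rejecting arbitrary ids: accept 0 (new group) and the single non-zero value the server itself returns in bind_ack (visible as `pkt.u.bind_ack.assoc_group_id = 0x12345678` elsewhere on this page), and NAK everything else. If the check really must stay disabled, delete it rather than fence it with `#if 0` — dead code under a preprocessor guard silently rots — and at least fix the typos in the retained comment (`occour` → `occur`, `poilcy` → `policy`). The body of dcesrv_bind continues past the end of this hunk.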
From: Andrew Bartlett Date: Wed, 23 Jul 2008 16:19:54 +1000 Subject: The SMB session key must not be more than 16 bytes in SAMR (and presumably LSA). Tests show that Vista requires the sesion key to be truncated for a domain join. Andrew Bartlett (This used to be commit af629a3738298d27eb2dbecf466ceb503cec9638) --- source4/rpc_server/dcerpc_server.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/dcerpc_server.c') diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index d8dafd61f6..fb487dfdcf 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -270,11 +270,20 @@ NTSTATUS dcesrv_generic_session_key(struct dcesrv_connection *p, /* fetch the user session key - may be default (above) or the SMB session key + + The key is always truncated to 16 bytes */ _PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p, DATA_BLOB *session_key) { - return p->auth_state.session_key(p, session_key); + NTSTATUS status = p->auth_state.session_key(p, session_key); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + session_key->length = MIN(session_key->length, 16); + + return NT_STATUS_OK; } -- cgit From 5bb679aa0fe87b5dd7f7c82d09157bc93b8b54cb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Jul 2008 14:41:16 +0200 Subject: rpc_server: be more strict with the incoming assoc_group_id Allow 0 and 0x12345678 only. This fixes the RPC-HANDLES test. metze (This used to be commit c123e597cc84685abf2b0d3564e1a26d80bbef2f) --- source4/rpc_server/dcerpc_server.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source4/rpc_server/dcerpc_server.c') diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index a2ca897981..ac36825acd 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c 
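Review bot: The `MIN(session_key->length, 16)` truncation sits in the generic dcesrv_fetch_session_key, so every RPC consumer of the session key, not just the SAMR and LSA cases named in the commit message, now gets at most 16 bytes, and any longer key material from the underlying auth state (presumably possible for Kerberos or SMB-derived keys, not shown here) is silently discarded. If the 16-byte limit is a SAMR/LSA wire compatibility requirement, it belongs at those call sites or in a dedicated wrapper, leaving this function returning the full key for callers that need it. The header comment should also be more precise than "always truncated to 16 bytes": a shorter key passes through unchanged, e.g. `/* Key is capped at 16 bytes for Windows SAMR/LSA compatibility (Vista domain join); shorter keys are returned as-is. */`.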
@@ -543,20 +543,20 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) uint32_t context_id; const struct dcesrv_interface *iface; -#if 0 - /* It is not safe to enable this check - windows clients - * (WinXP in particular) will use it for NETLOGON calls, for - * the subsequent SCHANNEL bind. It turns out that NETLOGON - * calls include no policy handles, so it is safe there. Let - * the failure occour on the attempt to reuse a poilcy handle, - * rather than here */ - - /* Association groups allow policy handles to be shared across - * multiple client connections. We don't implement this yet. */ - if (call->pkt.u.bind.assoc_group_id != 0) { + /* + * Association groups allow policy handles to be shared across + * multiple client connections. We don't implement this yet. + * + * So we just allow 0 if the client wants to create a new + * association group. + * + * And we allow the 0x12345678 value, we give away as + * assoc_group_id back to the clients + */ + if (call->pkt.u.bind.assoc_group_id != 0 && + call->pkt.u.bind.assoc_group_id != 0x12345678) { return dcesrv_bind_nak(call, 0); } -#endif if (call->pkt.u.bind.num_contexts < 1 || call->pkt.u.bind.ctx_list[0].num_transfer_syntaxes < 1) { -- cgit From 552fd06dedbef0fbf3ba5c78698cd286973c61aa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 25 Jul 2008 14:11:18 +1000 Subject: Make a new define to ensure the accoc_group_id we use is always in common. (This used to be commit b62490e3e21b606b66e0737a403b0d170b64cddd) --- source4/rpc_server/dcerpc_server.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcerpc_server.c') diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index ac36825acd..cb07f6e8ce 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c 
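Review bot: The reinstated guard accepts the well-known `0x12345678` from any client, so association-group membership is effectively unauthenticated: the moment the server starts honouring `assoc_group_id` to share policy handles across connections (the comment notes this is not implemented yet), every connection could claim the one group the server hands out. A warning in the comment would stop that feature from being built on top of this check, e.g. `/* NOTE: the shared id is accepted from any client. Before policy handles are ever shared by assoc_group_id, ids must be allocated per group and bound to the creating connection's auth state. */`. The bind_nak reason is still the generic `0`; if a distinct reject reason exists for an unknown association group it would aid client-side diagnosis, but I cannot confirm one from this hunk. The remainder of dcesrv_bind continues outside the hunk.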
@@ -36,6 +36,8 @@ #include "libcli/security/security.h" #include "param/param.h" +#define SAMBA_ACCOC_GROUP 0x12345678 + extern const struct dcesrv_interface dcesrv_mgmt_interface; /* @@ -554,7 +556,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) * assoc_group_id back to the clients */ if (call->pkt.u.bind.assoc_group_id != 0 && - call->pkt.u.bind.assoc_group_id != 0x12345678) { + call->pkt.u.bind.assoc_group_id != SAMBA_ACCOC_GROUP) { return dcesrv_bind_nak(call, 0); } @@ -629,7 +631,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) pkt.u.bind_ack.max_xmit_frag = 0x2000; pkt.u.bind_ack.max_recv_frag = 0x2000; /* we need to send a non zero assoc_group_id here to make longhorn happy, it also matches samba3 */ - pkt.u.bind_ack.assoc_group_id = 0x12345678; + pkt.u.bind_ack.assoc_group_id = SAMBA_ACCOC_GROUP; if (iface) { /* FIXME: Use pipe name as specified by endpoint instead of interface name */ pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name); -- cgit
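Review bot: The new macro `SAMBA_ACCOC_GROUP` carries the "accoc" misspelling from the commit subject, and every future use will inherit it; `SAMBA_ASSOC_GROUP_ID`, matching the `assoc_group_id` field it is compared against and assigned to in the other two hunks, is the conventional name. The define also has no comment, although it is the single value the server both returns in bind_ack and accepts back on bind, e.g. `/* The one association group id this server hands out in bind_ack and accepts on bind; per-group ids are not implemented. */`.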