mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00

s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.

Jeremy, with 9a5d5cc1db you alter the in negotiate
flags (which are a pointer to the out negotiate flags assigned in the generated
netlogon server code). So, while you wanted to just set the *out* negflags, you
did in fact reset the *in* negflags, effectively eliminating the
NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then
caused creds_server_init() to generate 64bit creds instead of 128bit, causing
the whole chain to break. *Please* check.

Guenther
Günther Deschner 2009-05-06 19:29:01 +02:00
parent 730c91aaaa
commit 78754ab2c9


@ -535,8 +535,6 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
*r->out.negotiate_flags = srv_flgs;
switch (p->hdr_req.opnum) {
case NDR_NETR_SERVERAUTHENTICATE2:
fn = "_netr_ServerAuthenticate2";
@ -554,6 +552,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
if (!p->dc || !p->dc->challenge_sent) {
DEBUG(0,("%s: no challenge sent to client %s\n", fn,
r->in.computer_name));
*r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@ -564,6 +563,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
DEBUG(0,("%s: schannel required but client failed "
"to offer it. Client was %s\n",
fn, r->in.account_name));
*r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@ -576,6 +576,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"account %s: %s\n",
fn, r->in.account_name, nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
*r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@ -593,6 +594,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"request from client %s machine account %s\n",
fn, r->in.computer_name,
r->in.account_name));
*r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
/* set up the LSA AUTH 2 response */
@ -612,6 +614,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
p->dc);
unbecome_root();
*r->out.negotiate_flags = srv_flgs;
return NT_STATUS_OK;
}
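Review bot: The out flags are now stored by hand before each of the five visible returns (four NT_STATUS_ACCESS_DENIED paths and the final NT_STATUS_OK), and nothing in the code says why the store must not happen earlier. Per the commit message, `r->in.negotiate_flags` and `r->out.negotiate_flags` refer to the same storage, so an early store silently drops NETLOGON_NEG_STRONG_KEYS and weakens the credentials to 64 bit; a future return path that forgets the store would presumably hand the client's own flags back unchanged. I would add a comment where the assignment was removed, e.g. `/* in and out negotiate_flags alias: do not write *r->out.negotiate_flags until the in flags are no longer needed */`, and consider snapshotting once at the top of the function with `uint32_t in_flags = *r->in.negotiate_flags;` so later reads cannot depend on the order of stores. The function body starts and continues outside these hunks, so the places that read the in flags (the schannel check and the credential setup) are not visible here and should be checked against this.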