mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
Jeremy, with 9a5d5cc1db you alter the in negotiate
flags (which are a pointer to the out negotiate flags assigned in the generated
netlogon server code). So, while you wanted to just set the *out* negflags, you
did in fact reset the *in* negflags, effectively eliminating the
NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then
caused creds_server_init() to generate 64bit creds instead of 128bit, causing
the whole chain to break. *Please* check.
Guenther
parent
730c91aaaa
commit
78754ab2c9
@ -535,8 +535,6 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
srv_flgs |= NETLOGON_NEG_SCHANNEL;
|
||||
}
|
||||
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
|
||||
switch (p->hdr_req.opnum) {
|
||||
case NDR_NETR_SERVERAUTHENTICATE2:
|
||||
fn = "_netr_ServerAuthenticate2";
|
||||
@ -554,6 +552,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
if (!p->dc || !p->dc->challenge_sent) {
|
||||
DEBUG(0,("%s: no challenge sent to client %s\n", fn,
|
||||
r->in.computer_name));
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
@ -564,6 +563,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
DEBUG(0,("%s: schannel required but client failed "
|
||||
"to offer it. Client was %s\n",
|
||||
fn, r->in.account_name));
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
@ -576,6 +576,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
"account %s: %s\n",
|
||||
fn, r->in.account_name, nt_errstr(status) ));
|
||||
/* always return NT_STATUS_ACCESS_DENIED */
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
@ -593,6 +594,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
"request from client %s machine account %s\n",
|
||||
fn, r->in.computer_name,
|
||||
r->in.account_name));
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
/* set up the LSA AUTH 2 response */
|
||||
@ -612,6 +614,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
|
||||
p->dc);
|
||||
unbecome_root();
|
||||
|
||||
*r->out.negotiate_flags = srv_flgs;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
|
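Review bot: The fix depends on `*r->out.negotiate_flags = srv_flgs;` being repeated before every `return` (the four NT_STATUS_ACCESS_DENIED paths and the success path), and nothing in the new code records why it must not be hoisted back to a single early store. A later cleanup or a newly added early return could therefore quietly bring back the downgrade from 128-bit to 64-bit credentials that the commit message describes. A comment at the first of these assignments would capture the constraint, for example `/* out.negotiate_flags aliases in.negotiate_flags in the generated server code; store only after the last read of the client's flags */`. A sturdier alternative is to copy the client's value once at the top of the function, `uint32_t in_flags = *r->in.negotiate_flags;`, and have the later checks read that copy, so the order of the out store stops mattering. The function body and the rest of the `switch` lie outside the visible hunks, so any return path there should be checked for the same assignment.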