1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-05 09:18:06 +03:00
samba-mirror/source4/rpc_server
Arvid Requate d3ac3da986 s4:rpc_server/netlogon: Fix for NetApp
This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104
2015-08-06 20:29:04 +02:00
..
backupkey rpc_server: Coverity fix for CID 1273079 2015-04-02 19:38:22 +02:00
browser s4:rpc_server/browser.c - remove unused code 2010-06-29 22:32:05 +02:00
common s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload 2015-06-23 14:38:53 +02:00
dnsserver s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses 2014-11-26 03:44:06 +01:00
drsuapi s4-rpc_server/drsuapi: Fix timeouts on forwarded DsExecuteKCC IRPC call 2015-05-28 07:25:07 +02:00
echo s4:misc: remove last usage of legacy event_ fn names 2011-08-14 00:38:13 +02:00
epmapper s4:rpc_server/epmapper: make use of dcerpc_binding_set_abstract_syntax() in build_ep_list() 2014-02-13 11:54:17 +01:00
eventlog s4-eventlog: fixed dcerpc handle return 2010-11-16 07:16:04 +00:00
lsa s4:rpc_server/lsa: remove unused code 2015-07-08 18:38:22 +02:00
netlogon s4:rpc_server/netlogon: Fix for NetApp 2015-08-06 20:29:04 +02:00
remote s4:rpc_server/remote: use dcerpc_binding_set_*() in remote_op_bind() 2014-02-13 11:54:17 +01:00
samr s4:rpc_server/samr: use the same logic in *info_DomInfo7() as in info_DomGeneralInformation() 2015-03-20 20:43:12 +01:00
spoolss s4:rpc_server/spoolss: use dcerpc_parse_binding() to create the notify binding 2014-02-13 11:54:14 +01:00
srvsvc lib/param: handle non-constant strings properly by passing in a memory context 2014-02-20 10:11:06 +13:00
unixinfo dcesrv_unixinfo: No wbc_context required 2014-03-05 16:33:21 +01:00
winreg s4-rpc: improved error mapping for several RPC server calls 2011-04-04 10:30:30 +10:00
wkssvc s4:wkssvc RPC server - better solution for srvsvc* enum's in server_info.c 2010-11-27 21:50:41 +01:00
dcerpc_server.c s4: rpc: Refactor dcesrv_alter() function into setup and send steps. 2015-04-25 02:43:22 +02:00
dcerpc_server.h Add DCERPC flag to call unbind hooks without destroying the connection itself upon termination of a connection with outstanding pending calls. 2015-04-14 20:39:34 +02:00
dcerpc_server.pc.in dcerpc_server: Add 'modulesdir' variable to pkg-config file. 2012-02-23 16:26:25 +01:00
dcesrv_auth.c s4:rpc_server: fix padding caclucation in dcesrv_auth_response() 2015-06-23 14:38:53 +02:00
dcesrv_mgmt.c
handles.c libndr: Rename policy_handle_empty to ndr_policy_handle_empty. 2012-03-20 13:54:07 +01:00
service_rpc.c s4:rpc_server: ignore ncacn_http endpoints for now 2014-09-22 23:09:08 +02:00
wscript_build s4-rpc_server: only build backup_key rpc service when Heimdal is available. 2015-03-20 23:25:52 +01:00