mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
18692b060f
If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org> |
||
---|---|---|
.. | ||
cyrus_sasl.c | ||
gensec_gssapi.c | ||
gensec_gssapi.h | ||
gensec_krb5_util.c | ||
gensec_krb5_util.h | ||
gensec_krb5.c | ||
gensec_socket.h | ||
gensec_tstream.c | ||
gensec_tstream.h | ||
pygensec.c | ||
schannel.c | ||
schannel.h | ||
socket.c | ||
wscript_build |