mirror of
https://github.com/samba-team/samba.git
synced 2025-01-27 14:04:05 +03:00
d3ac3da986
This patch fixes an issue where NetApp filers joined to a Samba/ADDC cannot resolve SIDs. Without this patch the issue can only be avoided by setting "allow nt4 crypto = yes" in smb.conf. The issue is triggered by NetApp filers in three steps: 1. The client calls netr_ServerReqChallenge to set up challenge tokens 2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS set to 0. Native AD and Samba respond to this with NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away the challenge token negotiated in the first step. 3. Next the client calls netr_ServerAuthenticate2 again, this time with NETLOGON_NEG_STRONG_KEYS set to 1. Samba returns NT_STATUS_ACCESS_DENIED as it has lost track of the challenge and denies logon with the message No challenge requested by client [CLNT1/CLNT1$], cannot authenticate Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced a workaround for a different but related issue. This patch makes a minor adjustment to that commit to delay flushing the cached challenge until it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED situation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291 Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Aug 6 20:29:04 CEST 2015 on sn-devel-104