The branch, master has been updated
via 78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1 (commit)
from 730c91aaaad42c68fdb44bc51fee6c89e0c22910 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1
Author: Günther Deschner <[email protected]>
Date: Wed May 6 19:29:01 2009 +0200
s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7
joining Samba3) and probably many, many more.
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in
negotiate
flags (which are a pointer to the out negotiate flags assigned in the
generated
netlogon server code). So, while you wanted to just set the *out* negflags,
you
did in fact reset the *in* negflags, effectively eliminating the
NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which
then
caused creds_server_init() to generate 64bit creds instead of 128bit,
causing
the whole chain to break. *Please* check.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/rpc_server/srv_netlog_nt.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_netlog_nt.c
b/source3/rpc_server/srv_netlog_nt.c
index c5e2ca7..edd1321 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -535,8 +535,6 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
- *r->out.negotiate_flags = srv_flgs;
-
switch (p->hdr_req.opnum) {
case NDR_NETR_SERVERAUTHENTICATE2:
fn = "_netr_ServerAuthenticate2";
@@ -554,6 +552,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
if (!p->dc || !p->dc->challenge_sent) {
DEBUG(0,("%s: no challenge sent to client %s\n", fn,
r->in.computer_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@@ -564,6 +563,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
DEBUG(0,("%s: schannel required but client failed "
"to offer it. Client was %s\n",
fn, r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@@ -576,6 +576,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"account %s: %s\n",
fn, r->in.account_name, nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
@@ -593,6 +594,7 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
"request from client %s machine account %s\n",
fn, r->in.computer_name,
r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
return NT_STATUS_ACCESS_DENIED;
}
/* set up the LSA AUTH 2 response */
@@ -612,6 +614,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
p->dc);
unbecome_root();
+ *r->out.negotiate_flags = srv_flgs;
+
return NT_STATUS_OK;
}
--
Samba Shared Repository
