[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-28a-18-g20c499d

Günther Deschner gd at samba.org
Fri Apr 4 07:55:43 GMT 2008


The branch, v3-0-test has been updated
       via  20c499dada296ffe5ee533730316a8ec963c6284 (commit)
      from  a3b5ba12ccff9184af348148c6e9fb73218aa1bb (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 20c499dada296ffe5ee533730316a8ec963c6284
Author: Günther Deschner <gd at samba.org>
Date:   Wed Apr 2 02:29:48 2008 +0200

    Fix NETLOGON credential chain with Windows 2008 all over the place.
    
    In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
    netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
    flags everywhere (not only when running in security=ads). Only for NT4 do we need
    to downgrade to the returned negotiate flags.
    
    Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/auth/auth_domain.c        |    2 +-
 source/include/rpc_dce.h         |    6 ++----
 source/libsmb/trusts_util.c      |    2 +-
 source/nsswitch/winbindd_cm.c    |    6 +-----
 source/rpc_client/cli_netlogon.c |   10 ++++++++++
 source/rpc_client/cli_pipe.c     |    4 ++--
 source/rpcclient/rpcclient.c     |    2 +-
 source/utils/net_rpc_join.c      |    4 ++--
 source/utils/net_rpc_samsync.c   |    2 +-
 9 files changed, 21 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
index 24b651c..1e78f54 100644
--- a/source/auth/auth_domain.c
+++ b/source/auth/auth_domain.c
@@ -125,7 +125,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 
 	if (!lp_client_schannel()) {
 		/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-		uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
+		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 		uint32 sec_chan_type = 0;
 		unsigned char machine_pwd[16];
 		const char *account_name;
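Review bot: The new `uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;` sits directly above `uint32 sec_chan_type = 0;`, so the same function now mixes the C99 `uint32_t` and Samba's `uint32` typedef for two adjacent netlogon parameters. The same mixed pair appears in the trusts_util.c, cli_pipe.c, rpcclient.c, net_rpc_join.c and net_rpc_samsync.c hunks, while winbindd_cm.c keeps `uint32`; either convert the neighbouring declarations too or keep `uint32` here and do the type migration in a separate commit. Both types are presumably the same width, so this is cosmetic, but a reader should not have to check. The enclosing function begins and ends outside the hunk.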
diff --git a/source/include/rpc_dce.h b/source/include/rpc_dce.h
index 8a7934c..ad5fb68 100644
--- a/source/include/rpc_dce.h
+++ b/source/include/rpc_dce.h
@@ -108,11 +108,9 @@ enum RPC_PKT_TYPE {
    to NT4.  Actually, anything other than 1ff would seem to do... */
 #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
 #define NETLOGON_NEG_DOMAIN_TRUST_ACCOUNT	0x2010b000
- 
-/* these are the flags that ADS clients use */
-#define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
-#define NETLOGON_NEG_SELECT_AUTH2_FLAGS ((lp_security() == SEC_ADS) ? NETLOGON_NEG_AUTH2_ADS_FLAGS : NETLOGON_NEG_AUTH2_FLAGS)
+/* these are the flags that ADS clients use */
+#define NETLOGON_NEG_AUTH2_ADS_FLAGS 0x600fffff
 
 enum schannel_direction {
 	SENDER_IS_INITIATOR,
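Review bot: `#define NETLOGON_NEG_AUTH2_ADS_FLAGS 0x600fffff` replaces a value composed from named bits (`0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL`) with a bare constant, and the retained comment "these are the flags that ADS clients use" no longer tells the reader which NETLOGON_NEG_* bits are set or why the value grew. It also does not say that NETLOGON_NEG_AUTH2_FLAGS above is now only reached through the NT4 downgrade path in rpccli_netlogon_setup_creds rather than selected by lp_security(). Prefer spelling the constant as an OR of the named bit macros, or at least extend the comment: `/* Negotiate flags an AD client sends to netr_ServerAuthenticate2 (0x600fffff). Appears to be a superset of the previous composed value; NT4 servers answer with a smaller set and the client downgrades at runtime. */`.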
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index 2580b50..bd6bbfe 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -41,7 +41,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX
 	   already have valid creds. If not we must set them up. */
 
 	if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
-		uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
+		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 
 		result = rpccli_netlogon_setup_creds(cli, 
 					cli->cli->desthost, /* server name */
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index 7f6076e..5b3120e 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -2027,7 +2027,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result;
 
-	uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+	uint32 neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	uint8  mach_pwd[16];
 	uint32  sec_chan_type;
 	const char *account_name;
@@ -2040,10 +2040,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return result;
 	}
 
-	if (domain->active_directory) {
-		neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-	}
-
 	conn = &domain->conn;
 
 	if (conn->netlogon_pipe != NULL) {
diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
index 13a31e8..d151113 100644
--- a/source/rpc_client/cli_netlogon.c
+++ b/source/rpc_client/cli_netlogon.c
@@ -264,6 +264,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 	DOM_CHAL clnt_chal_send;
 	DOM_CHAL srv_chal_recv;
 	struct dcinfo *dc;
+	bool retried = false;
 
 	SMB_ASSERT(cli->pipe_idx == PI_NETLOGON);
 
@@ -285,6 +286,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 
 	fstr_sprintf( dc->mach_acct, "%s$", machine_account);
 
+ again:
 	/* Create the client challenge. */
 	generate_random_buffer(clnt_chal_send.data, 8);
 
@@ -322,6 +324,14 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 			&clnt_chal_send, /* input. */
 			&srv_chal_recv); /* output */
 
+	/* we might be talking to NT4, so let's downgrade in that case and retry
+	 * with the returned neg_flags - gd */
+
+	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
+		retried = true;
+		goto again;
+	}
+
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
 	}
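Review bot: The retry added at `if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried)` re-runs the authenticate exchange with whatever negotiate flags came back on the first attempt and applies no floor to them, so an ACCESS_DENIED from the DC (or from anything able to answer in its place) steers the second attempt to the weakest flag set the peer chooses, e.g. one without the 128-bit, ARCFOUR or schannel bits; this is exactly the downgrade the commit message says should only happen for NT4, yet nothing here checks that. Nothing in the hunk shows neg_flags being rewritten between the first call and `goto again` — presumably the auth2 call above updates it through its pointer argument, which the comment should state rather than leave to the reader. Before jumping back, compare the returned flags against a required minimum (at least the schannel and 128-bit bits when schannel is in use) and fail instead of downgrading when they are missing, and log the accepted downgrade at a level operators see so a silent weakening of the netlogon credential chain is visible in the logs. The retry also fires for an ACCESS_DENIED caused by a genuinely wrong machine password, doubling failed authenticate attempts against the DC; if that is acceptable the comment should say so. rpccli_netlogon_setup_creds begins and ends outside the hunk.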
diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 43c3044..47fcbfe 100644
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -2596,7 +2596,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state
 						const char *password,
 						NTSTATUS *perr)
 {
-	uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	struct rpc_pipe_client *result = NULL;
 
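Review bot: Both hunks in this file drop the explicit `|NETLOGON_NEG_SCHANNEL` from the initialiser of functions whose contract is to open a schannel-protected pipe (`cli_rpc_pipe_open_ntlmssp_auth_schannel` here and `cli_rpc_pipe_open_schannel` in the next hunk), leaving `uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;` whose value is a bare 0x600fffff in rpc_dce.h, so a reader can no longer see that the schannel bit is requested. Keep the intent visible with `uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SCHANNEL;` — a no-op if the bit is already in the constant, and a guard if the constant is ever tightened. The same explicit bit was dropped in net_rpc_join_ok in net_rpc_join.c. Both functions extend past the hunks.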
@@ -2630,7 +2630,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
                                                 const char *domain,
 						NTSTATUS *perr)
 {
-	uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	struct rpc_pipe_client *result = NULL;
 
diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c
index 0f7ff63..adf0498 100644
--- a/source/rpcclient/rpcclient.c
+++ b/source/rpcclient/rpcclient.c
@@ -568,7 +568,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 		}
 
 		if (cmd_entry->pipe_idx == PI_NETLOGON) {
-			uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
+			uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 			uint32 sec_channel_type;
 			uchar trust_password[16];
 	
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index fe5cef1..139d1dc 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -43,7 +43,7 @@
  **/
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
-	uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
@@ -114,7 +114,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
 	struct cli_state *cli;
 	TALLOC_CTX *mem_ctx;
         uint32 acb_info = ACB_WSTRUST;
-	uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	uint32 sec_channel_type;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 
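Review bot: The removed initialiser honoured the `client schannel` setting via `(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0)`; the new `uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;` requests the ADS flag set regardless, so in net_rpc_join_newstyle the configured value no longer affects what is advertised to the DC. If that is intended (the AD flag set presumably already carries the schannel bit), say so in a comment: `/* ADS flags always advertise schannel; lp_client_schannel() no longer gates the request here */`; otherwise keep the conditional. Note that auth_domain.c still gates its credential setup on lp_client_schannel(), so the two paths now treat the setting differently. net_rpc_join_newstyle continues beyond the hunk.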
diff --git a/source/utils/net_rpc_samsync.c b/source/utils/net_rpc_samsync.c
index bd209de..6a884c4 100644
--- a/source/utils/net_rpc_samsync.c
+++ b/source/utils/net_rpc_samsync.c
@@ -238,7 +238,7 @@ NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid,
 
 	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 	uchar trust_password[16];
-	uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	uint32 sec_channel_type = 0;
 
 	if (!secrets_fetch_trust_account_password(domain_name,


-- 
Samba Shared Repository

