[SCM] Samba Shared Repository - branch v3-4-test updated - release-4-0-0alpha7-897-g2ea00bf

[Günther Deschner]

The branch, v3-4-test has been updated
       via  2ea00bf3a65c76211a42d29adfa3f71e06c813e8 (commit)
       via  e527a1aa73b3fdb86787e9c55f6a01660b4d1a0f (commit)
      from  d0854a690d1ce25a0c4f0ed92a3706a90f12305f (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -----------------------------------------------------------------
commit 2ea00bf3a65c76211a42d29adfa3f71e06c813e8
Author: Jeremy Allison <jra at samba.org>
Date:   Wed May 6 16:10:20 2009 -0700

    After getting confirmation from Guenther, add 3 changes we'll
    ultimately need to fix bug #6099 Samba returns incurrate capabilities list.
    1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to
    r->out.negotiate_flags.
    2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags
    return if the client requested it.
    3). Clean up the error exits so we always return the same
    way.
    Signed off by Guenther.
    Jeremy.
    (cherry picked from commit 78fb479325ce7073ab8383ada3903080d12aef91)

commit e527a1aa73b3fdb86787e9c55f6a01660b4d1a0f
Author: Günther Deschner <gd at samba.org>
Date:   Wed May 6 19:29:01 2009 +0200

    s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
    
    Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate
    flags (which are a pointer to the out negotiate flags assigned in the generated
    netlogon server code). So, while you wanted to just set the *out* negflags, you
    did in fact reset the *in* negflags, effectively eliminating the
    NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then
    caused creds_server_init() to generate 64bit creds instead of 128bit, causing
    the whole chain to break. *Please* check.
    
    Guenther
    (cherry picked from commit 78754ab2c9b28ea8ab09d3fd1f5450abe721a2c1)

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_netlog_nt.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 0c83144..e0d1e22 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -507,13 +507,16 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 {
 	NTSTATUS status;
 	uint32_t srv_flgs;
+	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+	 * so use a copy to avoid destroying the client values. */
+	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	struct netr_Credential srv_chal_out;
 	const char *fn;
 
 	/* According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
-	 * call fails with access denied ! So in order
+	 * call fails with access denied* ! So in order
 	 * to allow Win7 to connect to a Samba NT style
 	 * PDC we set the flags before we know if it's
 	 * an error or not.
@@ -530,12 +533,15 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 		   NETLOGON_NEG_REDO |
 		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
 
+	/* Ensure we support strong (128-bit) keys. */
+	if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
+		srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
+	}
+
 	if (lp_server_schannel() != false) {
 		srv_flgs |= NETLOGON_NEG_SCHANNEL;
 	}
 
-	*r->out.negotiate_flags = srv_flgs;
-
 	switch (p->hdr_req.opnum) {
 		case NDR_NETR_SERVERAUTHENTICATE2:
 			fn = "_netr_ServerAuthenticate2";
@@ -553,17 +559,19 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 	if (!p->dc || !p->dc->challenge_sent) {
 		DEBUG(0,("%s: no challenge sent to client %s\n", fn,
 			r->in.computer_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	if ( (lp_server_schannel() == true) &&
-	     ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+	     ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
 
 		/* schannel must be used, but client did not offer it. */
 		DEBUG(0,("%s: schannel required but client failed "
 			"to offer it. Client was %s\n",
 			fn, r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	status = get_md4pw((char *)p->dc->mach_pw,
@@ -575,11 +583,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 			"account %s: %s\n",
 			fn, r->in.account_name, nt_errstr(status) ));
 		/* always return NT_STATUS_ACCESS_DENIED */
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	/* From the client / server challenges and md4 password, generate sess key */
-	creds_server_init(*r->in.negotiate_flags,
+	creds_server_init(in_neg_flags,
 			p->dc,
 			&p->dc->clnt_chal,	/* Stored client chal. */
 			&p->dc->srv_chal,	/* Stored server chal. */
@@ -592,7 +601,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 			"request from client %s machine account %s\n",
 			fn, r->in.computer_name,
 			r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 	/* set up the LSA AUTH 2 response */
 	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
@@ -610,8 +620,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
 					    r->in.computer_name,
 					    p->dc);
 	unbecome_root();
+	status = NT_STATUS_OK;
 
-	return NT_STATUS_OK;
+  out:
+
+	*r->out.negotiate_flags = srv_flgs;
+	return status;
 }
 
 /*************************************************************************


-- 
Samba Shared Repository