[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3584-g43bab13

Karolin Seeger kseeger at samba.org
Tue May 19 08:51:21 GMT 2009


The branch, v3-2-test has been updated
       via  43bab13d00fa073acf709ac9a66cb2782694811b (commit)
       via  c578c66569eed3ae19b42c9787399eb70b935e0a (commit)
       via  59ee131464636d3363bc7ee398ba6390a6333558 (commit)
       via  853bbc0d3920654aa7401fa5d6fcba7ff86e1a21 (commit)
      from  7f1771f26dcc334c32df332545d33937f8602bd6 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 43bab13d00fa073acf709ac9a66cb2782694811b
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:53:31 2009 -0700

    s3-auth: use full 16byte session key in make_user_info_netlogon_interactive().
    
    Patch from Jeremy.
    
    With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a
    Samba 3 Domain.
    
    There are still two registry settings required:
    
    	HKLM\System\CCS\Services\LanmanWorkstation\Parameters
    		DWORD  DomainCompatibilityMode = 1
    		DWORD  DNSNameResolutionRequired = 0
    
    Do *not* modify the other netlogon registry parameters that were passed around,
    they weaken security.
    
    Guenther / Jeremy.

commit c578c66569eed3ae19b42c9787399eb70b935e0a
Author: Guenther Deschner <gd at samba.org>
Date:   Thu May 7 12:53:00 2009 -0700

    s3-credentials: protect netlogon_creds_server_step() against NULL creds.
    
    Found by SCHANNEL torture tests.
    
    Guenther

commit 59ee131464636d3363bc7ee398ba6390a6333558
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 11:17:56 2009 -0700

    After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns inaccurate capabilities list. 1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3). Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy.

commit 853bbc0d3920654aa7401fa5d6fcba7ff86e1a21
Author: Guenther Deschner <gd at samba.org>
Date:   Mon May 11 11:13:47 2009 -0700

    Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/auth/auth_util.c           |    3 +--
 source/include/ntdomain.h         |    2 +-
 source/libsmb/credentials.c       |    4 ++++
 source/rpc_server/srv_netlog_nt.c |   34 ++++++++++++++++++++++++----------
 4 files changed, 30 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 175a234..c9b5614 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -292,8 +292,7 @@ bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
 	unsigned char local_nt_response[24];
 	unsigned char key[16];
 	
-	ZERO_STRUCT(key);
-	memcpy(key, dc_sess_key, 8);
+	memcpy(key, dc_sess_key, 16);
 	
 	if (lm_interactive_pwd)
 		memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
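Review bot: The copy length in the added `memcpy(key, dc_sess_key, 16);` is a bare literal that has to be kept in step with `unsigned char key[16]` by hand; `memcpy(key, dc_sess_key, sizeof(key));` ties it to the destination instead. With `ZERO_STRUCT(key)` gone, the call now reads 16 bytes through `dc_sess_key`, whose declaration is outside the hunk, so every caller presumably has to pass a full 16-byte buffer, and a short comment on the parameter saying so would help. The function body starts and ends outside the hunk.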
diff --git a/source/include/ntdomain.h b/source/include/ntdomain.h
index b89b0fe..9ebef4c 100644
--- a/source/include/ntdomain.h
+++ b/source/include/ntdomain.h
@@ -139,7 +139,7 @@ struct dcinfo {
 	struct netr_Credential clnt_chal; /* Client credential */
 	struct netr_Credential srv_chal;  /* Server credential */
  
-	unsigned char  sess_key[16]; /* Session key - 8 bytes followed by 8 zero bytes */
+	unsigned char  sess_key[16]; /* Session key */
 	unsigned char  mach_pw[16];   /* md4(machine password) */
 
 	fstring mach_acct;  /* Machine name we've authenticated. */
diff --git a/source/libsmb/credentials.c b/source/libsmb/credentials.c
index 9d33e6d..4bfa231 100644
--- a/source/libsmb/credentials.c
+++ b/source/libsmb/credentials.c
@@ -255,6 +255,10 @@ bool netlogon_creds_server_step(struct dcinfo *dc,
 	bool ret;
 	struct dcinfo tmp_dc = *dc;
 
+	if (!received_cred || !cred_out) {
+		return false;
+	}
+
 	/* Do all operations on a temporary copy of the dc,
 	   which we throw away if the checks fail. */
 
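Review bot: The new guard runs after `struct dcinfo tmp_dc = *dc;`, so `dc` is dereferenced before any pointer is checked and is not itself covered by the check. If callers can reach this function with a NULL `dc` (not visible here), declare `struct dcinfo tmp_dc;` without the initializer, test `if (!dc || !received_cred || !cred_out) { return false; }`, and only then assign `tmp_dc = *dc;`. The function body continues outside the hunk.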
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index 7ea845d..4a78c94 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -472,12 +472,15 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 {
 	NTSTATUS status;
 	uint32_t srv_flgs;
+	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+	 * so use a copy to avoid destroying the client values. */
+	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	struct netr_Credential srv_chal_out;
 
 	/* According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
-	 * call fails with access denied ! So in order
+	 * call fails with access denied* ! So in order
 	 * to allow Win7 to connect to a Samba NT style
 	 * PDC we set the flags before we know if it's
 	 * an error or not.
@@ -494,29 +497,34 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 		   NETLOGON_NEG_REDO |
 		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
 
+	/* Ensure we support strong (128-bit) keys. */
+	if (in_neg_flags & NETLOGON_NEG_128BIT) {
+		srv_flgs |= NETLOGON_NEG_128BIT;
+	}
+
 	if (lp_server_schannel() != false) {
 		srv_flgs |= NETLOGON_NEG_SCHANNEL;
 	}
 
-	*r->out.negotiate_flags = srv_flgs;
-
 	/* We use this as the key to store the creds: */
 	/* r->in.computer_name */
 
 	if (!p->dc || !p->dc->challenge_sent) {
 		DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n",
 			r->in.computer_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	if ( (lp_server_schannel() == true) &&
-	     ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+	     ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
 
 		/* schannel must be used, but client did not offer it. */
 		DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed "
 			"to offer it. Client was %s\n",
 			r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	status = get_md4pw((char *)p->dc->mach_pw,
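Review bot: The comment `/* Ensure we support strong (128-bit) keys. */` overstates what the added block does: the bit is only echoed back when the client set it in `in_neg_flags`, and nothing in this hunk refuses a client that leaves it out. Going by the commit description, such a session would presumably be set up by `creds_server_init()` with 64-bit credentials, so the weaker path stays reachable. I would reword the comment to `/* Advertise strong (128-bit) keys only if the client offered them; a client that omits the bit is still accepted. */` so the behaviour is not mistaken for enforcement. The function starts before and continues past this hunk.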
@@ -527,11 +535,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 			"account %s: %s\n",
 			r->in.account_name, nt_errstr(status) ));
 		/* always return NT_STATUS_ACCESS_DENIED */
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	/* From the client / server challenges and md4 password, generate sess key */
-	creds_server_init(*r->in.negotiate_flags,
+	creds_server_init(in_neg_flags,
 			p->dc,
 			&p->dc->clnt_chal,	/* Stored client chal. */
 			&p->dc->srv_chal,	/* Stored server chal. */
@@ -544,7 +553,8 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 			"request from client %s machine account %s\n",
 			r->in.computer_name,
 			r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	/* set up the LSA AUTH 2 response */
@@ -563,8 +573,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 					    r->in.computer_name,
 					    p->dc);
 	unbecome_root();
+	status = NT_STATUS_OK;
 
-	return NT_STATUS_OK;
+  out:
+
+	*r->out.negotiate_flags = srv_flgs;
+	return status;
 }
 
 /*************************************************************************
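Review bot: The `out:` label carries no comment explaining why `*r->out.negotiate_flags = srv_flgs;` must also run on the failure paths, and the reason (Windows 7 reading the flags even on access denied, bug #6099) sits far above it in the function. A one-line comment at the label, e.g. `/* Set the flags on every exit path: Win7 reads them even when the call fails (bug #6099). */`, would keep a later cleanup from moving the assignment back into the success path. The label is also indented with two spaces where the rest of the function uses tabs. The function begins outside this hunk.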


-- 
Samba Shared Repository

