[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-5269-g0da1331

Karolin Seeger kseeger at samba.org
Tue May 19 08:51:32 GMT 2009


The branch, v3-3-test has been updated
       via  0da133101ab149b074ab369d819fc48b7c95bf71 (commit)
       via  339b99e31577d8a522711f84bc7d94e88c75d334 (commit)
       via  41f9e61d7c8c106a98792e9009bbecf5edfcebe9 (commit)
       via  1f05472b9a27861f8e4b9b60410890b920f9d359 (commit)
      from  2238f7eede55fe780630df70b712fad7ebc95c76 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit 0da133101ab149b074ab369d819fc48b7c95bf71
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:53:31 2009 -0700

    s3-auth: use full 16byte session key in make_user_info_netlogon_interactive().
    
    Patch from Jeremy.
    
    With this patch, I was able to join Windows 7 RC to a Samba3 DC, and log in to a
    Samba 3 Domain.
    
    There are still two registry settings required:
    
    	HKLM\System\CCS\Services\LanmanWorkstation\Parameters
    		DWORD  DomainCompatibilityMode = 1
    		DWORD  DNSNameResolutionRequired = 0
    
    Do *not* modify the other netlogon registry parameters that were passed around,
    they weaken security.
    
    Guenther / Jeremy.

commit 339b99e31577d8a522711f84bc7d94e88c75d334
Author: Guenther Deschner <gd at samba.org>
Date:   Thu May 7 12:53:00 2009 -0700

    s3-credentials: protect netlogon_creds_server_step() against NULL creds.
    
    Found by SCHANNEL torture tests.
    
    Guenther

commit 41f9e61d7c8c106a98792e9009bbecf5edfcebe9
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:52:35 2009 -0700

    After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 (Samba returns inaccurate capabilities list): 1) Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2) Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3) Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy.

commit 1f05472b9a27861f8e4b9b60410890b920f9d359
Author: Guenther Deschner <gd at samba.org>
Date:   Thu May 7 12:52:10 2009 -0700

    s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
    
    Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate
    flags (which are a pointer to the out negotiate flags assigned in the generated
    netlogon server code). So, while you wanted to just set the *out* negflags, you
    did in fact reset the *in* negflags, effectively eliminating the
    NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then
    caused creds_server_init() to generate 64bit creds instead of 128bit, causing
    the whole chain to break. *Please* check.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/auth/auth_util.c           |    3 +--
 source/include/ntdomain.h         |    2 +-
 source/libsmb/credentials.c       |    4 ++++
 source/rpc_server/srv_netlog_nt.c |   34 ++++++++++++++++++++++++----------
 4 files changed, 30 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 2bd857c..f6c5eaa 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -292,8 +292,7 @@ bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
 	unsigned char local_nt_response[24];
 	unsigned char key[16];
 	
-	ZERO_STRUCT(key);
-	memcpy(key, dc_sess_key, 8);
+	memcpy(key, dc_sess_key, 16);
 	
 	if (lm_interactive_pwd)
 		memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
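Review bot: The copy length on the added line `memcpy(key, dc_sess_key, 16);` is a bare literal that has to stay in step with `unsigned char key[16]` two lines above; `memcpy(key, dc_sess_key, sizeof(key));` ties it to the destination. The read side matters more: dc_sess_key's declaration is outside the hunk, so nothing visible guarantees it points at 16 bytes, and every caller now has to pass the full key (the ntdomain.h change in this commit suggests `sess_key[16]` is the source, which should be confirmed). A comment such as `/* dc_sess_key must be the full 16-byte netlogon session key */` at the parameter would record that contract. The function starts and ends outside this hunk, so whether `key` and `local_nt_response` are wiped before return cannot be checked from here.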
diff --git a/source/include/ntdomain.h b/source/include/ntdomain.h
index de0a313..4b49b5e 100644
--- a/source/include/ntdomain.h
+++ b/source/include/ntdomain.h
@@ -139,7 +139,7 @@ struct dcinfo {
 	struct netr_Credential clnt_chal; /* Client credential */
 	struct netr_Credential srv_chal;  /* Server credential */
  
-	unsigned char  sess_key[16]; /* Session key - 8 bytes followed by 8 zero bytes */
+	unsigned char  sess_key[16]; /* Session key */
 	unsigned char  mach_pw[16];   /* md4(machine password) */
 
 	fstring mach_acct;  /* Machine name we've authenticated. */
diff --git a/source/libsmb/credentials.c b/source/libsmb/credentials.c
index 9d33e6d..4bfa231 100644
--- a/source/libsmb/credentials.c
+++ b/source/libsmb/credentials.c
@@ -255,6 +255,10 @@ bool netlogon_creds_server_step(struct dcinfo *dc,
 	bool ret;
 	struct dcinfo tmp_dc = *dc;
 
+	if (!received_cred || !cred_out) {
+		return false;
+	}
+
 	/* Do all operations on a temporary copy of the dc,
 	   which we throw away if the checks fail. */
 
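Review bot: `struct dcinfo tmp_dc = *dc;` dereferences dc in its initializer, before the new guard runs, so the added check covers received_cred and cred_out but not dc itself. If any caller can reach this with a NULL dc (callers are not visible here), declare `struct dcinfo tmp_dc;` without the initializer, test `if (!dc || !received_cred || !cred_out) { return false; }`, and assign `tmp_dc = *dc;` after it. tmp_dc is also a stack copy of the session key and the machine password hash (see struct dcinfo in ntdomain.h). The rest of the function is outside the hunk, so it is worth checking that the copy is cleared when the credential check fails.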
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index 0d6d80d..dd49096 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -472,12 +472,15 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 {
 	NTSTATUS status;
 	uint32_t srv_flgs;
+	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+	 * so use a copy to avoid destroying the client values. */
+	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	struct netr_Credential srv_chal_out;
 
 	/* According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
-	 * call fails with access denied ! So in order
+	 * call fails with access denied* ! So in order
 	 * to allow Win7 to connect to a Samba NT style
 	 * PDC we set the flags before we know if it's
 	 * an error or not.
@@ -494,29 +497,34 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 		   NETLOGON_NEG_REDO |
 		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
 
+	/* Ensure we support strong (128-bit) keys. */
+	if (in_neg_flags & NETLOGON_NEG_128BIT) {
+		srv_flgs |= NETLOGON_NEG_128BIT;
+	}
+
 	if (lp_server_schannel() != false) {
 		srv_flgs |= NETLOGON_NEG_SCHANNEL;
 	}
 
-	*r->out.negotiate_flags = srv_flgs;
-
 	/* We use this as the key to store the creds: */
 	/* r->in.computer_name */
 
 	if (!p->dc || !p->dc->challenge_sent) {
 		DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n",
 			r->in.computer_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	if ( (lp_server_schannel() == true) &&
-	     ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+	     ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
 
 		/* schannel must be used, but client did not offer it. */
 		DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed "
 			"to offer it. Client was %s\n",
 			r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	status = get_md4pw((char *)p->dc->mach_pw,
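Review bot: The comment `/* Ensure we support strong (128-bit) keys. */` overstates what the added block does, since it only mirrors the bit when the client set it. Key strength is therefore decided by the client's flags alone: the next hunk passes in_neg_flags to creds_server_init(), which per the commit message produces 64-bit credentials when the bit is absent. Unlike the schannel check a few lines below, no visible branch refuses or reports a client that did not offer strong keys, so the weaker key is accepted silently. At minimum reword the comment to `/* Echo strong (128-bit) key support only if the client asked for it. */` and add an else branch with `DEBUG(3,("_netr_ServerAuthenticate2: client %s did not offer strong keys\n", r->in.computer_name));` so the downgrade shows up in logs. The function body starts and ends outside this hunk.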
@@ -527,11 +535,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 			"account %s: %s\n",
 			r->in.account_name, nt_errstr(status) ));
 		/* always return NT_STATUS_ACCESS_DENIED */
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 
 	/* From the client / server challenges and md4 password, generate sess key */
-	creds_server_init(*r->in.negotiate_flags,
+	creds_server_init(in_neg_flags,
 			p->dc,
 			&p->dc->clnt_chal,	/* Stored client chal. */
 			&p->dc->srv_chal,	/* Stored server chal. */
@@ -544,7 +553,8 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 			"request from client %s machine account %s\n",
 			r->in.computer_name,
 			r->in.account_name));
-		return NT_STATUS_ACCESS_DENIED;
+		status = NT_STATUS_ACCESS_DENIED;
+		goto out;
 	}
 	/* set up the LSA AUTH 2 response */
 	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
@@ -562,8 +572,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 					    r->in.computer_name,
 					    p->dc);
 	unbecome_root();
+	status = NT_STATUS_OK;
 
-	return NT_STATUS_OK;
+  out:
+
+	*r->out.negotiate_flags = srv_flgs;
+	return status;
 }
 
 /*************************************************************************
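Review bot: The `out:` label carries no comment explaining why the flags store was moved there, and the reason is easy to undo by accident. Two constraints meet at that line: Windows 7 reads negotiate_flags even when the call fails (the comment at the top of the function), and r->out.negotiate_flags aliases r->in.negotiate_flags, so the store has to sit on every exit path and after the last read of the client's flags. I would add `/* Set on every exit path, and last: r->out.negotiate_flags aliases r->in.negotiate_flags. */` above the assignment. The label's two-space indent and the blank line after it also differ from the tab indentation used in the rest of the function.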


-- 
Samba Shared Repository

