[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Aug 6 18:30:03 UTC 2015


The branch, master has been updated
       via  d3ac3da s4:rpc_server/netlogon: Fix for NetApp
      from  42f38fe dns: always add authority records

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d3ac3da98611e665dc0f4e825faa5f12f6c848ef
Author: Arvid Requate <requate at univention.de>
Date:   Thu Aug 6 15:00:25 2015 +0200

    s4:rpc_server/netlogon: Fix for NetApp
    
    This patch fixes an issue where NetApp filers joined to a
    Samba/ADDC cannot resolve SIDs. Without this patch the issue
    can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.
    
    The issue is triggered by NetApp filers in three steps:
    
    1. The client calls netr_ServerReqChallenge to set up challenge tokens
    
    2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
       set to 0. Native AD and Samba respond to this with
       NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
       the challenge token negotiated in the first step.
    
    3. Next the client calls netr_ServerAuthenticate2 again, this time with
       NETLOGON_NEG_STRONG_KEYS set to 1.
       Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
       of the challenge and denies logon with the message
    
       No challenge requested by client [CLNT1/CLNT1$], cannot authenticate
    
    Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced
    a workaround for a different but related issue. This patch makes a minor
    adjustment to that commit to delay flushing the cached challenge until
    it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
    situation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291
    
    Signed-off-by: Arvid Requate <requate at univention.de>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------
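The three-step sequence from the commit message, replayed against a toy model of the server's challenge cache under both orderings of the flush. This is an added example, not Samba code: the status enum, the flag bit and all function names are simplified stand-ins, and credential verification is left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: simplified status codes and a one-entry challenge cache. */
enum status { ST_OK, ST_ACCESS_DENIED, ST_DOWNGRADE_DETECTED };
#define NEG_STRONG_KEYS 0x1u /* stand-in bit, not the wire value */

struct server {
	bool have_challenge;     /* set by req_challenge, cleared by the flush */
	bool flush_before_check; /* true = old ordering, false = patched ordering */
};

static void req_challenge(struct server *s) { s->have_challenge = true; }

static enum status authenticate(struct server *s, unsigned client_flags)
{
	if (!s->have_challenge) {
		return ST_ACCESS_DENIED; /* "No challenge requested by client" */
	}
	if (s->flush_before_check) {
		s->have_challenge = false; /* old: flushed before the flag check */
	}
	if (!(client_flags & NEG_STRONG_KEYS)) {
		return ST_DOWNGRADE_DETECTED; /* weak negotiation rejected */
	}
	s->have_challenge = false; /* patched: flushed once no downgrade is seen */
	return ST_OK;
}

/* Replays steps 1-3 and returns the status of call `step` (2 or 3). */
static enum status replay(bool flush_before_check, int step)
{
	struct server s = { false, flush_before_check };
	req_challenge(&s);                                       /* step 1 */
	enum status second = authenticate(&s, 0);                /* step 2 */
	enum status third = authenticate(&s, NEG_STRONG_KEYS);   /* step 3 */
	return step == 2 ? second : third;
}

int main(void)
{
	printf("old ordering:     step2=%d step3=%d\n", replay(true, 2), replay(true, 3));
	printf("patched ordering: step2=%d step3=%d\n", replay(false, 2), replay(false, 3));
	return 0;
}
```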

Summary of changes:
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b47ccf4..49b5b2f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -172,17 +172,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 		}
 	}
 
-	/*
-	 * At this point we can cleanup the cache entry,
-	 * if we fail the client needs to call netr_ServerReqChallenge
-	 * again.
-	 *
-	 * Note: this handles global_challenge_table == NULL
-	 * and also a non existing record just fine.
-	 */
-	memcache_delete(global_challenge_table,
-			SINGLETON_CACHE, challenge_key);
-
 	server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
 		       NETLOGON_NEG_PERSISTENT_SAMREPL |
 		       NETLOGON_NEG_ARCFOUR |
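Review bot: With the memcache_delete() gone from this spot, every return taken between here and the new delete location now leaves the cached challenge in place, not only the NT_STATUS_DOWNGRADE_DETECTED return the commit message describes. The lines between the two hunks are not shown in this mail, so please confirm that each of those early returns is one where letting the client retry against the same challenge is intended, and leave a one-line comment above the server_flags assignment saying the challenge is deliberately kept until the downgrade check has passed.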
@@ -229,6 +218,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	}
 
 	/*
+	 * At this point we can cleanup the cache entry,
+	 * if we fail the client needs to call netr_ServerReqChallenge
+	 * again.
+	 *
+	 * Note: this handles global_challenge_table == NULL
+	 * and also a non existing record just fine.
+	 */
+	memcache_delete(global_challenge_table,
+			SINGLETON_CACHE, challenge_key);
+
+	/*
 	 * According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
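Review bot: The moved comment is now inaccurate at its new position: "if we fail the client needs to call netr_ServerReqChallenge again" only holds for failures after this memcache_delete(), while a failure before it keeps the challenge so the client can call netr_ServerAuthenticate2 again. Suggest rewording the comment to state that the delete is placed after the downgrade check on purpose and referencing bug 11291. The change also touches only dcerpc_netlogon.c, so a regression test for the ReqChallenge, rejected authenticate, retried authenticate sequence would be worth adding alongside it.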


-- 
Samba Shared Repository


