[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Garming Sam garming at catalyst.net.nz
Sun Dec 8 17:09:38 MST 2013


On 07/12/13 00:43, Stefan (metze) Metzmacher wrote:
> Hi Garming,
>
>> + sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12#
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> netlogon_creds_cli_ServerPasswordSet failed:
>> NT_STATUS_INVALID_PARAMETER_MIX
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
>> libnet_join_ok: failed to open schannel session on netlogon pipe to
>> server 192.168.122.249 for domain S3. Error was NT_STATUS_NOT_IMPLEMENTED
>> Failed to join domain: failed to verify domain membership after joining:
>> Not implemented
> I've fixed the NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE and
> NT_STATUS_NOT_IMPLEMENTED
> code paths in netlogon_creds_cli_check_caps(). I also added some comments.
>
> I also check result in netlogon_creds_cli_auth_srvauth_done() before the
> downgrade check.
>
> I've updated my
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> branch.
>
> Can you reset with the new code. It would be good to know if
> netlogon_creds_cli_ServerPasswordSet
> still reports NT_STATUS_INVALID_PARAMETER_MIX.
>
> metze
>

Hi,

I tried out your new code and it joins just fine to the 3.5 domain with 
the net rpc join command that I used previously.


As for the NT_STATUS_INVALID_PARAMETER_MIX error, I connected with 
rpcclient to the domain.

I ran this command and the invalid parameter mix error appears:

     sudo bin/rpcclient ncacn_np:ubuntumachine -Uroot%password12# -c change_trust_pw



It seems to come from this piece of code:

function: netlogon_creds_cli_ServerPasswordSet_send in libcli/auth/netlogon_creds_cli.c
line number: 1674

     dcerpc_binding_handle_auth_info(state->binding_handle,
                                     &state->auth_type,
                                     &state->auth_level);

     switch (state->auth_level) {
     case DCERPC_AUTH_LEVEL_INTEGRITY:
     case DCERPC_AUTH_LEVEL_PRIVACY:
         break;
     default:
         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
         return tevent_req_post(req, ev);
     }




Cheers,

Garming Sam

