[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Stefan (metze) Metzmacher metze at samba.org
Wed Dec 11 11:21:06 MST 2013


Hi Andrew,

>>> I've updated my
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>>>
>>> I now require NETLOGON_NEG_PASSWORD_SET2 with require_strong_key.
>>> and we also require NETLOGON_NEG_ARCFOUR unless we don't propose
>>> NETLOGON_NEG_AUTHENTICATED_RPC.
>>>
>>> I've also added "allow nt4 crypto" (default: no) and "reject md5
>>> clients" (default: no)
>>> as options for the AD netlogon server.
>>
>> I'll look over the changes today, and hopefully be able to give you my
>> review.  Do you want me to push if it's all OK?
> 
> I've reviewed these, and pushed with my review tags to
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/metze-master4-schannel-ok

Thanks! Are you able to do a wintest with this?

I also want to do some tests with windows dcs.

An important thing I want to verify is the behavior of

        invalidate_cm_connection(&domain->conn);
+       domain->conn.netlogon_force_reauth = true;
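Review bot: the flag is set unconditionally right after invalidate_cm_connection(&domain->conn), so every call through this path will force a fresh netr_ServerReqChallenge/netr_ServerAuthenticate3; a short comment on why re-authentication is required after invalidation would help, and, as the surrounding text notes, the fact that this ran over a binding already using DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY against a s4 DC should be verified against Windows DCs before this is relied on.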

in _wbint_CheckMachineAccount() and related code.

Testing against a s4 dc showed that we are doing
netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
sure Windows also likes that.

I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.

Günther can you also do some tests with your VMs?

metze
