[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
abartlet at samba.org
Wed Dec 11 11:40:24 MST 2013
On Wed, 2013-12-11 at 19:21 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >>> I've updated my
> >>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> >>> I now require NETLOGON_NEG_PASSWORD_SET2 with require_strong_key.
> >>> and we also require NETLOGON_NEG_ARCFOUR unless we don't propose
> >>> NETLOGON_NEG_AUTHENTICATED_RPC.
> >>> I've also added "allow nt4 crypto" (default: no) and "reject md5
> >>> clients" (default: no)
> >>> as options for the AD netlogon server.
> >> I'll look over the changes today, and hopefully be able to give you my
> >> review. Do you want me to push if it's all OK?
> > I've reviewed these, and pushed with my review tags to
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/metze-master4-schannel-ok
> Thanks! Are you able to do a wintest with this?
> I also want to do some tests with windows dcs.
> I important thing I want to verify is the behavior of
> + domain->conn.netlogon_force_reauth = true;
> in _wbint_CheckMachineAccount() and related code.
> Testing against a s4 dc showed that we are doing
> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
> sure Windows also likes that.
> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
> Günther can you also do some tests with your VMs?
I'll get Garming to give this a test against some real Windows VMs, and
yes, this is a very good excuse to get wintest running again.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical