[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
garming at catalyst.net.nz
Wed Dec 11 21:52:32 MST 2013
On 12/12/13 07:40, Andrew Bartlett wrote:
> On Wed, 2013-12-11 at 19:21 +0100, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>>>> I've updated my
>>>>> I now require NETLOGON_NEG_PASSWORD_SET2 with require_strong_key.
>>>>> and we also require NETLOGON_NEG_ARCFOUR unless we don't propose
>>>>> I've also added "allow nt4 crypto" (default: no) and "reject md5
>>>>> clients" (default: no)
>>>>> as options for the AD netlogon server.
>>>> I'll look over the changes today, and hopefully be able to give you my
>>>> review. Do you want me to push if it's all OK?
>>> I've reviewed these, and pushed with my review tags to
>> Thanks! Are you able to do a wintest with this?
>> I also want to do some tests with windows dcs.
>> An important thing I want to verify is the behavior of
>> + domain->conn.netlogon_force_reauth = true;
>> in _wbint_CheckMachineAccount() and related code.
>> Testing against a s4 dc showed that we are doing
>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
>> sure Windows also likes that.
>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
>> Günther can you also do some tests with your VMs?
> I'll get Garming to give this a test against some real Windows VMs, and
> yes, this is a very good excuse to get wintest running again.
> Andrew Bartlett
It appears to work just fine on my end.