[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Andrew Bartlett abartlet at samba.org
Sun Dec 15 15:54:22 MST 2013


On Fri, 2013-12-13 at 20:40 +0100, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> >>> Thanks! Are you able to do a wintest with this?
> >>>
> >>> I also want to do some tests with windows dcs.
> >>>
> >>> An important thing I want to verify is the behavior of
> >>>
> >>>          invalidate_cm_connection(&domain->conn);
> >>> +       domain->conn.netlogon_force_reauth = true;
> >>>
> >>> in _wbint_CheckMachineAccount() and related code.
> >>>
> >>> Testing against a s4 dc showed that we are doing
> >>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
> >>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
> >>> sure Windows also likes that.
> >>>
> >>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
> >>>
> >>> Günther can you also do some tests with your VMs?
> >> I'll get Garming to give this a test against some real Windows VMs, and
> >> yes, this is a very good excuse to get wintest running again.
> >>
> >> Andrew Bartlett
> >>
> > 
> > It appears to work just fine on my end.
> 
> Against what windows versions did you test?

Garming tested with 2008R2.

> I've tested today against a w2012 dc and found that it works.
> 
> I just found one bug when using net rpc testjoin, which triggered
> a DCERPC_FAULT_SEC_PKG_ERROR.
> This commit should fix the problem for now:
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
> it's part of
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> now.
> 
> I've done some captures, see
> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
> 
> I'll try to do some more testing on monday.

Great!  I'll try and get my Wintest rig going again, but it may take
some time.  The most amusing bitrot has been the valid options for 'nc'
changing!  I'll re-implement our port-checker in python, as it's not at
a point where what Debian and Fedora ship are two different things!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
