[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Stefan (metze) Metzmacher metze at samba.org
Wed Dec 18 14:40:21 MST 2013


Hi Andrew,

>>>>> Thanks! Are you able to do a wintest with this?
>>>>>
>>>>> I also want to do some tests with windows dcs.
>>>>>
>>>>> One important thing I want to verify is the behavior of
>>>>>
>>>>>          invalidate_cm_connection(&domain->conn);
>>>>> +       domain->conn.netlogon_force_reauth = true;
>>>>>
>>>>> in _wbint_CheckMachineAccount() and related code.
>>>>>
>>>>> Testing against a s4 dc showed that we are doing
>>>>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
>>>>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
>>>>> sure Windows also likes that.
>>>>>
>>>>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
>>>>>
>>>>> Günther can you also do some tests with your VMs?
>>>> I'll get Garming to give this a test against some real Windows VMs, and
>>>> yes, this is a very good excuse to get wintest running again.
>>>>
>>>> Andrew Bartlett
>>>>
>>>
>>> It appears to work just fine on my end.
>>
>> Against what windows versions did you test?
> 
> Garming tested with 2008R2.
> 
>> I've tested today against a w2012 dc and found that it works.
>>
>> I just found one bug when using net rpc testjoin, which triggered
>> a DCERPC_FAULT_SEC_PKG_ERROR.
>> This commit should fix the problem for now:
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
>> it's part of
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>> now.
>>
>> I've done some captures see
>> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
>>
>> I'll try to do some more testing on monday.

I've also tested with Windows 2008 and will do with nt4 and windows 2000
and some samba versions.

I have some updates in my
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
branch.

While testing with winbind sealed pipes = no, I noticed that we send the
same Authenticator again and again to a dc that returns NOT_IMPLEMENTED
to LogonGetCapabilities(). As this is the first request on each schannel
connection, I think it's better to avoid this, as the session key is much
longer-lived now.

https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=fa68a5814d7ad3fb48b22eaaad1bdb0ed2fc495c
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5df6c619f5670b71e04ab047a2d6f12073d376dc
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=485ed1950affa3b9da0d78dc927c4185b2111e8c

are the cleanups for this.

https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=23896aefe5f50ba977167a85b1b6189dd65d03f0
got netlogon_creds_cli_open_global_db()
which is used in
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=82e902bad329a0734ab2b4c1436f53c440cca4ef
which is used in
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=46949116273667b65d7ac59f1d1a11ec9284f963

This makes sure that the winbind parent opens the netlogon_creds_cli.tdb
and it doesn't get cleared if a child was killed and a new one was started.
This way we only do a ServerChallenge/ServerAuthenticate pair when winbindd
is restarted or the dc gets restarted.

metze
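As an added illustration of the two design points in the message above (this is constructed example code, not Samba's implementation and not from metze's branch): a credential record store owned by the long-lived parent so that a killed and restarted child reuses the existing schannel credential chain instead of running ServerReqChallenge/ServerAuthenticate again, plus a cached "NOT_IMPLEMENTED" flag so that LogonGetCapabilities() does not burn an authenticator on every new connection to a DC known to reject it. The store, the DC simulation, the session-key mixing and all function names (`creds_store_open`, `creds_cli_establish`, `creds_cli_get_capabilities`, the two `scenario_*` functions) are assumptions made for this example; the real MS-NRPC credential derivation is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for netlogon_creds_cli.tdb: one record per DC,
 * holding the client side of one schannel credential chain. */
struct creds_record {
	char dc[32];
	bool valid;                /* set once ServerReqChallenge/ServerAuthenticate ran */
	uint32_t sequence;         /* toy authenticator sequence counter */
	uint64_t session_key;      /* toy value, NOT the MS-NRPC key derivation */
	bool caps_not_implemented; /* DC answered NOT_IMPLEMENTED to LogonGetCapabilities */
	unsigned auth_count;       /* challenge/authenticate pairs performed for this DC */
};

struct creds_store {
	struct creds_record records[4];
	size_t n;
};

/* Simulated DC (constructed): does it implement LogonGetCapabilities? */
struct dc_sim {
	bool implements_caps;
	unsigned caps_calls_seen; /* how many LogonGetCapabilities requests arrived */
};

/* Find or create the record for a DC, like opening the global tdb. */
struct creds_record *creds_store_open(struct creds_store *s, const char *dc)
{
	for (size_t i = 0; i < s->n; i++)
		if (strcmp(s->records[i].dc, dc) == 0)
			return &s->records[i];
	if (s->n == sizeof(s->records) / sizeof(s->records[0]))
		return NULL;
	struct creds_record *r = &s->records[s->n++];
	memset(r, 0, sizeof(*r));
	snprintf(r->dc, sizeof(r->dc), "%s", dc);
	return r;
}

/* Run the challenge/authenticate pair only when no valid chain exists;
 * an existing chain is reused untouched. */
static void creds_cli_establish(struct creds_record *r, uint64_t dc_challenge)
{
	if (r->valid)
		return;
	r->session_key = dc_challenge * 0x9E3779B97F4A7C15ull; /* toy mixing only */
	r->sequence = 0;
	r->caps_not_implemented = false;
	r->valid = true;
	r->auth_count++;
}

/* Every authenticated call advances the chain; a DC rejects a reused value. */
static uint64_t creds_cli_next_authenticator(struct creds_record *r)
{
	r->sequence++;
	return r->session_key ^ r->sequence;
}

enum caps_result { CAPS_FROM_DC, CAPS_NOT_IMPLEMENTED, CAPS_SKIPPED_CACHED };

/* LogonGetCapabilities with the cached NOT_IMPLEMENTED answer honoured, so
 * no authenticator is spent on a call the DC is known to reject. */
enum caps_result creds_cli_get_capabilities(struct creds_record *r, struct dc_sim *dc)
{
	if (r->caps_not_implemented)
		return CAPS_SKIPPED_CACHED;
	(void)creds_cli_next_authenticator(r); /* this call consumes one authenticator */
	dc->caps_calls_seen++;
	if (!dc->implements_caps) {
		r->caps_not_implemented = true;
		return CAPS_NOT_IMPLEMENTED;
	}
	return CAPS_FROM_DC;
}

/* One winbindd child lifetime: open the record, make sure a chain exists,
 * then issue the first request of a fresh schannel connection. */
static void child_run(struct creds_store *store, struct dc_sim *dc, const char *name)
{
	struct creds_record *r = creds_store_open(store, name);
	if (r == NULL)
		return;
	creds_cli_establish(r, 0x1234); /* constructed challenge value */
	(void)creds_cli_get_capabilities(r, dc);
}

/* Parent-owned store: restarted children reuse the chain and the cached flag. */
unsigned scenario_parent_store(unsigned children, unsigned *caps_calls_seen)
{
	struct creds_store store = { .n = 0 };
	struct dc_sim dc = { .implements_caps = false, .caps_calls_seen = 0 };
	for (unsigned i = 0; i < children; i++)
		child_run(&store, &dc, "DC1");
	*caps_calls_seen = dc.caps_calls_seen;
	return creds_store_open(&store, "DC1")->auth_count;
}

/* Per-child store: every restart redoes the challenge/authenticate pair and
 * resends LogonGetCapabilities, because nothing survives the child. */
unsigned scenario_child_store(unsigned children, unsigned *caps_calls_seen)
{
	struct dc_sim dc = { .implements_caps = false, .caps_calls_seen = 0 };
	unsigned auth_total = 0;
	for (unsigned i = 0; i < children; i++) {
		struct creds_store store = { .n = 0 };
		child_run(&store, &dc, "DC1");
		auth_total += creds_store_open(&store, "DC1")->auth_count;
	}
	*caps_calls_seen = dc.caps_calls_seen;
	return auth_total;
}

int main(void)
{
	unsigned caps, auths;
	auths = scenario_parent_store(3, &caps);
	printf("parent-owned store: %u auth pair(s), %u caps call(s)\n", auths, caps);
	auths = scenario_child_store(3, &caps);
	printf("per-child store:    %u auth pair(s), %u caps call(s)\n", auths, caps);
	return 0;
}
```

With three simulated child restarts against a DC that does not implement LogonGetCapabilities, the parent-owned store performs one challenge/authenticate pair and sends the capabilities request once; the per-child store performs three of each, which is the repeated-authenticator pattern the message describes.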

