[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 19 12:55:17 MST 2013

On 19.12.2013 05:16, Andrew Bartlett wrote:
> On Wed, 2013-12-18 at 22:40 +0100, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>>>>>> Thanks! Are you able to do a wintest with this?
>>>>>>> I also want to do some tests with windows dcs.
> >>>>>>> One important thing I want to verify is the behavior of
>>>>>>>          invalidate_cm_connection(&domain->conn);
>>>>>>> +       domain->conn.netlogon_force_reauth = true;
>>>>>>> in _wbint_CheckMachineAccount() and related code.
> >>>>>>> Testing against an s4 dc showed that we are doing
>>>>>>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
>>>>>>> sure Windows also likes that.
>>>>>>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
>>>>>>> Günther can you also do some tests with your VMs?
>>>>>> I'll get Garming to give this a test against some real Windows VMs, and
>>>>>> yes, this is a very good excuse to get wintest running again.
>>>>>> Andrew Bartlett
>>>>> It appears to work just fine on my end.
>>>> Against what windows versions did you test?
>>> Garming tested with 2008R2.
>>>> I've tested today against a w2012 dc and found that it works.
>>>> I just found one bug when using net rpc testjoin, which triggered
>>>> This commit should fix the problem for now:
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
>>>> it's part of
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>>>> now.
>>>> I've done some captures see
>>>> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
>>>> I'll try to do some more testing on monday.
>> I've also tested with Windows 2008 and will do with nt4 and windows 2000
>> and some samba versions.
>> I have some updates in my
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>> branch.
>> While testing with "winbind sealed pipes = no", I noticed that we send the
>> same Authenticator again and again to a dc that returns NOT_IMPLEMENTED
>> to LogonGetCapabilities(). As this is the first request on each schannel
>> connection, I think it's better to avoid this, as the session key is much
>> longer-lived now.
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=fa68a5814d7ad3fb48b22eaaad1bdb0ed2fc495c
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5df6c619f5670b71e04ab047a2d6f12073d376dc
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=485ed1950affa3b9da0d78dc927c4185b2111e8c
>> are the cleanups for this.
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=23896aefe5f50ba977167a85b1b6189dd65d03f0
>> got netlogon_creds_cli_open_global_db()
>> which is used in
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=82e902bad329a0734ab2b4c1436f53c440cca4ef
>> which is used in
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=46949116273667b65d7ac59f1d1a11ec9284f963
>> This makes sure that the winbind parent opens the netlogon_creds_cli.tdb
>> and it doesn't get cleared if a child was killed and a new one was started.
>> This way we only do a ServerChallenge/ServerAuthenticate pair when winbindd
>> is restarted or the dc gets restarted.
> I've looked over the changes individually, and the diff between what I
> last reviewed and your current tree.  On that basis:
> Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> Thanks for all your great work here!

After testing with NT 4.0 SP6a I have some small changes.


Here I changed the comment about getting NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
in netlogon_creds_cli_check_caps(); NT 4.0 also returns that.

I tested with these settings:

        # NT 4.0 sp6a
        security = domain
        workgroup = NT4DOM
        require strong key = no
        disable aes schannel = yes
        client NTLMv2 auth = no

I also tested if "client schannel = no" still works.
I had to change netlogon_creds_cli_auth_send() and
we always start with try_auth3 and try_auth2; we also
set require_auth2 if we require any of NETLOGON_NEG_ARCFOUR,
after testing against 3.0.37, it seems that NT 4.0 and Samba 3.0.37 both
support Authenticate2.

Here I explained where "disable aes schannel = yes" might be needed.

Here I fixed the flags we require with "reject md5 servers = yes".

Here I fixed the flags we require with "require strong key = yes" (the
and that "require strong key = no" is needed for Samba < 3.5.

Against 3.2.15 and 3.4.17 I used:

     security = domain
     workgroup = WDOM
     require strong key = no


