[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Andrew Bartlett abartlet at samba.org
Mon Dec 23 17:35:19 MST 2013


On Tue, 2013-12-24 at 00:02 +0100, Stefan (metze) Metzmacher wrote:
> On 23.12.2013 21:09, Andrew Bartlett wrote:
> > On Mon, 2013-12-23 at 09:47 +0100, Stefan (metze) Metzmacher wrote:
> >> On 23.12.2013 04:43, Garming Sam wrote:
> >>> Hi there,
> >>>
> >>> So I was just running some tests with your schannel-ok branch and
> >>> noticed that,
> >>>
> >>> make test TESTS=wbinfo
> >>>
> >>> causes NT_STATUS_DOWNGRADE_DETECTED errors. I had an older version of
> >>> your branch which succeeded on the tests just fine it seems,
> >>> d3cc081117bda18f124fdffb740d116ef37d7c70. While the new version I used
> >>> was 1a6e37da410fb11fee6cc551c2ae2c4db775c70e.
> >>>
> >>>
> >>>
> >>> An example of the messages:
> >>>
> >>> "netlogon_creds_cli_check failed with NT_STATUS_DOWNGRADE_DETECTED
> >>> libnet_join_ok: failed to open schannel session on netlogon pipe to
> >>> server localdc.samba.example.com for domain SAMBADOMAIN. Error was
> >>> NT_STATUS_DOWNGRADE_DETECTED"
> >>
> >> I introduced a regression when removing the "disable aes schannel" option.
> >>
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> >> has this fixed in
> >> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=8a24aeb3874021da57dbb8cdc88e639bcced63c6
> >>
> >> I still have to squash the top commits and add some more comments,
> >> but I think the code is fine now, I'll redo my testing with this state.
> > 
> > I look forward to seeing this in master!  We may continue to find
> > issues, but I think this is a very big leap forward.
> > 
> > Thanks for the improvements in:
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c1b436c75f7a6493ba11fbb511f93414600f4570
> > 
> > (feel confident to add my review to these latest fixups, I'm fine with
> > them too, and have reviewed the inter-branch diff).
> 
> Thanks!
> 
> > Let me know if there is anything else you wish to draw my specific
> > attention to, and I'll look at it today. 
> 
> No, I just need to retest with this code.
> 
> You could try to fix the flakey tests we currently have...:-)

This fixes samba.tests.docs

I do have to agree, the test output is insane for debugging.  Garming
and I are working on improving the test, and its debugging interface.
I'm not sure why the build didn't pick this up however. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fix-missing-tag-close.patch
Type: text/x-patch
Size: 1763 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131224/1421ee30/attachment.bin>