netlogon_creds_cli_validate() in master4-schannel
Andrew Bartlett
abartlet at samba.org
Thu Nov 28 15:12:45 MST 2013
On Thu, 2013-11-28 at 16:18 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
>
> > I was looking at this in particular, because it seems to be blocking a
> > lot of other work.
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=b96ee68714389abee2f0cc0743246a335818376a
> >
> > What I don't understand is why we have this complex
> > netlogon_creds_cli_validate() routine, rather than something at the NDR
> > layer using memcmp()? If we ever add something to this structure, we
> > are going to have to keep this in sync, and that seems unfortunate.
>
> I've changed that.
>
> > Other than that, it looks good. I was supprised by the downgrade
> > handling in netlogon_creds_cli_check_caps but as long as we are careful
> > as to when we choose not to propose AES, I guess it's OK.
> >
> > How can I help you get the rest of this set merged?
>
> Please review/test/push my
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-base
> branch. This contains the netlogon secure channel changes which should
> be ready for master.
>
> The rest needs more work. I need to do some more research regarding the
> password change code and
> fallback to the old password.
I've reviewed them:
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/master4-schannel-base
Some non-critical comments:
In 's3:libnet_join: make use of rpccli_{create,setup}_netlogon_creds()'
you have
+ /*
+ * We now have an anonymous connection to IPC$ on the domain password
server.
+ */
However the connection appears to be authenticated.
I was worried about netlogon_creds_cli_context_copy() but I see you
remove it in the last patch. Nice work!
Finally, I'm a little worries that the rpcclient changes don't have a
testsuite.
We just need to extend the rpcclient blackbox test script. I'll hack at
this later today.
It would also be a good idea to run some of our make test with the
different options etc, and to have a test showing the defence against a
downgrade attack, given how important that is.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list