[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Andrew Bartlett abartlet at samba.org
Sun Jan 5 15:54:21 MST 2014


On Sun, 2014-01-05 at 23:46 +0100, Stefan (metze) Metzmacher wrote:
> On 05.01.2014 23:13, Andrew Bartlett wrote:
> > On Sun, 2014-01-05 at 13:55 +0100, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>> No, I just need to retest with this code.
> >>>>
> >>>> You could try to fix the flakey tests we currently have...:-)
> >>>
> >>> This fixes samba.tests.docs
> >>
> >> Thanks!
> >>
> >> I've added rpc header signing support and
> >> dcerpc_sec_verification_trailer support (s3 client only for now) to my
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> >> branch.
> >>
> >> I'll retest this against Samba 3.0, 3.2, 3.4, ...
> >> and Windows NT4 SP6a, 2000, ...
> >>
> >> If the tests are ok, we can finally push to master.
> > 
> > One final thing (sorry), but if you can push the docs with the new
> > parameters in a single commit, then the result will be bisect-able
> > across a full make test. 
> 
> Ok, I'll try to let every commit pass autobuild.

Thanks.

> Can I have your review on the new patches?

I'm reading over that code now.  

> With this Wireshark branch:
> https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi-20140105
> you can have a look at captures, with experiments of the verification
> trailer against Windows 2012.
> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20140103/
> 
> These captures show that the code still works against old Samba 3.0
> and Windows 2000, both without support for the verification trailer or
> header signing.

Nice work!

> Windows 2008r2 and Windows 2012 also work just fine:
> 
> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20140105/
> 
> I'll test NT4.0 SP6a and more Samba versions tomorrow.

Thanks for all your hard work and patience on this.  This is a really
important step forward for our security in this area.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





