[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Andrew Bartlett abartlet at samba.org
Wed Dec 18 21:16:50 MST 2013


On Wed, 2013-12-18 at 22:40 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>>>> Thanks! Are you able to do a wintest with this?
> >>>>>
> >>>>> I also want to do some tests with windows dcs.
> >>>>>
> >>>>> An important thing I want to verify is the behavior of
> >>>>>
> >>>>>          invalidate_cm_connection(&domain->conn);
> >>>>> +       domain->conn.netlogon_force_reauth = true;
> >>>>>
> >>>>> in _wbint_CheckMachineAccount() and related code.
> >>>>>
> >>>>> Testing against a s4 dc showed that we are doing
> >>>>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
> >>>>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
> >>>>> sure Windows also likes that.
> >>>>>
> >>>>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
> >>>>>
> >>>>> Günther can you also do some tests with your VMs?
> >>>> I'll get Garming to give this a test against some real Windows VMs, and
> >>>> yes, this is a very good excuse to get wintest running again.
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>>
> >>> It appears to work just fine on my end.
> >>
> >> Against what windows versions did you test?
> > 
> > Garming tested with 2008R2.
> > 
> >> I've tested today against a w2012 dc and found that it works.
> >>
> >> I just found one bug when using net rpc testjoin, which triggered
> >> a DCERPC_FAULT_SEC_PKG_ERROR.
> >> This commit should fix the problem for now:
> >> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
> >> it's part of
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> >> now.
> >>
> >> I've done some captures see
> >> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
> >>
> >> I'll try to do some more testing on Monday.
> 
> I've also tested with Windows 2008 and will do with NT4 and Windows 2000
> and some Samba versions.
> 
> I have some updates in my
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> branch.
> 
> While testing with "winbind sealed pipes = no", I noticed that we send the
> same Authenticator again and again to a DC that returns NOT_IMPLEMENTED
> to LogonGetCapabilities(). As this is the first request on each schannel
> connection, I think it's better to avoid this, as the session key is much
> longer lived now.
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=fa68a5814d7ad3fb48b22eaaad1bdb0ed2fc495c
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5df6c619f5670b71e04ab047a2d6f12073d376dc
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=485ed1950affa3b9da0d78dc927c4185b2111e8c
> 
> are the cleanups for this.
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=23896aefe5f50ba977167a85b1b6189dd65d03f0
> got netlogon_creds_cli_open_global_db()
> which is used in
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=82e902bad329a0734ab2b4c1436f53c440cca4ef
> which is used in
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=46949116273667b65d7ac59f1d1a11ec9284f963
> 
> This makes sure that the winbind parent opens the netlogon_creds_cli.tdb
> and it doesn't get cleared if a child was killed and a new one was started.
> This way we only do a ServerChallenge/ServerAuthenticate pair when winbindd
> is restarted or the DC gets restarted.

I've looked over the changes individually, and the diff between what I
last reviewed and your current tree.  On that basis:

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Thanks for all your great work here!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba