[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
Stefan (metze) Metzmacher
metze at samba.org
Thu Dec 19 12:55:17 MST 2013
Am 19.12.2013 05:16, schrieb Andrew Bartlett:
> On Wed, 2013-12-18 at 22:40 +0100, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>
>>>>>>> Thanks! Are you able to do a wintest with this?
>>>>>>>
>>>>>>> I also want to do some tests with windows dcs.
>>>>>>>
>>>>>>> I important thing I want to verify is the behavior of
>>>>>>>
>>>>>>> invalidate_cm_connection(&domain->conn);
>>>>>>> + domain->conn.netlogon_force_reauth = true;
>>>>>>>
>>>>>>> in _wbint_CheckMachineAccount() and related code.
>>>>>>>
>>>>>>> Testing against a s4 dc showed that we are doing
>>>>>>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
>>>>>>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
>>>>>>> sure Windows also likes that.
>>>>>>>
>>>>>>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
>>>>>>>
>>>>>>> Günther can you also do some tests with your VMs?
>>>>>> I'll get Garming to give this a test against some real Windows VMs, and
>>>>>> yes, this is a very good excuse to get wintest running again.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>>
>>>>> It appears to work just fine on my end.
>>>>
>>>> Against what windows versions did you test?
>>>
>>> Garming tested with 2008R2.
>>>
>>>> I've tested today against a w2012 dc and found that it works.
>>>>
>>>> I just found one bug when using net rpc testjoin, which triggered
>>>> a DCERPC_FAULT_SEC_PKG_ERROR.
>>>> This commit should fix the problem for now:
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
>>>> it's part of
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>>>> now.
>>>>
>>>> I've done some captures see
>>>> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
>>>>
>>>> I'll try to do some more testing on monday.
>>
>> I've also tested with Windows 2008 and will do with nt4 and windows 2000
>> and some samba versions.
>>
>> I have some updates in my
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
>> branch.
>>
>> While testing with winbind sealed pipes = no, I noticed that we send the
>> same Authenticator again and again to a dc that returns NOT_IMPLEMENTED
>> to LogonGetCapabilities(). As this is the first request on each schannel
>> connection,
>> I think it's better to avoid this, as the session key is much more long
>> living now.
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=fa68a5814d7ad3fb48b22eaaad1bdb0ed2fc495c
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5df6c619f5670b71e04ab047a2d6f12073d376dc
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=485ed1950affa3b9da0d78dc927c4185b2111e8c
>>
>> are the cleanup ups for this.
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=23896aefe5f50ba977167a85b1b6189dd65d03f0
>> got netlogon_creds_cli_open_global_db()
>> which is used in
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=82e902bad329a0734ab2b4c1436f53c440cca4ef
>> which is used in
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=46949116273667b65d7ac59f1d1a11ec9284f963
>>
>> This makes sure that the winbind parent opens the netlogon_creds_cli.tdb
>> and it doesn't get cleared
>> if a child was killed and a new one was started. This way we only do a
>> ServerChallenge/ServerAuthenticate
>> pair when winbindd is restarted or the dc gets restarted.
>
> I've looked over the changes individually, and the diff between what I
> last reviewed and your current tree. On that basis:
>
> Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>
> Thanks for all your great work here!
After testing with NT4 4.0 SP6a I have some little changes.
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=e20b593ce69298f1dc7ec0ac126f865173d4f3c9
Here I changed the comment, when getting NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
in netlogon_creds_cli_check_caps(), NT 4.0 also returns that.
I tested with this settings:
# NT 4.0 sp6a
security = domain
workgroup = NT4DOM
require strong key = no
disable aes schannel = yes
client NTLMv2 auth = no
I also tested if "client schannel = no" still works.
I had to change netlogon_creds_cli_auth_send() and
we always start with try_auth3 and try_auth2, we also
set require_auth2 if require any of NETLOGON_NEG_ARCFOUR,
NETLOGON_NEG_STRONG_KEYS, NETLOGON_NEG_PASSWORD_SET2,
NETLOGON_NEG_SUPPORTS_AES. I may add NETLOGON_NEG_AUTHENTICATED_RPC
after testing against 3.0.37, it seems that NT 4.0 and Samba 3.0.37 both
support Authenticate2.
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=9447e1d665991af78d71223ca099a9a8a49d88ce
Here I explained where "disable aes schannel = yes" might be needed.
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c78e78cea8b9f25e79407c12a60410e755d05f58
Here I fixed the flags we require with "reject md5 servers = yes".
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=371fa99fd1ae88898839d0c4a26bd5a3ae4e0a39
Here I fixed the flags we require with "require strong key = yes" (the
default)
and that "require strong key = no" is needed for Samba < 3.5.
Against 3.2.15 and 3.4.17 I used:
security = domain
workgroup = WDOM
require strong key = no
metze
More information about the samba-technical
mailing list