From 78fb479325ce7073ab8383ada3903080d12aef91 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 6 May 2009 16:10:20 -0700 Subject: [PATCH] After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns incurrate capabilities list. 1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3). Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy. --- source3/rpc_server/srv_netlog_nt.c | 36 +++++++++++++++++++----------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index edd13217d73..333eabe2ce2 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -508,13 +508,16 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, { NTSTATUS status; uint32_t srv_flgs; + /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags, + * so use a copy to avoid destroying the client values. */ + uint32_t in_neg_flags = *r->in.negotiate_flags; struct netr_Credential srv_chal_out; const char *fn; /* According to Microsoft (see bugid #6099) * Windows 7 looks at the negotiate_flags * returned in this structure *even if the - * call fails with access denied ! So in order + * call fails with access denied* ! So in order * to allow Win7 to connect to a Samba NT style * PDC we set the flags before we know if it's * an error or not. @@ -531,6 +534,11 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, NETLOGON_NEG_REDO | NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL; + /* Ensure we support strong (128-bit) keys. */ + if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) { + srv_flgs |= NETLOGON_NEG_STRONG_KEYS; + } + if (lp_server_schannel() != false) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } @@ -552,19 +560,19 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, if (!p->dc || !p->dc->challenge_sent) { DEBUG(0,("%s: no challenge sent to client %s\n", fn, r->in.computer_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } if ( (lp_server_schannel() == true) && - ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { + ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { /* schannel must be used, but client did not offer it. */ DEBUG(0,("%s: schannel required but client failed " "to offer it. Client was %s\n", fn, r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } status = get_md4pw((char *)p->dc->mach_pw, @@ -576,12 +584,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "account %s: %s\n", fn, r->in.account_name, nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* From the client / server challenges and md4 password, generate sess key */ - creds_server_init(*r->in.negotiate_flags, + creds_server_init(in_neg_flags, p->dc, &p->dc->clnt_chal, /* Stored client chal. */ &p->dc->srv_chal, /* Stored server chal. */ @@ -594,8 +602,8 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, "request from client %s machine account %s\n", fn, r->in.computer_name, r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* set up the LSA AUTH 2 response */ memcpy(r->out.return_credentials->data, &srv_chal_out.data, @@ -613,10 +621,12 @@ NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, r->in.computer_name, p->dc); unbecome_root(); + status = NT_STATUS_OK; - *r->out.negotiate_flags = srv_flgs; + out: - return NT_STATUS_OK; + *r->out.negotiate_flags = srv_flgs; + return status; } /************************************************************************* -- 2.34.1