s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
authorStefan Metzmacher <metze@samba.org>
Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 4 Jun 2019 22:13:07 +0000 (22:13 +0000)
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 0bb350aa9a8c2a475f8f3a89577f7a31e618be4a..d9eb9e3bb62f4d1c3eef23e6530f2c0d1c6302b8 100644 (file)
@@ -144,8 +144,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
        bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
        bool reject_des_client = !allow_nt4_crypto;
        bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
-       int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
-       bool reject_none_rpc = (schannel == true);
 
        ZERO_STRUCTP(r->out.return_credentials);
        *r->out.rid = 0;
@@ -226,10 +224,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 
        negotiate_flags = *r->in.negotiate_flags & server_flags;
 
-       if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
-               reject_none_rpc = false;
-       }
-
        if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
                reject_des_client = false;
        }
@@ -276,15 +270,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
         */
        *r->out.negotiate_flags = negotiate_flags;
 
-       if (reject_none_rpc) {
-               /* schannel must be used, but client did not offer it. */
-               DEBUG(0,("%s: schannel required but client failed "
-                       "to offer it. Client was %s\n",
-                        __func__,
-                        log_escape(mem_ctx, r->in.account_name)));
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
        switch (r->in.secure_channel_type) {
        case SEC_CHAN_WKSTA:
        case SEC_CHAN_DNS_DOMAIN:
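Review bot: Nothing on the new side records where the `server schannel` policy is enforced once the `reject_none_rpc` check before `switch (r->in.secure_channel_type)` is gone. With all three hunks applied, this helper no longer reads `lpcfg_server_schannel()`, so a client that does not negotiate NETLOGON_NEG_AUTHENTICATED_RPC now completes authentication where it previously got NT_STATUS_ACCESS_DENIED. Presumably the requirement is enforced on the later calls that use the established credentials, but that code is outside this diff and should be confirmed; a comment after `*r->out.negotiate_flags = negotiate_flags;` such as `/* "server schannel" is intentionally not checked here; calls that use these credentials must enforce it */` would make the dependency explicit. The removed level-0 DEBUG was also the only visible log line naming such clients, so consider keeping a lower-level log for them and adding a test that a session authenticated without the flag is refused on calls that require schannel. The helper's body starts and ends outside the hunk.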