- Fix the kerberos downgrade problem:
authorAndrew Bartlett <abartlet@samba.org>
Tue, 19 Aug 2003 20:39:32 +0000 (20:39 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 19 Aug 2003 20:39:32 +0000 (20:39 +0000)
 - When connecting to the NETLOGON pipe, we make a call to auth2, in order
   to verify our identity.  This call was being made with negotiation flags
   of 0x1ff.  This caused our account to be downgraded.  If we instead make
   the call with flags > 1ff (such as 0x701ff), then this does not occur.

 - This is *not* related to the use of kerberos for the CIFS-level connection

My theory is that Win2k has a test to see if we are sending *exactly* what
NT4 sent - setting any other flags seems to cause us to remain intact.

Also ensure that we only have 'setup schannel' code in a few places, not
scattered around cmd_netlogon too.

Andrew Bartlett

source/rpc_client/cli_netlogon.c
source/rpc_client/cli_pipe.c
source/rpcclient/cmd_netlogon.c

index 2de830e558e400c94ed88bba2df2e54cff0c67d8..97bc4c65b76c68985580c0709bbc859242f9d9d9 100644 (file)
@@ -685,30 +685,19 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx,
        NET_Q_SRV_PWSET q_s;
        uint16 sec_chan_type = 2;
        NTSTATUS nt_status;
-       char *mach_acct;
 
        gen_next_creds( cli, &new_clnt_cred);
        
        prs_init(&qbuf , 1024, mem_ctx, MARSHALL);
        prs_init(&rbuf, 0,    mem_ctx, UNMARSHALL);
        
-       /* create and send a MSRPC command with api NET_SRV_PWSET */
-       
-       mach_acct = talloc_asprintf(mem_ctx, "%s$", machine_name);
-       
-       if (!mach_acct) {
-               DEBUG(0,("talloc_asprintf failed!\n"));
-               nt_status = NT_STATUS_NO_MEMORY;
-               goto done;
-       }
-
        DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n",
-                cli->srv_name_slash, mach_acct, sec_chan_type, machine_name,
+                cli->srv_name_slash, cli->mach_acct, sec_chan_type, machine_name,
                 credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time));
        
         /* store the parameters */
        init_q_srv_pwset(&q_s, cli->srv_name_slash, (const char *)cli->sess_key,
-                        mach_acct, sec_chan_type, machine_name, 
+                        cli->mach_acct, sec_chan_type, machine_name, 
                         &new_clnt_cred, hashed_mach_pwd);
        
        /* turn parameters into data stream */
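Review bot: `cli->mach_acct` is now used in the `%s` of the DEBUG call and passed to init_q_srv_pwset() with no check that it has been filled in, whereas the removed code built the account name locally and returned NT_STATUS_NO_MEMORY when that failed. Nothing in this hunk shows where the field is set, so if cli_net_srv_pwset() can be reached before the netlogon setup has populated it, the password-set request would carry an empty or invalid account name. Depending on whether the field is a pointer or an embedded array, a guard for NULL or an empty string before the DEBUG would make that failure explicit, together with a comment such as `/* cli->mach_acct must already have been set when the netlogon credentials were established */`. The function starts and ends outside the hunk, so whether the `done:` label still has other users after this removal cannot be confirmed from here.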
index 13a78414556edd0547418822440b538d165009ed..dedbf017a93a04caae8bc4f9055e36cea4fc5f5b 100644 (file)
@@ -1493,7 +1493,9 @@ NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
                                   const uchar trust_password[16])
 {
        NTSTATUS result;        
-       uint32 neg_flags = 0x000001ff;
+       /* The 7 here seems to be required to get Win2k not to downgrade us
+          to NT4.  Actually, anything other than 1ff would seem to do... */
+       uint32 neg_flags = 0x000701ff;
        int fnum;
 
        cli_nt_netlogon_netsec_session_close(cli);
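Review bot: The negotiate-flags value `0x000701ff` is a bare literal carrying the same copied comment in cli_nt_establish_netlogon (here) and in cli_nt_setup_netsec (the next hunk), so a later edit to one can leave the other sending different flags and quietly bring the downgrade back. A single shared constant, for example one named `NETLOGON_NEG_AUTH2_FLAGS`, defined once with the comment and used as `uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;` in both places, would keep them in step. The comment itself says the extra bits were found empirically ("anything other than 1ff would seem to do"), so it should also record which server version this was observed against. The rest of both functions is outside the hunks, so it is not visible whether the flags the server returns from auth2 are compared with what was requested; logging a mismatch there would make a future downgrade detectable.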
@@ -1586,6 +1588,8 @@ NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan,
                             const uchar trust_password[16])
 {
        NTSTATUS result;        
+       /* The 7 here seems to be required to get Win2k not to downgrade us
+          to NT4.  Actually, anything other than 1ff would seem to do... */
        uint32 neg_flags = 0x000701ff;
        cli->pipe_auth_flags = 0;
 
index e7d5f7f118517e16489d0741906866b2a1e5afdd..a48b59bf6a38ec31b4a49dd77aec08c5b53dfa5c 100644 (file)
@@ -146,13 +146,10 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
                                       const char **argv)
 {
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-        unsigned char trust_passwd[16];
         uint32 database_id = 0, num_deltas;
         SAM_DELTA_HDR *hdr_deltas;
         SAM_DELTA_CTR *deltas;
        DOM_CRED ret_creds;
-       uint32 neg_flags = 0x000001ff;
-       uint32 sec_channel_type = 0;
 
         if (argc > 2) {
                 fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
@@ -162,26 +159,6 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
         if (argc == 2)
                 database_id = atoi(argv[1]);
 
-        if (!secrets_init()) {
-                fprintf(stderr, "Unable to initialise secrets database\n");
-                return result;
-        }
-
-        /* Initialise session credentials */
-
-       if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
-                                                  NULL, &sec_channel_type)) {
-               fprintf(stderr, "could not fetch trust account password\n");
-               goto done;
-       }        
-
-        result = cli_nt_setup_creds(cli, sec_channel_type, trust_passwd, &neg_flags, 2);
-
-        if (!NT_STATUS_IS_OK(result)) {
-                fprintf(stderr, "Error initialising session creds\n");
-                goto done;
-        }
-
        /* on first call the returnAuthenticator is empty */
        memset(&ret_creds, 0, sizeof(ret_creds));
  
@@ -208,13 +185,10 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
                                         const char **argv)
 {
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-        unsigned char trust_passwd[16];
         uint32 database_id, num_deltas, tmp;
         SAM_DELTA_HDR *hdr_deltas;
         SAM_DELTA_CTR *deltas;
         UINT64_S seqnum;
-       uint32 neg_flags = 0x000001ff;
-       uint32 sec_channel_type = 0;
 
         if (argc != 3) {
                 fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
@@ -227,28 +201,6 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
         seqnum.low = tmp & 0xffff;
         seqnum.high = 0;
 
-        if (!secrets_init()) {
-                fprintf(stderr, "Unable to initialise secrets database\n");
-                goto done;
-        }
-
-        /* Initialise session credentials */
-
-       if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
-                                                  NULL, &sec_channel_type)) {
-               fprintf(stderr, "could not fetch trust account password\n");
-               goto done;
-       }        
-
-        result = cli_nt_setup_creds(cli, sec_channel_type, trust_passwd, &neg_flags, 2);
-
-        if (!NT_STATUS_IS_OK(result)) {
-                fprintf(stderr, "Error initialising session creds\n");
-                goto done;
-        }
-
-        /* Synchronise sam database */
-
        result = cli_netlogon_sam_deltas(cli, mem_ctx, database_id,
                                         seqnum, &num_deltas, 
                                         &hdr_deltas, &deltas);
@@ -317,6 +269,39 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
         return result;
 }
 
+/* Change the trust account password */
+
+static NTSTATUS cmd_netlogon_change_trust_pw(struct cli_state *cli, 
+                                            TALLOC_CTX *mem_ctx, int argc,
+                                            const char **argv)
+{
+        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+       DOM_CRED ret_creds;
+
+        /* Check arguments */
+
+        if (argc > 1) {
+                fprintf(stderr, "Usage: change_trust_pw");
+                return NT_STATUS_OK;
+        }
+
+        /* Perform the sam logon */
+
+       ZERO_STRUCT(ret_creds);
+
+       result = trust_pw_find_change_and_store_it(cli, mem_ctx,
+                                                  lp_workgroup());
+
+       clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
+
+       if (!NT_STATUS_IS_OK(result))
+               goto done;
+
+ done:
+        return result;
+}
+
+
 /* List of commands exported by this module */
 
 struct cmd_set netlogon_commands[] = {
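Review bot: In cmd_netlogon_change_trust_pw, `clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);` is called on a `ret_creds` that was only zeroed by `ZERO_STRUCT` and is never passed to `trust_pw_find_change_and_store_it`, so the server's return authenticator is not what gets checked here; the result of the call is also ignored, and it runs before `result` is tested. If clnt_deal_with_creds also advances the stored client credential (not visible in this hunk), the call could leave the credential chain out of step after a password change. Unless the helper is known to leave verification to the caller, the call and the `ret_creds` local should be dropped, which also makes the `if (!NT_STATUS_IS_OK(result)) goto done;` / `done:` pair unnecessary. Smaller points in the same function: the comment `/* Perform the sam logon */` should read `/* Change the trust account password */`, and the usage path prints without a trailing newline and returns NT_STATUS_OK for bad arguments, so `fprintf(stderr, "Usage: %s\n", argv[0]);` with a failure status would be clearer.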
@@ -327,7 +312,8 @@ struct cmd_set netlogon_commands[] = {
        { "logonctrl",  RPC_RTYPE_NTSTATUS, cmd_netlogon_logon_ctrl,  NULL, PI_NETLOGON, "Logon Control",       "" },
        { "samsync",    RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync,    NULL, PI_NETLOGON, "Sam Synchronisation", "" },
        { "samdeltas",  RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas,  NULL, PI_NETLOGON, "Query Sam Deltas",    "" },
-     { "samlogon",   RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon,   NULL, PI_NETLOGON, "Sam Logon",           "" },
+       { "samlogon",   RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon,   NULL, PI_NETLOGON, "Sam Logon",           "" },
+       { "samlogon",   RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw,   NULL, PI_NETLOGON, "Change Trust Account Password",           "" },
 
        { NULL }
 };
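Review bot: The new table entry registers cmd_netlogon_change_trust_pw under the name `"samlogon"`, which the entry directly above already uses for cmd_netlogon_sam_logon. If commands are looked up by the first matching name (the lookup code is not in this diff), the password-change command can never be reached, and the function's own usage text calls it `change_trust_pw`. The entry should read `{ "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, PI_NETLOGON, "Change Trust Account Password", "" },`.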