s4:rpc_server/netlogon: Fix for NetApp
This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.
The issue is triggered by NetApp filers in three steps:
1. The client calls netr_ServerReqChallenge to set up challenge tokens
2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
set to 0. Native AD and Samba respond to this with
NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
the challenge token negotiated in the first step.
3. Next the client calls netr_ServerAuthenticate2 again, this time with
NETLOGON_NEG_STRONG_KEYS set to 1.
Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
of the challenge and denies logon with the message
No challenge requested by client [CLNT1/CLNT1$], cannot authenticate
Git commit
321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug 6 20:29:04 CEST 2015 on sn-devel-104
git.samba.org / kai / samba-autobuild / .git / commit