Merge from 3.0:

source/libsmb/ntlmssp.c:
Picked up by the build farm - despite all my efforts, security=server was
broken by my NTLM2 commit.  This should correctly cause the NTLM2 case
not to be negotiated when 'security=server' is in effect.

testsuide/build_farm/runlist:
Without 'non unix accounts' we can't test security=domain on the build farm.

source/rpc_server/srv_samr_nt.c:
Match Win2k and return 'invalid parameter' for creating of a new account with
account flags of 0.

Andrew Bartlett

diff --git a/source/libsmb/ntlmssp.c b/source/libsmb/ntlmssp.c
index d36119604710aff423bb4462427b27a0afeddf22..ca1aa674031e765d7b17d68269cdd5972bfad470 100644 (file)
--- a/source/libsmb/ntlmssp.c
+++ b/source/libsmb/ntlmssp.c
@@ -340,7 +340,6 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 
        if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
        }
 
        if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
@@ -403,13 +402,6 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
        
        ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
 
-       chal_flags = ntlmssp_state->neg_flags;
-
-       target_name = ntlmssp_target_name(ntlmssp_state, 
-                                         neg_flags, &chal_flags); 
-       if (target_name == NULL) 
-               return NT_STATUS_INVALID_PARAMETER;
-
        /* Ask our caller what challenge they would like in the packet */
        cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
 
@@ -418,6 +410,19 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
        }
 
+       /* The flags we send back are not just the negotiated flags,
+        * they are also 'what is in this packet'.  Therfore, we
+        * operate on 'chal_flags' from here on 
+        */
+
+       chal_flags = ntlmssp_state->neg_flags;
+
+       /* get the right name to fill in as 'target' */
+       target_name = ntlmssp_target_name(ntlmssp_state, 
+                                         neg_flags, &chal_flags); 
+       if (target_name == NULL) 
+               return NT_STATUS_INVALID_PARAMETER;
+
        ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
        ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
        

diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 7be9b41ee90fd6962558cb73a0f4193481617496..7f57a9fc9d42d8c59dbe015470fe1bc49ee40d61 100644 (file)
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -2130,6 +2130,12 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
                return nt_status;
        }
 
+       if (!acb_info) { 
+               /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if 
+                  this parameter is zero (ie, no user type specified) */
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        /* find the account: tell the caller if it exists.
          lkclXXXX i have *no* idea if this is a problem or not
          or even if you are supposed to construct a different

diff --git a/testsuite/build_farm/runlist b/testsuite/build_farm/runlist
index 5996f24ba8960e0f090b9b465f8903fbe5a62372..594c172b6ff713e396a88815046a908ba2f373b7 100644 (file)
--- a/testsuite/build_farm/runlist
+++ b/testsuite/build_farm/runlist
@@ -1,6 +1,6 @@
 TEST_ALL="basicsmb-sharelist basicsmb-local-pass-change \
 basicsmb-sharesec basicsmb-usersec \
-basicsmb-serversec basicsmb-domainsec basicsmb-domainsec-nt4 \
+basicsmb-serversec \
 basicsmb-shareguest basicsmb-hostsequiv basicsmb-invalidusers \
 basicsmb-hostsdeny basicsmb-remote-pass-change \
 basicsmb-preexec \
@@ -15,4 +15,4 @@ torture-RW1 torture-RW2 torture-OPEN torture-XCOPY \
 torture-RENAME torture-DELETE torture-PROPERTIES \
 torture-MANGLE torture-FDSESS"
 
-#basicsmb-serversec
+#basicsmb-domainsec basicsmb-domainsec-nt4 
\ No newline at end of file