From 908b3d630f92595ece9b4a647dfef13ba2d47b78 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sun, 15 Feb 2009 18:18:21 -0800
Subject: [PATCH] Attempt to fix bug #6099. According to Microsoft Windows 7
 looks at the negotiate_flags returned in this structure *even if the call
 fails with access denied ! So in order to allow Win7 to connect to a Samba NT
 style PDC we set the flags before we know if it's an error or not. Jeremy.
 (cherry picked from commit eb82149dc7f6bbcca85e8ef97f3e23952b438770)

---
 source/rpc_server/srv_netlog_nt.c | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index 203f5382a85..fa329d38365 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -474,6 +474,32 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 	uint32_t srv_flgs;
 	struct netr_Credential srv_chal_out;
 
+	/* According to Microsoft (see bugid #6099)
+	 * Windows 7 looks at the negotiate_flags
+	 * returned in this structure *even if the
+	 * call fails with access denied ! So in order
+	 * to allow Win7 to connect to a Samba NT style
+	 * PDC we set the flags before we know if it's
+	 * an error or not.
+	 */
+
+	/* 0x000001ff */
+	srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+		   NETLOGON_NEG_PERSISTENT_SAMREPL |
+		   NETLOGON_NEG_ARCFOUR |
+		   NETLOGON_NEG_PROMOTION_COUNT |
+		   NETLOGON_NEG_CHANGELOG_BDC |
+		   NETLOGON_NEG_FULL_SYNC_REPL |
+		   NETLOGON_NEG_MULTIPLE_SIDS |
+		   NETLOGON_NEG_REDO |
+		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
+
+	if (lp_server_schannel() != false) {
+		srv_flgs |= NETLOGON_NEG_SCHANNEL;
+	}
+
+	*r->out.negotiate_flags = srv_flgs;
+
 	/* We use this as the key to store the creds: */
 	/* r->in.computer_name */
 
@@ -521,16 +547,9 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	srv_flgs = 0x000001ff;
-
-	if (lp_server_schannel() != false) {
-		srv_flgs |= NETLOGON_NEG_SCHANNEL;
-	}
-
 	/* set up the LSA AUTH 2 response */
 	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
 	       sizeof(r->out.return_credentials->data));
-	*r->out.negotiate_flags = srv_flgs;
 
 	fstrcpy(p->dc->mach_acct, r->in.account_name);
 	fstrcpy(p->dc->remote_machine, r->in.computer_name);
-- 
2.11.4.GIT