From 19d8e97916c909a5685e5f8a8f6ef149f87d3ebc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 7 May 2009 12:52:35 -0700 Subject: [PATCH] After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns incurrate capabilities list. 1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3). Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy. (cherry picked from commit 41f9e61d7c8c106a98792e9009bbecf5edfcebe9) --- source/rpc_server/srv_netlog_nt.c | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c index 427aeda3483..dd490961d3a 100644 --- a/source/rpc_server/srv_netlog_nt.c +++ b/source/rpc_server/srv_netlog_nt.c @@ -472,12 +472,15 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, { NTSTATUS status; uint32_t srv_flgs; + /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags, + * so use a copy to avoid destroying the client values. */ + uint32_t in_neg_flags = *r->in.negotiate_flags; struct netr_Credential srv_chal_out; /* According to Microsoft (see bugid #6099) * Windows 7 looks at the negotiate_flags * returned in this structure *even if the - * call fails with access denied ! So in order + * call fails with access denied* ! So in order * to allow Win7 to connect to a Samba NT style * PDC we set the flags before we know if it's * an error or not. @@ -494,6 +497,11 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, NETLOGON_NEG_REDO | NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL; + /* Ensure we support strong (128-bit) keys. */ + if (in_neg_flags & NETLOGON_NEG_128BIT) { + srv_flgs |= NETLOGON_NEG_128BIT; + } + if (lp_server_schannel() != false) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } @@ -504,19 +512,19 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, if (!p->dc || !p->dc->challenge_sent) { DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n", r->in.computer_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } if ( (lp_server_schannel() == true) && - ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { + ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { /* schannel must be used, but client did not offer it. */ DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed " "to offer it. Client was %s\n", r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } status = get_md4pw((char *)p->dc->mach_pw, @@ -527,12 +535,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, "account %s: %s\n", r->in.account_name, nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* From the client / server challenges and md4 password, generate sess key */ - creds_server_init(*r->in.negotiate_flags, + creds_server_init(in_neg_flags, p->dc, &p->dc->clnt_chal, /* Stored client chal. */ &p->dc->srv_chal, /* Stored server chal. */ @@ -545,8 +553,8 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, "request from client %s machine account %s\n", r->in.computer_name, r->in.account_name)); - *r->out.negotiate_flags = srv_flgs; - return NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; + goto out; } /* set up the LSA AUTH 2 response */ memcpy(r->out.return_credentials->data, &srv_chal_out.data, @@ -564,10 +572,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, r->in.computer_name, p->dc); unbecome_root(); + status = NT_STATUS_OK; - *r->out.negotiate_flags = srv_flgs; + out: - return NT_STATUS_OK; + *r->out.negotiate_flags = srv_flgs; + return status; } /************************************************************************* -- 2.11.4.GIT