From 99231181e319db797f33dc10d1a0886631b5cc64 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Sep 2009 09:47:51 +0200
Subject: [PATCH] s4:rpc_server/netlogon: only return STRONG_KEYS if the client
 asked for it
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

metze

Signed-off-by: Günther Deschner <gd@samba.org>
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 57 +++++++++++++++------------
 1 file changed, 31 insertions(+), 26 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 1de1d74dd1c..598b7f2c9c4 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -91,40 +91,46 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 
 	const char *trust_dom_attrs[] = {"flatname", NULL};
 	const char *account_name;
+	uint32_t negotiate_flags = 0;
 
 	ZERO_STRUCTP(r->out.return_credentials);
 	*r->out.rid = 0;
 
+	negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+			  NETLOGON_NEG_PERSISTENT_SAMREPL |
+			  NETLOGON_NEG_ARCFOUR |
+			  NETLOGON_NEG_PROMOTION_COUNT |
+			  NETLOGON_NEG_CHANGELOG_BDC |
+			  NETLOGON_NEG_FULL_SYNC_REPL |
+			  NETLOGON_NEG_MULTIPLE_SIDS |
+			  NETLOGON_NEG_REDO |
+			  NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+			  NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+			  NETLOGON_NEG_GENERIC_PASSTHROUGH |
+			  NETLOGON_NEG_CONCURRENT_RPC |
+			  NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+			  NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+			  NETLOGON_NEG_TRANSITIVE_TRUSTS |
+			  NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+			  NETLOGON_NEG_PASSWORD_SET2 |
+			  NETLOGON_NEG_GETDOMAININFO |
+			  NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+			  NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
+			  NETLOGON_NEG_RODC_PASSTHROUGH |
+			  NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+			  NETLOGON_NEG_AUTHENTICATED_RPC;
+
+	if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+		negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
+	}
+
 	/*
 	 * According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
 	 * returned in this structure *even if the
 	 * call fails with access denied!
 	 */
-	*r->out.negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
-				  NETLOGON_NEG_PERSISTENT_SAMREPL |
-				  NETLOGON_NEG_ARCFOUR |
-				  NETLOGON_NEG_PROMOTION_COUNT |
-				  NETLOGON_NEG_CHANGELOG_BDC |
-				  NETLOGON_NEG_FULL_SYNC_REPL |
-				  NETLOGON_NEG_MULTIPLE_SIDS |
-				  NETLOGON_NEG_REDO |
-				  NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
-				  NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
-				  NETLOGON_NEG_GENERIC_PASSTHROUGH |
-				  NETLOGON_NEG_CONCURRENT_RPC |
-				  NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
-				  NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
-				  NETLOGON_NEG_STRONG_KEYS |
-				  NETLOGON_NEG_TRANSITIVE_TRUSTS |
-				  NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
-				  NETLOGON_NEG_PASSWORD_SET2 |
-				  NETLOGON_NEG_GETDOMAININFO |
-				  NETLOGON_NEG_CROSS_FOREST_TRUSTS |
-				  NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
-				  NETLOGON_NEG_RODC_PASSTHROUGH |
-				  NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
-				  NETLOGON_NEG_AUTHENTICATED_RPC;
+	*r->out.negotiate_flags = negotiate_flags;
 
 	switch (r->in.secure_channel_type) {
 	case SEC_CHAN_WKSTA:
@@ -261,8 +267,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 					   mach_pwd,
 					   r->in.credentials,
 					   r->out.return_credentials,
-					   *r->in.negotiate_flags);
-
+					   negotiate_flags);
 	if (!creds) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
-- 
2.11.4.GIT