s4-auth: set the RODC bit for RODC schannel
authorAndrew Tridgell <tridge@samba.org>
Mon, 13 Sep 2010 01:36:43 +0000 (11:36 +1000)
committerAndrew Tridgell <tridge@samba.org>
Wed, 15 Sep 2010 05:39:34 +0000 (15:39 +1000)
When we are using SEC_CHAN_RODC, we need to set the
NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
ServerAuthenticate2.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

libcli/auth/credentials.h
source4/librpc/rpc/dcerpc_schannel.c

index 7175211fbaa1546f7fa568d7af54b2989d8c71d0..47582ef73ac7405ae0ce5f3d9b4b0d08b167facc 100644 (file)
@@ -68,4 +68,5 @@
 
 #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
+#define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH)
 
index ff511a2c67682454de82ae8006cd8cb91aaf0620..77163235416582dc229343b203b49fef312e025b 100644 (file)
@@ -243,6 +243,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
        struct composite_context *c;
        struct schannel_key_state *s;
        struct composite_context *epm_map_req;
+       enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
        
        /* composite context allocation and setup */
        c = composite_create(mem_ctx, p->conn->event_ctx);
@@ -258,7 +259,9 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 
        /* allocate credentials */
        /* type of authentication depends on schannel type */
-       if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
+       if (schannel_type == SEC_CHAN_RODC) {
+               s->negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
+       } else if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
                s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        } else {
                s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
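Review bot: The new `schannel_type == SEC_CHAN_RODC` branch is tested before the `DCERPC_SCHANNEL_128` check, so for an RODC channel the connection flag no longer influences `s->negotiate_flags`, and nothing in the hunk says this is intended. Because `NETLOGON_NEG_AUTH2_RODC_FLAGS` is built on `NETLOGON_NEG_AUTH2_ADS_FLAGS`, which includes `NETLOGON_NEG_128BIT`, the RODC case always requests the 128-bit set. A comment above the branch would record that, e.g. `/* RODC channels always request the ADS flag set plus NETLOGON_NEG_RODC_PASSTHROUGH, independent of DCERPC_SCHANNEL_128 */`. These are only the flags the client offers; whether the flags returned by ServerAuthenticate2 are checked for the RODC bit is not visible here, since the body of dcerpc_schannel_key_send continues outside the hunk.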