It turns out that the Netlogon PAC verification is encrypted.
authorAndrew Bartlett <abartlet@samba.org>
Fri, 29 Aug 2008 05:06:30 +0000 (15:06 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 29 Aug 2008 05:06:30 +0000 (15:06 +1000)
This test now passes against Win2k3, and an implementation in the
Samba4 server should follow shortly.

Andrew Bartlett

source/librpc/idl/krb5pac.idl
source/librpc/idl/netlogon.idl
source/torture/rpc/remote_pac.c

index 699f0b896b6c8033f2b991e8b1c3a3de3d609e75..dcee280150dbf5313996e6208296640894cc01c7 100644 (file)
@@ -100,8 +100,10 @@ interface krb5pac
                PAC_BUFFER_RAW buffers[num_buffers];
        } PAC_DATA_RAW;
 
+       const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
+
        typedef [public] struct {
-               uint32 MessageType;
+               [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
                uint32 ChecksumLength;
                uint32 SignatureType;
                uint32 SignatureLength;
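Review bot: `[value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)]` on `MessageType` fixes the field when the structure is pushed, but as far as I know pidl does not check the value on pull, so a receiver parsing `PAC_Validate` still has to compare `MessageType` with the constant itself. Since the commit message announces a server-side implementation, I would record that next to the constant, e.g. `/* PAC_Validate.MessageType: forced on push only; a receiver must reject any other value */`. The struct continues past the end of this hunk, so the remaining fields are not reviewed here.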
index 006411dfbf7c66c60301782f830bfe4bb05d7afa..22981068518bcd5ad0ec7a2e3b8f412daa78cc99 100644 (file)
@@ -240,6 +240,11 @@ interface netlogon
                lsa_String unknown4;
        } netr_PacInfo;
 
+       typedef [flag(NDR_PAHEX)] struct {
+               uint32 length;
+               [size_is(length)] uint8 *data;
+       } netr_GenericInfo2;
+
        typedef enum {
                NetlogonValidationUasInfo = 1,
                NetlogonValidationSamInfo = 2,
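Review bot: `netr_GenericInfo2` has no comment saying what `data` holds or whether it is plaintext. The commit title and the test change indicate that the request blob on this path is RC4-encrypted with the netlogon credentials, but whether the returned blob is encrypted too is not visible in this hunk. I would add above the typedef something like `/* opaque package-specific reply blob; length and contents are peer-supplied, and it may be encrypted like the request - confirm before parsing */` so that a consumer neither parses ciphertext nor trusts `length` beyond what NDR already enforces.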
@@ -252,7 +257,7 @@ interface netlogon
                [case(NetlogonValidationSamInfo)] netr_SamInfo2 *sam2;
                [case(NetlogonValidationSamInfo2)] netr_SamInfo3 *sam3;
                [case(4)] netr_PacInfo  *pac;
-               [case(NetlogonValidationGenericInfo2)] netr_PacInfo  *pac;
+               [case(NetlogonValidationGenericInfo2)] netr_GenericInfo2  *generic;
                [case(NetlogonValidationSamInfo4)] netr_SamInfo6 *sam6;
        } netr_Validation;
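Review bot: `[case(4)] netr_PacInfo  *pac;` is left unchanged while `NetlogonValidationGenericInfo2` moves to the opaque `netr_GenericInfo2` blob. As I read MS-NRPC, level 4 is the other generic validation level and shares the generic layout, so if a server ever answers at level 4 the reply would be unmarshalled as `netr_PacInfo`; that is worth confirming against Win2k3 before the server side is written. It would also read better with an enum name in place of the literal `4`, if the enum (only partly visible here) defines one. The union starts outside this hunk.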
 
index a01077a6c7327818817be15d95cdeb1afcc9784e..58c8ba0ee0eef2250e08c9fd749895524045f7e3 100644 (file)
@@ -154,7 +154,9 @@ static bool test_PACVerify(struct torture_context *tctx,
                                       (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
        torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
                
-       
+       torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
+       creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
+
        /* Validate it over the netlogon pipe */
 
        generic.identity_info.parameter_control = 0;
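Review bot: `creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length)` encrypts the buffer in place, so from that line on `pac_wrapped` holds ciphertext rather than the NDR-encoded `PAC_Validate`. test_PACVerify continues outside this hunk, so any later reuse of the blob (a second request, a negative case that flips a byte) would act on the encrypted form; a comment such as `/* pac_wrapped is now RC4 ciphertext under the netlogon session key; re-push before reusing */` would make that explicit. Separately, the new `torture_assert` on `NETLOGON_NEG_ARCFOUR` turns a server that did not negotiate RC4 into a test failure; `torture_skip(tctx, "PACValidate requires NETLOGON_NEG_ARCFOUR")` would report it as not applicable, while still never sending the blob unencrypted.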