From 1f05472b9a27861f8e4b9b60410890b920f9d359 Mon Sep 17 00:00:00 2001
From: Guenther Deschner
Date: Thu, 7 May 2009 12:52:10 -0700
Subject: [PATCH] s3-netlogon: Fix NETLOGON credential chain. Fixes Bug #6099 (Windows 7 joining Samba3) and probably many, many more.
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
Guenther
---
 source/rpc_server/srv_netlog_nt.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index 0d6d80d6462..427aeda3483 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -498,14 +498,13 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 srv_flgs |= NETLOGON_NEG_SCHANNEL;
 }
- *r->out.negotiate_flags = srv_flgs;
-
 /* We use this as the key to store the creds: */
 /* r->in.computer_name */
 if (!p->dc || !p->dc->challenge_sent) {
 DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n", r->in.computer_name));
+ *r->out.negotiate_flags = srv_flgs;
 return NT_STATUS_ACCESS_DENIED;
 }
@@ -516,6 +515,7 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed " "to offer it. Client was %s\n", r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
 return NT_STATUS_ACCESS_DENIED;
 }
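Review bot: The store to `*r->out.negotiate_flags` is now repeated on every exit of _netr_ServerAuthenticate2 (the `return NT_STATUS_ACCESS_DENIED;` in the hunk at -498 and in the hunks at -516, -527 and -544, plus the success return at -563), so a return added later without it would leave the out flags holding whatever the client sent, given the in/out aliasing the commit message describes. A single exit keeps that invariant in one place: set `status = NT_STATUS_ACCESS_DENIED; goto out;` on the failure branches and finish with `out: *r->out.negotiate_flags = srv_flgs; return status;`. The function begins above these hunks and continues between them, so whether the `status` variable seen in the -527 hunk can carry the success value as well needs checking against the full file.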
@@ -527,6 +527,7 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 "account %s: %s\n", r->in.account_name, nt_errstr(status) ));
 /* always return NT_STATUS_ACCESS_DENIED */
+ *r->out.negotiate_flags = srv_flgs;
 return NT_STATUS_ACCESS_DENIED;
 }
@@ -544,6 +545,7 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 "request from client %s machine account %s\n", r->in.computer_name, r->in.account_name));
+ *r->out.negotiate_flags = srv_flgs;
 return NT_STATUS_ACCESS_DENIED;
 }
 /* set up the LSA AUTH 2 response */
@@ -563,6 +565,8 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 p->dc);
 unbecome_root();
+ *r->out.negotiate_flags = srv_flgs;
+
 return NT_STATUS_OK;
 }
--
2.34.1
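Review bot: Nothing in the code records why `*r->out.negotiate_flags = srv_flgs;` in the hunk at -563 must come after the credential setup that ends in `p->dc);`, so a later tidy-up could hoist it back and drop the client's NETLOGON_NEG_STRONG_KEYS bit again, which is the 64-bit downgrade the commit message describes. A comment directly above the assignment would pin the ordering, for example `/* r->out.negotiate_flags shares storage with r->in.negotiate_flags: write it only after the client's flags have been consumed. */`. The call ending in `p->dc);` starts above the hunk, so the claim that it consumes the in flags rests on the commit message rather than on the visible lines.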