s4:librpc: fix netlogon connections against servers without AES support
authorStefan Metzmacher <metze@samba.org>
Tue, 16 Jul 2013 08:07:30 +0000 (10:07 +0200)
committerStefan Metzmacher <metze@samba.org>
Sat, 3 Aug 2013 07:12:17 +0000 (09:12 +0200)
LogonGetCapabilities() only works on the credential chain if
the server supports AES, so we need to work on a temporary copy
until we know the server replied with a valid return authenticator.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/librpc/rpc/dcerpc_schannel.c

index 1480486c3206debe5994534a29a828f4a9210193..130ebebd9092aa2a5161a9b0b4f6426969160723 100644 (file)
@@ -385,6 +385,7 @@ struct auth_schannel_state {
        struct loadparm_context *lp_ctx;
        uint8_t auth_level;
        struct netlogon_creds_CredentialState *creds_state;
+       struct netlogon_creds_CredentialState save_creds_state;
        struct netr_Authenticator auth;
        struct netr_Authenticator return_auth;
        union netr_Capabilities capabilities;
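Review bot: The new `save_creds_state` member has no comment saying it is a scratch copy of `*creds_state`, so a later reader cannot tell which of the two is authoritative at a given point in the bind. I would add above it `/* scratch copy stepped for LogonGetCapabilities; committed to *creds_state only once the return authenticator verifies */`. The assignment `s->save_creds_state = *s->creds_state;` in continue_bind_auth is a shallow struct copy, so any pointer members of netlogon_creds_CredentialState (its definition is not in this diff) stay shared with the original, and that is worth stating in the same comment. The struct body starts and ends outside the hunk.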
@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
                s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
                if (composite_nomem(s->creds_state, c)) return;
 
-               netlogon_creds_client_authenticator(s->creds_state, &s->auth);
+               s->save_creds_state = *s->creds_state;
+               netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
 
                s->c.in.server_name = talloc_asprintf(c,
                                                      "\\\\%s",
@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
        }
 
        /* verify credentials */
-       if (!netlogon_creds_client_check(s->creds_state,
+       if (!netlogon_creds_client_check(&s->save_creds_state,
                                         &s->c.out.return_authenticator->cred)) {
                composite_error(c, NT_STATUS_UNSUCCESSFUL);
                return;
        }
 
+       *s->creds_state = s->save_creds_state;
+
        if (!NT_STATUS_IS_OK(s->c.out.result)) {
                composite_error(c, s->c.out.result);
                return;
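Review bot: `*s->creds_state = s->save_creds_state;` overwrites the whole live state with a snapshot that was taken in continue_bind_auth, before the asynchronous round trip. If the object returned by cli_credentials_get_netlogon_creds() is shared with other users of s->credentials (not visible here), any step they made in between would be silently rolled back and the chain would go out of sync with the server. It is worth either checking here that the live state is unchanged since the snapshot or documenting that nothing else may step it during the bind. Separately, the scratch copy keeps a second copy of the credential material (presumably including the session key) for the lifetime of the state, so consider `ZERO_STRUCT(s->save_creds_state);` after the commit and on the failed-check path. continue_get_capabilities continues outside the hunk.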