s4:rpc_server/netlogon: Fix for NetApp

This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b47ccf44f40044f20ed9792826698933f5ba1846..49b5b2f2379c6ef25f6c15ec3d00f15e951cd128 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -172,17 +172,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
                }
        }
 
-       /*
-        * At this point we can cleanup the cache entry,
-        * if we fail the client needs to call netr_ServerReqChallenge
-        * again.
-        *
-        * Note: this handles global_challenge_table == NULL
-        * and also a non existing record just fine.
-        */
-       memcache_delete(global_challenge_table,
-                       SINGLETON_CACHE, challenge_key);
-
        server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
                       NETLOGON_NEG_PERSISTENT_SAMREPL |
                       NETLOGON_NEG_ARCFOUR |
@@ -228,6 +217,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
                return NT_STATUS_DOWNGRADE_DETECTED;
        }
 
+       /*
+        * At this point we can cleanup the cache entry,
+        * if we fail the client needs to call netr_ServerReqChallenge
+        * again.
+        *
+        * Note: this handles global_challenge_table == NULL
+        * and also a non existing record just fine.
+        */
+       memcache_delete(global_challenge_table,
+                       SINGLETON_CACHE, challenge_key);
+
        /*
         * According to Microsoft (see bugid #6099)
         * Windows 7 looks at the negotiate_flags