s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
authorStefan Metzmacher <metze@samba.org>
Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 8 Jul 2019 11:43:57 +0000 (11:43 +0000)
The domain join with VMware Horizon Quickprep seems to use
netr_ServerAuthenticate3() with only NEG_STRONG_KEYS
(and additionally NEG_SUPPORTS_AES), just to verify a password.

Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)

source3/rpc_server/netlogon/srv_netlog_nt.c

index 9b9947455ed9e0dfcbea27cde6129b1f7f961ae1..afe7b25f74d6d303a3ed666a15752beabe098047 100644 (file)
@@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
        }
 
-       if (lp_server_schannel() != false) {
+       if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
                srv_flgs |= NETLOGON_NEG_SCHANNEL;
        }
 
@@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                goto out;
        }
 
-       if ( (lp_server_schannel() == true) &&
-            ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
-
-               /* schannel must be used, but client did not offer it. */
-               DEBUG(0,("%s: schannel required but client failed "
-                       "to offer it. Client was %s\n",
-                       fn, r->in.account_name));
-               status = NT_STATUS_ACCESS_DENIED;
-               goto out;
-       }
-
        status = get_md4pw(&mach_pwd,
                           r->in.account_name,
                           r->in.secure_channel_type,
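Review bot: With this block removed, a client that never offers NETLOGON_NEG_SCHANNEL now completes _netr_ServerAuthenticate3() even when `server schannel = yes`, and nothing in this hunk shows where that setting is enforced afterwards. If the requirement is meant to move to the later calls that use these credentials, say so at this spot, e.g. `/* "server schannel = yes" is not enforced here; it must be checked on every later netlogon call that uses these credentials */`. The removed DEBUG(0) was also the only record of such clients, so consider keeping one for operators at a lower level, e.g. `DEBUG(3, ("%s: client %s did not offer schannel\n", fn, r->in.account_name));`. The function body starts and ends outside the hunk, so the later enforcement path could not be checked from here.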