From: Stefan Metzmacher Date: Mon, 27 May 2019 10:38:43 +0000 (+0200) Subject: s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*() X-Git-Tag: samba-4.9.12~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a47fd552e123690e3ca5ad95c06172d4ae64be07;p=thirdparty%2Fsamba.git s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*() The domain join with VMWare Horizon Quickprep seems to use netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS (and in addition the NEG_SUPPORTS_AES) just to verify a password. Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916) --- diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 9b9947455ed..afe7b25f74d 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, srv_flgs |= NETLOGON_NEG_SUPPORTS_AES; } - if (lp_server_schannel() != false) { + if (in_neg_flags & NETLOGON_NEG_SCHANNEL) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } @@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, goto out; } - if ( (lp_server_schannel() == true) && - ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { - - /* schannel must be used, but client did not offer it. */ - DEBUG(0,("%s: schannel required but client failed " - "to offer it. Client was %s\n", - fn, r->in.account_name)); - status = NT_STATUS_ACCESS_DENIED; - goto out; - } - status = get_md4pw(&mach_pwd, r->in.account_name, r->in.secure_channel_type,