From cb279144037d79bd40da93c082d34ab3a425bf64 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 26 Nov 2024 11:13:32 +0100
Subject: [PATCH] s4:rpc_server/netlogon: fix dcesrv_netr_LogonSamLogon_base_call() for ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Thu Dec 12 15:00:10 UTC 2024 on atb-devel-224
---
selftest/knownfail.d/samba.tests.krb5.netlogon | 2 --
source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 ++++++++++-----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/selftest/knownfail.d/samba.tests.krb5.netlogon b/selftest/knownfail.d/samba.tests.krb5.netlogon
index a59934805b4..dc2304c1162 100644
--- a/selftest/knownfail.d/samba.tests.krb5.netlogon
+++ b/selftest/knownfail.d/samba.tests.krb5.netlogon
@@ -1,4 +1,2 @@
# This is not implemented yet
^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_ticket_samlogon
-# These will be fixed in the next commits
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_samlogon_.*_authK
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 0c36ad6be20..7fce61c5792 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1445,10 +1445,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
break;
case NDR_NETR_LOGONSAMLOGONEX:
default:
- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
nt_status = dcesrv_netr_check_schannel(dce_call,
creds,
auth_type,
@@ -1457,6 +1453,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+
+ if (!creds->authenticate_kerberos &&
+ auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
+ {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
break;
}
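Review bot: In the `NDR_NETR_LOGONSAMLOGONEX`/`default` arm, once `creds->authenticate_kerberos` is set the relocated check no longer constrains `auth_type` at all, so every transport requirement for ServerAuthenticateKerberos() sessions now rests on `dcesrv_netr_check_schannel()`, whose body is not part of this diff. If that helper does validate the auth type and level for Kerberos-authenticated credentials, a comment above the new condition would make the dependency visible, e.g. `/* authenticate_kerberos: auth_type/auth_level were already validated by dcesrv_netr_check_schannel() */`; if it does not, this arm needs an explicit positive check rather than only skipping the schannel one. The first hunk is the other half of the same move: with the early rejection removed, the helper is now reached with a non-schannel `auth_type`, so it must cope with that input itself. The function body starts and ends outside both hunks.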
@@ -1598,7 +1601,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
case NetlogonGenericInformation:
{
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ if (creds->authenticate_kerberos) {
+ /* OK */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
/* OK */
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
/* OK */
--
2.47.3
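Review bot: The new first branch under `case NetlogonGenericInformation:` accepts Kerberos-authenticated credentials without requiring `NETLOGON_NEG_SUPPORTS_AES` or `NETLOGON_NEG_ARCFOUR`, and its `/* OK */` comment does not say why skipping the cipher negotiation check is safe. Presumably the generic-information payload is not protected with a netlogon session key in this mode and relies on the authenticated transport instead; if so, say that in the branch, e.g. `/* authenticate_kerberos: no netlogon session-key crypto, protection comes from the DCERPC transport */`. The rest of this `if`/`else` chain, including the rejecting branch, lies outside the hunk, so it is worth confirming that the later handling of the blob treats the Kerberos case explicitly as well.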